8 files changed, 112 insertions, 96 deletions

diff --git a/configure b/configure
index b75848bea..f31816599 100755
--- a/configure
+++ b/configure
@@ -5559,48 +5559,49 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   whitelisting: $HAVE_WHITELIST
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
 
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+        cat <<\EOF
 
 
-if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
 
+
+EOF
+fi
diff --git a/configure.ac b/configure.ac
index 4af69766d..0eb616355 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com)
+AC_INIT([firejail],[0.9.65],[netblue30@protonmail.com],[],[https://firejail.wordpress.com])
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])
@@ -304,53 +304,56 @@ if test "$prefix" = /usr; then
 fi
 
 AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
-AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
+AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile)
-
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
-
+src/jailcheck/Makefile])
+AC_OUTPUT
+
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   whitelisting: $HAVE_WHITELIST
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
 
 if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+        cat <<\EOF
+
 
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile
index 6e97c6b78..584d88f85 100644
--- a/etc/profile-a-l/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
@@ -7,5 +7,7 @@ include gunzip.local
 # added by included profile
 #include globals.local
 
+include allow-bin-sh.inc
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index f72af0b4a..b887de147 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/hexchat
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -48,7 +51,7 @@ tracelog
 
 disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
-private-bin hexchat,python*
+private-bin hexchat,python*,sh
 private-dev
 #private-lib - python problems
 private-tmp
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 77bb5e5bb..9a7a1bac7 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -423,6 +423,13 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
             strcmp(dir, "/sys") == 0)
                 whitelist_error(path);
 
+        // whitelisting home directory is disabled if --private option is present
+        if (arg_private && strcmp(dir, cfg.homedir) == 0) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path);
+                return NULL;
+        }
+
         // do nothing if directory doesn't exist
         struct stat s;
         if (lstat(dir, &s) != 0) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 31694558d..7cfa58078 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1904,8 +1904,6 @@ int main(int argc, char **argv, char **envp) {
                 }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
-                        // disable whitelisting in home directory
-                        profile_add("whitelist ~/*");
                 }
                 else if (strncmp(argv[i], "--private=", 10) == 0) {
                         if (cfg.home_private_keep) {
@@ -1927,8 +1925,6 @@ int main(int argc, char **argv, char **envp) {
                                 cfg.home_private = NULL;
                         }
                         arg_private = 1;
-                        // disable whitelisting in home directory
-                        profile_add("whitelist ~/*");
                 }
 #ifdef HAVE_PRIVATE_HOME
                 else if (strncmp(argv[i], "--private-home=", 15) == 0) {
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index fbfe1765b..d1be6eed4 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -36,8 +36,10 @@ void shut(pid_t pid) {
                 }
                 free(comm);
         }
-        else
-                errExit("/proc/PID/comm");
+        else {
+                fprintf(stderr, "Error: cannot find process %d\n", pid);
+                exit(1);
+        }
 
         // check privileges for non-root users
         uid_t uid = getuid();
diff --git a/src/firejail/util.c b/src/firejail/util.c
index b15b719b7..6a7318c4b 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -647,9 +647,11 @@ int find_child(pid_t parent, pid_t *child) {
                                 if (parent == atoi(ptr)) {
                                         // we don't want /usr/bin/xdg-dbus-proxy!
                                         char *cmdline = pid_proc_cmdline(pid);
-                                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
-                                                *child = pid;
-                                        free(cmdline);
+                                        if (cmdline) {
+                                                if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
+                                                        *child = pid;
+                                                free(cmdline);
+                                        }
                                 }
                                 break;            // stop reading the file
                         }