7 files changed, 57 insertions, 2 deletions

diff --git a/RELNOTES b/RELNOTES
index 19c3b6a00..acbac2275 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,8 +5,11 @@ firejail (0.9.29) baseline; urgency=low
   * added --private-etc option
   * support ${HOME} token in include directive in profile files
   * --private.keep is transitioned to --private-home
+  * support ~ and blanks in blacklist option
+  * support "net none" command in profile files
+  * added "net none" to Evince PDF viewer
   * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sat, 12 Aug 2015 20:25:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sat, 22 Aug 2015 20:25:00 -0500
 
 firejail (0.9.28) baseline; urgency=low
   * network scanning, --scan option
diff --git a/etc/evince.profile b/etc/evince.profile
index e81044314..c90317ed8 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,5 +5,5 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
-netfilter
+net none
 noroot
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e9a2e55a3..86db82da0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -128,6 +128,14 @@ int profile_check_line(char *ptr, int lineno) {
                 check_netfilter_file(arg_netfilter_file);
                 return 0;
         }
+        else if (strcmp(ptr, "net none") == 0) {
+                arg_nonetwork  = 1;
+                cfg.bridge0.configured = 0;
+                cfg.bridge1.configured = 0;
+                cfg.bridge2.configured = 0;
+                cfg.bridge3.configured = 0;
+                return 0;
+        }
         
         // seccomp drop list on top of default list
         if (strncmp(ptr, "seccomp ", 8) == 0) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7be5304c1..58ba39b00 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -180,6 +180,13 @@ netfilter filename
 If a new network namespace is created, enabled the network filter in filename.
 
 .TP
+net none
+Enable  a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use  this  option  to deny network access to programs that don't
+really need network access.
+
+.TP
 dns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0b7ed1434..ffc698edd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -97,6 +97,10 @@ Blacklist directory or file.
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
+.br
+$ firejail \-\-blacklist=~/.mozilla
+.br
+$ firejail "\-\-blacklist=My Virtual Machines"
 .TP
 \fB\-c
 Execute command and exit.
diff --git a/test/net_none.exp b/test/net_none.exp
index dfa14a211..54b6cb946 100755
--- a/test/net_none.exp
+++ b/test/net_none.exp
@@ -4,6 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+# options
 send -- "firejail --net=none\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
@@ -30,7 +31,38 @@ expect {
         "eth0" {puts "TESTING ERROR 2.1\n";exit}
         "home"
 }
+send -- "exit\r"
+sleep 1
+send -- "exit\r"
+sleep 1
+
+# profile
+send -- "firejail --profile=net_none.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "eth0" {puts "TESTING ERROR 3.1\n";exit}
+        "Child process initialized"
+}
 sleep 1
 
+# test default gw
+send -- "bash\r"
+sleep 1
+send -- "netstat -rn; pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
+        "home"
+}
+sleep 1
+
+# check again devices
+send -- "cat /proc/1/net/dev;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0" {puts "TESTING ERROR 5.1\n";exit}
+        "home"
+}
+sleep 1
 
 puts "\n"
diff --git a/test/net_none.profile b/test/net_none.profile
new file mode 100644
index 000000000..079c08ea8
--- /dev/null
+++ b/test/net_none.profile
@@ -0,0 +1 @@
+net none