6 files changed, 38 insertions, 5 deletions

diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
index 4ac7a330b..f6cfc0f45 100644
--- a/etc/disable-secret.inc
+++ b/etc/disable-secret.inc
@@ -10,3 +10,9 @@ blacklist ${HOME}/.local/share/recently-used.xbel
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
 blacklist /etc/shadow
+blacklist /etc/gshadow
+blacklist /etc/passwd-
+blacklist /etc/group-
+blacklist /etc/shadow-
+blacklist /etc/gshadow-
+blacklist /etc/ssh
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ad84b2222..c6dfdec30 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -56,7 +56,7 @@ static void create_empty_file(void) {
         }
 }
 
-// build /tmp/firejail directory
+// build /run/firejail directory
 void fs_build_firejail_dir(void) {
         struct stat s;
 
@@ -86,11 +86,16 @@ void fs_build_firejail_dir(void) {
 
 // build /tmp/firejail/mnt directory
 static int tmpfs_mounted = 0;
+static void fs_build_remount_mnt_dir(void) {
+        tmpfs_mounted = 0;
+        fs_build_mnt_dir();
+}
+
 void fs_build_mnt_dir(void) {
         struct stat s;
         fs_build_firejail_dir();
         
-        // create /tmp/firejail directory
+        // create /run/firejail/mnt directory
         if (stat(MNT_DIR, &s)) {
                 if (arg_debug)
                         printf("Creating %s directory\n", MNT_DIR);
@@ -106,7 +111,7 @@ void fs_build_mnt_dir(void) {
 
         // ... and mount tmpfs on top of it
         if (!tmpfs_mounted) {
-                // mount tmpfs on top of /tmp/firejail/mnt
+                // mount tmpfs on top of /run/firejail/mnt
                 if (arg_debug)
                         printf("Mounting tmpfs on %s directory\n", MNT_DIR);
                 if (mount("tmpfs", MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
@@ -533,6 +538,14 @@ void fs_proc_sys_dev_boot(void) {
                         errExit("mounting /boot directory");
         }
         
+        // disable /selinux
+        if (stat("/selinux", &s) == 0) {
+                if (arg_debug)
+                        printf("Mounting a new /selinux directory\n");
+                if (mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                        errExit("mounting /selinux directory");
+        }
+        
         // disable /dev/port
         if (stat("/dev/port", &s) == 0) {
                 disable_file(BLACKLIST_FILE, "/dev/port");
@@ -818,6 +831,8 @@ void fs_chroot(const char *rootdir) {
                 printf("Chrooting into %s\n", rootdir);
         if (chroot(rootdir) < 0)
                 errExit("chroot");
+        // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
+        fs_build_remount_mnt_dir();
                 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         if (!arg_private_dev)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c55d87364..1495d7516 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1285,6 +1285,15 @@ int main(int argc, char **argv) {
         if (pipe(child_to_parent_fds) < 0)
                 errExit("pipe");
 
+        if (arg_noroot && arg_overlay) {
+                fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
+                arg_noroot = 0;
+        }
+        else if (arg_noroot && cfg.chrootdir) {
+                fprintf(stderr, "Warning: --overlay and --chroot are mutually exclusive, noroot disabled\n");
+                arg_noroot = 0;
+        }
+
         // clone environment
         int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
         
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index c0a14ff6f..d2d106f27 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -293,7 +293,6 @@ static void sanitize_group(void) {
                 if ((gid_t) gid != mygid) {
                         continue; // skip line
                 }
-                fprintf(fpout, "%s", buf);
                 if (copy_line(fpout, buf, ptr))
                         goto errout;
         }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index c105894bb..dd444f0b9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -300,6 +300,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT              
         if (cfg.chrootdir) {
                 fs_chroot(cfg.chrootdir);
+                // redo cp command
+                fs_build_cp_command();
+                
                 // force caps and seccomp if not started as root
                 if (getuid() != 0) {
                         // force default seccomp inside the chroot, no keep or drop list
@@ -336,7 +339,7 @@ int sandbox(void* sandbox_arg) {
         }
         else 
 #endif          
-        if (arg_overlay)
+        if (arg_overlay)        
                 fs_overlayfs();
         else
                 fs_basic_fs();
diff --git a/todo b/todo
index dad8b3e10..109c662fd 100644
--- a/todo
+++ b/todo
@@ -73,4 +73,5 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
 ./configure --enable-fatal-warnings --disable-chroot --prefix=/usr
 ./configure --enable-fatal-warnings --disable-bind --prefix=/usr
 
+12. do not allow symlinks for --bind