15 files changed, 59 insertions, 18 deletions

diff --git a/Makefile.in b/Makefile.in
index fd427dc00..c00d20c64 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -43,7 +43,7 @@ $(MYDIRS):
         $(MAKE) -C $@
 
 
-$(MANPAGES): $(wildcard src/man/*.man)
+$(MANPAGES): src/man
         ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
 
 man: $(MANPAGES)
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 720b69773..493c53936 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -34,6 +34,6 @@ shell none
 tracelog
 
 #disable-mnt
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/mkman.sh b/mkman.sh
index b8e7e58eb..6ca96d331 100755
--- a/mkman.sh
+++ b/mkman.sh
@@ -3,6 +3,8 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 
+set -e
+
 sed "s/VERSION/$1/g" $2 > $3
 MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
 sed -i "s/MONTH/$MONTH/g" $3
diff --git a/src/common.mk.in b/src/common.mk.in
index fc0c612ea..c9ef455ed 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -36,7 +36,7 @@ CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDI
 MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 ifdef NO_EXTRA_CFLAGS
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 37547a985..456bba91b 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -130,7 +130,9 @@ static void dhcp_waitll_all() {
                 dhcp_waitll(cfg.bridge3.devsandbox);
 }
 
-void dhcp_start(void) {
+// Temporarily copy dhclient executable under /run/firejail/mnt and start it from there
+// in order to recognize it later in firemon and firetools
+void dhcp_store_exec(void) {
         if (!any_dhcp())
                 return;
 
@@ -144,6 +146,26 @@ void dhcp_start(void) {
                 }
         }
 
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
+}
+
+void dhcp_start(void) {
+        if (!any_dhcp())
+                return;
+
+        char *dhclient_path = RUN_MNT_DIR "/dhclient";;
+        struct stat s;
+        if (stat(dhclient_path, &s) == -1) {
+                dhclient_path = "/usr/sbin/dhclient";
+                if (stat(dhclient_path, &s) == -1) {
+                        fprintf(stderr, "Error: dhclient was not found.\n");
+                        exit(1);
+                }
+        }
+
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
+        dhclient_path = RUN_MNT_DIR "/dhclient";
+
         EUID_ROOT();
         if (mkdir(RUN_DHCLIENT_DIR, 0700))
                 errExit("mkdir");
@@ -163,4 +185,6 @@ void dhcp_start(void) {
                         exit(1);
                 }
         }
+
+        unlink(dhclient_path);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2bb8dd351..6c0ebcd43 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -867,6 +867,7 @@ void dbus_apply_policy(void);
 // dhcp.c
 extern pid_t dhclient4_pid;
 extern pid_t dhclient6_pid;
+void dhcp_store_exec(void);
 void dhcp_start(void);
 
 // selinux.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 5cc2d4123..daa924698 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -888,19 +888,20 @@ char *guess_shell(void) {
         return shell;
 }
 
+// return argument index
 static int check_arg(int argc, char **argv, const char *argument, int strict) {
         int i;
         int found = 0;
         for (i = 1; i < argc; i++) {
                 if (strict) {
                         if (strcmp(argv[i], argument) == 0) {
-                                found = 1;
+                                found = i;
                                 break;
                         }
                 }
                 else {
                         if (strncmp(argv[i], argument, strlen(argument)) == 0) {
-                                found = 1;
+                                found = i;
                                 break;
                         }
                 }
@@ -1046,6 +1047,14 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_USER();
 
+        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+        // these paths are disabled in disable-common.inc
+        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+                        profile_add("noblacklist /sbin");
+                        profile_add("noblacklist /usr/sbin");
+                }
+        }
 
         // for appimages we need to remove "include disable-shell.inc from the profile
         // a --profile command can show up before --appimage
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ff6be986f..3e8dbe5d9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -651,6 +651,8 @@ int sandbox(void* sandbox_arg) {
         if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
             mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
                 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
+        // keep a copy of dhclient executable before the filesystem is modified
+        dhcp_store_exec();
 
         //****************************
         // log sandbox data
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 52d6788ef..dd776fcce 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -35,7 +35,7 @@ static int selinux_enabled = -1;
 void selinux_relabel_path(const char *path, const char *inside_path)
 {
 #if HAVE_SELINUX
-        char procfs_path[64];
+        char procfs_path[64];
         char *fcon = NULL;
         int fd;
         struct stat st;
@@ -43,26 +43,29 @@ void selinux_relabel_path(const char *path, const char *inside_path)
         if (selinux_enabled == -1)
                 selinux_enabled = is_selinux_enabled();
 
-        if (!selinux_enabled && arg_debug)
+        if (!selinux_enabled)
                 return;
 
         if (!label_hnd)
                 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 
+        if (!label_hnd)
+                errExit("selabel_open");
+
         /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
                 goto close;
 
-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
                 sprintf(procfs_path, "/proc/self/fd/%i", fd);
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
                 setfilecon_raw(procfs_path, fcon);
-        }
+        }
         freecon(fcon);
  close:
         close(fd);
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
index a6aae5ecb..eecf18832 100644
--- a/src/fsec-print/print.c
+++ b/src/fsec-print/print.c
@@ -19,7 +19,7 @@
  *
  *
  *
- * Parts of this code was lifted from libseccomp project, license LGPV 2.1.
+ * Parts of this code was lifted from libseccomp project, license LGPL 2.1.
  * This is the original copyright notice in libseccomp code:
  *
  *
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 4da2db748..21aad66f7 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -51,7 +51,7 @@
 #define RUN_LIB_DIR                     RUN_MNT_DIR "/lib"
 #define RUN_LIB_FILE                    RUN_MNT_DIR "/libfiles"
 #define RUN_DNS_ETC                     RUN_MNT_DIR "/dns-etc"
-#define RUN_DHCLIENT_DIR                        RUN_MNT_DIR "/dhclient"
+#define RUN_DHCLIENT_DIR                        RUN_MNT_DIR "/dhclient-dir"
 #define RUN_DHCLIENT_4_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient.leases"
 #define RUN_DHCLIENT_6_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient6.leases"
 #define RUN_DHCLIENT_4_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient.leases"
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
index 00dc6ee7e..edd4534b8 100644
--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -9,7 +9,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
 all: libpostexecseccomp.so
 
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in
index 2070fe0ea..5c7d0f885 100644
--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -9,7 +9,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
 all: libtrace.so
 
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index db640617a..b1ac9e57c 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -9,7 +9,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
 all: libtracelog.so
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index c0ced120e..ef7dccbfb 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -524,7 +524,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -545,7 +545,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
 .TP
 \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
 .TP
 \fBnodbus \fR(deprecated)
 Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.