17 files changed, 129 insertions, 19 deletions

diff --git a/README b/README
index 46c314a64..f9933f592 100644
--- a/README
+++ b/README
@@ -77,6 +77,12 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added gnome-chess profile
         - added DOSBox profile
         - evince profile enhancement
+valoq (https://github.com/valoq)
+        - LibreOffice profile fixes
+        - cherrytree profile fixes
+        - added support for /srv in --whitelist feature
+Rafael Cavalcanti (https://github.com/rccavalcanti)
+        - chromium profile fixes for Arch Linux
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
         - added xpdf profile
 vismir2 (https://github.com/vismir2)
@@ -84,9 +90,6 @@ vismir2 (https://github.com/vismir2)
 Dara Adib (https://github.com/daradib)
         - ssh profile fix
         - evince profile fix
-valoq (https://github.com/valoq)
-        - LibreOffice profile fixes
-        - cherrytree profile fixes
 vismir2 (https://github.com/vismir2)
         - feh, ranger, 7z, keepass, keepassx and zathura profiles
         - lots of profile fixes
diff --git a/README.md b/README.md
index 1038e1ef8..5c061dad8 100644
--- a/README.md
+++ b/README.md
@@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start
 ## New profiles
 
 qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx,
-claws-mail, mutt, git, emacs, vim, xpdf
+claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade
 
diff --git a/RELNOTES b/RELNOTES
index 4c191fc82..7aa3155e1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,9 +1,11 @@
-firejail (0.9.43) baseline; urgency=low
+firejail (0.9.44~rc1) baseline; urgency=low
   * CVE-2016-7545 submitted by Aleksey Manevich
   * development version
   * modifs: removed man firejail-config
   * modifs: --private-tmp whitelists /tmp/.X11-unix directory
   * modifs: Nvidia drivers added to --private-dev
+  * modifs: /srv supported by --whitelist
+  * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
   * feature: support starting/joining sandbox is a single command
     (--join-or-start)
   * feature: X11 detection support for --audit
@@ -15,11 +17,13 @@ firejail (0.9.43) baseline; urgency=low
   * feature: X11 security extension (--x11=xorg)
   * feature: disable 3D hardware acceleration (--no3d)
   * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
+  * feature: move files in sandbox (--put)
   * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
   * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
-  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf
+  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
+  * new profiles: Flowblade
   * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Fri, 9 Sept 2016 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sat, 15 Sept 2016 08:00:00 -0500
 
 firejail (0.9.42) baseline; urgency=low
   * security: --whitelist deleted files, submitted by Vasya Novikov
diff --git a/configure b/configure
index 48b891c40..9a33f0401 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.44~rc1'
-PACKAGE_STRING='firejail 0.9.44~rc1'
+PACKAGE_VERSION='0.9.44~rc2'
+PACKAGE_STRING='firejail 0.9.44~rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.44~rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1320,7 +1320,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.44~rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1424,7 +1424,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.44~rc1
+firejail configure 0.9.44~rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.44~rc1, which was
+It was created by firejail $as_me 0.9.44~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.44~rc1, which was
+This file was extended by firejail $as_me 0.9.44~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4357,7 +4357,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.44~rc1
+firejail config.status 0.9.44~rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 108b558d4..4496550fd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.44~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 0d383aebf..4109af9a4 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
+
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 971857710..2ac367f37 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
 # clang/llvm
 blacklist /usr/bin/clang*
 blacklist /usr/bin/llvm*
-blacklist /usb/bin/lldb*
+blacklist /usr/bin/lldb*
 blacklist /usr/lib/llvm*
 
 # tcc - Tiny C Compiler
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 369e4813c..1ff486509 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -35,6 +35,10 @@ blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.openshot
+blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.flowblade
+blacklist ${HOME}/.config/flowblade
 
 
 # Media players
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
new file mode 100644
index 000000000..e1ec291bd
--- /dev/null
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/openshot.profile b/etc/openshot.profile
new file mode 100644
index 000000000..f12bd7d11
--- /dev/null
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
new file mode 100644
index 000000000..148b7efc8
--- /dev/null
+++ b/etc/virtualbox.profile
@@ -0,0 +1,12 @@
+# VirtualBox profile
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+noblacklist ${HOME}/.config/VirtualBox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+
+
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index a8ed6f691..2ffa6d035 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -161,3 +161,6 @@
 /etc/firejail/emacs.profile
 /etc/firejail/vim.profile
 /etc/firejail/xpdf.profile
+/etc/firejail/virtualbox.profile
+/etc/firejail/openshot.profile
+/etc/firejail/flowblade.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 31f6b2fd5..0c46f2dfa 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -76,6 +76,7 @@ unbound
 mupen64plus
 wine
 dosbox
+virtualbox
 
 # games
 0ad
@@ -137,6 +138,8 @@ pix
 xpdf
 xreader
 zathura
+openshot
+flowblade
 
 # other
 ssh
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index a5f12c7df..6c566bd90 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -649,7 +649,11 @@ void fs_proc_sys_dev_boot(void) {
                 
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        disable_file(BLACKLIST_FILE, "/sys/fs");
+        { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
+                EUID_USER();    
+                profile_add("blacklist /sys/fs");
+                EUID_ROOT();
+        }
         disable_file(BLACKLIST_FILE, "/sys/module");
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index b1c2774e2..8bbdbe5d3 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -822,6 +822,7 @@ void fs_whitelist(void) {
                 if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mount tmpfs");
                 fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
+        }
 
         if (new_name)
                 free(new_name);
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index d45ef48bd..3139b8eae 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -6,6 +6,9 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
+echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
+./sys_fs.exp
+
 echo "TESTING: kmsg access (test/fs/kmsg.exp)"
 ./kmsg.exp
 
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
new file mode 100755
index 000000000..f512776d9
--- /dev/null
+++ b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
+