13 files changed, 54 insertions, 61 deletions

diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b72632bf4..b7091f1fc 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # noexec ${HOME} breaks plugins
 ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 972838729..f07b9166a 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
 whitelist /usr/share/megaglest
+whitelist /usr/share/games/megaglest    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index aac3e721f..b1989e474 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
 whitelist /usr/share/scorched3d
+whitelist /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 131dcbb68..54e179958 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -16,10 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-shell.inc
+#include disable-shell.inc - breaks on Debian 10
 include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures  # Debian version
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,7 +43,7 @@ tracelog
 
 disable-mnt
 private
-private-bin python*,seahorse-adventures
+private-bin python*,seahorse-adventures,bash,dash,sh
 private-cache
 private-dev
 private-etc machine-id
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 9ad772cd5..51f6c8b00 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -18,12 +18,14 @@ ignore dbus-system none
 
 noblacklist ${HOME}/.config/Slack
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
-private-bin locale,slack
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index dd456f085..cfd7a63ea 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
 whitelist /usr/share/supertux2
+whitelist /usr/share/games/supertux2    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 095cea7b8..4eb8f921c 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.config/supertuxkart
 whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
+whitelist /usr/share/games/supertuxkart # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index e0c5aee9e..7463b761f 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,7 +2,7 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include tekegram-desktop.local
+include telegram-desktop.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index fcc7fe949..61e9c9fd8 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -59,14 +59,6 @@ include globals.local
 ##ignore noexec ${HOME}
 ##ignore noexec /tmp
 
-##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
-# Disable Wayland
-#blacklist ${RUNUSER}/wayland-*
-# Disable RUNUSER (cli only; supersedes Disable Wayland)
-#blacklist ${RUNUSER}
-
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
 # (keep list sorted) and then disable blacklisting below.
@@ -109,6 +101,17 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
 
+##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only; supersedes Disable Wayland)
+#blacklist ${RUNUSER}
+# Remove the next blacklist if you system has no /usr/libexec dir,
+# otherwise try to add it.
+#blacklist /usr/libexec
+
 # disable-*.inc includes
 # remove disable-write-mnt.inc if you set disable-mnt
 #include disable-common.inc
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 257d376a1..f4f093138 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1327,7 +1327,7 @@ void fs_x11(void) {
         struct stat s1, s2;
         if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0)
                 return;
-        if ((s1.st_mode & S_ISVTX) == 0) {
+        if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
                 fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n");
                 return;
         }
@@ -1335,26 +1335,26 @@ void fs_x11(void) {
                 fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n");
                 return;
         }
+
         char *x11file;
         if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
                 errExit("asprintf");
+        int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src < 0) {
+                free(x11file);
+                return;
+        }
         struct stat x11stat;
-        if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) {
+        if (fstat(src, &x11stat) < 0)
+                errExit("fstat");
+        if (!S_ISSOCK(x11stat.st_mode)) {
+                close(src);
                 free(x11file);
                 return;
         }
 
         if (arg_debug || arg_debug_whitelists)
                 fprintf(stderr, "Masking all X11 sockets except %s\n", x11file);
-
-        // Move the real /tmp/.X11-unix to a scratch location
-        // so we can still access x11file after we mount a
-        // tmpfs over /tmp/.X11-unix.
-        if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1)
-                errExit("mkdir");
-        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
-                errExit("mount bind");
-
         // This directory must be mode 1777
         if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
                 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
@@ -1363,40 +1363,21 @@ void fs_x11(void) {
         fs_logger("tmpfs /tmp/.X11-unix");
 
         // create an empty root-owned file which will have the desired socket bind-mounted over it
-        int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
-        if (fd < 0)
-                errExit(x11file);
-        close(fd);
+        int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (dst < 0)
+                errExit("open");
 
-        // the mount source is under control of the user, so be careful and
-        // mount without following symbolic links, using a file descriptor
-        char *wx11file;
-        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-                errExit("asprintf");
-        fd = safer_openat(-1, wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd == -1)
-                errExit("opening X11 socket");
-        // confirm once more we are mounting a socket
-        if (fstat(fd, &x11stat) == -1)
-                errExit("fstat");
-        if (!S_ISSOCK(x11stat.st_mode)) {
-                errno = ENOTSOCK;
-                errExit("mounting X11 socket");
-        }
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+        char *proc_src, *proc_dst;
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1 ||
+            asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
                 errExit("asprintf");
-        if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(proc_src, proc_dst, NULL, MS_BIND | MS_REC, NULL) < 0)
                 errExit("mount bind");
+        free(proc_src);
+        free(proc_dst);
+        close(src);
+        close(dst);
         fs_logger2("whitelist", x11file);
-        close(fd);
-        free(proc);
-
-        // block access to RUN_WHITELIST_X11_DIR
-        if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
-                errExit("mount");
-        fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-        free(wx11file);
         free(x11file);
 #endif
 }
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index a172dd511..3db750da3 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,12 +79,8 @@
 #define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 
-
 #define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"
 #define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
-
-#define RUN_WHITELIST_X11_DIR           RUN_MNT_DIR "/orig-x11"
-
 #define RUN_XAUTHORITY_FILE             RUN_MNT_DIR "/.Xauthority"              // private options
 #define RUN_XAUTH_FILE                  RUN_MNT_DIR "/xauth"                    // x11=xorg
 #define RUN_XAUTHORITY_SEC_DIR          RUN_MNT_DIR "/.sec.Xauthority"          // x11=xorg
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 12e841af5..6f3bef7f2 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -428,8 +428,9 @@ Blacklist violations logged to syslog.
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f4a549b05..3212a88e4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2723,8 +2723,9 @@ $ firejail \-\-net=br0 --veth-name=if0
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br