19 files changed, 175 insertions, 32 deletions

diff --git a/README b/README
index 25d1d728f..c685c500c 100644
--- a/README
+++ b/README
@@ -387,6 +387,8 @@ SpotComms (https://github.com/SpotComms)
         - fixed wget profile
         - fixed firecfg.config file
         - added novideo and disable-mnt support in all profile files
+    - added Peek and silent profiles
+    - added IntelliJ IDEA and Android Studio profiles
 SYN-cook (https://github.com/SYN-cook)
         - keepass/keepassx browser fixes
         - disable-common.inc fixes
diff --git a/README.md b/README.md
index 517aee81d..05e45d573 100644
--- a/README.md
+++ b/README.md
@@ -107,5 +107,5 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 
 ## New profiles:
 
-curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea
+curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, IntelliJ IDEA, Android Studio
 
diff --git a/RELNOTES b/RELNOTES
index 5310b0ae5..d9f18906f 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,7 +2,8 @@ firejail (0.9.49) baseline; urgency=low
   * work in progress!
   * feature: per-profile disable-mnt
   * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
-  * new profiles: Geary, Liferea
+  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
+  * new profiles: Android Studio
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
 
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
new file mode 100644
index 000000000..68a3cdc85
--- /dev/null
+++ b/etc/android-studio.profile
@@ -0,0 +1,37 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/android-studio.local
+
+# Firejail profile for Android Studio
+
+noblacklist ${HOME}/.AndroidStudio*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+#nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+#private-tmp
+
+noexec /tmp
diff --git a/etc/arduino.profile b/etc/arduino.profile
index 60c071c01..ff605501d 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -8,6 +8,7 @@ include /etc/firejail/arduino.local
 # Firejail profile for arduino
 noblacklist ${HOME}/.arduino15
 noblacklist ${HOME}/Arduino
+noblacklist ${HOME}/.java
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 655a44a04..3c98b8ac3 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -4,8 +4,10 @@ include /etc/firejail/disable-programs.local
 
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.AndroidStudio*
 blacklist ${HOME}/.Atom
 blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.IdeaIC*
 blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
@@ -16,6 +18,7 @@ blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
@@ -192,11 +195,13 @@ blacklist ${HOME}/.googleearth/Cache/
 blacklist ${HOME}/.googleearth/Temp/
 blacklist ${HOME}/.googleearth/myplaces.backup.kml
 blacklist ${HOME}/.googleearth/myplaces.kml
+blacklist ${HOME}/.gradle
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde4/share/apps/gwenview
 blacklist ${HOME}/.kde4/share/apps/kcookiejar
@@ -249,6 +254,7 @@ blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/Empathy
+blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -338,6 +344,7 @@ blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.tooling
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
@@ -387,6 +394,7 @@ blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/simple-scan
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 729dabeb7..aba484718 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
new file mode 100644
index 000000000..771131262
--- /dev/null
+++ b/etc/idea.sh.profile
@@ -0,0 +1,37 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/idea.sh.local
+
+# Firejail profile for IntelliJ IDEA Community Edition
+
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.IdeaIC*
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+#nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+#private-tmp
+
+noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index a96eedee6..32b43cdf1 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -10,6 +10,7 @@ include /etc/firejail/jd-gui.local
 #
 
 noblacklist ${HOME}/.config/jd-gui.cfg
+noblacklist ${HOME}/.java
 
 #Blacklist Paths
 include /etc/firejail/disable-common.inc
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 90d87df2f..fe5861e4a 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -7,6 +7,7 @@ include /etc/firejail/libreoffice.local
 
 # Firejail profile for LibreOffice
 noblacklist ~/.config/libreoffice
+noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index e45ab9cba..6b0696064 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -10,6 +10,7 @@ include /etc/firejail/multimc5.local
 #
 
 #No Blacklist Paths
+noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
 
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 611ca3775..b46ac9294 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -8,6 +8,7 @@ include /etc/firejail/pdfsam.local
 #
 #Profile for pdfsam
 #
+noblacklist ${HOME}/.java
 
 #Blacklist Paths
 include /etc/firejail/disable-common.inc
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile
new file mode 100644
index 000000000..bcad82b5d
--- /dev/null
+++ b/etc/silentarmy.profile
@@ -0,0 +1,33 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/silentarmy.local
+
+# Firejail profile for SILENTARMY
+
+include /etc/firejail/disable-common.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+#private-bin silentarmy,sa-solver,python3
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index e2dc6216b..9eaa6a83b 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -6,6 +6,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/steam.local
 
 # Steam profile (applies to games/apps launched from Steam as well)
+noblacklist ${HOME}/.java
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.Steampath
@@ -29,7 +30,9 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-tracelog
+
+# tracelog disabled as it breaks integrated browser
+#tracelog
 
 private-dev
 private-tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 214f4f885..852d54c0e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -14,6 +14,7 @@
 /etc/firejail/abrowser.profile
 /etc/firejail/akregator.profile
 /etc/firejail/amarok.profile
+/etc/firejail/android-studio.profile
 /etc/firejail/arduino.profile
 /etc/firejail/ark.profile
 /etc/firejail/atom-beta.profile
@@ -136,6 +137,7 @@
 /etc/firejail/icecat.profile
 /etc/firejail/icedove.profile
 /etc/firejail/iceweasel.profile
+/etc/firejail/idea.sh.profile
 /etc/firejail/img2txt.profile
 /etc/firejail/inkscape.profile
 /etc/firejail/inox.profile
@@ -209,6 +211,7 @@
 /etc/firejail/pcmanfm.profile
 /etc/firejail/pdfsam.profile
 /etc/firejail/pdftotext.profile
+/etc/firejail/peek.profile
 /etc/firejail/pidgin.profile
 /etc/firejail/pithos.profile
 /etc/firejail/pix.profile
@@ -233,6 +236,7 @@
 /etc/firejail/seamonkey-bin.profile
 /etc/firejail/seamonkey.profile
 /etc/firejail/server.profile
+/etc/firejail/silentarmy.profile
 /etc/firejail/simple-scan.profile
 /etc/firejail/skanlite.profile
 /etc/firejail/skype.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c616f040c..025f239ba 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -6,6 +6,7 @@
 abrowser
 akregator
 amarok
+android-studio
 arduino
 ark
 atom
@@ -118,6 +119,7 @@ hugin
 icecat
 icedove
 iceweasel
+idea.sh
 img2txt
 inkscape
 inox
@@ -188,6 +190,7 @@ palemoon
 parole
 pdfsam
 pdftotext
+peek
 pidgin
 pithos
 pix
@@ -212,6 +215,7 @@ scribus
 seamonkey
 seamonkey-bin
 simple-scan
+silentarmy
 skanlite
 skype
 skypeforlinux
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index af943581e..88f04f47f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -81,8 +81,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 if (cfg.profile_ignore[i] == NULL)
                         break;
 
-                if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
-                        return 0;       // ignore line
+                int len = strlen(cfg.profile_ignore[i]);
+                if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {
+                        // full word match
+                        if (*(ptr + len) == '\0' || *(ptr + len) == ' ')
+                                return 0;       // ignore line
+                }
         }
 
         if (strncmp(ptr, "ignore ", 7) == 0) {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 15379215c..29f928ee7 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -123,40 +123,47 @@ void seccomp_filter_64(void) {
 
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
-        // default seccomp
-        if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) {
+        // if we have multiple seccomp commands, only one of them is executed
+        // in the following order:
+        //      - seccomp.drop list
+        //      - seccomp list
+        //      - seccomp
+        if (cfg.seccomp_list_drop == NULL) {
+                // default seccomp
+                if (cfg.seccomp_list == NULL) {
 #if defined(__x86_64__)
-                seccomp_filter_32();
+                        seccomp_filter_32();
 #endif
 #if defined(__i386__)
-                seccomp_filter_64();
+                        seccomp_filter_64();
 #endif
-        }
-        // default seccomp filter with additional drop list
-        else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
+                }
+                // default seccomp filter with additional drop list
+                else { // cfg.seccomp_list != NULL
 #if defined(__x86_64__)
-                seccomp_filter_32();
+                        seccomp_filter_32();
 #endif
 #if defined(__i386__)
-                seccomp_filter_64();
+                        seccomp_filter_64();
 #endif
-                if (arg_debug)
-                        printf("Build default+drop seccomp filter\n");
-
-                // build the seccomp filter as a regular user
-                int rv;
-                if (arg_allow_debuggers)
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
-                else
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
-                if (rv)
-                        exit(rv);
+                        if (arg_debug)
+                                printf("Build default+drop seccomp filter\n");
+
+                        // build the seccomp filter as a regular user
+                        int rv;
+                        if (arg_allow_debuggers)
+                                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
+                                        PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
+                        else
+                                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+                                        PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
+                        if (rv)
+                                exit(rv);
+                }
         }
 
         // drop list without defaults - secondary filters are not installed
-        else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
+        else { // cfg.seccomp_list_drop != NULL
                 if (arg_debug)
                         printf("Build drop seccomp filter\n");
 
@@ -172,9 +179,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
                 if (rv)
                         exit(rv);
         }
-        else {
-                assert(0);
-        }
 
         // load the filter
         if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 79ebc3b1b..77bf7749f 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) {
 
         // build the start command
         char *server_argv[256] = {                // rest initialyzed to NULL
-                 "xpra", "start", display_str, "--no-daemon", "--use-display",
+                 "xpra", "start", display_str, "--no-daemon",
         };
         unsigned pos = 0;
         while (server_argv[pos] != NULL) pos++;