7 files changed, 104 insertions, 41 deletions
diff --git a/README.md b/README.md
index c6b1b0933..67beef83b 100644
--- a/README.md
+++ b/README.md
@@ -66,12 +66,69 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 `````
 `````
+## Desktop integration
+All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program
+in desktop manager menu should start the program automatically in a sandbox, if a profile
+is available in /etc/firejail. We cover about 270 different applications in this moment on all major desktop managers.
+Thunar (XFCE) and PCManFM (LXDE) file managers symlinks are installed in /usr/local/bin by firecfg. 
+File managers are usually started by default at login time, and will be sandboxed.
+Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager.
+For example, clicking on a video file will start a sandboxed VLC running the video.
+We support in this moment XFCE and LXDE, MATE will come next, followed by KDE and Gnome.
 ## AppImage
 Added AppImage type 2 support, and support for passing command line arguments to appimages.
 `````
 `````
+## X11 sandboxing support
+In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server.
+Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server)
+while also having the ability to take screenshots.
+       --x11=xvfb
+              Start  Xvfb  X11  server  and attach the sandbox to this server.
+              Xvfb, short for X virtual framebuffer,  performs  all  graphical
+              operations  in memory without showing any screen output. Xvfb is
+              mainly used for remote access and software testing  on  headless
+              servers.
+              On Debian platforms Xvfb is installed with the command sudo apt-
+              get install xvfb.  This feature is not available when running as
+              root.
+              Example: remote VNC access
+              On  the  server we start a sandbox using Xvfb and openbox window
+              manager. The default size of Xvfb screen is 800x600 - it can  be
+              changed  in  /etc/firejail/firejail.config  (xvfb-screen).  Some
+              sort of networking (--net) is required in order to  isolate  the
+              abstract sockets used by other X servers.
+              $ firejail --net=none --x11=xvfb openbox
+              *** Attaching to Xvfb display 792 ***
+              Reading profile /etc/firejail/openbox.profile
+              Reading profile /etc/firejail/disable-common.inc
+              Reading profile /etc/firejail/disable-common.local
+              Parent pid 5400, child pid 5401
+              On  the  server  we also start a VNC server and attach it to the
+              display handled by our Xvfb server (792).
+              $ x11vnc -display :792
+              On the client machine we start a VNC viewer and use it  to  con‐
+              nect to our server:
+              $ vncviewer
 ## New command line options
 `````
      --private-opt=file,directory
@@ -145,43 +202,6 @@ Added AppImage type 2 support, and support for passing command line arguments to
              $ firejail --git-uninstall
-       --x11=xvfb
-              Start  Xvfb  X11  server  and attach the sandbox to this server.
-              Xvfb, short for X virtual framebuffer,  performs  all  graphical
-              operations  in memory without showing any screen output. Xvfb is
-              mainly used for remote access and software testing  on  headless
-              servers.
-              On Debian platforms Xvfb is installed with the command sudo apt-
-              get install xvfb.  This feature is not available when running as
-              root.
-              Example: remote VNC access
-              On  the  server we start a sandbox using Xvfb and openbox window
-              manager. The default size of Xvfb screen is 800x600 - it can  be
-              changed  in  /etc/firejail/firejail.config  (xvfb-screen).  Some
-              sort of networking (--net) is required in order to  isolate  the
-              abstract sockets used by other X servers.
-              $ firejail --net=none --x11=xvfb openbox
-              *** Attaching to Xvfb display 792 ***
-              Reading profile /etc/firejail/openbox.profile
-              Reading profile /etc/firejail/disable-common.inc
-              Reading profile /etc/firejail/disable-common.local
-              Parent pid 5400, child pid 5401
-              On  the  server  we also start a VNC server and attach it to the
-              display handled by our Xvfb server (792).
-              $ x11vnc -display :792
-              On the client machine we start a VNC viewer and use it  to  con‐
-              nect to our server:
-              $ vncviewer
       --nowhitelist=dirname_or_filename
              Disable whitelist for this directory or file.
@@ -196,5 +216,5 @@ simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show,
 xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
 PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser,
 Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file,
-Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, akregator, kcalc, ktorrent,
+Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
-Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto
+Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM
diff --git a/RELNOTES b/RELNOTES
index f71859cf4..a4615b240 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -37,7 +37,9 @@ firejail (0.9.46-rc1) baseline; urgency=low
  * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
  * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
  * new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
-  * new profiles: youtube-dl, meld, Arduino
+  * new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
+  * new profiles: Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict,
+  * new profiles: Ristretto, PCManFM
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Fri, 7 Apr 2017 08:00:00 -0500
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
index 5a27177e0..f1b75b1f3 100644
--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -7,7 +7,7 @@ noblacklist ~/.config/Thunar
 noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -21,3 +21,11 @@ protocol unix
 seccomp
 shell none
 tracelog
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 9b84f5e8a..18b644987 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -107,6 +107,7 @@ blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
+blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
new file mode 100644
index 000000000..e51c5e3b8
--- /dev/null
+++ b/etc/pcmanfm.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pcmanfm.local
+noblacklist ~/.config/pcmanfm
+noblacklist ~/.config/libfm
+include /etc/firejail/disable-common.inc
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 355faf44f..2f0da51ce 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -276,3 +276,4 @@
 /etc/firejail/ristretto.profile
 /etc/firejail/xfce4-dict.profile
 /etc/firejail/xfce4-notes.profile
+/etc/firejail/pcmanfm.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c44d83e7b..93744f671 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -148,6 +148,7 @@ opera-beta
 orage
 palemoon
 parole
+pcmanfm
 pdfsam
 pdftotext
 pidgin

diff --git a/README.md b/README.md index c6b1b0933..67beef83b 100644 --- a/README.md +++ b/README.md
@@ -66,12 +66,69 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
66	`````	66	`````
67		67
68	`````	68	`````
		69	## Desktop integration
		70
		71	All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program
		72	in desktop manager menu should start the program automatically in a sandbox, if a profile
		73	is available in /etc/firejail. We cover about 270 different applications in this moment on all major desktop managers.
		74
		75	Thunar (XFCE) and PCManFM (LXDE) file managers symlinks are installed in /usr/local/bin by firecfg.
		76	File managers are usually started by default at login time, and will be sandboxed.
		77	Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager.
		78	For example, clicking on a video file will start a sandboxed VLC running the video.
		79	We support in this moment XFCE and LXDE, MATE will come next, followed by KDE and Gnome.
		80
69	## AppImage	81	## AppImage
70		82
71	Added AppImage type 2 support, and support for passing command line arguments to appimages.	83	Added AppImage type 2 support, and support for passing command line arguments to appimages.
72	`````	84	`````
73		85
74	`````	86	`````
		87	## X11 sandboxing support
		88	In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server.
		89	Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server)
		90	while also having the ability to take screenshots.
		91
		92
		93	--x11=xvfb
		94	Start Xvfb X11 server and attach the sandbox to this server.
		95	Xvfb, short for X virtual framebuffer, performs all graphical
		96	operations in memory without showing any screen output. Xvfb is
		97	mainly used for remote access and software testing on headless
		98	servers.
		99
		100	On Debian platforms Xvfb is installed with the command sudo apt-
		101	get install xvfb. This feature is not available when running as
		102	root.
		103
		104	Example: remote VNC access
		105
		106	On the server we start a sandbox using Xvfb and openbox window
		107	manager. The default size of Xvfb screen is 800x600 - it can be
		108	changed in /etc/firejail/firejail.config (xvfb-screen). Some
		109	sort of networking (--net) is required in order to isolate the
		110	abstract sockets used by other X servers.
		111
		112	$ firejail --net=none --x11=xvfb openbox
		113
		114	* Attaching to Xvfb display 792 *
		115
		116	Reading profile /etc/firejail/openbox.profile
		117	Reading profile /etc/firejail/disable-common.inc
		118	Reading profile /etc/firejail/disable-common.local
		119	Parent pid 5400, child pid 5401
		120
		121	On the server we also start a VNC server and attach it to the
		122	display handled by our Xvfb server (792).
		123
		124	$ x11vnc -display :792
		125
		126	On the client machine we start a VNC viewer and use it to con‐
		127	nect to our server:
		128
		129	$ vncviewer
		130
		131
75	## New command line options	132	## New command line options
76	`````	133	`````
77	--private-opt=file,directory	134	--private-opt=file,directory
@@ -145,43 +202,6 @@ Added AppImage type 2 support, and support for passing command line arguments to
145		202
146	$ firejail --git-uninstall	203	$ firejail --git-uninstall
147		204
148	--x11=xvfb
149	Start Xvfb X11 server and attach the sandbox to this server.
150	Xvfb, short for X virtual framebuffer, performs all graphical
151	operations in memory without showing any screen output. Xvfb is
152	mainly used for remote access and software testing on headless
153	servers.
154
155	On Debian platforms Xvfb is installed with the command sudo apt-
156	get install xvfb. This feature is not available when running as
157	root.
158
159	Example: remote VNC access
160
161	On the server we start a sandbox using Xvfb and openbox window
162	manager. The default size of Xvfb screen is 800x600 - it can be
163	changed in /etc/firejail/firejail.config (xvfb-screen). Some
164	sort of networking (--net) is required in order to isolate the
165	abstract sockets used by other X servers.
166
167	$ firejail --net=none --x11=xvfb openbox
168
169	* Attaching to Xvfb display 792 *
170
171	Reading profile /etc/firejail/openbox.profile
172	Reading profile /etc/firejail/disable-common.inc
173	Reading profile /etc/firejail/disable-common.local
174	Parent pid 5400, child pid 5401
175
176	On the server we also start a VNC server and attach it to the
177	display handled by our Xvfb server (792).
178
179	$ x11vnc -display :792
180
181	On the client machine we start a VNC viewer and use it to con‐
182	nect to our server:
183
184	$ vncviewer
185		205
186	--nowhitelist=dirname_or_filename	206	--nowhitelist=dirname_or_filename
187	Disable whitelist for this directory or file.	207	Disable whitelist for this directory or file.
@@ -196,5 +216,5 @@ simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show,
196	xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,	216	xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
197	PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser,	217	PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser,
198	Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file,	218	Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file,
199	Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, akregator, kcalc, ktorrent,	219	Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
200	Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto	220	Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM


diff --git a/RELNOTES b/RELNOTES index f71859cf4..a4615b240 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -37,7 +37,9 @@ firejail (0.9.46-rc1) baseline; urgency=low
37	* new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,	37	* new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa,
38	* new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,	38	* new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView,
39	* new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,	39	* new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking,
40	* new profiles: youtube-dl, meld, Arduino	40	* new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
		41	* new profiles: Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict,
		42	* new profiles: Ristretto, PCManFM
41	* bugfixes	43	* bugfixes
42	-- netblue30 <netblue30@yahoo.com> Fri, 7 Apr 2017 08:00:00 -0500	44	-- netblue30 <netblue30@yahoo.com> Fri, 7 Apr 2017 08:00:00 -0500
43		45


diff --git a/etc/Thunar.profile b/etc/Thunar.profile index 5a27177e0..f1b75b1f3 100644 --- a/etc/Thunar.profile +++ b/etc/Thunar.profile
@@ -7,7 +7,7 @@ noblacklist ~/.config/Thunar
7	noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml	7	noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
8		8
9	include /etc/firejail/disable-common.inc	9	include /etc/firejail/disable-common.inc
10	include /etc/firejail/disable-programs.inc	10	#include /etc/firejail/disable-programs.inc
11	include /etc/firejail/disable-devel.inc	11	include /etc/firejail/disable-devel.inc
12	include /etc/firejail/disable-passwdmgr.inc	12	include /etc/firejail/disable-passwdmgr.inc
13		13
@@ -21,3 +21,11 @@ protocol unix
21	seccomp	21	seccomp
22	shell none	22	shell none
23	tracelog	23	tracelog
		24
		25	#
		26	# depending on you usage, you can enable some of the commands below:
		27	#
		28	# private-bin program
		29	# private-etc none
		30	# private-dev
		31	# private-tmp


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 9b84f5e8a..18b644987 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -107,6 +107,7 @@ blacklist ${HOME}/.config/opera
107	blacklist ${HOME}/.config/opera-beta	107	blacklist ${HOME}/.config/opera-beta
108	blacklist ${HOME}/.config/orage	108	blacklist ${HOME}/.config/orage
109	blacklist ${HOME}/.config/org.kde.gwenviewrc	109	blacklist ${HOME}/.config/org.kde.gwenviewrc
		110	blacklist ${HOME}/.config/pcmanfm
110	blacklist ${HOME}/.config/pix	111	blacklist ${HOME}/.config/pix
111	blacklist ${HOME}/.config/pluma	112	blacklist ${HOME}/.config/pluma
112	blacklist ${HOME}/.config/psi+	113	blacklist ${HOME}/.config/psi+


diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile new file mode 100644 index 000000000..e51c5e3b8 --- /dev/null +++ b/etc/pcmanfm.profile
@@ -0,0 +1,30 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include /etc/firejail/pcmanfm.local
		4
		5	noblacklist ~/.config/pcmanfm
		6	noblacklist ~/.config/libfm
		7	include /etc/firejail/disable-common.inc
		8	#include /etc/firejail/disable-programs.inc
		9	include /etc/firejail/disable-devel.inc
		10	include /etc/firejail/disable-passwdmgr.inc
		11
		12	caps.drop all
		13	netfilter
		14	nogroups
		15	nonewprivs
		16	noroot
		17	nosound
		18	protocol unix
		19	seccomp
		20	shell none
		21	tracelog
		22
		23	#
		24	# depending on you usage, you can enable some of the commands below:
		25	#
		26	# private-bin program
		27	# private-etc none
		28	# private-dev
		29	# private-tmp
		30


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 355faf44f..2f0da51ce 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -276,3 +276,4 @@
276	/etc/firejail/ristretto.profile	276	/etc/firejail/ristretto.profile
277	/etc/firejail/xfce4-dict.profile	277	/etc/firejail/xfce4-dict.profile
278	/etc/firejail/xfce4-notes.profile	278	/etc/firejail/xfce4-notes.profile
		279	/etc/firejail/pcmanfm.profile


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c44d83e7b..93744f671 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -148,6 +148,7 @@ opera-beta
148	orage	148	orage
149	palemoon	149	palemoon
150	parole	150	parole
		151	pcmanfm
151	pdfsam	152	pdfsam
152	pdftotext	153	pdftotext
153	pidgin	154	pidgin