11 files changed, 61 insertions, 52 deletions

diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
index 3e717f162..f3ded0f22 100644
--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -5,10 +5,12 @@ on:
     branches: [ master ]
     paths:
       - 'etc/**'
+      - 'contrib/sort.py'
   pull_request:
     branches: [ master ]
     paths:
       - 'etc/**'
+      - 'contrib/sort.py'
 
 jobs:
   profile-sort:
diff --git a/contrib/sort.py b/contrib/sort.py
index 5df353549..9e5062c3c 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -80,7 +80,7 @@ def fix_profile(filename):
         lines = profile.read().split("\n")
         was_fixed = False
         fixed_profile = []
-        for line in lines:
+        for lineno, line in enumerate(lines):
             if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
                 fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
             elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
@@ -95,6 +95,10 @@ def fix_profile(filename):
                 fixed_line = line
             if fixed_line != line:
                 was_fixed = True
+                print(
+                    f"{filename}:{lineno + 1}:-{line}\n"
+                    f"{filename}:{lineno + 1}:+{fixed_line}"
+                )
             fixed_profile.append(fixed_line)
         if was_fixed:
             profile.seek(0)
@@ -108,6 +112,7 @@ def fix_profile(filename):
 
 def main(args):
     exit_code = 0
+    print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
     for filename in args:
         try:
             if exit_code not in (1, 101):
@@ -120,8 +125,8 @@ def main(args):
         except PermissionError:
             print(f"[ Error ] Can't read/write `{filename}'")
             exit_code = 1
-        except:
-            print(f"[ Error ] An error occurred while processing `{filename}'")
+        except Exception as err:
+            print(f"[ Error ] An error occurred while processing `{filename}': {err}")
             exit_code = 1
     return exit_code
 
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index f086653f8..893a1ce46 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -1,2 +1,5 @@
 # Site-specific additions and overrides for 'firejail-default'.
 # For more details, please see /etc/apparmor.d/local/README.
+
+# Uncomment to opt-in to apparmor for torbrowser-launcher
+#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index e5beb741a..edb7ed840 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -20,7 +20,7 @@ nowhitelist ${DOWNLOADS}
 mkdir ${HOME}/.config/Jitsi Meet
 whitelist ${HOME}/.config/Jitsi Meet
 
-private-bin bash,jitsi-meet-desktop
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 
 # Redirect
diff --git a/etc/profile-m-z/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
index 7367d906e..2f73c9fee 100644
--- a/etc/profile-m-z/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -4,7 +4,7 @@
 include start-tor-browser.desktop.local
 # Persistent global definitions
 # added by included profile
-include globals.local
+#include globals.local
 
 noblacklist ${HOME}/.tor-browser*
 
@@ -72,8 +72,5 @@ whitelist ${HOME}/.tor-browser_vi
 whitelist ${HOME}/.tor-browser_zh-CN
 whitelist ${HOME}/.tor-browser_zh-TW
 
-# Ignoring apparmor, tor browser is installed in user home directory using the binary archive distributed by Tor Foundation
-ignore apparmor
-
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile
index b5c4d211e..17ceedee7 100644
--- a/etc/profile-m-z/start-tor-browser.profile
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include start-tor-browser.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include start-tor-browser.desktop.profile
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index eb90f0030..1045fa02a 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -31,7 +31,10 @@ whitelist ${HOME}/.local/share/torbrowser
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-apparmor
+# Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
+# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
+# to be uncommented too for this to work as expected.
+#apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 9e9fc3fe9..72b7d3025 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -2,15 +2,15 @@
 # Description: DESCRIPTION
 # This file is overwritten after every install/update
 # --- CUT HERE ---
-# This is a generic template to help you with creation of profiles
-# for new programs. PRs welcome at https://github.com/netblue30/firejail/.
+# This is a generic template to help you create profiles.
+# PRs welcome at https://github.com/netblue30/firejail/.
 #
 # Rules to follow:
 #  - lines with one # are often used in profiles
 #  - lines with two ## are only needed in special situations
 #  - make the profile as restrictive as possible while still keeping the program useful
-#    (e. g. a program that is unable to save user's work is considered bad practice)
-#  - dedicate some time (based on the complexity of the application) to profile testing before raising
+#    (e.g. a program that is unable to save user's work is considered bad practice)
+#  - dedicate ample time (based on the complexity of the application) to profile testing before raising
 #    a pull request
 #  - keep the sections structure, use a single empty line as separator
 #  - entries within sections are alphabetically sorted
@@ -42,7 +42,7 @@
 #  ${DOCUMENTS}
 #  ${DOWNLOADS}
 #  ${HOME} (user's home)
-#  ${PATH} (contents of PATH envvar)
+#  ${PATH} (contents of PATH env var)
 #  ${MUSIC}
 #  ${RUNUSER} (/run/user/UID)
 #  ${VIDEOS}
@@ -81,12 +81,11 @@ include globals.local
 #      `ls -aR`
 #noblacklist PATH
 
-# Allow python (blacklisted by disable-interpreters.inc)
-#include allow-python2.inc
-#include allow-python3.inc
+# Allows files commonly used by IDEs
+#include allow-common-devel.inc
 
-# Allow perl (blacklisted by disable-interpreters.inc)
-#include allow-perl.inc
+# Allow gjs (blacklisted by disable-interpreters.inc)
+#include allow-gjs.inc
 
 # Allow java (blacklisted by disable-devel.inc)
 #include allow-java.inc
@@ -94,14 +93,15 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
-# Allow ruby (blacklisted by disable-interpreters.inc)
-#include allow-ruby.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
 
-# Allow gjs (blacklisted by disable-interpreters.inc)
-#include allow-gjs.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
 
-# Allows files commonly used by IDEs
-#include allow-common-devel.inc
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
 
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
@@ -117,10 +117,10 @@ include globals.local
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is
-# that if a user feels too restricted (he's unable to save files into
-# home directory for instance) he/she may disable whitelist (nowhitelist)
+# that if a user feels too restricted (e.g. unable to save files into
+# home directory) they may disable whitelist (nowhitelist)
 # in PROFILE.local but still be protected by BLACKLISTS section
-# (further explanation at https://github.com/netblue30/firejail/issues/1569)
+# (explanation at https://github.com/netblue30/firejail/issues/1569)
 #mkdir PATH
 ##mkfile PATH
 #whitelist PATH
@@ -136,7 +136,7 @@ include globals.local
 ##hostname NAME
 # CLI only
 ##ipc-namespace
-# breaks sound and sometime dbus related functions
+# breaks audio and sometimes dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -161,7 +161,7 @@ include globals.local
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #seccomp.block-secondary
-##seccomp-error-action log (Only for debugging seccomp issues)
+##seccomp-error-action log (only for debugging seccomp issues)
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
@@ -176,16 +176,16 @@ include globals.local
 #private-etc FILES
 # private-etc templates (see also #1734, #2093)
 #  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
-#    Extra: magic,magic.mgc,passwd,group
-#  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
-#    Extra: proxychains.conf,gai.conf
-#  Sound: alsa,asound.conf,pulse,machine-id
+#    Extra: group,magic,magic.mgc,passwd
+#  3D: bumblebee,drirc,glvnd,nvidia
+#  Audio: alsa,asound.conf,machine-id,pulse
+#  D-Bus: dbus-1,machine-id
 #  GUI: fonts,pango,X11
 #  GTK: dconf,gconf,gtk-2.0,gtk-3.0
-#  Qt: Trolltech.conf
 #  KDE: kde4rc,kde5rc
-#  3D: drirc,glvnd,bumblebee,nvidia
-#  D-Bus: dbus-1,machine-id
+#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
+#    Extra: gai.conf,proxychains.conf
+#  Qt: Trolltech.conf
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
@@ -194,14 +194,14 @@ include globals.local
 ##writable-var
 ##writable-var-log
 
-# Since 0.9.63 also a more granular regulation of dbus is supported.
-# To get the dbus-addresses to which an application needs access to.
-# You can look at flatpak if the application is also distriputed via flatpak:
+# Since 0.9.63 also a more granular control of dbus is supported.
+# To get the dbus-addresses an application needs access to you can
+# check with flatpak (when the application is distriputed that way):
 #    flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 #  - flatpak implicitly allows an app to own <APP-ID> on the session bus
-#  - In order to make dconf work (if it is used by the app) you need to allow
-#    'ca.desrt.dconf' even if it is not allowed by flatpak.
+#  - In order to make dconf work (when used by the app) you need to allow
+#    'ca.desrt.dconf' even when not allowed by flatpak.
 # Notes and Policiy about addresses can be found at
 # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
 #dbus-user filter
@@ -211,7 +211,7 @@ include globals.local
 #dbus-system none
 
 ##env VAR=VALUE
+##join-or-start NAME
 #memory-deny-write-execute
 ##noexec PATH
 ##read-only ${HOME}
-##join-or-start NAME
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 88df8b9d4..d7e96cf4c 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -171,7 +171,7 @@ void fs_chroot(const char *rootdir) {
         free(proc);
         close(fd);
 
-        // x11
+#ifdef HAVE_X11
         // if users want this mount, they should set FIREJAIL_CHROOT_X11
         if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) {
                 if (arg_debug)
@@ -199,6 +199,7 @@ void fs_chroot(const char *rootdir) {
                 free(proc);
                 close(fd);
         }
+#endif // HAVE_X11
 
         // some older distros don't have a /run directory, create one by default
         if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ec601b1a0..61533fcd9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1008,7 +1008,7 @@ int main(int argc, char **argv, char **envp) {
 
         // sanity check for environment variables
         if (i >= MAX_ENVS) {
-                fprintf(stderr, "Error: too many environment variables, please use --rmenv\n");
+                fprintf(stderr, "Error: too many environment variables\n");
                 exit(1);
         }
 
@@ -1022,9 +1022,6 @@ int main(int argc, char **argv, char **envp) {
                         fprintf(stderr, "Error: too long arguments\n");
                         exit(1);
                 }
-                // Also remove requested environment variables
-                if (strncmp(argv[i], "--rmenv=", 8) == 0)
-                        env_store(argv[i] + 8, RMENV);
         }
 
         // Reapply a minimal set of environment variables
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 318c45335..9a4be5cc0 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -462,10 +462,10 @@ static int ok_to_run(const char *program) {
 
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
         // set environment
-        if (no_sandbox == 0) {
+        if (no_sandbox == 0)
                 env_defaults();
-                env_apply_all();
-        }
+        env_apply_all();
+
         // restore original umask
         umask(orig_umask);