19 files changed, 148 insertions, 15 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index b2a96612f..731e744dd 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -107,7 +107,7 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
-# Seccomp error action, kill or errno (EPERM, ENOSYS etc)
+# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 # Enable or disable user namespace support, default enabled.
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e911be93a..e5dd9cb59 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -396,6 +396,7 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.config/Zulip
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index c9c8bdedf..ceeb14dcc 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -41,6 +41,8 @@ whitelist /usr/share/misc
 whitelist /usr/share/Modules
 whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
+whitelist /usr/share/perl
+whitelist /usr/share/perl5
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer
new file mode 100644
index 000000000..023f10d3d
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer
new file mode 100644
index 000000000..331e73218
--- /dev/null
+++ b/etc/profile-a-l/gtk2-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk2-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk2-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer
new file mode 100644
index 000000000..4c5bde55f
--- /dev/null
+++ b/etc/profile-a-l/gtk3-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk3-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk3-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+ignore quiet
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+include whitelist-runuser-common.inc
+# Redirect
+include youtube-viewer.profile
+\ No newline at end of file
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
new file mode 100644
index 000000000..513cb0f6e
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,57 @@
+# Firejail profile for youtube-viewer
+# Description: Trizen's CLI Youtube viewer with login support
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-viewer.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+noblacklist ${HOME}/.config/youtube-viewer
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.config/youtube-viewer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
+\ No newline at end of file
diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index efb477920..a19dee620 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -52,12 +52,12 @@ echo "*****************************************"
 mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
+install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
 mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$VERSION/g"  platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
+sed "s/FIREJAILVER/$VERSION/g"  $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
+install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
 find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
 chmod 644 $DEBIAN_CTRL_DIR/conffiles
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 05c5681d5..0574daae6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -327,6 +327,9 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -816,6 +819,7 @@ xviewer
 yandex-browser
 yelp
 youtube-dl
+youtube-viewer
 zaproxy
 zart
 zathura
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 5d6b4af66..f6b3b3252 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -229,6 +229,8 @@ int checkcfg(int val) {
 #ifdef HAVE_SECCOMP
                                if (strcmp(ptr + 21, "kill") == 0)
                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG;
                                else {
                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
                                        if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9c5a050b4..c98f80d13 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -186,7 +186,7 @@ typedef struct config_t {
        char *seccomp_list_drop, *seccomp_list_drop32;  // seccomp drop list
        char *seccomp_list_keep, *seccomp_list_keep32;  // seccomp keep list
        char *protocol;                 // protocol list
-        char *seccomp_error_action;                     // error action: kill or errno
+        char *seccomp_error_action;                     // error action: kill, log or errno
        // rlimits
        long long unsigned rlimit_cpu;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f37d1ca52..b9cb43444 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1441,6 +1441,8 @@ int main(int argc, char **argv, char **envp) {
                                if (config_seccomp_error_action == -1) {
                                        if (strcmp(argv[i] + 23, "kill") == 0)
                                                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                        else if (strcmp(argv[i] + 23, "log") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_LOG;
                                        else {
                                                arg_seccomp_error_action = errno_find_name(argv[i] + 23);
                                                if (arg_seccomp_error_action == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 70acd8a2a..970033899 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -991,6 +991,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        if (config_seccomp_error_action == -1) {
                                if (strcmp(ptr + 21, "kill") == 0)
                                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        arg_seccomp_error_action = SECCOMP_RET_LOG;
                                else {
                                        arg_seccomp_error_action = errno_find_name(ptr + 21);
                                        if (arg_seccomp_error_action == -1)
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index a7d0b2fbe..7e9628007 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -63,7 +63,9 @@ void shut(pid_t pid) {
                sleep(1);
                monsec--;
+                EUID_ROOT();
                FILE *fp = fopen(monfile, "r");
+                EUID_USER();
                if (!fp) {
                        killdone = 1;
                        break;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 4ab464289..73c9a6a8b 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -224,7 +224,8 @@ static char *usage_str =
        "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
        "\tidentified by name or PID.\n"
        "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
-        "    --seccomp-error-action=errno|kill - change error code or kill process.\n"
+        "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
+        "\tor log the attempt.\n"
 #endif
        "    --shell=none - run the program directly without a user shell.\n"
        "    --shell=program - set default user shell.\n"
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 892a88e25..3b3c92b46 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -20,7 +20,7 @@
 #include "fseccomp.h"
 #include "../include/seccomp.h"
 int arg_quiet = 0;
-int arg_seccomp_error_action = EPERM; // error action: errno or kill
+int arg_seccomp_error_action = EPERM; // error action: errno, log or kill
 static void usage(void) {
        printf("Usage:\n");
@@ -73,6 +73,8 @@ printf("\n");
        if (error_action) {
                if (strcmp(error_action, "kill") == 0)
                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else if (strcmp(error_action, "log") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_LOG;
                else {
                        arg_seccomp_error_action = errno_find_name(error_action);
                        if (arg_seccomp_error_action == -1)
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 50920ce3a..29b858c70 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -274,7 +274,7 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
-extern int arg_seccomp_error_action;    // error action: errno or kill
+extern int arg_seccomp_error_action;    // error action: errno, log or kill
 #define KILL_OR_RETURN_ERRNO \
        BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7b5653942..0784e7fd7 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list.
 \fBseccomp.32.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
-\fBseccomp-error-action kill | ERRNO
+\fBseccomp-error-action kill | log | ERRNO
-Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call.
+Return a different error instead of EPERM to the process, kill it when
+an attempt is made to call a blocked system call, or allow but log the
+attempt.
 .TP
 \fBx11
 Enable X11 sandboxing.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 69cd4a7bc..e216531ae 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1059,7 +1059,7 @@ that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
 the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
 and shmat system calls and returns error EPERM to the process (or
-kills it, see \-\-seccomp-error-action below) if necessary.
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 .br
 .br
@@ -2122,8 +2122,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 .br
@@ -2193,7 +2193,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 .br
@@ -2402,7 +2403,8 @@ By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
 also be killed (like in versions <0.9.63 of Firejail) by using
-\-\-seccomp-error-action=kill syntax. Not killing the process weakens
+\-\-seccomp-error-action=kill syntax, or the attempt may be logged
+with \-\-seccomp-error-action=log. Not killing the process weakens
 Firejail slightly when trying to contain intrusion, but it may also
 allow tighter filters if the only alternative is to allow a system
 call.

diff --git a/etc/firejail.config b/etc/firejail.config index b2a96612f..731e744dd 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -107,7 +107,7 @@
107	# Enable or disable seccomp support, default enabled.	107	# Enable or disable seccomp support, default enabled.
108	# seccomp yes	108	# seccomp yes
109		109
110	# Seccomp error action, kill or errno (EPERM, ENOSYS etc)	110	# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
111	# seccomp-error-action EPERM	111	# seccomp-error-action EPERM
112		112
113	# Enable or disable user namespace support, default enabled.	113	# Enable or disable user namespace support, default enabled.


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e911be93a..e5dd9cb59 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -396,6 +396,7 @@ blacklist ${HOME}/.config/yandex-browser
396	blacklist ${HOME}/.config/yandex-browser-beta	396	blacklist ${HOME}/.config/yandex-browser-beta
397	blacklist ${HOME}/.config/yelp	397	blacklist ${HOME}/.config/yelp
398	blacklist ${HOME}/.config/youtube-dl	398	blacklist ${HOME}/.config/youtube-dl
		399	blacklist ${HOME}/.config/youtube-viewer
399	blacklist ${HOME}/.config/zathura	400	blacklist ${HOME}/.config/zathura
400	blacklist ${HOME}/.config/zoomus.conf	401	blacklist ${HOME}/.config/zoomus.conf
401	blacklist ${HOME}/.config/Zulip	402	blacklist ${HOME}/.config/Zulip


diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index c9c8bdedf..ceeb14dcc 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc
@@ -41,6 +41,8 @@ whitelist /usr/share/misc
41	whitelist /usr/share/Modules	41	whitelist /usr/share/Modules
42	whitelist /usr/share/myspell	42	whitelist /usr/share/myspell
43	whitelist /usr/share/p11-kit	43	whitelist /usr/share/p11-kit
		44	whitelist /usr/share/perl
		45	whitelist /usr/share/perl5
44	whitelist /usr/share/pixmaps	46	whitelist /usr/share/pixmaps
45	whitelist /usr/share/pki	47	whitelist /usr/share/pki
46	whitelist /usr/share/plasma	48	whitelist /usr/share/plasma


diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer new file mode 100644 index 000000000..023f10d3d --- /dev/null +++ b/etc/profile-a-l/gtk-youtube-viewer
@@ -0,0 +1,18 @@
		1	# Firejail profile for gtk-youtube-viewer
		2	# Description: Gtk front-end to youtube-viewer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gtk-youtube-viewer.local
		6	# Persistent global definitions
		7	# include globals.local
		8
		9	ignore quiet
		10
		11	noblacklist /tmp/.X11-unix
		12	noblacklist ${RUNUSER}/wayland-*
		13	noblacklist ${RUNUSER}
		14
		15	include whitelist-runuser-common.inc
		16
		17	# Redirect
		18	include youtube-viewer.profile \ No newline at end of file


diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer new file mode 100644 index 000000000..331e73218 --- /dev/null +++ b/etc/profile-a-l/gtk2-youtube-viewer
@@ -0,0 +1,18 @@
		1	# Firejail profile for gtk2-youtube-viewer
		2	# Description: Gtk front-end to youtube-viewer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gtk2-youtube-viewer.local
		6	# Persistent global definitions
		7	# include globals.local
		8
		9	ignore quiet
		10
		11	noblacklist /tmp/.X11-unix
		12	noblacklist ${RUNUSER}/wayland-*
		13	noblacklist ${RUNUSER}
		14
		15	include whitelist-runuser-common.inc
		16
		17	# Redirect
		18	include youtube-viewer.profile \ No newline at end of file


diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer new file mode 100644 index 000000000..4c5bde55f --- /dev/null +++ b/etc/profile-a-l/gtk3-youtube-viewer
@@ -0,0 +1,18 @@
		1	# Firejail profile for gtk3-youtube-viewer
		2	# Description: Gtk front-end to youtube-viewer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gtk3-youtube-viewer.local
		6	# Persistent global definitions
		7	# include globals.local
		8
		9	ignore quiet
		10
		11	noblacklist /tmp/.X11-unix
		12	noblacklist ${RUNUSER}/wayland-*
		13	noblacklist ${RUNUSER}
		14
		15	include whitelist-runuser-common.inc
		16
		17	# Redirect
		18	include youtube-viewer.profile \ No newline at end of file


diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile new file mode 100644 index 000000000..513cb0f6e --- /dev/null +++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,57 @@
		1	# Firejail profile for youtube-viewer
		2	# Description: Trizen's CLI Youtube viewer with login support
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include youtube-viewer.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	blacklist /tmp/.X11-unix
		11	blacklist ${RUNUSER}/wayland-*
		12	blacklist ${RUNUSER}
		13
		14	noblacklist ${HOME}/.config/youtube-viewer
		15
		16	include allow-perl.inc
		17	include allow-python2.inc
		18	include allow-python3.inc
		19
		20	include disable-common.inc
		21	include disable-devel.inc
		22	include disable-exec.inc
		23	include disable-interpreters.inc
		24	include disable-passwdmgr.inc
		25	include disable-programs.inc
		26	include disable-xdg.inc
		27
		28	mkdir ${HOME}/.config/youtube-viewer
		29	whitelist ${HOME}/.config/youtube-viewer
		30	include whitelist-common.inc
		31	include whitelist-usr-share-common.inc
		32	include whitelist-var-common.inc
		33
		34	apparmor
		35	caps.drop all
		36	netfilter
		37	nodvd
		38	nogroups
		39	nonewprivs
		40	noroot
		41	notv
		42	nou2f
		43	novideo
		44	protocol unix,inet,inet6
		45	seccomp
		46	shell none
		47	tracelog
		48
		49	disable-mnt
		50	# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
		51	private-cache
		52	private-dev
		53	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
		54	private-tmp
		55
		56	dbus-user none
		57	dbus-system none \ No newline at end of file


diff --git a/mkdeb.sh.in b/mkdeb.sh.in index efb477920..a19dee620 100755 --- a/mkdeb.sh.in +++ b/mkdeb.sh.in
@@ -52,12 +52,12 @@ echo "*****************************************"
52	mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian	52	mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
53	gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian	53	gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
54	rm $INSTALL_DIR/usr/share/doc/firejail/COPYING	54	rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
55	install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.	55	install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
56	mkdir -p $DEBIAN_CTRL_DIR	56	mkdir -p $DEBIAN_CTRL_DIR
57	sed "s/FIREJAILVER/$VERSION/g" platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control	57	sed "s/FIREJAILVER/$VERSION/g" $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
58		58
59	mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/	59	mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
60	install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail	60	install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
61		61
62	find $INSTALL_DIR/etc -type f \| sed "s,^$INSTALL_DIR,," \| LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles	62	find $INSTALL_DIR/etc -type f \| sed "s,^$INSTALL_DIR,," \| LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
63	chmod 644 $DEBIAN_CTRL_DIR/conffiles	63	chmod 644 $DEBIAN_CTRL_DIR/conffiles


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 05c5681d5..0574daae6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -327,6 +327,9 @@ gradio
327	gramps	327	gramps
328	gravity-beams-and-evaporating-stars	328	gravity-beams-and-evaporating-stars
329	gthumb	329	gthumb
		330	gtk-youtube-viewer
		331	gtk2-youtube-viewer
		332	gtk3-youtube-viewer
330	guayadeque	333	guayadeque
331	gucharmap	334	gucharmap
332	gummi	335	gummi
@@ -816,6 +819,7 @@ xviewer
816	yandex-browser	819	yandex-browser
817	yelp	820	yelp
818	youtube-dl	821	youtube-dl
		822	youtube-viewer
819	zaproxy	823	zaproxy
820	zart	824	zart
821	zathura	825	zathura


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 5d6b4af66..f6b3b3252 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -229,6 +229,8 @@ int checkcfg(int val) {
229	#ifdef HAVE_SECCOMP	229	#ifdef HAVE_SECCOMP
230	if (strcmp(ptr + 21, "kill") == 0)	230	if (strcmp(ptr + 21, "kill") == 0)
231	cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;	231	cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
		232	else if (strcmp(ptr + 21, "log") == 0)
		233	cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG;
232	else {	234	else {
233	cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);	235	cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
234	if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)	236	if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9c5a050b4..c98f80d13 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -186,7 +186,7 @@ typedef struct config_t {
186	char seccomp_list_drop, seccomp_list_drop32; // seccomp drop list	186	char seccomp_list_drop, seccomp_list_drop32; // seccomp drop list
187	char seccomp_list_keep, seccomp_list_keep32; // seccomp keep list	187	char seccomp_list_keep, seccomp_list_keep32; // seccomp keep list
188	char *protocol; // protocol list	188	char *protocol; // protocol list
189	char *seccomp_error_action; // error action: kill or errno	189	char *seccomp_error_action; // error action: kill, log or errno
190		190
191	// rlimits	191	// rlimits
192	long long unsigned rlimit_cpu;	192	long long unsigned rlimit_cpu;


diff --git a/src/firejail/main.c b/src/firejail/main.c index f37d1ca52..b9cb43444 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1441,6 +1441,8 @@ int main(int argc, char argv, char envp) {
1441	if (config_seccomp_error_action == -1) {	1441	if (config_seccomp_error_action == -1) {
1442	if (strcmp(argv[i] + 23, "kill") == 0)	1442	if (strcmp(argv[i] + 23, "kill") == 0)
1443	arg_seccomp_error_action = SECCOMP_RET_KILL;	1443	arg_seccomp_error_action = SECCOMP_RET_KILL;
		1444	else if (strcmp(argv[i] + 23, "log") == 0)
		1445	arg_seccomp_error_action = SECCOMP_RET_LOG;
1444	else {	1446	else {
1445	arg_seccomp_error_action = errno_find_name(argv[i] + 23);	1447	arg_seccomp_error_action = errno_find_name(argv[i] + 23);
1446	if (arg_seccomp_error_action == -1)	1448	if (arg_seccomp_error_action == -1)


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 70acd8a2a..970033899 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -991,6 +991,8 @@ int profile_check_line(char ptr, int lineno, const char fname) {
991	if (config_seccomp_error_action == -1) {	991	if (config_seccomp_error_action == -1) {
992	if (strcmp(ptr + 21, "kill") == 0)	992	if (strcmp(ptr + 21, "kill") == 0)
993	arg_seccomp_error_action = SECCOMP_RET_KILL;	993	arg_seccomp_error_action = SECCOMP_RET_KILL;
		994	else if (strcmp(ptr + 21, "log") == 0)
		995	arg_seccomp_error_action = SECCOMP_RET_LOG;
994	else {	996	else {
995	arg_seccomp_error_action = errno_find_name(ptr + 21);	997	arg_seccomp_error_action = errno_find_name(ptr + 21);
996	if (arg_seccomp_error_action == -1)	998	if (arg_seccomp_error_action == -1)


diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index a7d0b2fbe..7e9628007 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c
@@ -63,7 +63,9 @@ void shut(pid_t pid) {
63	sleep(1);	63	sleep(1);
64	monsec--;	64	monsec--;
65		65
		66	EUID_ROOT();
66	FILE *fp = fopen(monfile, "r");	67	FILE *fp = fopen(monfile, "r");
		68	EUID_USER();
67	if (!fp) {	69	if (!fp) {
68	killdone = 1;	70	killdone = 1;
69	break;	71	break;


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 4ab464289..73c9a6a8b 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -224,7 +224,8 @@ static char *usage_str =
224	" --seccomp.print=name\|pid - print the seccomp filter for the sandbox\n"	224	" --seccomp.print=name\|pid - print the seccomp filter for the sandbox\n"
225	"\tidentified by name or PID.\n"	225	"\tidentified by name or PID.\n"
226	" --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"	226	" --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
227	" --seccomp-error-action=errno\|kill - change error code or kill process.\n"	227	" --seccomp-error-action=errno\|kill\|log - change error code, kill process\n"
		228	"\tor log the attempt.\n"
228	#endif	229	#endif
229	" --shell=none - run the program directly without a user shell.\n"	230	" --shell=none - run the program directly without a user shell.\n"
230	" --shell=program - set default user shell.\n"	231	" --shell=program - set default user shell.\n"


diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 892a88e25..3b3c92b46 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -20,7 +20,7 @@
20	#include "fseccomp.h"	20	#include "fseccomp.h"
21	#include "../include/seccomp.h"	21	#include "../include/seccomp.h"
22	int arg_quiet = 0;	22	int arg_quiet = 0;
23	int arg_seccomp_error_action = EPERM; // error action: errno or kill	23	int arg_seccomp_error_action = EPERM; // error action: errno, log or kill
24		24
25	static void usage(void) {	25	static void usage(void) {
26	printf("Usage:\n");	26	printf("Usage:\n");
@@ -73,6 +73,8 @@ printf("\n");
73	if (error_action) {	73	if (error_action) {
74	if (strcmp(error_action, "kill") == 0)	74	if (strcmp(error_action, "kill") == 0)
75	arg_seccomp_error_action = SECCOMP_RET_KILL;	75	arg_seccomp_error_action = SECCOMP_RET_KILL;
		76	else if (strcmp(error_action, "log") == 0)
		77	arg_seccomp_error_action = SECCOMP_RET_LOG;
76	else {	78	else {
77	arg_seccomp_error_action = errno_find_name(error_action);	79	arg_seccomp_error_action = errno_find_name(error_action);
78	if (arg_seccomp_error_action == -1)	80	if (arg_seccomp_error_action == -1)


diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 50920ce3a..29b858c70 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h
@@ -274,7 +274,7 @@ struct seccomp_data {
274	#define RETURN_ERRNO(nr) \	274	#define RETURN_ERRNO(nr) \
275	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO \| nr)	275	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO \| nr)
276		276
277	extern int arg_seccomp_error_action; // error action: errno or kill	277	extern int arg_seccomp_error_action; // error action: errno, log or kill
278	#define KILL_OR_RETURN_ERRNO \	278	#define KILL_OR_RETURN_ERRNO \
279	BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)	279	BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
280		280


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7b5653942..0784e7fd7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list.
433	\fBseccomp.32.keep syscall,syscall,syscall	433	\fBseccomp.32.keep syscall,syscall,syscall
434	Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.	434	Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
435	.TP	435	.TP
436	\fBseccomp-error-action kill \| ERRNO	436	\fBseccomp-error-action kill \| log \| ERRNO
437	Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call.	437	Return a different error instead of EPERM to the process, kill it when
		438	an attempt is made to call a blocked system call, or allow but log the
		439	attempt.
438	.TP	440	.TP
439	\fBx11	441	\fBx11
440	Enable X11 sandboxing.	442	Enable X11 sandboxing.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 69cd4a7bc..e216531ae 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1059,7 +1059,7 @@ that are both writable and executable, to change mappings to be
1059	executable, or to create executable shared memory. The filter examines	1059	executable, or to create executable shared memory. The filter examines
1060	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create	1060	the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
1061	and shmat system calls and returns error EPERM to the process (or	1061	and shmat system calls and returns error EPERM to the process (or
1062	kills it, see \-\-seccomp-error-action below) if necessary.	1062	kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
1063	.br	1063	.br
1064		1064
1065	.br	1065	.br
@@ -2122,8 +2122,8 @@ Instead of dropping the syscall by returning EPERM, another error
2122	number can be returned using \fBsyscall:errno\fR syntax. This can be	2122	number can be returned using \fBsyscall:errno\fR syntax. This can be
2123	also changed globally with \-\-seccomp-error-action or	2123	also changed globally with \-\-seccomp-error-action or
2124	in /etc/firejail/firejail.config file. The process can also be killed	2124	in /etc/firejail/firejail.config file. The process can also be killed
2125	by using \fBsyscall:kill\fR syntax.	2125	by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
2126		2126	\fBsyscall:log\fR.
2127	.br	2127	.br
2128		2128
2129	.br	2129	.br
@@ -2193,7 +2193,8 @@ Instead of dropping the syscall by returning EPERM, another error
2193	number can be returned using \fBsyscall:errno\fR syntax. This can be	2193	number can be returned using \fBsyscall:errno\fR syntax. This can be
2194	also changed globally with \-\-seccomp-error-action or	2194	also changed globally with \-\-seccomp-error-action or
2195	in /etc/firejail/firejail.config file. The process can also be killed	2195	in /etc/firejail/firejail.config file. The process can also be killed
2196	by using \fBsyscall:kill\fR syntax.	2196	by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
		2197	\fBsyscall:log\fR.
2197	.br	2198	.br
2198		2199
2199	.br	2200	.br
@@ -2402,7 +2403,8 @@ By default, if a seccomp filter blocks a system call, the process gets
2402	EPERM as the error. With \-\-seccomp-error-action=error, another error	2403	EPERM as the error. With \-\-seccomp-error-action=error, another error
2403	number can be returned, for example ENOSYS or EACCES. The process can	2404	number can be returned, for example ENOSYS or EACCES. The process can
2404	also be killed (like in versions <0.9.63 of Firejail) by using	2405	also be killed (like in versions <0.9.63 of Firejail) by using
2405	\-\-seccomp-error-action=kill syntax. Not killing the process weakens	2406	\-\-seccomp-error-action=kill syntax, or the attempt may be logged
		2407	with \-\-seccomp-error-action=log. Not killing the process weakens
2406	Firejail slightly when trying to contain intrusion, but it may also	2408	Firejail slightly when trying to contain intrusion, but it may also
2407	allow tighter filters if the only alternative is to allow a system	2409	allow tighter filters if the only alternative is to allow a system
2408	call.	2410	call.