58 files changed, 303 insertions, 103 deletions

diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index bb5b29d79..479473572 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
index 43ca501da..4f8c7a7aa 100644
--- a/src/firejail/appimage_size.c
+++ b/src/firejail/appimage_size.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index c259fc0ad..cbd80dee0 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index a085f2c27..fa9d3a940 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 5e02b99c2..c5c06c675 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 38b3c32d3..f1e16187f 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/wait.h>
 #include <errno.h>
 
@@ -122,6 +123,9 @@ void set_cgroup(const char *fname, pid_t pid) {
                 drop_privs(0);
 
                 do_set_cgroup(fname, pid);
+
+                __gcov_flush();
+
                 _exit(0);
         }
         waitpid(child, NULL, 0);
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index e5d837bbb..6fc70318b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 9425638ea..551948318 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index 2fa68a55d..6f7739da0 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index fe7258fb0..1ec510456 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 735ff54fa..66738bd4b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -297,11 +297,12 @@ void dbus_proxy_start(void) {
         if (dbus_proxy_pid == -1)
                 errExit("fork");
         if (dbus_proxy_pid == 0) {
-                int i;
-                for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
-                        if (i != status_pipe[1] && i != args_pipe[0])
-                                close(i); // close open files
-                }
+                // close open files
+                int keep[2];
+                keep[0] = status_pipe[1];
+                keep[1] = args_pipe[0];
+                close_all(keep, ARRAY_SIZE(keep));
+
                 if (arg_dbus_log_file != NULL) {
                         int output_fd = creat(arg_dbus_log_file, 0666);
                         if (output_fd < 0)
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index ec482e2ea..fb66d74ff 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 4c0d729a1..963288459 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index bc4cfe3fc..f1fa66707 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -161,6 +161,7 @@ typedef struct config_t {
 
 #define MAX_PROFILE_IGNORE 32
         char *profile_ignore[MAX_PROFILE_IGNORE];
+        char *keep_fd;          // inherit file descriptors to sandbox
         char *chrootdir;        // chroot directory
         char *home_private;     // private home directory
         char *home_private_keep;        // keep list for private home directory
@@ -352,6 +353,7 @@ extern int arg_nou2f;	// --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
+extern int arg_keep_fd_all;     // inherit all file descriptors to sandbox
 
 typedef enum {
         DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
@@ -551,6 +553,7 @@ int remount_by_fd(int dst, unsigned long mountflags);
 int bind_mount_by_fd(int src, int dst);
 int bind_mount_path_to_fd(const char *srcname, int dst);
 int bind_mount_fd_to_path(int src, const char *destname);
+void close_all(int *keep_list, size_t sz);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
@@ -707,6 +710,7 @@ void env_ibus_load(void);
 void fs_whitelist(void);
 
 // pulseaudio.c
+void pipewire_disable(void);
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
 
@@ -881,7 +885,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
 #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
 #define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
-#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f62e6404e..04ea715cd 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 4c9dac0c2..2b0b3003e 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 694d0a379..a6fbbb89a 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 76054b485..786e0d360 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -142,7 +142,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         assert(fname);
 
-        if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+        if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index b410ba68e..b1cb9d927 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 8b7e94f51..dca394865 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 03af7f8fb..194a980f4 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index a347b380c..aefd38e3c 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 604e297b1..06f03dac5 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 4983db0a0..30dbd8e9b 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_overlayfs.c b/src/firejail/fs_overlayfs.c
index fe3761cb6..167a7e28b 100644
--- a/src/firejail/fs_overlayfs.c
+++ b/src/firejail/fs_overlayfs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 17a7b3d23..4cecea9ce 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index e19d0df96..9523875d7 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 7afebed1f..c515b59f5 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -337,21 +337,34 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                         // fix pam-tmpdir (#2685)
                         const char *env = env_get("TMP");
                         if (env) {
-                                char *pamtmpdir;
-                                if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+                                // we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151
+                                char *pamtmpdir1;
+                                if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1)
                                         errExit("asprintf");
-                                if (strcmp(env, pamtmpdir) == 0) {
+                                char *pamtmpdir2;
+                                if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1)
+                                        errExit("asprintf");
+                                if (strcmp(env, pamtmpdir1) == 0) {
                                         // create empty user-owned /tmp/user/$UID directory
                                         EUID_ROOT();
-                                        mkdir_attr("/tmp/user", 0711, 0, 0);
+                                        mkdir_attr("/tmp/user", 0755, 0, 0);
                                         selinux_relabel_path("/tmp/user", "/tmp/user");
                                         fs_logger("mkdir /tmp/user");
-                                        mkdir_attr(pamtmpdir, 0700, getuid(), 0);
-                                        selinux_relabel_path(pamtmpdir, pamtmpdir);
-                                        fs_logger2("mkdir", pamtmpdir);
+                                        mkdir_attr(pamtmpdir1, 0700, getuid(), 0);
+                                        selinux_relabel_path(pamtmpdir1, pamtmpdir1);
+                                        fs_logger2("mkdir", pamtmpdir1);
+                                        EUID_USER();
+                                }
+                                else if (strcmp(env, pamtmpdir2) == 0) {
+                                        // create empty user-owned /tmp/$UID directory
+                                        EUID_ROOT();
+                                        mkdir_attr(pamtmpdir2, 0700, getuid(), 0);
+                                        selinux_relabel_path(pamtmpdir2, pamtmpdir2);
+                                        fs_logger2("mkdir", pamtmpdir2);
                                         EUID_USER();
                                 }
-                                free(pamtmpdir);
+                                free(pamtmpdir1);
+                                free(pamtmpdir2);
                         }
                 }
 
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index a9ff59be4..fdb78d6e6 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 0e76fd944..b62a1ca9d 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -569,11 +569,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         dbus_set_system_bus_env();
 #endif
 
-                // set nice and rlimits
-                if (arg_nice)
-                        set_nice(cfg.nice);
-                set_rlimits();
-
                 start_application(0, shfd, NULL);
 
                 __builtin_unreachable();
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 53e918dde..7207d1087 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index cd29d8f85..11385143a 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -314,9 +314,9 @@ void invalid_filename(const char *fname, int globbing) {
 
         char *reject;
         if (globbing)
-                reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
+                reject = "\\&!\"<>%^{};,"; // file globbing ('*?[]') is allowed
         else
-                reject = "\\&!?\"'<>%^{};,*[]";
+                reject = "\\&!?\"<>%^{};,*[]";
         char *c = strpbrk(ptr, reject);
         if (c) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b33db36f1..d614ae1ac 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -149,6 +149,7 @@ int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 int arg_deterministic_shutdown = 0;     // shut down the sandbox if first child dies
+int arg_keep_fd_all = 0;                // inherit all file descriptors to sandbox
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 const char *arg_dbus_log_file = NULL;
@@ -408,9 +409,22 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
 #endif
 #ifdef HAVE_NETWORK
+        else if (strcmp(argv[i], "--nettrace") == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        netfilter_trace(0);
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
         else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
-                pid_t pid = require_pid(argv[i] + 11);
-                netfilter_trace(pid);
+                if (checkcfg(CFG_NETWORK)) {
+                        pid_t pid = require_pid(argv[i] + 11);
+                        netfilter_trace(pid);
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
         }
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
@@ -1862,6 +1876,14 @@ int main(int argc, char **argv, char **envp) {
                         }
                         profile_add_ignore(argv[i] + 9);
                 }
+                else if (strncmp(argv[i], "--keep-fd=", 10) == 0) {
+                        if (strcmp(argv[i] + 10, "all") == 0)
+                                arg_keep_fd_all = 1;
+                        else {
+                                const char *add = argv[i] + 10;
+                                profile_list_augment(&cfg.keep_fd, add);
+                        }
+                }
 #ifdef HAVE_CHROOT
                 else if (strncmp(argv[i], "--chroot=", 9) == 0) {
                         if (checkcfg(CFG_CHROOT)) {
@@ -2307,11 +2329,20 @@ int main(int argc, char **argv, char **envp) {
                         continue;
                 }
 #ifdef HAVE_NETWORK
-                else if (strcmp(argv[i], "--netlock") == 0)
-                        arg_netlock = 1;
+                else if (strcmp(argv[i], "--netlock") == 0) {
+                        if (checkcfg(CFG_NETWORK))
+                                arg_netlock = 1;
+                        else
+                                exit_err_feature("networking");
+                }
                 else if (strncmp(argv[i], "--netlock=", 10) == 0) {
-                        pid_t pid = require_pid(argv[i] + 10);
-                        netfilter_netlock(pid);
+                        if (checkcfg(CFG_NETWORK)) {
+                                pid_t pid = require_pid(argv[i] + 10);
+                                netfilter_netlock(pid);
+                        }
+                        else
+                                exit_err_feature("networking");
+                        exit(0);
                 }
                 else if (strncmp(argv[i], "--interface=", 12) == 0) {
                         if (checkcfg(CFG_NETWORK)) {
@@ -3150,13 +3181,18 @@ int main(int argc, char **argv, char **envp) {
                                 }
                         }
 
-                        // add render group
+                        // add render/vglusers group
                         if (!arg_no3d) {
                                 g = get_group_id("render");
                                 if (g) {
                                         sprintf(ptr, "%d %d 1\n", g, g);
                                         ptr += strlen(ptr);
                                 }
+                                g = get_group_id("vglusers");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
 
                         // add lp group
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index ee437e10b..7d30d21d9 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 82bf25e78..939ab29fa 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -93,7 +93,10 @@ void netfilter_netlock(pid_t pid) {
 void netfilter_trace(pid_t pid) {
         EUID_ASSERT();
 
-        enter_network_namespace(pid);
+        // a pid of 0 means the main system network namespace
+        if (pid)
+                enter_network_namespace(pid);
+
         char *cmd;
         if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
                 errExit("asprintf");
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
index b5d6fb636..c72c009ae 100644
--- a/src/firejail/netns.c
+++ b/src/firejail/netns.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020-2021 Firejail Authors
+ * Copyright (C) 2020-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 289e164c6..e631745fb 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index d3e75bbed..dd66ecc55 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 0e5562d90..c57d397ef 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/output.c b/src/firejail/output.c
index ce10ab157..f9df9f3d4 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index d58a9d272..6d62c9004 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 1aafd1ca2..da50e9a82 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 92dbecac1..794668dc6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -290,6 +290,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strncmp(ptr, "keep-fd ", 8) == 0) {
+                if (strcmp(ptr + 8, "all") == 0)
+                        arg_keep_fd_all = 1;
+                else {
+                        const char *add = ptr + 8;
+                        profile_list_augment(&cfg.keep_fd, add);
+                }
+                return 0;
+        }
         if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index f21f8c96e..37e541f50 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index f8d4c2f3c..320668bf9 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <sys/wait.h>
+#include <glob.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -33,6 +34,59 @@
 
 #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
 
+
+
+static void disable_rundir_pipewire(const char *path) {
+        assert(path);
+
+        // globbing for path/pipewire-*
+        char *pattern;
+        if (asprintf(&pattern, "%s/pipewire-*", path) == -1)
+                errExit("asprintf");
+
+        glob_t globbuf;
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
+                exit(1);
+        }
+
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *dir = globbuf.gl_pathv[i];
+                assert(dir);
+
+                // don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it!
+                if (is_link(dir))
+                        continue;
+                disable_file_or_dir(dir);
+        }
+        globfree(&globbuf);
+        free(pattern);
+}
+
+
+
+// disable pipewire socket
+void pipewire_disable(void) {
+        if (arg_debug)
+                printf("disable pipewire\n");
+        // blacklist user config directory
+        disable_file_path(cfg.homedir, ".config/pipewire");
+
+        // blacklist pipewire in XDG_RUNTIME_DIR
+        const char *name = env_get("XDG_RUNTIME_DIR");
+        if (name)
+                disable_rundir_pipewire(name);
+
+        // try the default location anyway
+        char *path;
+        if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+                errExit("asprintf");
+        disable_rundir_pipewire(path);
+        free(path);
+}
+
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
         if (arg_debug)
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 59077dada..447d7b663 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index ed66903b5..c1340cae1 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index f177f4b89..b10d2c528 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index c28c3e01b..c971a4f53 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 14667d9eb..e2847aea6 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 53b1e6914..96407d081 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -404,7 +404,6 @@ static void print_time(void) {
         fmessage("Child process initialized in %.02f ms\n", delta);
 }
 
-
 // check execute permissions for the program
 // this is done typically by the shell
 // we are here because of --shell=none
@@ -461,10 +460,42 @@ static int ok_to_run(const char *program) {
         return 0;
 }
 
+static void close_file_descriptors(void) {
+        if (arg_keep_fd_all)
+                return;
+
+        if (arg_debug)
+                printf("Closing non-standard file descriptors\n");
+
+        if (!cfg.keep_fd) {
+                close_all(NULL, 0);
+                return;
+        }
+
+        size_t sz = 0;
+        int *keep = str_to_int_array(cfg.keep_fd, &sz);
+        if (!keep) {
+                fprintf(stderr, "Error: invalid keep-fd option\n");
+                exit(1);
+        }
+        close_all(keep, sz);
+        free(keep);
+}
+
+
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
-        // set environment
-        if (no_sandbox == 0)
+        if (no_sandbox == 0) {
+                close_file_descriptors();
+
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
+
                 env_defaults();
+        }
+
+        // set environment
         env_apply_all();
 
         // restore original umask
@@ -1018,6 +1049,9 @@ int sandbox(void* sandbox_arg) {
                 // disable pulseaudio
                 pulseaudio_disable();
 
+                // disable pipewire
+                pipewire_disable();
+
                 // disable /dev/snd
                 fs_dev_disable_sound();
         }
@@ -1252,12 +1286,6 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_APPARMOR
                 set_apparmor();
 #endif
-
-                // set nice and rlimits
-                if (arg_nice)
-                        set_nice(cfg.nice);
-                set_rlimits();
-
                 start_application(0, -1, set_sandbox_status);
         }
 
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 37111324a..a37943940 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
+#include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
 
@@ -72,11 +73,8 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
         }
 
         // close all other file descriptors
-        if ((filtermask & SBOX_KEEP_FDS) == 0) {
-                int i;
-                for (i = 3; i < FIREJAIL_MAX_FD; i++)
-                        close(i); // close open files
-        }
+        if ((filtermask & SBOX_KEEP_FDS) == 0)
+                close_all(NULL, 0);
 
         umask(027);
 
@@ -206,6 +204,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
         if (filtermask & SBOX_USER)
                 drop_privs(1);
         else if (filtermask & SBOX_ROOT) {
+                // https://seclists.org/oss-sec/2021/q4/43
+                struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+                if (setrlimit(RLIMIT_CORE, &tozero))
+                        errExit("setrlimit");
+
                 // elevate privileges in order to get grsecurity working
                 if (setreuid(0, 0))
                         errExit("setreuid");
@@ -292,7 +295,8 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (waitpid(child, &status, 0) == -1 ) {
                 errExit("waitpid");
         }
-        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+        if (WIFSIGNALED(status) ||
+           (WIFEXITED(status) && WEXITSTATUS(status) != 0)) {
                 fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
                 exit(1);
         }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index e02be29f1..0cd6ac7ec 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index fa59882ed..0348cef4b 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020-2021 Firejail and systemd authors
+ * Copyright (C) 2020-2022 Firejail and systemd authors
  *
  * This file is part of firejail project, from systemd selinux-util.c
  *
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index d1be6eed4..44fdd58ab 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b993cb80c..c903841c5 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -119,6 +119,7 @@ static char *usage_str =
         "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
         "    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
         "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+        "    --keep-fd - inherit open file descriptors to sandbox.\n"
         "    --keep-var-tmp - /var/tmp directory is untouched.\n"
         "    --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
@@ -161,6 +162,7 @@ static char *usage_str =
         "    --nogroups - disable supplementary groups.\n"
         "    --noinput - disable input devices.\n"
         "    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+        "    --noprinters - disable printers.\n"
         "    --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
         "    --noroot - install a user namespace with only the current user.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index c1c31b43c..79ebfa1dd 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -209,6 +209,8 @@ static void clean_supplementary_groups(gid_t gid) {
         if (!arg_no3d) {
                 copy_group_ifcont("render", groups, ngroups,
                                   new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("vglusers", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
         }
 
         if (!arg_noprinters) {
@@ -1398,6 +1400,52 @@ int bind_mount_path_to_fd(const char *srcname, int dst) {
         return rv;
 }
 
+void close_all(int *keep_list, size_t sz) {
+        DIR *dir;
+        if (!(dir = opendir("/proc/self/fd"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/proc/self/fd"))) {
+                        fprintf(stderr, "Error: cannot open /proc/self/fd directory\n");
+                        exit(1);
+                }
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 ||
+                    strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                int fd = atoi(entry->d_name);
+
+                // don't close standard streams
+                if (fd == STDIN_FILENO ||
+                    fd == STDOUT_FILENO ||
+                    fd == STDERR_FILENO)
+                        continue;
+
+                if (fd == dirfd(dir))
+                        continue; // just postponed
+
+                // dont't close file descriptors in keep list
+                int keep = 0;
+                if (keep_list) {
+                        size_t i;
+                        for (i = 0; i < sz; i++) {
+                                if (keep_list[i] == fd) {
+                                        keep = 1;
+                                        break;
+                                }
+                        }
+                }
+                if (keep)
+                        continue;
+
+                close(fd);
+        }
+        closedir(dir);
+}
+
 int has_handler(pid_t pid, int signal) {
         if (signal > 0 && signal <= SIGRTMAX) {
                 char *fname;
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 896aa2fd3..f173b6672 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *