4 files changed, 9 insertions, 3 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index e39a41502..1c1c3a08f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1226,8 +1226,8 @@ int main(int argc, char **argv) {
                         fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
                 else if (arg_overlay)
                         fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-                else if (cfg.home_private_keep)
-                        fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
+//              else if (cfg.home_private_keep)
+//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
                 else {
                         // try to load a default profile
                         char *profile_name = DEFAULT_USER_PROFILE;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 427b3fc09..b23c5d742 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -210,6 +210,8 @@ int sandbox(void* sandbox_arg) {
                         if (!arg_quiet)
                                 printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
                 }
+                else
+                        arg_seccomp = 1;
                                                 
                 //****************************
                 // trace pre-install, this time inside chroot
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 6ab3ae56e..353b212f6 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -385,6 +385,7 @@ void seccomp_filter_32(void) {
                 BLACKLIST(294), // migrate_pages
                 BLACKLIST(317), // move_pages
                 BLACKLIST(316), // vmsplice
+                BLACKLIST(61),  // chroot
                 RETURN_ALLOW
         };
 
@@ -558,6 +559,9 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_vmsplice
                 filter_add_blacklist(SYS_vmsplice, 0);
 #endif
+#ifdef SYS_chroot
+                filter_add_blacklist(SYS_chroot, 0);
+#endif
         //#ifdef SYS_set_robust_list
         //              filter_add_blacklist(SYS_set_robust_list, 0);
         //#endif
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c829b94f2..76c12ecc1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -225,7 +225,7 @@ void usage(void) {
         printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
         printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
         printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-        printf("\t\tkexec_file_load.\n\n");
+        printf("\t\tkexec_file_load, chroot.\n\n");
         
         printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
         printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");