11 files changed, 139 insertions, 23 deletions

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e997598af..e8ec20273 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -57,6 +57,7 @@ atril-previewer
 atril-thumbnailer
 audacious
 audacity
+audio-recorder
 authenticator
 autokey-gtk
 autokey-qt
@@ -82,6 +83,10 @@ brackets
 brasero
 brave
 brave-browser
+brave-browser-beta
+brave-browser-dev
+brave-browser-nightly
+brave-browser-stable
 bunzip2
 bzcat
 bzflag
@@ -96,6 +101,7 @@ calligraplanwork
 calligrasheets
 calligrastage
 calligrawords
+cameramonitor
 cantata
 catfish
 celluloid
@@ -132,6 +138,7 @@ cvlc
 cyberfox
 darktable
 dconf-editor
+ddgtk
 deadbeef
 deluge
 devhelp
@@ -151,10 +158,12 @@ dooble
 dooble-qt4
 dosbox
 dragon
+drawio
 dropbox
 d-feet
 easystroke
 ebook-viewer
+electron-mail
 electrum
 elinks
 empathy
@@ -167,6 +176,7 @@ enox
 enpass
 eog
 eom
+ephemeral
 #epiphany
 etr
 evince
@@ -222,16 +232,20 @@ geary
 gedit
 geekbench
 geeqie
+gfeeds
 ghb
 ghostwriter
 gimp
 gimp-2.10
 gimp-2.8
+gist
+gist-paste
 gitg
 github-desktop
 gitter
 gjs
 globaltime
+gmpc
 gnome-2048
 gnome-books
 gnome-builder
@@ -445,9 +459,12 @@ odt2txt
 oggsplt
 okular
 onionshare-gui
+ooffice
+ooviewdoc
 open-invaders
 openarena
 opencity
+openoffice.org
 openshot
 openshot-qt
 openttd
@@ -482,6 +499,7 @@ pngquant
 polari
 ppsspp
 pragha
+profanity
 psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
@@ -627,6 +645,7 @@ udiskie
 uefitool
 uget-gtk
 unbound
+unf
 unknown-horizons
 unzstd
 utox
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 3f5921322..9a2efebd2 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -443,15 +443,33 @@ int main(int argc, char **argv) {
         // set new symlinks based on /usr/lib/firejail/firecfg.cfg
         set_links_firecfg();
 
-        // add user to firejail access database - only for root
         if (getuid() == 0) {
+                // add user to firejail access database - only for root
                 printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
                 // temporarily set the umask, access database must be world-readable
                 mode_t orig_umask = umask(022);
                 firejail_user_add(user);
                 umask(orig_umask);
+
+#ifdef HAVE_APPARMOR
+                // enable firejail apparmor profile
+                struct stat s;
+                if (stat("/sbin/apparmor_parser", &s) == 0) {
+                        char *cmd;
+
+                        // SYSCONFDIR points to /etc/firejail, we have to go on level up (..)
+                        printf("\nLoading AppArmor profile\n");
+                        if (asprintf(&cmd, "/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default %s/../apparmor.d/firejail-default", SYSCONFDIR) == -1)
+                                errExit("asprintf");
+                        int rv = system(cmd);
+                        (void) rv;
+                        free(cmd);
+                }
+#endif
         }
 
+
+
         // set new symlinks based on ~/.config/firejail directory
         set_links_homedir(home);
 
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index e886e81da..520960db2 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -113,12 +113,12 @@ void appimage_set(const char *appimage) {
         EUID_ROOT();
         if (size == 0) {
                 fmessage("Mounting appimage type 1\n");
-                if (mount(devloop, mntdir, "iso9660", flags,  mode) < 0)
+                if (mount(devloop, mntdir, "iso9660", flags, mode) < 0)
                         errExit("mounting appimage");
         }
         else {
                 fmessage("Mounting appimage type 2\n");
-                if (mount(devloop, mntdir, "squashfs", flags,  mode) < 0)
+                if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0)
                         errExit("mounting appimage");
         }
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 1f0ccac1a..316057ec5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -535,6 +535,14 @@ void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
 
 void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
         assert(dir);
+        struct stat s;
+        if (stat(dir, &s) != 0)
+                return;
+        if (!S_ISDIR(s.st_mode)) {
+                // no need to search in /proc/self/mountinfo for submounts if not a directory
+                fs_remount(dir, op, check_mnt);
+                return;
+        }
         // get mount point of the directory
         int mountid = get_mount_id(dir);
         if (mountid == -1)
@@ -634,7 +642,8 @@ void fs_proc_sys_dev_boot(void) {
         // various /proc files
         disable_file(BLACKLIST_FILE, "/proc/irq");
         disable_file(BLACKLIST_FILE, "/proc/bus");
-        disable_file(BLACKLIST_FILE, "/proc/config.gz");
+        // move /proc/config.gz to disable-common.inc
+        //disable_file(BLACKLIST_FILE, "/proc/config.gz");
         disable_file(BLACKLIST_FILE, "/proc/sched_debug");
         disable_file(BLACKLIST_FILE, "/proc/timer_list");
         disable_file(BLACKLIST_FILE, "/proc/timer_stats");
@@ -1139,6 +1148,9 @@ void fs_overlayfs(void) {
 
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
+        if (arg_debug)
+                printf("Generate private-tmp whitelist commands\n");
+
         // check XAUTHORITY file, KDE keeps it under /tmp
         char *xauth = getenv("XAUTHORITY");
         if (xauth) {
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index eb03eb35f..082f8b4a0 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -189,5 +189,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
                 errExit("mount bind");
         fs_logger2("mount", private_dir);
 
+        // mask private_run_dir (who knows if there are writable paths, and it is mounted exec)
+        if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        fs_logger2("tmpfs", private_run_dir);
+
         fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index d09f92697..cfa0af078 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -315,7 +315,7 @@ void fs_private_homedir(void) {
                         errExit("mounting /root directory");
                 fs_logger("tmpfs /root");
         }
-        if (u == 0 || strncmp(homedir, "/home/", 6) != 0) {
+        if (u == 0 && !arg_allusers) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
@@ -606,7 +606,7 @@ void fs_private_home_list(void) {
                         errExit("mounting /root directory");
                 fs_logger("tmpfs /root");
         }
-        if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) {
+        if (uid == 0 && !arg_allusers) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1786cfac2..179f8ddf9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -55,7 +55,9 @@ uid_t firejail_uid = 0;
 gid_t firejail_gid = 0;
 
 #define STACK_SIZE (1024 * 1024)
-static char child_stack[STACK_SIZE] __attribute__((aligned(8)));                // space for child's stack
+#define STACK_ALIGNMENT 16
+static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT)));          // space for child's stack
+
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_cache = 0;              // mount private home/.cache
@@ -143,6 +145,14 @@ int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 int login_shell = 0;
 
+//**********************************************************************************
+// work in progress!!!
+//**********************************************************************************
+//#define POSTMORTEM
+#ifdef POSTMORTEM
+#include <grp.h>
+pid_t pm_child = 0;
+#endif
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -176,6 +186,20 @@ static void myexit(int rv) {
 static void my_handler(int s) {
         fmessage("\nParent received signal %d, shutting down the child process...\n", s);
         logsignal(s);
+
+#ifdef POSTMORTEM
+printf("attempt to kill %d\n", pm_child);
+        if (pm_child) {
+                if (waitpid(pm_child, NULL, WNOHANG) == 0) {
+                        if (has_handler(pm_child, s)) // signals are not delivered if there is no handler yet
+                                kill(pm_child, s);
+                        else
+                                kill(pm_child, SIGKILL);
+                        waitpid(pm_child, NULL, 0);
+                }
+        }
+#endif
+
         if (waitpid(child, NULL, WNOHANG) == 0) {
                 if (has_handler(child, s)) // signals are not delivered if there is no handler yet
                         kill(child, s);
@@ -2726,6 +2750,44 @@ int main(int argc, char **argv) {
         }
         EUID_USER();
 
+
+#ifdef POSTMORTEM
+        pm_child = fork();
+        if (pm_child == -1)
+                fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+        else if (pm_child == 0) {
+                // running --join as root
+                EUID_ROOT();
+                int rv = setgroups(0, NULL);
+                rv |= setuid(0);
+                rv |= setgid(0);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+                        exit(1);
+                }
+
+                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+/*problem???*/  sleep(1); // we need to give the sandbox some time to start the namespaces
+                char *joincmd;
+                if (asprintf(&joincmd, "--join-network=%d", child) == -1)
+                        errExit("asprintf");
+
+                // we join only the network ns, the filesystem is intact so we can find tcpdump
+                char *arg[] =  {
+                        "/usr/bin/firejail",
+                        joincmd,
+                        "/usr/sbin/tcpdump",
+                        "-n",
+                        "-q",
+                        NULL
+                };
+                execvp(arg[0], arg);
+                assert(0);
+printf("**********************************\n");
+                exit(1);
+        }
+#endif
+
         int status = 0;
         //*****************************
         // following code is signal-safe
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 2a4353d8d..18d121ca9 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1111,10 +1111,10 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
-        if (arg_debug)
-                printf("blacklist %s\n", fname);
         struct stat s;
         if (stat(fname, &s) != -1) {
+                if (arg_debug)
+                        printf("blacklist %s\n", fname);
                 if (is_dir(fname)) {
                         if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
                                 errExit("disable directory");
@@ -1123,8 +1123,8 @@ void disable_file_or_dir(const char *fname) {
                         if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
                                 errExit("disable file");
                 }
+                fs_logger2("blacklist", fname);
         }
-        fs_logger2("blacklist", fname);
 }
 
 void disable_file_path(const char *path, const char *file) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 944c24bc7..b390ad38e 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1248,10 +1248,10 @@ void x11_xorg(void) {
                                 disable_file_or_dir(rp);
                         free(rp);
                 }
-                // update environment variable, so our new .Xauthority file is used
-                if (setenv("XAUTHORITY", dest, 1) < 0)
-                        errExit("setenv");
         }
+        // set environment variable
+        if (setenv("XAUTHORITY", dest, 1) < 0)
+                errExit("setenv");
         free(dest);
 #endif
 }
diff --git a/src/lib/common.c b/src/lib/common.c
index 1678a4092..3a7f910e1 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -53,7 +53,7 @@ int join_namespace(pid_t pid, char *type) {
 
 errout:
         free(path);
-        fprintf(stderr, "Error: cannot join namespace %s\\n", type);
+        fprintf(stderr, "Error: cannot join namespace %s\n", type);
         return -1;
 
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cabc4f619..47f5ecbdf 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2768,6 +2768,15 @@ Sandbox running time in hours:minutes:seconds format.
 USER
 The owner of the sandbox.
 
+.SH RESTRICTED SHELL
+To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
+/etc/passwd file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail  in adduser command:
+
+adduser \-\-shell /usr/bin/firejail username
+
+Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
+
 .SH SECURITY PROFILES
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
@@ -2836,15 +2845,6 @@ Child process initialized
 
 See \fBman 5 firejail-profile\fR for profile file syntax information.
 
-.SH RESTRICTED SHELL
-To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  in adduser command:
-
-adduser \-\-shell /usr/bin/firejail username
-
-Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
-
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling