9 files changed, 109 insertions, 177 deletions

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 48789359d..b4efa3add 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -25,8 +25,8 @@ QOwnNotes
 Telegram
 Viber
 VirtualBox
-Xephyr
 XMind
+Xephyr
 abrowser
 akonadi_control
 akregator
@@ -186,8 +186,8 @@ firefox-developer-edition
 firefox-esr
 firefox-nightly
 firefox-wayland
-flameshot
 flacsplt
+flameshot
 flashpeak-slimjet
 flowblade
 font-manager
@@ -248,6 +248,7 @@ gnome-schedule
 gnome-system-log
 gnome-twitch
 gnome-weather
+godot
 goobox
 google-chrome
 google-chrome-beta
@@ -300,11 +301,15 @@ keepass2
 keepassx
 keepassx2
 keepassxc
+keepassxc-cli
+keepassxc-proxy
 kget
 kid3
 kid3-cli
 kid3-qt
 kino
+klatexformula
+klatexformula_cmdl
 klavaro
 kmail
 knotes
@@ -322,6 +327,7 @@ less
 libreoffice
 liferea
 lincity-ng
+links
 linphone
 lmms
 lobase
@@ -396,6 +402,7 @@ netactview
 nethack
 netsurf
 neverball
+newsbeuter
 newsboat
 nheko
 nitroshare
@@ -413,6 +420,7 @@ oggsplt
 okular
 onionshare-gui
 open-invaders
+openarena
 opencity
 openshot
 openshot-qt
@@ -422,6 +430,7 @@ opera-beta
 orage
 ostrichriders
 palemoon
+pandoc
 parole
 patch
 pavucontrol
@@ -466,6 +475,7 @@ redshift
 regextester
 remmina
 rhythmbox
+rhythmbox-client
 ricochet
 riot-desktop
 riot-web
@@ -521,6 +531,7 @@ sylpheed
 synfigstudio
 sysprof
 sysprof-cli
+teams-for-linux
 teamspeak3
 teeworlds
 telegram
@@ -578,7 +589,9 @@ transmission-remote-gtk
 transmission-show
 tremulous
 truecraft
+tshark
 tuxguitar
+udiskie
 uefitool
 uget-gtk
 unbound
@@ -622,6 +635,7 @@ xfce4-dict
 xfce4-mixer
 xfce4-notes
 xiphos
+xlinks
 xmms
 xmr-stak
 xonotic
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index fd6cb9ff2..630adc3d7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -364,16 +364,23 @@ void preproc_mount_mnt_dir(void);
 void preproc_clean_run(void);
 
 // fs.c
+typedef enum {
+        BLACKLIST_FILE,
+        BLACKLIST_NOLOG,
+        MOUNT_READONLY,
+        MOUNT_TMPFS,
+        MOUNT_NOEXEC,
+        MOUNT_RDWR,
+        OPERATION_MAX
+} OPERATION;
+
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void);
 // mount a writable tmpfs
 void fs_tmpfs(const char *dir, unsigned check_owner);
-// remount a directory read-only
-void fs_rdonly(const char *dir);
-void fs_rdonly_rec(const char *dir);
-// remount a directory noexec, nodev and nosuid
-void fs_noexec(const char *dir);
-void fs_noexec_rec(const char *dir);
+// remount noexec/nodev/nosuid or read-only or read-write
+void fs_remount(const char *dir, OPERATION op, unsigned check_mnt);
+void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 411f2e778..14d7d7156 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -39,24 +39,17 @@
 //#define TEST_NO_BLACKLIST_MATCHING
 
 
-static int mount_warning = 0;
-static void fs_rdwr(const char *dir);
-static void fs_rdwr_rec(const char *dir);
-
-
-
 //***********************************************
 // process profile file
 //***********************************************
-typedef enum {
-        BLACKLIST_FILE,
-        BLACKLIST_NOLOG,
-        MOUNT_READONLY,
-        MOUNT_TMPFS,
-        MOUNT_NOEXEC,
-        MOUNT_RDWR,
-        OPERATION_MAX
-} OPERATION;
+static char *opstr[] = {
+        [BLACKLIST_FILE] = "blacklist",
+        [BLACKLIST_NOLOG] = "blacklist-nolog",
+        [MOUNT_READONLY] = "read-only",
+        [MOUNT_TMPFS] = "tmpfs",
+        [MOUNT_NOEXEC] = "noexec",
+        [MOUNT_RDWR] = "read-write",
+};
 
 typedef enum {
         UNSUCCESSFUL,
@@ -153,17 +146,9 @@ static void disable_file(OPERATION op, const char *filename) {
                                 fs_logger2("blacklist-nolog", fname);
                 }
         }
-        else if (op == MOUNT_READONLY) {
-                fs_rdonly_rec(fname);
-// todo: last_disable = SUCCESSFUL;
-        }
-        else if (op == MOUNT_RDWR) {
-                fs_rdwr_rec(fname);
-// todo: last_disable = SUCCESSFUL;
-        }
-        else if (op == MOUNT_NOEXEC) {
-                fs_noexec_rec(fname);
-// todo: last_disable = SUCCESSFUL;
+        else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
+                fs_remount_rec(fname, op, 1);
+                // todo: last_disable = SUCCESSFUL;
         }
         else if (op == MOUNT_TMPFS) {
                 if (S_ISDIR(s.st_mode)) {
@@ -493,145 +478,60 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
         close(fd);
 }
 
-// remount directory read-only
-void fs_rdonly(const char *dir) {
+void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
         assert(dir);
         // check directory exists
         struct stat s;
         int rv = stat(dir, &s);
         if (rv == 0) {
                 unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & MS_RDONLY) == MS_RDONLY)
+                if (get_mount_flags(dir, &flags) != 0) {
+                        fwarning("cannot remount %s\n", dir);
                         return;
-                flags |= MS_RDONLY;
-                if (arg_debug)
-                        printf("Mounting read-only %s\n", dir);
-                // mount --bind /bin /bin
-                // mount --bind -o remount,ro /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("mount read-only");
-                fs_logger2("read-only", dir);
-        }
-}
-
-// remount directory read-only recursively
-void fs_rdonly_rec(const char *dir) {
-        assert(dir);
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
                 }
-                fs_rdonly(dir);
-                return;
-        }
-        // build array with all mount points that need to get remounted
-        char **arr = build_mount_array(mountid, dir);
-        assert(arr);
-        // remount
-        char **tmp = arr;
-        while (*tmp) {
-                fs_rdonly(*tmp);
-                free(*tmp++);
-        }
-        free(arr);
-}
-
-// remount directory read-write
-static void fs_rdwr(const char *dir) {
-        assert(dir);
-        // check directory exists
-        struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                // allow only user owned directories, except the user is root
-                uid_t u = getuid();
-                if (u != 0 && s.st_uid != u) {
-                        fwarning("you are not allowed to change %s to read-write\n", dir);
-                        return;
+                if (op == MOUNT_RDWR) {
+                        // allow only user owned directories, except the user is root
+                        if (getuid() != 0 && s.st_uid != getuid()) {
+                                fwarning("you are not allowed to change %s to read-write\n", dir);
+                                return;
+                        }
+                        if ((flags & MS_RDONLY) == 0)
+                                return;
+                        flags &= ~MS_RDONLY;
                 }
-                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & MS_RDONLY) == 0)
-                        return;
-                flags &= ~MS_RDONLY;
-                if (arg_debug)
-                        printf("Mounting read-write %s\n", dir);
-                // mount --bind /bin /bin
-                // mount --bind -o remount,rw /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("mount read-write");
-                fs_logger2("read-write", dir);
-                // run a sanity check on /proc/self/mountinfo
-                MountData *mptr = get_last_mount();
-                size_t len = strlen(dir);
-                if (strncmp(mptr->dir, dir, len) != 0 ||
-                   (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
-                        errLogExit("invalid read-write mount");
-        }
-}
-
-// remount directory read-write recursively
-static void fs_rdwr_rec(const char *dir) {
-        assert(dir);
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
+                else if (op == MOUNT_NOEXEC) {
+                        if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID))
+                                return;
+                        flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
                 }
-                fs_rdwr(dir);
-                return;
-        }
-        // build array with all mount points that need to get remounted
-        char **arr = build_mount_array(mountid, dir);
-        assert(arr);
-        // remount
-        char **tmp = arr;
-        while (*tmp) {
-                fs_rdwr(*tmp);
-                free(*tmp++);
-        }
-        free(arr);
-}
+                else if (op == MOUNT_READONLY) {
+                        if ((flags & MS_RDONLY) == MS_RDONLY)
+                                return;
+                        flags |= MS_RDONLY;
+                }
+                else
+                        assert(0);
 
-// remount directory noexec, nodev, nosuid
-void fs_noexec(const char *dir) {
-        assert(dir);
-        // check directory exists
-        struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID))
-                        return;
-                flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
                 if (arg_debug)
-                        printf("Mounting noexec %s\n", dir);
+                        printf("Mounting %s %s\n", opstr[op], dir);
                 // mount --bind /bin /bin
-                // mount --bind -o remount,noexec /bin
+                // mount --bind -o remount,rw /bin
                 if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
                     mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("mount noexec");
-                fs_logger2("noexec", dir);
+                        errExit("remounting");
+                if (check_mnt) {
+                        // run a sanity check on /proc/self/mountinfo
+                        MountData *mptr = get_last_mount();
+                        size_t len = strlen(dir);
+                        if (strncmp(mptr->dir, dir, len) != 0 ||
+                           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
+                                errLogExit("invalid %s mount", opstr[op]);
+                }
+                fs_logger2(opstr[op], dir);
         }
 }
 
-// remount directory noexec, nodev, nosuid recursively
-void fs_noexec_rec(const char *dir) {
+void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
         assert(dir);
         // get mount point of the directory
         int mountid = get_mount_id(dir);
@@ -639,11 +539,12 @@ void fs_noexec_rec(const char *dir) {
                 return;
         if (mountid == -2) {
                 // falling back to a simple remount on old kernels
+                static int mount_warning = 0;
                 if (!mount_warning) {
                         fwarning("read-only, read-write and noexec options are not applied recursively\n");
                         mount_warning = 1;
                 }
-                fs_noexec(dir);
+                fs_remount(dir, op, check_mnt);
                 return;
         }
         // build array with all mount points that need to get remounted
@@ -652,7 +553,7 @@ void fs_noexec_rec(const char *dir) {
         // remount
         char **tmp = arr;
         while (*tmp) {
-                fs_noexec(*tmp);
+                fs_remount(*tmp, op, check_mnt);
                 free(*tmp++);
         }
         free(arr);
@@ -818,28 +719,29 @@ static void disable_config(void) {
 
 
 // build a basic read-only filesystem
+// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
         uid_t uid = getuid();
 
         if (arg_debug)
                 printf("Basic read-only filesystem:\n");
         if (!arg_writable_etc) {
-                fs_rdonly("/etc");
+                fs_remount("/etc", MOUNT_READONLY, 0);
                 if (uid)
-                        fs_noexec("/etc");
+                        fs_remount("/etc", MOUNT_NOEXEC, 0);
         }
         if (!arg_writable_var) {
-                fs_rdonly("/var");
+                fs_remount("/var", MOUNT_READONLY, 0);
                 if (uid)
-                        fs_noexec("/var");
+                        fs_remount("/var", MOUNT_NOEXEC, 0);
         }
-        fs_rdonly("/bin");
-        fs_rdonly("/sbin");
-        fs_rdonly("/lib");
-        fs_rdonly("/lib64");
-        fs_rdonly("/lib32");
-        fs_rdonly("/libx32");
-        fs_rdonly("/usr");
+        fs_remount("/bin", MOUNT_READONLY, 0);
+        fs_remount("/sbin", MOUNT_READONLY, 0);
+        fs_remount("/lib", MOUNT_READONLY, 0);
+        fs_remount("/lib64", MOUNT_READONLY, 0);
+        fs_remount("/lib32", MOUNT_READONLY, 0);
+        fs_remount("/libx32", MOUNT_READONLY, 0);
+        fs_remount("/usr", MOUNT_READONLY, 0);
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
@@ -848,7 +750,7 @@ void fs_basic_fs(void) {
         if (!arg_writable_var_log)
                 fs_var_log();
         else
-                fs_rdwr("/var/log");
+                fs_remount("/var/log", MOUNT_RDWR, 0);
 
         fs_var_lib();
         fs_var_cache();
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index e3f237b8e..b82473476 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -88,7 +88,7 @@ void pulseaudio_init(void) {
         if (mkdir(RUN_PULSE_DIR, 0700) == -1)
                 errExit("mkdir");
         // mount it nosuid, noexec, nodev
-        fs_noexec(RUN_PULSE_DIR);
+        fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0);
 
         // create the new client.conf file
         char *pulsecfg = NULL;
@@ -155,8 +155,10 @@ void pulseaudio_init(void) {
                 if (fstatvfs(fd, &vfs) == -1)
                         errExit("fstatvfs");
                 if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
-                        fs_rdonly(RUN_PULSE_DIR);
+                        fs_remount(RUN_PULSE_DIR, MOUNT_READONLY, 0);
                 // mount via the link in /proc/self/fd
+                if (arg_debug)
+                        printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
                 char *proc;
                 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                         errExit("asprintf");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 841d57c89..f91e5ab7c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1116,7 +1116,7 @@ int sandbox(void* sandbox_arg) {
                 (void) rv;
         }
         // make seccomp filters read-only
-        fs_rdonly(RUN_SECCOMP_DIR);
+        fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
 #endif
 
         // set capabilities
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 9d821d980..69a9a7bee 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1169,7 +1169,7 @@ void x11_xorg(void) {
         umount("/tmp");
 
         // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
-        fs_noexec(RUN_XAUTHORITY_SEC_FILE);
+        fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
 
         // Ensure there is already a file in the usual location, so that bind-mount below will work.
         char *dest;
@@ -1202,9 +1202,11 @@ void x11_xorg(void) {
         if (fstatvfs(fd, &vfs) == -1)
                 errExit("fstatvfs");
         if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
-                fs_rdonly(RUN_XAUTHORITY_SEC_FILE);
+                fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY, 0);
 
         // mount via the link in /proc/self/fd
+        if (arg_debug)
+                printf("Mounting %s on %s\n", RUN_XAUTHORITY_SEC_FILE, dest);
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index e5f1b6f9a..b3c435d9e 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -83,7 +83,9 @@ int find_child(int id) {
                         return i;
         }
 
-        return -1;
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
 }
 
 // sleep and wait for a key to be pressed
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 8c9989970..f97261456 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -74,6 +74,9 @@ Child process initialized
 [...]
 .RE
 
+.SH Templates
+Templates for writing own profiles can be found in /usr/share/doc/firejail.
+
 .SH Scripting
 Scripting commands:
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 67b84de0e..201339c8b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2318,9 +2318,9 @@ $ sudo firejail --writable-var-log
 .TP
 \fB\-\-x11
 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
-The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
+The sandbox will prevent screenshot and keylogger applications started inside the sandbox from accessing
 clients running outside the sandbox.
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+Firejail will try Xpra first, and if Xpra is not installed on the system, it will try to find Xephyr.
 If all fails, Firejail will not attempt to use Xvfb or X11 security extension.
 .br