7 files changed, 86 insertions, 40 deletions

diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 96bd351f3..431aebee6 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) {
                         ptr = ptr->next;
                 }
                 fprintf(fp, "\n");
-                fprintf(fp, "# private-lib\n");
+                fprintf(fp, "#private-lib\n");
         }
 }
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 495f71ab8..ac0cd455a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) {
         // skip strace file
         if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
                 return;
+        if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
+                return;
+        if (strcmp(ptr, "/tmp") == 0)
+                return;
 
         tmp_out = filedb_add(tmp_out, ptr);
 }
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) {
         if (tmp_out == NULL)
                 fprintf(fp, "private-tmp\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-tmp\n");
+                fprintf(fp, "#private-tmp\n");
                 fprintf(fp, "# File accessed in /tmp directory:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = tmp_out;
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) {
         if (dev_out == NULL)
                 fprintf(fp, "private-dev\n");
         else {
-                fprintf(fp, "\n");
-                fprintf(fp, "# private-dev\n");
-                fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+                fprintf(fp, "#private-dev\n");
+                fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
                 fprintf(fp, "# ");
                 FileDB *ptr = dev_out;
                 while (ptr) {
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 683009b71..d7706282a 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) {
                 }
 
                 // skip files and directories in whitelist-common.inc
-                if (filedb_find(db_skip, toadd)) {
+                if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
                         if (dir)
                                 free(dir);
                         continue;
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 96a83954d..0c1b57384 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
                 fprintf(fp, "### basic blacklisting\n");
                 fprintf(fp, "include disable-common.inc\n");
-                fprintf(fp, "# include disable-devel.inc\n");
-                fprintf(fp, "# include disable-exec.inc\n");
-                fprintf(fp, "# include disable-interpreters.inc\n");
+                fprintf(fp, "#include disable-devel.inc\n");
+                fprintf(fp, "#include disable-exec.inc\n");
+                fprintf(fp, "#include disable-interpreters.inc\n");
                 fprintf(fp, "include disable-passwdmgr.inc\n");
-                fprintf(fp, "# include disable-programs.inc\n");
-                fprintf(fp, "# include disable-xdg.inc\n");
+                fprintf(fp, "#include disable-programs.inc\n");
+                fprintf(fp, "#include disable-xdg.inc\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### home directory whitelisting\n");
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### filesystem\n");
-                fprintf(fp, "# /usr/share:\n");
+                fprintf(fp, "### /usr/share:\n");
                 build_share(trace_output, fp);
-                fprintf(fp, "# /var:\n");
+                fprintf(fp, "### /var:\n");
                 build_var(trace_output, fp);
-                fprintf(fp, "\n");
-                fprintf(fp, "# $PATH:\n");
+                fprintf(fp, "### /bin:\n");
                 build_bin(trace_output, fp);
-                fprintf(fp, "# /dev:\n");
+                fprintf(fp, "### /dev:\n");
                 build_dev(trace_output, fp);
-                fprintf(fp, "# /etc:\n");
+                fprintf(fp, "### /etc:\n");
                 build_etc(trace_output, fp);
-                fprintf(fp, "# /tmp:\n");
+                fprintf(fp, "### /tmp:\n");
                 build_tmp(trace_output, fp);
                 fprintf(fp, "\n");
 
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index abec25d45..8cb25a1ff 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -76,6 +76,44 @@ void fs_machineid(void) {
         }
 }
 
+// Duplicate directory structure from src to dst by creating empty directories.
+// The paths _must_ be identical after their respective prefixes.
+// When finished, dst will point to the target directory. That is, if
+// it starts out pointing to a file, it will instead be truncated so
+// that it contains the parent directory instead.
+static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) {
+        char *p = src + src_prefix_len + 1;
+        char *q = dst + dst_prefix_len + 1;
+        char *r = dst + dst_prefix_len;
+        struct stat s;
+        bool last = false;
+        *r = '\0';
+        for (; !last; p++, q++) {
+                if (*p == '\0') {
+                        last = true;
+                }
+                if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) {
+                        // We found a new component of our src path.
+                        // Null-terminate it temporarily here so that we can work
+                        // with it.
+                        *p = '\0';
+                        if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
+                                // Null-terminate the dst path and undo its previous
+                                // termination.
+                                *q = '\0';
+                                *r = '/';
+                                r = q;
+                                create_empty_dir_as_root(dst, s.st_mode);
+                        }
+                        if (!last) {
+                                // If we're not at the final terminating null, restore
+                                // the slash so that we can continue our traversal.
+                                *p = '/';
+                        }
+                }
+        }
+}
+
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
         assert(fname);
@@ -103,7 +141,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         assert(fname);
 
-        if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) {
+        if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
@@ -119,21 +157,16 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
         }
 
         if (arg_debug)
-                printf("copying %s to private %s\n", src, private_dir);
+                printf("Copying %s to private %s\n", src, private_dir);
 
-        struct stat s;
-        if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
-                // create the directory in RUN_ETC_DIR
-                char *dirname;
-                if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1)
-                        errExit("asprintf");
-                create_empty_dir_as_root(dirname, s.st_mode);
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
-                free(dirname);
-        }
-        else
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
+        char *dst;
+        if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1)
+                errExit("asprintf");
+
+        build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
+        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
 
+        free(dst);
         fs_logger2("clone", src);
         free(src);
 }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ee685da73..2bb57cee2 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -295,7 +295,9 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /etc directory.
+the /etc directory, and must not contain the / character
+(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 #ifdef HAVE_PRIVATE_HOME
 .TP
@@ -319,14 +321,18 @@ This feature is still under development, see \fBman 1 firejail\fR for some examp
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /opt directory.
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-srv file,directory
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /srv directory.
+the /srv directory, and must not contain the / character
+(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f27379a2d..1ee7ab1f1 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1883,7 +1883,9 @@ $
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /etc directory.
+the /etc directory, and must not contain the / character
+(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
+expressed as foo/bar -- is disallowed).
 If no listed file is found, /etc directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1893,7 +1895,7 @@ Example:
 .br
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
-nsswitch.conf,passwd,resolv.conf,default/motd-news
+nsswitch.conf,passwd,resolv.conf
 #ifdef HAVE_PRIVATE_HOME
 .TP
 \fB\-\-private-home=file,directory
@@ -1968,7 +1970,9 @@ $
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /opt directory.
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 If no listed file is found, /opt directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1983,7 +1987,9 @@ $ firejail --private-opt=firefox /opt/firefox/firefox
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
-the /srv directory.
+the /srv directory, and must not contain the / character
+(e.g., /opt/srv must be expressed as foo, but /srv/foo/bar --
+expressed as srv/bar -- is disallowed).
 If no listed file is found, /srv directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br