14 files changed, 73 insertions, 8 deletions

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a7a1351ff..1de107a03 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -289,6 +289,7 @@ gapplication
 gcalccmd
 gcloud
 gconf-editor
+gdu
 geany
 geary
 gedit
@@ -842,6 +843,7 @@ tremulous
 trojita
 truecraft
 tshark
+tuir
 tutanota-desktop
 tuxguitar
 tvbrowser
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 167b6a843..0a4dffb75 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user;	// writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
 extern int arg_apparmor;        // apparmor
+extern char *apparmor_profile;  // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
 extern int arg_x11_xorg;        // use X11 security extension
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 55f623138..29c25dfc5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0;			// writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
 int arg_apparmor = 0;                           // apparmor
+char *apparmor_profile = NULL;  // apparmor profile
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
 int arg_x11_xorg = 0;                           // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
                 // filtering
                 //*************************************
 #ifdef HAVE_APPARMOR
-                else if (strcmp(argv[i], "--apparmor") == 0)
+                else if (strcmp(argv[i], "--apparmor") == 0) {
                         arg_apparmor = 1;
+                        apparmor_profile = "firejail-default";
+                }
+                else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+                        arg_apparmor = 1;
+                        apparmor_profile = argv[i] + 11;
+                }
 #endif
                 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index dc1aff49a..f406e2c53 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
                 arg_apparmor = 1;
+                apparmor_profile = "firejail-default";
+#endif
+                return 0;
+        }
+
+        if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+                arg_apparmor = 1;
+                apparmor_profile = strdup(ptr + 9);
+                if (!apparmor_profile)
+                        errExit("strdup");
 #endif
                 return 0;
         }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b1b3407b4..9299268a3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
         EUID_ASSERT();
         if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-                if (aa_change_onexec("firejail-default")) {
+                if (aa_stack_onexec(apparmor_profile)) {
                         fwarning("Cannot confine the application using AppArmor.\n"
                                 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
                                 "As root, run \"aa-enforce firejail-default\" to load it.\n");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c3c17393c..e11081eed 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
         "    -- - signal the end of options and disables further option processing.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
-        "    --apparmor - enable AppArmor confinement.\n"
+        "    --apparmor - enable AppArmor confinement with the default profile.\n"
+        "    --apparmor=profile_name - enable AppArmor confinement with a\n"
+        "\tcustom profile.\n"
         "    --apparmor.print=name|pid - print apparmor status.\n"
         "    --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 280a4aff1..42add6a41 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -146,3 +146,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 05afd55b5..f03fc3c37 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -40,3 +40,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index be1f55f0f..138aae8af 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
 #endif
 .TP
 \fBcaps
@@ -1031,3 +1035,4 @@ Homepage: https://firejail.wordpress.com
 
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index e3cce7ed5..7aa151680 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -60,3 +60,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 087d1c85a..1dd5508b3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
 .br
 
 .br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
+be blacklisted.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2905,8 +2929,14 @@ all directories in /usr.
 .br
 
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
 .br
 
 .br
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com
 .UE ,
 .UR https://github.com/netblue30/firejail
 .UE
+.\" vim: set filetype=groff :
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index fd58a7168..9d0785a4a 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -118,3 +118,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index 483f47fb9..e889ea91b 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -115,3 +115,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
+.\" vim: set filetype=groff :
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 605000e31..2b67c2a00 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -171,7 +171,8 @@ _firejail_args=(
     '--writable-var-log[use the real /var/log directory, not a clone]'
 
 #ifdef HAVE_APPARMOR
-    '--apparmor[enable AppArmor confinement]'
+    '--apparmor[enable AppArmor confinement with the default profile]'
+    '--apparmor=-[enable AppArmor confinement with a custom profile]: :'
     '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif