13 files changed, 142 insertions, 141 deletions
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 78bd622fc..d3dcd57d0 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
            _filedir
            return 0
            ;;
+       --read-write)
+            _filedir
+            return 0
+            ;;
        --bind)
            _filedir
            return 0
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 1ead2aa38..1edce5802 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
                printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
        }
        else {
-                printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+                printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
        }       
        close(sock);
@@ -65,8 +65,8 @@ void dbus_test(void) {
                        check_session_bus(sockfile);
                        
                        sockfile -= 13;
-                        free(sockfile);
                }
+                free(bus);
        }
 }
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
new file mode 100644
index 000000000..92f615958
--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+void dev_test(void) {
+        DIR *dir;
+        if (!(dir = opendir("/dev"))) {
+                fprintf(stderr, "Error: cannot open /dev directory\n");
+                return;
+        }
+        
+        struct dirent *entry;
+        printf("INFO: files visible in /dev directory: ");
+        int cnt = 0;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                
+                printf("%s, ", entry->d_name);
+                cnt++;
+        }
+        printf("\n");
+        
+        if (cnt > 20)
+                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+        else
+                printf("GOOD: Access to /dev directory is restricted.\n");
+        closedir(dir);
+}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 3c08a3eab..93fb4b709 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -58,4 +58,7 @@ void network_test(void);
 // dbus.c
 void dbus_test(void);
+// dev.c
+void dev_test(void);
 #endif
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 14794719d..6ff938d98 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -38,8 +38,9 @@ int main(int argc, char **argv) {
        // extract program name
        prog = realpath(argv[0], NULL);
        if (prog == NULL) {
-                fprintf(stderr, "Error: cannot extract the path of the audit program\n");
+                prog = strdup("faudit");
-                return 1;
+                if (!prog)
+                        errExit("strdup");
        }
        printf("INFO: starting %s.\n", prog);
        
@@ -67,7 +68,11 @@ int main(int argc, char **argv) {
        // dbus
        dbus_test();
        printf("\n");
-        
+        // /dev test
+        dev_test();
+        printf("\n");
        free(prog);
        printf("--------------------------------------------------------------------------------\n");
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index ba975c4b4..48e205a58 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -40,6 +40,7 @@ midori
 netsurf
 opera-beta
 opera
+palemoon
 qutebrowser
 seamonkey
 seamonkey-bin
@@ -98,6 +99,7 @@ totem
 vlc
 xplayer
 xviewer
+eom
 # news readers
 quiterss
@@ -110,10 +112,11 @@ fbreader
 gwenview
 gthumb
 libreoffice
+localc
 lodraw
 loffice
 lofromtemplate
-loimpres
+loimpress
 lomath
 loweb
 lowriter
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8856986e6..29bb6c494 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -584,10 +584,6 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 int checkcfg(int val);
-// fs_rdwr.c
-void fs_rdwr_add(const char *path);
-void fs_rdwr(void);
 // appimage.c
 void appimage_set(const char *appimage_path);
 void appimage_clear(void);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 4b2b91b17..630458549 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,6 +27,8 @@
 #include <fcntl.h>
 #include <errno.h>
+static void fs_rdwr(const char *dir);
 static void create_empty_dir(void) {
        struct stat s;
        
@@ -229,6 +231,7 @@ typedef enum {
        MOUNT_READONLY,
        MOUNT_TMPFS,
        MOUNT_NOEXEC,
+        MOUNT_RDWR,
        OPERATION_MAX
 } OPERATION;
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) {
                fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
        }
+        else if (op == MOUNT_RDWR) {
+                if (arg_debug)
+                        printf("Mounting read-only %s\n", fname);
+                fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
        else if (op == MOUNT_NOEXEC) {
                if (arg_debug)
                        printf("Mounting noexec %s\n", fname);
@@ -492,6 +501,10 @@ void fs_blacklist(void) {
                        ptr = entry->data + 10;
                        op = MOUNT_READONLY;
                }                       
+                else if (strncmp(entry->data, "read-write ", 11) == 0) {
+                        ptr = entry->data + 11;
+                        op = MOUNT_RDWR;
+                }                       
                else if (strncmp(entry->data, "noexec ", 7) == 0) {
                        ptr = entry->data + 7;
                        op = MOUNT_NOEXEC;
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) {
        }
 }
+static void fs_rdwr(const char *dir) {
+        assert(dir);
+        // check directory exists
+        struct stat s;
+        int rv = stat(dir, &s);
+        if (rv == 0) {
+                // if the file is outside /home directory, allow only root user
+                uid_t u = getuid();
+                if (u != 0 && s.st_uid != u) {
+                        fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+                        return;
+                }
+                
+                // mount --bind /bin /bin
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                // mount --bind -o remount,rw /bin
+                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                fs_logger2("read-write", dir);
+        }
+}
 void fs_noexec(const char *dir) {
        assert(dir);
        // check directory exists
@@ -757,9 +793,6 @@ void fs_basic_fs(void) {
        // firejail sandboxes (firejail --force)
        if (getuid() != 0)
                disable_firejail_config();
-                
-        if (getuid() == 0)
-                fs_rdwr();
 }
@@ -1093,7 +1126,7 @@ void fs_chroot(const char *rootdir) {
                if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
                        errExit("asprintf");
                if (arg_debug)
-                        printf("Mounting /tmp/.X11-unix on %s\n", newdev);
+                        printf("Mounting /tmp/.X11-unix on %s\n", newx11);
                if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mounting /tmp/.X11-unix");
                free(newx11);
diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c
deleted file mode 100644
index 68df6465f..000000000
--- a/src/firejail/fs_rdwr.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <sys/mount.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-typedef struct rdwr_t {
-        struct rdwr_t *next;
-        const char *path;
-} RDWR;
-RDWR *rdwr = NULL;
-void fs_rdwr_add(const char *path) {
-        // verify path
-        if (*path != '/') {
-                fprintf(stderr, "Error: invalid path for read-write command\n");
-                exit(1);
-        }
-        invalid_filename(path);
-        if (is_link(path)) {
-                fprintf(stderr, "Error: invalid symbolic link for read-write command\n");
-                exit(1);
-        }
-        if (strstr(path, "..")) {
-                fprintf(stderr, "Error: invalid path for read-write command\n");
-                exit(1);
-        }
-        
-        // print warning if the file doesn't exist
-        struct stat s;
-        if (stat(path, &s) == -1) {
-                fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path);
-                return;
-        }
-        
-        // build list entry
-        RDWR *r = malloc(sizeof(RDWR));
-        if (!r)
-                errExit("malloc");
-        memset(r, 0, sizeof(RDWR));
-        r->path = path;
-        
-        // add
-        r->next = rdwr;
-        rdwr = r;
-}
-static void mount_rdwr(const char *path) {
-        assert(path);
-        // check directory exists
-        struct stat s;
-        int rv = stat(path, &s);
-        if (rv == 0) {
-                // mount --bind /bin /bin
-                if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
-                // mount --bind -o remount,rw /bin
-                if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
-                fs_logger2("read-write", path);
-        }
-}
-void fs_rdwr(void) {
-        RDWR *ptr = rdwr;
-        
-        while (ptr) {
-                mount_rdwr(ptr->path);
-                ptr = ptr->next;
-        }
-}
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index ba6c8cd74..926e5415c 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) {
        char *wfile = NULL;
        if (entry->home_dir) {
-                fname = path + strlen(cfg.homedir);
+                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {             
-                if (*fname == '\0') {
+                        fname = path + strlen(cfg.homedir);
-                        fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                        if (*fname == '\0') {
-                        exit(1);
+                                fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                                exit(1);
+                        }
                }
+                else
+                        fname = path;
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
                        errExit("asprintf");
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) {
                        printf("Whitelisting %s\n", path);
        }
        else {
-                if (arg_debug || arg_debug_whitelists) {
-                        fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);
-                }
                return;
        }
        
@@ -390,13 +391,14 @@ void fs_whitelist(void) {
                        entry->home_dir = 1;
                        home_dir = 1;
+                        if (arg_debug)
+                                fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+                                        __LINE__, fname, cfg.homedir);
                        // both path and absolute path are under /home
-                        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+//                      if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                if (arg_debug)
+//                              goto errexit;
-                                        fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+//                      }
-                                                __LINE__, fname, cfg.homedir);
-                                goto errexit;
-                        }
                }
                else if (strncmp(new_name, "/tmp/", 5) == 0) {
                        entry->tmp_dir = 1;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4f1c81e2b..cbc3d57cf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1206,7 +1206,7 @@ int main(int argc, char **argv) {
                                errExit("asprintf");
                        
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        // profile_add(line); is not necessary
+                        profile_add(line);
                }
                else if (strcmp(argv[i], "--overlay") == 0) {
                        if (cfg.chrootdir) {
@@ -2142,8 +2142,6 @@ int main(int argc, char **argv) {
                        fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
                else if (arg_overlay)
                        fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-//              else if (cfg.home_private_keep)
-//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
                else {
                        // try to load a default profile
                        char *profile_name = DEFAULT_USER_PROFILE;
@@ -2166,6 +2164,10 @@ int main(int argc, char **argv) {
                                else
                                        custom_profile = profile_find(profile_name, SYSCONFDIR);
                        }
+                        if (!custom_profile) {
+                                fprintf(stderr, "Error: no default.profile installed\n");
+                                exit(1);
+                        }
                        
                        if (custom_profile && !arg_quiet)
                                printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 40e2e4330..46ef0921d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -716,16 +716,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;               
        }
-        // read-write
-        if (strncmp(ptr, "read-write ", 11) == 0) {
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: read-write command is available only for root user\n");
-                        exit(1);
-                }
-                fs_rdwr_add(ptr + 11);
-                return 0;
-        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
@@ -747,6 +737,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        else if (strncmp(ptr, "read-only ", 10) == 0)
                ptr += 10;
+        else if (strncmp(ptr, "read-write ", 11) == 0)
+                ptr += 11;
        else if (strncmp(ptr, "noexec ", 7) == 0)
                ptr += 7;
        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd9ea6a8a..fed573e6c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1184,16 +1184,23 @@ A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted d
 should be made read-only independently. Making a parent directory read-only, will not
 make the whitelist read-only. Example:
 .br
+.br
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 .TP
 \fB\-\-read-write=dirname_or_filename
-By default, the sandbox mounts system directories read-only.
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+this operation. Example:
-Use this option to mount read-write files or directories inside the system directories.
+.br
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
-cases the system directories are mounted read-write.
 .TP
 \fB\-\-rlimit-fsize=number
@@ -1515,14 +1522,14 @@ firejail version 0.9.27
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
-When whitlisting symbolic links, both the link and the real file should be in the same top directory
+With the exeception of user home, both the link and the real file should be in 
-(home user, /media, /var etc.)
+the same top directory.
 .br
 .br
 Example:
 .br
-$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br