From d7ce16d760b15f6342871f0cc24034918c241c78 Mon Sep 17 00:00:00 2001 From: Peter Millerchip Date: Sun, 18 Dec 2016 13:34:53 +0000 Subject: Remove compiler warnings on Ubuntu 16.04 --- src/firejail/firejail.h | 1 + src/firejail/fs_etc.c | 1 + 2 files changed, 2 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8fede5a69..86a669fcd 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -564,6 +564,7 @@ void network_del_run_file(pid_t pid); void network_set_run_file(pid_t pid); // fs_etc.c +void fs_machineid(void); void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); // no_sandbox.c diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index a27c0e41b..479383af2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -21,6 +21,7 @@ #include #include #include +#include #include // spoof /etc/machine_id -- cgit v1.2.3-70-g09d2 From a49147ae947c6b9a07f2bb629268b251694b5c22 Mon Sep 17 00:00:00 2001 From: Peter Millerchip Date: Sun, 18 Dec 2016 14:11:37 +0000 Subject: Implement the --allow-private-blacklist option --- src/firejail/firejail.h | 3 ++- src/firejail/fs.c | 9 +++++++++ src/firejail/main.c | 4 ++++ src/firejail/usage.c | 4 +++- 4 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 86a669fcd..de939439d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -208,7 +208,7 @@ typedef struct config_t { char *bin_private_keep; // keep list for private bin directory char *cwd; // current working directory char *overlay_dir; - char *private_template; // template dir for tmpfs home + char *private_template; // template dir for tmpfs home // networking char *name; // sandbox name 
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid); extern int arg_private; // mount private /home extern int arg_private_template; // private /home template +extern int arg_allow_private_blacklist; // blacklist things in private directories extern int arg_debug; // print debug messages extern int arg_debug_check_filename; // print debug messages for filename checking extern int arg_debug_blacklists; // print debug messages for blacklists diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 890f281aa..e2fc09533 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ exit(1); } } + + // We don't usually need to blacklist things in private home directories + if (okay_to_blacklist + && cfg.homedir + && arg_private + && (!arg_allow_private_blacklist) + && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0)) + okay_to_blacklist = false; + if (okay_to_blacklist) disable_file(op, path); else if (arg_debug) diff --git a/src/firejail/main.c b/src/firejail/main.c index b25bad9f2..65d2b9d44 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -112,6 +112,7 @@ int arg_x11_block = 0; // block X11 int arg_x11_xorg = 0; // use X11 security extention int arg_allusers = 0; // all user home directories visible int arg_machineid = 0; // preserve /etc/machine-id +int arg_allow_private_blacklist = 0; // blacklist things in private directories int login_shell = 0; @@ -1463,6 +1464,9 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--machine-id") == 0) { arg_machineid = 1; } + else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { + arg_allow_private_blacklist = 1; + } else if (strcmp(argv[i], "--private") == 0) { arg_private = 1; } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index db3c25a5a..1131abe5f 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
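Review bot: The home-directory test added in the fs.c hunk is a bare prefix match, `strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0`, so a path that only shares the prefix is also treated as inside the private home and its blacklist entry is dropped (constructed example: home `/home/bob`, path `/home/bobby/...`). A dropped entry leaves that file reachable in the sandbox, so the match should stop at a path-component boundary: take `size_t hlen = strlen(cfg.homedir);` and add `&& (path[hlen] == '/' || path[hlen] == '\0')` after the `strncmp` term. It is also worth confirming that `arg_private` is not set for a persistent private home such as `--private=directory`, where the files are real and a skipped blacklist would matter; that parsing is not visible here. The body of `globbing()` starts and ends outside the hunk.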
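Review bot: The new `--allow-private-blacklist` branch in the main.c option parser makes this a command-line-only switch, and the diffstat lists only firejail.h, fs.c, main.c and usage.c, so neither the man page nor profile parsing appears to learn about it. The default it overrides silently skips blacklist entries under the home directory when `--private` is set, so a profile that blacklists home paths would have no way to opt back in from the profile itself. Consider adding the matching profile keyword and man page entry in the same change, plus a comment above the branch such as `// only has an effect together with --private; see globbing() in fs.c`. `main()` continues outside the hunk.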
@@ -30,12 +30,14 @@ void usage(void) { printf("Options:\n"); printf(" -- - signal the end of options and disables further option processing.\n"); printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); + printf(" --allow-private-blacklist - allow blacklisting things in private\n"); + printf("\tdirectories.\n"); printf(" --allusers - all user home directories are visible inside the sandbox.\n"); printf(" --apparmor - enable AppArmor confinement.\n"); printf(" --appimage - sandbox an AppImage application.\n"); printf(" --audit[=test-program] - audit the sandbox.\n"); #ifdef HAVE_NETWORK - printf(" --bandwidth=name|pid - set bandwidth limits\n"); + printf(" --bandwidth=name|pid - set bandwidth limits.\n"); #endif #ifdef HAVE_BIND printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); -- cgit v1.2.3-70-g09d2
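Review bot: The help text added for `--allow-private-blacklist` ("allow blacklisting things in private directories") does not tell the user that, without the option, blacklist entries under the home directory are skipped whenever `--private` is given. Judging from the fs.c hunk in this commit, the check only covers paths under `cfg.homedir`, so "private directories" also overstates the scope. A wording closer to the behaviour would be `printf(" --allow-private-blacklist - keep applying blacklist entries under the home\n");` followed by `printf("\tdirectory when --private is used.\n");`.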