From 2b8b8e54968d068599d5800f88869efcadd316ac Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 28 Nov 2015 07:37:32 -0500
Subject: profile cleanup, addinghexchat profile

---
 Makefile.in | 2 ++
 RELNOTES | 2 +-
 etc/disable-common.inc | 1 +
 etc/hexchat.profile | 10 +++++++
 etc/weechat-curses.profile | 2 ++
 etc/wine.profile | 1 +
 etc/xchat.profile | 1 +
 platform/debian/conffiles | 2 ++
 test/evince.exp | 2 +-
 test/fbreader.exp | 2 +-
 test/hexchat.exp | 71 ++++++++++++++++++++++++++++++++++++++++++++++
 test/test.sh | 35 +++++++++++++++++++++++
 test/vlc.exp | 2 +-
 test/weechat.exp | 71 ++++++++++++++++++++++++++++++++++++++++++++++
 test/wine.exp | 30 ++++++++++++++++++++
 test/xchat.exp | 71 ++++++++++++++++++++++++++++++++++++++++++++++
 todo | 12 ++++++++
 17 files changed, 313 insertions(+), 4 deletions(-)
 create mode 100644 etc/hexchat.profile
 create mode 100644 etc/weechat-curses.profile
 create mode 100755 test/hexchat.exp
 create mode 100755 test/weechat.exp
 create mode 100755 test/wine.exp
 create mode 100755 test/xchat.exp

diff --git a/Makefile.in b/Makefile.in
index 89383bb27..c074c97e5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -119,6 +119,8 @@ realinstall:
 install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
 # man pages
diff --git a/RELNOTES b/RELNOTES
index ddd90218b..172e44bc9 100644
--- a/RELNOTES
+++ b/RELNOTES
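Review bot: The two added `install -c -m 0644 .etc/...profile` lines extend a per-file list that has to be mirrored by hand in platform/debian/conffiles (this commit touches both), so a forgotten entry is only noticed at packaging time. Keeping the profile names in one variable and installing from it, e.g. `PROFILES := ... weechat-curses hexchat` and `for p in $(PROFILES); do install -c -m 0644 .etc/$$p.profile $(DESTDIR)/$(sysconfdir)/firejail/.; done`, would give the install rule and the conffiles list a single source to check against. The realinstall recipe starts before this hunk.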
@@ -1,5 +1,5 @@ firejail (0.9.35) baseline; urgency=low - * added unbound, dnscrypt-proxy, BitlBee, and WeeChat profiles + * added unbound, dnscrypt-proxy, BitlBee, HexChat and WeeChat profiles * added --noblacklist option * whitelist command enhancements * prevent leaking user information by modifying /home directory, diff --git a/etc/disable-common.inc b/etc/disable-common.inc index a363d1369..177588f5b 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -38,6 +38,7 @@ blacklist ${HOME}/.remmina # Other blacklist ${HOME}/.tconn blacklist ${HOME}/.FBReader +blacklist ${HOME}/.wine # X11 session autostart blacklist ${HOME}/.xinitrc diff --git a/etc/hexchat.profile b/etc/hexchat.profile new file mode 100644 index 000000000..61c9ac5bb --- /dev/null +++ b/etc/hexchat.profile @@ -0,0 +1,10 @@ +# HexChat profile +noblacklist ${HOME}/.config/hexchat +include /etc/firejail/disable-mgmt.inc +include /etc/firejail/disable-secret.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +caps.drop all +seccomp +protocol unix,inet,inet6 +noroot diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile new file mode 100644 index 000000000..f7c1b6590 --- /dev/null +++ b/etc/weechat-curses.profile @@ -0,0 +1,2 @@ +# Weechat profile (Debian) +include /etc/firejail/weechat.profile diff --git a/etc/wine.profile b/etc/wine.profile index e3dd081eb..8a7f66773 100644 --- a/etc/wine.profile +++ b/etc/wine.profile @@ -1,6 +1,7 @@ # wine profile noblacklist ${HOME}/.steam noblacklist ${HOME}/.local/share/steam +noblacklist ${HOME}/.wine include /etc/firejail/disable-mgmt.inc include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc diff --git a/etc/xchat.profile b/etc/xchat.profile index a9f56cda4..37e1371e6 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile 
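Review bot: `blacklist ${HOME}/.wine` in the shared include now hides the Wine prefix from every profile that pulls in disable-common.inc, and within this commit only etc/wine.profile re-enables it with `noblacklist`. That is a sensible default, but any other profile whose program launches Windows software through Wine will break without an error; a comment next to the new line, such as `# Wine prefix; profiles that need it must noblacklist ${HOME}/.wine (the profiles here place it before the includes)`, would record the expectation. The blacklist section continues outside the hunk.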
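Review bot: The new profile gives no reason for `noblacklist ${HOME}/.config/hexchat` or for placing it ahead of the `include` lines, and nothing on this page shows which include blacklists that directory. A header comment such as `# HexChat keeps its configuration in ~/.config/hexchat; re-enable it before the disable-*.inc includes` would make both the intent and the ordering explicit for the next profile author who copies this file.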
@@ -1,4 +1,5 @@ # XChat profile +noblacklist ${HOME}/.config/xchat include /etc/firejail/disable-mgmt.inc include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index fd82a4e8c..c0d07a446 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -46,3 +46,5 @@ /etc/firejail/webserver.net /etc/firejail/bitlbee.profile /etc/firejail/weechat.profile +/etc/firejail/weechat-curses.profile +/etc/firejail/hexchat.profile diff --git a/test/evince.exp b/test/evince.exp index 7b115144c..ba6ca1b6d 100755 --- a/test/evince.exp +++ b/test/evince.exp @@ -13,7 +13,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 10 +sleep 3 spawn $env(SHELL) send -- "firejail --list\r" diff --git a/test/fbreader.exp b/test/fbreader.exp index 546710b97..a4df50932 100755 --- a/test/fbreader.exp +++ b/test/fbreader.exp @@ -13,7 +13,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 10 +sleep 3 spawn $env(SHELL) send -- "firejail --list\r" diff --git a/test/hexchat.exp b/test/hexchat.exp new file mode 100755 index 000000000..0653bcb13 --- /dev/null +++ b/test/hexchat.exp 
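Review bot: `noblacklist ${HOME}/.config/xchat` looks copied from the hexchat profile: XChat 2.x normally keeps its settings under `~/.xchat2` (worth verifying against the packaged version), and no include visible on this page blacklists `~/.config/xchat`, so the line may be a no-op while the real configuration directory stays governed by the includes. If `~/.xchat2` is blacklisted by one of the disable-*.inc files, `noblacklist ${HOME}/.xchat2` is the line that matters; otherwise a comment naming which include this entry is meant to override would help.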
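Review bot: Replacing `sleep 10` with `sleep 3` before the `firejail --list` check swaps one fixed margin for a smaller one; the sleep presumably gives the application time to come up, so on a slow or loaded test host the sandbox may not be ready and a later expect times out. The same change is made in test/fbreader.exp and test/vlc.exp. Waiting on something observable, such as an `expect` for output that only appears once the program is running, would be both faster and deterministic; if a sleep must stay, a comment stating why 3 seconds is enough would help whoever next lowers it.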
@@ -0,0 +1,71 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail hexchat\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/hexchat.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "hexchat" +} +sleep 1 +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "hexchat" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "hexchat" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\n" + diff --git a/test/test.sh b/test/test.sh index fdb1f8ed7..aaae2a981 100755 --- a/test/test.sh +++ b/test/test.sh @@ -260,6 +260,41 @@ else echo "TESTING: gnome-mplayer not found" fi +which xchat +if [ "$?" -eq 0 ]; +then + echo "TESTING: xchat" + ./xchat.exp +else + echo "TESTING: xchat not found" +fi + +which hexchat +if [ "$?" -eq 0 ]; +then + echo "TESTING: hexchat" + ./hexchat.exp +else + echo "TESTING: hexchat not found" +fi + +which weechat-curses +if [ "$?" -eq 0 ]; +then + echo "TESTING: weechat" + ./weechat.exp +else + echo "TESTING: weechat not found" +fi + +#which wine +#if [ "$?" -eq 0 ]; +#then +# echo "TESTING: wine" +# ./wine.exp +#else +# echo "TESTING: wine not found" +#fi 
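Review bot: Every `timeout {puts "TESTING ERROR n\n";exit}` handler exits with status 0, so a timed-out check still returns success to the `./hexchat.exp` call in test/test.sh and only the printed message records the failure. `exit 1` in each handler, e.g. `timeout {puts "TESTING ERROR 1\n";exit 1}`, would let a harness fail on a missing sandbox or a wrong seccomp/caps state; test/test.sh does not check the status either, so that would need a follow-up there. The same pattern is in test/weechat.exp, test/wine.exp and test/xchat.exp. The script also leaves the hexchat and `--name=blablabla` sandboxes running when it ends; a teardown step that shuts them down, or at least a comment saying they are left behind on purpose, would stop them from influencing the scripts test.sh runs next.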
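Review bot: The wine block is added entirely commented out (`#which wine` … `#fi`) with no explanation of why test/wine.exp, also added in this commit, is not run; either drop the block or keep a single line such as `# wine.exp disabled: <reason>` so the next reader knows whether it is broken or merely slow. Style: the three live blocks repeat `which X` followed by `if [ "$?" -eq 0 ]`; `if which hexchat >/dev/null 2>&1; then` (or `command -v`) tests the lookup directly and keeps `which` from echoing the binary path into the test log. The weechat block probes `weechat-curses` but echoes `TESTING: weechat`, which makes the log harder to match to the binary.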
diff --git a/test/vlc.exp b/test/vlc.exp index 8ab5aa2ce..53d25c9dd 100755 --- a/test/vlc.exp +++ b/test/vlc.exp @@ -13,7 +13,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 10 +sleep 3 spawn $env(SHELL) send -- "firejail --list\r" diff --git a/test/weechat.exp b/test/weechat.exp new file mode 100755 index 000000000..ac2430280 --- /dev/null +++ b/test/weechat.exp @@ -0,0 +1,71 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail weechat-curses\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/weechat.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "weechat-curses" +} +sleep 1 +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "weechat-curses" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "weechat-curses" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\n" + diff --git a/test/wine.exp b/test/wine.exp new file mode 100755 index 000000000..d87c1f205 --- /dev/null +++ b/test/wine.exp 
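Review bot: The script runs `firejail weechat-curses` but waits for `"Reading profile /etc/firejail/weechat.profile"`, the profile that etc/weechat-curses.profile includes, rather than weechat-curses.profile itself. If firejail only reports the top-level profile this expect times out, and even if it also reports included files the check does not prove the new alias profile was selected; matching `"Reading profile /etc/firejail/weechat-curses.profile"` (or both, in order) would verify what the commit actually adds.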
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail wine --help\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/wine.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Usage: wine PROGRAM"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "wine --version"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "parent is shutting down, bye..."
+}
+
+puts "\nall done\n"
+
diff --git a/test/xchat.exp b/test/xchat.exp
new file mode 100755
index 000000000..babbcf87d
--- /dev/null
+++ b/test/xchat.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail xchat\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/xchat.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "xchat"
+}
+sleep 1
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ " xchat"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ " xchat"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+
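Review bot: The `firejail --list` check (TESTING ERROR 3.1) matches the bare string `"xchat"`, which is also a substring of `hexchat`; test/test.sh runs hexchat.exp immediately before this script and neither one shuts its sandboxes down, so a leftover hexchat sandbox can satisfy this expect even when xchat failed to start. The later firemon checks already use `" xchat"` with a leading space, apparently to avoid that collision, so the first check should use `" xchat"` as well.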
diff --git a/todo b/todo index a55e12818..db895deef 100644 --- a/todo +++ b/todo @@ -150,3 +150,15 @@ mount tmpfs on /sys/power 20. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151 +21. Check this out: + +I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only. + Here's what my fstab looks like now: + +/dev/mapper/asdf-home /home ext4 nosuid,noatime,nodev 0 2 +/dev/mapper/asdf-opt /opt ext4 discard,noatime,nosuid 0 2 +/dev/mapper/asdf-usr--bin /usr/bin ext4 defaults,nosuid,noatime,rw 0 2 +/dev/mapper/asdf-usr--local /usr/local ext4 defaults,nosuid,noatime,ro 0 2 +/dev/mapper/asdf-usr--sbin /usr/sbin ext4 defaults,nosuid,,noatime,ro 0 2 +/dev/mapper/asdf-var /var ext4 discard,noatime,nodev,nosuid 0 2 +tmpfs /tmp tmpfs noatime,nosuid,nodev,size=2G 0 1 \ No newline at end of file -- cgit v1.2.3-70-g09d2