From 67f8a71cd721b1786dc5b17248316a714ea71869 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 12 Jul 2016 08:21:57 -0400 Subject: whitelist rework --- README.md | 17 ++++++++++++++ src/firejail/fs_whitelist.c | 28 +++++++++++----------- src/man/firejail.txt | 6 ++--- todo | 57 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 8f4a66c0f..019a6a56c 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,23 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ --user option was deprecated, please use "sudo -u username firejail application" instead. +## --whitelist rework + +Symlinks outside user home directories are allowed: +````` + --whitelist=dirname_or_filename + Whitelist directory or file. This feature is implemented only + for user home, /dev, /media, /opt, /var, and /tmp directories. + With the exeception of user home, both the link and the real + file should be in the same top directory. + + Example: + $ firejail --noprofile --whitelist=~/.mozilla + $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null + $ firejail "--whitelist=/home/username/My Virtual Machines" +````` + + ## AppImage AppImage (http://appimage.org/) is a distribution-agnostic packaging format. diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index ba6c8cd74..926e5415c 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) {
 	char *wfile = NULL;
 	if (entry->home_dir) {
-		fname = path + strlen(cfg.homedir);
-		if (*fname == '\0') {
-			fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
-			exit(1);
+		if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
+			fname = path + strlen(cfg.homedir);
+			if (*fname == '\0') {
+				fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+				exit(1);
+			}
 		}
+		else
+			fname = path;
 		if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
 			errExit("asprintf");
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) {
 			printf("Whitelisting %s\n", path);
 		}
 		else {
-			if (arg_debug || arg_debug_whitelists) {
-				fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);
-			}
 			return;
 		}
@@ -390,13 +391,14 @@ void fs_whitelist(void) {
 			entry->home_dir = 1;
 			home_dir = 1;
+			if (arg_debug)
+				fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+					__LINE__, fname, cfg.homedir);
+
 			// both path and absolute path are under /home
-			if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-				if (arg_debug)
-					fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
-						__LINE__, fname, cfg.homedir);
-				goto errexit;
-			}
+//			if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+//				goto errexit;
+//			}
 		}
 		else if (strncmp(new_name, "/tmp/", 5) == 0) {
 			entry->tmp_dir = 1;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd9ea6a8a..f7079200e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
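Review bot: The new prefix test `strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0` accepts any path that merely starts with the home directory string, so with a home of /home/user (constructed example) a target under /home/username would be stripped to `fname = "name/..."` and mirrored at the wrong place under RUN_WHITELIST_HOME_USER_DIR; checking the separator closes this: `size_t hlen = strlen(cfg.homedir);` / `if (strncmp(path, cfg.homedir, hlen) == 0 && (path[hlen] == '/' || path[hlen] == '\0')) {`. In the new `else` branch `fname = path` presumably keeps a leading slash, so the asprintf on the next context line builds a `//` in the mount path; that branch also deserves a comment stating that a home whitelist entry whose resolved target lies outside home is now deliberately accepted and placed under the home whitelist directory by its full absolute path, since nothing else in the function says so. whitelist_path's body begins before and ends after this hunk.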
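Review bot: The `else { return; }` branch in the second hunk now drops a whitelist entry that failed validation without any trace, even when --debug-whitelists is on, which makes a mistyped or non-existent `--whitelist=` path indistinguishable from a successful one. Keeping the diagnostic under the dedicated flag costs nothing on the normal path: `if (arg_debug_whitelists)` / `fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);`. The condition that selects this else branch is outside the hunk, so what "invalid" covers here is not visible; whitelist_path continues before and after the hunk.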
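Review bot: The three `+//` lines in the third hunk keep the old home-directory check as commented-out code instead of deleting it, and with the check gone the surviving comment `// both path and absolute path are under /home` describes a condition that nothing enforces any more. Delete the commented lines and reword the comment to state the new rule, e.g. `// the resolved target may lie outside home; whitelist_path() maps it by its full path`. The relocated `if (arg_debug)` print now fires for every home entry rather than only on the formerly rejected path, which looks intended but is worth a sentence in the commit message since it changes debug output volume. fs_whitelist starts and ends outside the hunk.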
@@ -1515,14 +1515,14 @@ firejail version 0.9.27
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
-When whitlisting symbolic links, both the link and the real file should be in the same top directory
-(home user, /media, /var etc.)
+With the exeception of user home, both the link and the real file should be in
+the same top directory.
 .br
 .br
 Example:
 .br
-$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
diff --git a/todo b/todo
index 88baff216..5ceb4e530 100644
--- a/todo
+++ b/todo
@@ -161,3 +161,60 @@ To disable Vsync
 $ vblank_mode=0 glxgears
+18. Bring in nvidia drives in private-dev
+
+/dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm
+
+19. testing snaps
+
+Install firejail from official repository
+sudo apt-get install firejail
+
+Check firejail version
+firejail --version
+
+Above command outputs: firejail version 0.9.38
+
+Search the snap 'ubuntu clock' application
+sudo snap find ubuntu-clock-app
+
+Install 'ubuntu clock' application using snap
+sudo snap install ubuntu-clock-app
+
+Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
+cd /snap/bin/
+ls -l
+
+Note: We see application name is: ubuntu-clock-app.clock
+
+Run application
+/snap/bin/ubuntu-clock-app.clock
+
+Note: Application starts-up without a problem and clock is displayed.
+
+Close application using mouse.
+
+Now try to firejail the application.
+firejail /snap/bin/ubuntu-clock-app.clock
+
+-------- Error message --------
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+
+** Note: you can use --noprofile to disable generic.profile **
+
+Parent pid 3770, child pid 3771
+
+Child process initialized
+need to run as root or suid
+
+parent is shutting down, bye...
+-------- End of Error message --------
+
+Try running as root as message instructs.
+sudo firejail /snap/bin/ubuntu-clock-app.clock
+
+extract env for process
+ps e -p | sed 's/ /\n/g'
--
cgit v1.2.3-70-g09d2