From 783251e0749e27e28b3ac54b5047f10cf1c44016 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 10 Jun 2016 08:40:24 -0400
Subject: private-bin conversion
---
 README.md | 4 +++
 etc/deluge.profile | 5 ++-
 etc/disable-devel.inc | 3 +-
 etc/mpv.profile | 4 +++
 etc/qbittorrent.profile | 3 ++
 etc/rtorrent.profile | 3 ++
 etc/transmission-gtk.profile | 5 ++-
 etc/transmission-qt.profile | 5 ++-
 etc/vlc.profile | 5 +++
 src/man/firejail.txt | 2 +-
 test/apps/apps.sh | 9 +++++
 test/apps/qbittorrent.exp | 83 ++++++++++++++++++++++++++++++++++++++++++++
 12 files changed, 125 insertions(+), 6 deletions(-)
 create mode 100755 test/apps/qbittorrent.exp
diff --git a/README.md b/README.md
index bc5717fb7..029a7c904 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo
 AppImage project home: https://github.com/probonopd/AppImageKit
+## Converting profiles to private-bin - work in progress
+
+BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt
+
 ## New security profiles
 Gitter, gThumb, mpv, Franz messenger
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 277ecc15e..87a17423b 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,4 @@
-# deluge bittorernt client profile
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 # deluge is using python on Debian
@@ -12,3 +12,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin deluge,sh,python,uname
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 0c9d21d39..99f059c44 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
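Review bot: The rewritten header comment still misspells the word — `-# deluge bittorernt client profile` becomes `+# deluge bittorrernt client profile` — so this hunk swaps one typo for another. Suggest `# deluge bittorrent client profile`, which also matches the "bittorrent profile" wording this commit gives the transmission-gtk and transmission-qt headers.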
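Review bot: `private-bin deluge,sh,python,uname` keeps a full shell and a Python interpreter inside the sandbox, so the new /bin restriction adds little for an attacker who already controls the deluge process, and the hunk gives no reason for any of the three extra binaries. The context line `# deluge is using python on Debian` in the first hunk explains python but not sh or uname; presumably the Debian launcher script needs them, which is worth stating next to the line, e.g. `# sh, python and uname are needed by the deluge launcher script on Debian` — confirm against the launcher before adopting that wording. Note that `private-bin` only restricts which executables are present; python modules under /usr/lib remain reachable unless a disable-devel-style blacklist is also included, and this profile's visible includes are only disable-common.inc and disable-programs.inc.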
@@ -37,8 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
-# disabled temporarily pending globbing implementation
-# in noblacklist command and firefox profile fix
+# Programs using python: deluge, some firefox addons
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 0a8a6103f..cbed7e8c6 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -12,3 +12,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+# to test
+shell none
+private-bin mpv
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index cbf898502..bb97a880b 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin qbittorrent
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 0be5e15d1..c196370a2 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin rtorrent
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 5aef32d45..e8d0e25e7 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
-# transmission-gtk profile
+# transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+
+shell none
+private-bin transmission-gtk
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index d8ab1c60d..fd3a98aad 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
-# transmission-qt profile
+# transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+
+shell none
+private-bin transmission-qt
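Review bot: The replacement comment drops the condition under which the python blacklist can be re-enabled — the removed lines tied it to globbing support in `noblacklist` and a firefox profile fix — and only lists current consumers, so a later reader no longer knows what has to happen before `#blacklist /usr/bin/python2*` and the lines below it can be uncommented. Suggest keeping both facts: `# Python left enabled: deluge and some firefox addons need it; re-enable once noblacklist supports globbing`. That the globbing work is still outstanding is inferred from the removed text, so adjust the wording if it has since landed.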
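Review bot: `# to test` marks the `shell none` / `private-bin mpv` pair as unverified, yet both directives are live in the installed profile; an untested private-bin tends to break features silently rather than loudly, because any helper the program execs is simply absent inside the sandbox (mpv's youtube-dl hook would be one candidate, if used — not verifiable from this hunk). Either keep the two lines commented out until a test exists, or replace the marker with something actionable such as `# TODO: confirm mpv execs no helpers (e.g. youtube-dl) before relying on private-bin`. The README hunk in this same commit lists only the BitTorrent profiles as converted, so mpv appears to have gone in ahead of that plan.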
diff --git a/etc/vlc.profile b/etc/vlc.profile
index f8eebd376..e225e80e9 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,3 +12,8 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+
+# to test
+shell none
+private-bin vlc
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 71a73a02d..d72deab2f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1206,7 +1206,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index 37d66d609..3ecc161a1 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -60,6 +60,15 @@ else
 echo "TESTING SKIP: transmission-qt not found"
 fi
+which qbittorrent
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: qbittorrent"
+ ./qbittorrent.exp
+else
+ echo "TESTING SKIP: qbittorrent not found"
+fi
+
 which evince
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
new file mode 100755
index 000000000..4f3f7c362
--- /dev/null
+++ b/test/apps/qbittorrent.exp
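Review bot: Two blank lines are added before `# to test` here where every other profile in this commit adds one, and as with mpv the marker says the `shell none` / `private-bin vlc` pair has not been exercised even though both directives are live. Drop the extra blank line for consistency, and either comment the two directives out until tested or make the marker actionable, e.g. `# TODO: verify vlc needs no external helpers before keeping private-bin`. The README hunk in this commit lists only the BitTorrent profiles as converted, so vlc's inclusion looks premature.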
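Review bot: `which qbittorrent` followed by `if [ "$?" -eq 0 ];` prints the binary path into the test log and tests the status indirectly; the idiomatic form is `if command -v qbittorrent >/dev/null 2>&1; then`, which is quiet and does not depend on an external `which`. The neighbouring blocks visible as context (transmission-qt, evince) use the same `which`/`$?` pattern, so this is a file-wide style point rather than a defect unique to this hunk; if consistency wins, at least silence the output with `which qbittorrent >/dev/null 2>&1`. The script continues on both sides of the hunk.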
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail qbittorrent\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 5
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "qbittorrent"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+
-- 
cgit v1.2.3-54-g00ecf
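Review bot: The two checks after `firemon --seccomp` both report `TESTING ERROR 5.1` (one with a `(seccomp)` suffix, one without), so a failed `name=blablabla` match is hard to tell apart from a failed `Seccomp: 2` match; renumber the second to `TESTING ERROR 5.2`. More importantly, this test lands together with the `shell none` / `private-bin qbittorrent` conversion but only verifies seccomp and an empty capability bounding set, which the profile already had before this commit — nothing asserts that the private /bin took effect. Matching a private-bin line in firejail's startup output, or joining the sandbox and listing its /usr/bin, would pin the behaviour the commit actually changes; the exact text firejail prints for private-bin in this version is not visible here, so fit the pattern to what it emits. The spawned sandboxes are also never shut down before the final `puts`, so qbittorrent is left running after the test unless the surrounding suite cleans up; a `send -- "exit\r"` per spawned shell would avoid that.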