From ac39cb31334c7951a97c4fc9b295c39924cd7427 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Thu, 10 Dec 2015 13:49:30 -0500
Subject: fixes

---
 configure               | 18 +++++++++---------
 configure.ac            |  2 +-
 etc/firefox.profile     |  6 ++++++
 src/firejail/fs_etc.c   | 30 ++++++++++++++++++++++--------
 src/firejail/fs_trace.c |  6 +++---
 src/firejail/main.c     | 23 ++++++++++++++++++++++-
 src/firejail/profile.c  |  8 +++++++-
 src/firejail/sandbox.c  |  6 +++++-
 8 files changed, 75 insertions(+), 24 deletions(-)

diff --git a/configure b/configure
index 460224ad2..5770c0729 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.36-rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.36-rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.36-rc1'
-PACKAGE_STRING='firejail 0.9.36-rc1'
+PACKAGE_VERSION='0.9.36-rc2'
+PACKAGE_STRING='firejail 0.9.36-rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://github.com/netblue30/firejail'
 
@@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.36-rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.36-rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1299,7 +1299,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.36-rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.36-rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1389,7 +1389,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.36-rc1
+firejail configure 0.9.36-rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.36-rc1, which was
+It was created by firejail $as_me 0.9.36-rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4107,7 +4107,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.36-rc1, which was
+This file was extended by firejail $as_me 0.9.36-rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4161,7 +4161,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.36-rc1
+firejail config.status 0.9.36-rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index d9f7ad22a..eec6481a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.36-rc1, netblue30@yahoo.com, , http://github.com/netblue30/firejail)
+AC_INIT(firejail, 0.9.36-rc2, netblue30@yahoo.com, , http://github.com/netblue30/firejail)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/firefox.profile b/etc/firefox.profile
index bc30b61d2..40ddd7920 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -24,3 +24,9 @@ whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 include /etc/firejail/whitelist-common.inc
+whitelist /tmp/.X11-unix
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index df0e92203..b82baf1ad 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -24,7 +24,8 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
-static void check_dir_or_file(const char *name) {
+// return 0 if file not found, 1 if found
+static int check_dir_or_file(const char *name) {
 	assert(name);
 	invalid_filename(name);
 	
@@ -35,19 +36,20 @@ static void check_dir_or_file(const char *name) {
 	if (arg_debug)
 		printf("Checking %s\n", fname);		
 	if (stat(fname, &s) == -1) {
-		fprintf(stderr, "Error: file %s not found.\n", fname);
-		exit(1);
+		if (arg_debug)
+			printf("Warning: file %s not found.\n", fname);
+		return 0;
 	}
 	
 	// dir or regular file
 	if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) {
 		free(fname);
-		return;
+		return 1;
 	}
 
 	if (!is_link(fname)) {
 		free(fname);
-		return;
+		return 1;
 	}
 	
 	fprintf(stderr, "Error: invalid file type, %s.\n", fname);
@@ -63,11 +65,23 @@ void fs_check_etc_list(void) {
 	char *dlist = strdup(cfg.etc_private_keep);
 	if (!dlist)
 		errExit("strdup");
+	
+	// build a new list only with the files found
+	char *newlist = malloc(strlen(cfg.etc_private_keep) + 1);
+	if (!newlist)
+		errExit("malloc");
+	*newlist = '\0';
 
 	char *ptr = strtok(dlist, ",");
-	check_dir_or_file(ptr);
-	while ((ptr = strtok(NULL, ",")) != NULL)
-		check_dir_or_file(ptr);
+	if (check_dir_or_file(ptr))
+		strcat(newlist, ptr);
+	while ((ptr = strtok(NULL, ",")) != NULL) {
+		if (check_dir_or_file(ptr)) {
+			strcat(newlist, ",");
+			strcat(newlist, ptr);
+		}
+	}
+	cfg.etc_private_keep = newlist;
 	
 	free(dlist);
 }
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 55a1b9c7a..eec51c3f9 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -42,7 +42,7 @@ void fs_trace_preload(void) {
 			errExit("chown");
 		if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 			errExit("chmod");
-		fs_logger("touch /etc/ls.so.preload");
+		fs_logger("touch /etc/ld.so.preload");
 	}
 }
 
@@ -77,8 +77,8 @@ void fs_trace(void) {
 	if (arg_debug)
 		printf("Mount the new ld.so.preload file\n");
 	if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0)
-		errExit("mount bind ls.so.preload");
-	fs_logger("create /etc/ls.so.preload");
+		errExit("mount bind ld.so.preload");
+	fs_logger("create /etc/ld.so.preload");
 }
 
 		
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aad0af3e4..75b90ae81 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -831,6 +831,10 @@ int main(int argc, char **argv) {
 			
 			// extract private home dirname
 			cfg.home_private = argv[i] + 10;
+			if (*cfg.home_private == '\0') {
+				fprintf(stderr, "Error: invalid private option\n");
+				exit(1);
+			}
 			fs_check_private_dir();
 			arg_private = 1;
 		}
@@ -842,6 +846,10 @@ int main(int argc, char **argv) {
 			
 			// extract private home dirname
 			cfg.home_private_keep = argv[i] + 15;
+			if (*cfg.home_private_keep == '\0') {
+				fprintf(stderr, "Error: invalid private-home option\n");
+				exit(1);
+			}
 			fs_check_home_list();
 			arg_private = 1;
 		}
@@ -851,12 +859,25 @@ int main(int argc, char **argv) {
 		else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
 			// extract private etc dirname
 			cfg.etc_private_keep = argv[i] + 14;
+			if (*cfg.etc_private_keep == '\0') {
+				fprintf(stderr, "Error: invalid private-etc option\n");
+				exit(1);
+			}
 			fs_check_etc_list();
-			arg_private_etc = 1;
+			if (*cfg.etc_private_keep != '\0')
+				arg_private_etc = 1;
+			else {
+				arg_private_etc = 0;
+				fprintf(stderr, "Warning: private-etc disabled, no file found\n");
+			}
 		}
 		else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
 			// extract private etc dirname
 			cfg.bin_private_keep = argv[i] + 14;
+			if (*cfg.bin_private_keep == '\0') {
+				fprintf(stderr, "Error: invalid private-bin option\n");
+				exit(1);
+			}
 			fs_check_bin_list();
 			arg_private_bin = 1;
 		}
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 366a56e13..244370b98 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -285,7 +285,13 @@ int profile_check_line(char *ptr, int lineno) {
 	if (strncmp(ptr, "private-etc ", 12) == 0) {
 		cfg.etc_private_keep = ptr + 12;
 		fs_check_etc_list();
-		arg_private_etc = 1;
+		if (*cfg.etc_private_keep != '\0')
+			arg_private_etc = 1;
+		else {
+			arg_private_etc = 0;
+			fprintf(stderr, "Warning: private-etc disabled, no file found\n");
+		}
+		
 		return 0;
 	}
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 39f95a43a..4a1990382 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -380,8 +380,12 @@ int sandbox(void* sandbox_arg) {
 	
 	if (arg_private_dev)
 		fs_private_dev();
-	if (arg_private_etc)
+	if (arg_private_etc) {
 		fs_private_etc_list();
+		// create /etc/ld.so.preload file again
+		if (arg_trace || arg_tracelog)
+			fs_trace_preload();
+	}
 	if (arg_private_bin)
 		fs_private_bin_list();
 	
-- 
cgit v1.2.3-70-g09d2