From d4113399e3b19b3cf29cb8eb8ab47bcd164112a9 Mon Sep 17 00:00:00 2001
From: xSmurf <xsmurf+github@smurfturf.net>
Date: Thu, 25 Jun 2015 21:36:12 +0000
Subject: [PATCH 1/2] Don't barf on missing blacklist items, cleanup of makedev
 mode setting

---
 fs/fs.go            |  9 ++++-----
 oz-daemon/rootfs.go | 34 +++++++++++++++++-----------------
 2 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/fs/fs.go b/fs/fs.go
index 288d2b5..40423a8 100644
--- a/fs/fs.go
+++ b/fs/fs.go
@@ -51,14 +51,13 @@ func (fs *Filesystem) CreateEmptyDir(target string) error {
 	return copyFileInfo(fi, target)
 }
 
-func (fs *Filesystem) CreateDevice(devpath string, dev int, mode, perm uint32) error {
+func (fs *Filesystem) CreateDevice(devpath string, dev int, mode uint32) error {
 	p := fs.absPath(devpath)
+	um := syscall.Umask(0)
 	if err := syscall.Mknod(p, mode, dev); err != nil {
 		return fmt.Errorf("failed to mknod device '%s': %v", p, err)
 	}
-	if err := os.Chmod(p, os.FileMode(perm)); err != nil {
-		return fmt.Errorf("unable to set file permissions on device '%s': %v", p, err)
-	}
+	syscall.Umask(um)
 	return nil
 }
 
@@ -196,7 +195,7 @@ func readSourceInfo(src string, cancreate bool, u *user.User) (os.FileInfo, erro
 func (fs *Filesystem) BlacklistPath(target string, u *user.User) error {
 	ps, err := resolvePath(target, u)
 	if err != nil {
-		return err
+		return nil
 	}
 	for _, p := range ps {
 		if err := fs.blacklist(p); err != nil {
diff --git a/oz-daemon/rootfs.go b/oz-daemon/rootfs.go
index d89e6b6..8a56028 100644
--- a/oz-daemon/rootfs.go
+++ b/oz-daemon/rootfs.go
@@ -38,17 +38,17 @@ var deviceSymlinks = [][2]string{
 }
 
 var basicBlacklist = []string{
-	"/usr/sbin", "/sbin", "${PATH}/su",
-	"${PATH}/sudo", "${PATH}/fusermount",
+	"/usr/sbin", "/sbin", "/etc/X11",
+	"${PATH}/sudo", "${PATH}/su",
 	"${PATH}/xinput", "${PATH}/strace",
 	"${PATH}/mount", "${PATH}/umount",
+	"${PATH}/fusermount",
 }
 
 type fsDeviceDefinition struct {
 	path string
 	mode uint32
 	dev  int
-	perm uint32
 }
 
 const ugorw = syscall.S_IRUSR | syscall.S_IWUSR | syscall.S_IRGRP | syscall.S_IWGRP | syscall.S_IROTH | syscall.S_IWOTH
@@ -56,19 +56,19 @@ const urwgr = syscall.S_IRUSR | syscall.S_IWUSR | syscall.S_IRGRP
 const urw = syscall.S_IRUSR | syscall.S_IWUSR
 
 var basicDevices = []fsDeviceDefinition{
-	{path: "/dev/full", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 7), perm: 0666},
-	{path: "/dev/null", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 3), perm: 0666},
-	{path: "/dev/random", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 8), perm: 0666},
-
-	{path: "/dev/console", mode: syscall.S_IFCHR | urw, dev: _makedev(5, 1), perm: 0600},
-	{path: "/dev/tty", mode: syscall.S_IFCHR | ugorw, dev: _makedev(5, 0), perm: 0666},
-	{path: "/dev/tty1", mode: syscall.S_IFREG | urwgr, dev: 0, perm: 0640},
-	{path: "/dev/tty2", mode: syscall.S_IFREG | urwgr, dev: 0, perm: 0640},
-	{path: "/dev/tty3", mode: syscall.S_IFREG | urwgr, dev: 0, perm: 0640},
-	{path: "/dev/tty4", mode: syscall.S_IFREG | urwgr, dev: 0, perm: 0640},
-
-	{path: "/dev/urandom", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 9), perm: 0666},
-	{path: "/dev/zero", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 5), perm: 0666},
+	{path: "/dev/full", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 7)},
+	{path: "/dev/null", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 3)},
+	{path: "/dev/random", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 8)},
+
+	{path: "/dev/console", mode: syscall.S_IFCHR | urw, dev: _makedev(5, 1)},
+	{path: "/dev/tty", mode: syscall.S_IFCHR | ugorw, dev: _makedev(5, 0)},
+	{path: "/dev/tty1", mode: syscall.S_IFREG | urwgr, dev: 0},
+	{path: "/dev/tty2", mode: syscall.S_IFREG | urwgr, dev: 0},
+	{path: "/dev/tty3", mode: syscall.S_IFREG | urwgr, dev: 0},
+	{path: "/dev/tty4", mode: syscall.S_IFREG | urwgr, dev: 0},
+
+	{path: "/dev/urandom", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 9)},
+	{path: "/dev/zero", mode: syscall.S_IFCHR | ugorw, dev: _makedev(1, 5)},
 }
 
 func _makedev(x, y int) int {
@@ -111,7 +111,7 @@ func setupRootfs(fsys *fs.Filesystem) error {
 
 	}
 	for _, d := range basicDevices {
-		if err := fsys.CreateDevice(d.path, d.dev, d.mode, d.perm); err != nil {
+		if err := fsys.CreateDevice(d.path, d.dev, d.mode); err != nil {
 			return err
 		}
 	}

From c2d559027b7bc7ce11350be3fadbee5de6d8254c Mon Sep 17 00:00:00 2001
From: xSmurf <xsmurf+github@smurfturf.net>
Date: Fri, 26 Jun 2015 17:23:09 +0000
Subject: [PATCH 2/2] Added multiple executables to evince profile

---
 profiles/evince.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/profiles/evince.json b/profiles/evince.json
index 2a618a7..b858d8f 100644
--- a/profiles/evince.json
+++ b/profiles/evince.json
@@ -1,5 +1,10 @@
 {
-"path": "/usr/bin/evince"
+"name": "evince"
+, "path": "/usr/bin/evince"
+, "paths": [
+	"/usr/bin/evince-thumbnailer"
+	, "/usr/bin/evince-previewer"
+]
 , "allow_files": true
 , "xserver": {
 	"enabled": true