Merge branch 'master' of https://github.com/netblue30/firejail

21 files changed, 206 insertions, 176 deletions

diff --git a/.gitignore b/.gitignore
index 8142985b3..74f719ebc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@
 *.gcno
 *.DS_Store
 .directory
+*.man
 Makefile
 autom4te.cache/
 config.log
@@ -35,7 +36,8 @@ src/fsec-optimize/fsec-optimize
 src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
-etc/profstats
+src/profstats/profstats
+src/man/preproc
 uids.h
 seccomp
 seccomp.debug
diff --git a/Makefile.in b/Makefile.in
index 6ed22b007..5096ad44a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -10,23 +10,20 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 PACKAGE_TARNAME=@PACKAGE_TARNAME@
 DOCDIR=@docdir@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
 BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
 HAVE_SUID=@HAVE_SUID@
 
 all: all_items man filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/man/preproc
 SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
-endif
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
 .PHONY: all_items $(ALL_ITEMS)
@@ -39,13 +36,13 @@ mydirs: mydirs $(MYDIRS)
 $(MYDIRS):
         $(MAKE) -C $@
 
-$(MANPAGES): $(wildcard src/man/*.txt)
-        ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
+
+$(MANPAGES): $(wildcard src/man/*.man)
+        ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
 
 man: $(MANPAGES)
 
 filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp default seccomp
         src/fsec-optimize/fsec-optimize seccomp
@@ -66,7 +63,6 @@ seccomp.mdwx: src/fseccomp/fseccomp
 
 seccomp.mdwx.32: src/fseccomp/fseccomp
         src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
-endif
 
 clean:
         for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
@@ -249,9 +245,7 @@ test-environment:
         cd test/environment; ./environment.sh | grep TESTING
 
 test-filters:
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
         cd test/filters; ./filters.sh | grep TESTING
-endif
 
 test-arguments:
         cd test/arguments; ./arguments.sh | grep TESTING
diff --git a/configure b/configure
index 12881fcaf..5a80402b1 100755
--- a/configure
+++ b/configure
@@ -624,7 +624,6 @@ ac_includes_default="\
 
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
-HAVE_SECCOMP_H
 EGREP
 GREP
 CPP
@@ -641,7 +640,6 @@ HAVE_USERNS
 HAVE_NETWORK
 HAVE_GLOBALCFG
 HAVE_CHROOT
-HAVE_SECCOMP
 HAVE_PRIVATE_HOME
 HAVE_FIRETUNNEL
 HAVE_OVERLAYFS
@@ -710,7 +708,6 @@ enable_apparmor
 enable_overlayfs
 enable_firetunnel
 enable_private_home
-enable_seccomp
 enable_chroot
 enable_globalcfg
 enable_network
@@ -1363,7 +1360,6 @@ Optional Features:
   --disable-overlayfs     disable overlayfs
   --disable-firetunnel    disable firetunnel
   --disable-private-home  disable private home feature
-  --disable-seccomp       disable seccomp
   --disable-chroot        disable chroot
   --disable-globalcfg     if the global config file firejail.cfg is not
                           present, continue the program using defaults
@@ -3537,19 +3533,6 @@ if test "x$enable_private_home" != "xno"; then :
 
 fi
 
-HAVE_SECCOMP=""
-# Check whether --enable-seccomp was given.
-if test "${enable_seccomp+set}" = set; then :
-  enableval=$enable_seccomp;
-fi
-
-if test "x$enable_seccomp" != "xno"; then :
-
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-
-
-fi
-
 HAVE_CHROOT=""
 # Check whether --enable-chroot was given.
 if test "${enable_chroot+set}" = set; then :
@@ -4173,14 +4156,13 @@ fi
 
 ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
 if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :
-  HAVE_SECCOMP_H="-DHAVE_SECCOMP_H"
+
 else
-  HAVE_SECCOMP_H=""
+  as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5
 fi
 
 
 
-
 # set sysconfdir
 if test "$prefix" = /usr; then
         test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
@@ -4188,7 +4170,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4918,6 +4900,7 @@ do
     "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
     "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
     "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
+    "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
@@ -5382,8 +5365,6 @@ echo
 echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
-echo "   seccomp: $HAVE_SECCOMP"
-echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
diff --git a/configure.ac b/configure.ac
index feb0b38a6..241865968 100644
--- a/configure.ac
+++ b/configure.ac
@@ -76,14 +76,6 @@ AS_IF([test "x$enable_private_home" != "xno"], [
         AC_SUBST(HAVE_PRIVATE_HOME)
 ])
 
-HAVE_SECCOMP=""
-AC_ARG_ENABLE([seccomp],
-    AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
-AS_IF([test "x$enable_seccomp" != "xno"], [
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-        AC_SUBST(HAVE_SECCOMP)
-])
-
 HAVE_CHROOT=""
 AC_ARG_ENABLE([chroot],
     AS_HELP_STRING([--disable-chroot], [disable chroot]))
@@ -196,8 +188,7 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER([linux/seccomp.h], HAVE_SECCOMP_H="-DHAVE_SECCOMP_H", HAVE_SECCOMP_H="")
-AC_SUBST(HAVE_SECCOMP_H)
+AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
 
 # set sysconfdir
 if test "$prefix" = /usr; then
@@ -208,14 +199,12 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
-src/profstats/Makefile)
+src/profstats/Makefile src/man/Makefile)
 
 echo
 echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
-echo "   seccomp: $HAVE_SECCOMP"
-echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index ea3b5a6b0..c454887dd 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
@@ -62,15 +62,14 @@ Inheritance of groups
 
 +---------------+
 | @default-keep |
-| @mount        |
 +---------------+
 
 +----------------+  +---------+  +--------+  +--------------+
 | @cpu-emulation |  | @clock  |  | @chown |  | @aio         |
 | @debug         |  | @module |  +--------+  | @basic-io    |
 | @obsolete      |  | @raw-io |     :  :     | @file-system |
-+----------------+  | @reboot |     :  :     | @io-event    |
-   :                | @swap   |     :  :     | @ipc         |
+| @mount         |  | @reboot |     :  :     | @io-event    |
++----------------+  | @swap   |     :  :     | @ipc         |
    :                +---------+     :  :     | @keyring     |
    :                  :  :          :  :     | @memlock     |
    :    ..............:  :          :  :     | @network-io  |
diff --git a/src/common.mk.in b/src/common.mk.in
index 8104bc258..22c25c6aa 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -9,8 +9,6 @@ sysconfdir=@sysconfdir@
 
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
@@ -34,7 +32,8 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f6b3b3252..fb19e8f5a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -226,7 +226,6 @@ int checkcfg(int val) {
 
                         // seccomp error action
                         else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
                                 if (strcmp(ptr + 21, "kill") == 0)
                                         cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
                                 else if (strcmp(ptr + 21, "log") == 0)
@@ -239,9 +238,6 @@ int checkcfg(int val) {
                                 config_seccomp_error_action_str = strdup(ptr + 21);
                                 if (!config_seccomp_error_action_str)
                                         errExit("strdup");
-#else
-                                warning_feature_disabled("seccomp");
-#endif
                         }
 
                         else
@@ -347,14 +343,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- seccomp-bpf support is %s\n",
-#ifdef HAVE_SECCOMP
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
                 "enabled"
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 36d110ac7..f0ba10afc 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -555,10 +555,8 @@ void dbus_apply_policy(void) {
                 return;
 
         // --protocol=unix
-#ifdef HAVE_SECCOMP
         if (cfg.protocol && !strstr(cfg.protocol, "unix"))
                 return;
-#endif
 
         fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
 }
diff --git a/src/firejail/join.c b/src/firejail/join.c
index c7619ef3b..7fd5ec3d3 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -465,10 +465,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 EUID_ROOT();
                 if (apply_caps == 1)    // not available for uid 0
                         caps_set(caps);
-#ifdef HAVE_SECCOMP
                 if (getuid() != 0)
                         seccomp_load_file_list();
-#endif
 
                 // mount user namespace or drop privileges
                 if (arg_noroot) {       // not available for uid 0
diff --git a/src/firejail/main.c b/src/firejail/main.c
index df890ecea..75324b66a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -479,7 +479,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         //*************************************
         // independent commands - the program will exit!
         //*************************************
-#ifdef HAVE_SECCOMP
         else if (strcmp(argv[i], "--debug-syscalls") == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls");
@@ -529,7 +528,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("seccomp");
                 exit(0);
         }
-#endif
         else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
                 pid_t pid = require_pid(argv[i] + 16);
 
@@ -950,7 +948,6 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
         (void) native;
 }
 
-#ifdef HAVE_SECCOMP
 static int check_postexec(const char *list) {
         char *prelist, *postlist;
 
@@ -961,7 +958,6 @@ static int check_postexec(const char *list) {
         }
         return 0;
 }
-#endif
 
 //*******************************************
 // Main program
@@ -1264,7 +1260,6 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--apparmor") == 0)
                         arg_apparmor = 1;
 #endif
-#ifdef HAVE_SECCOMP
                 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
                                 if (cfg.protocol) {
@@ -1402,7 +1397,6 @@ int main(int argc, char **argv, char **envp) {
                         } else
                                 exit_err_feature("seccomp");
                 }
-#endif
                 else if (strcmp(argv[i], "--caps") == 0) {
                         arg_caps_default_filter = 1;
                         arg_caps_cmdline = 1;
@@ -2783,10 +2777,9 @@ int main(int argc, char **argv, char **envp) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
-#ifdef HAVE_SECCOMP
         if (arg_seccomp)
                 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
-#endif
+
         bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
         if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32))
                 fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index c0b09e945..836526593 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) {
                 if (arg_tracefile)
                         fs_tracefile();
 
-#ifdef HAVE_SECCOMP
                 create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
 
                 if (arg_seccomp_block_secondary)
@@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) {
                 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
                 if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
                         errExit("set_perms");
-#endif
         }
 }
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 970033899..8eaae9a30 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -327,12 +327,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "seccomp") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_seccomp = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         else if (strcmp(ptr, "caps") == 0) {
@@ -861,7 +859,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
 
         if (strncmp(ptr, "protocol ", 9) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         if (cfg.protocol) {
                                 fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
@@ -875,7 +872,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
@@ -890,102 +886,85 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // seccomp drop list on top of default list
         if (strncmp(ptr, "seccomp ", 8) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list = seccomp_check_list(ptr + 8);
                 }
                 else if (!arg_quiet)
                         warning_feature_disabled("seccomp");
-#endif
 
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
                 }
                 else if (!arg_quiet)
                         warning_feature_disabled("seccomp");
-#endif
 
                 return 0;
         }
 
         if (strcmp(ptr, "seccomp.block-secondary") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp_block_secondary = 1;
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         // seccomp drop list without default list
         if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // seccomp keep list
         if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // memory deny write&execute
         if (strcmp(ptr, "memory-deny-write-execute") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_memory_deny_write_execute = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // seccomp error action
         if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
                         if (config_seccomp_error_action == -1) {
@@ -1008,7 +987,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         }
                 } else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index a1594d6b9..cd54eb72d 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 
@@ -93,6 +92,3 @@ void protocol_print_filter(pid_t pid) {
         exit(1);
 #endif
 }
-
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5a4741a56..3bb4858c9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -141,7 +141,6 @@ void set_apparmor(void) {
 }
 #endif
 
-#ifdef HAVE_SECCOMP
 void seccomp_debug(void) {
         if (arg_debug == 0)
                 return;
@@ -158,7 +157,6 @@ void seccomp_debug(void) {
                 printf("No active seccomp files\n");
         EUID_ROOT();
 }
-#endif
 
 static void save_nogroups(void) {
         if (arg_nogroups == 0)
@@ -497,9 +495,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execl(arg_audit_prog, arg_audit_prog, NULL);
@@ -536,9 +532,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
+
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
@@ -591,9 +586,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
+
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execvp(arg[0], arg);
@@ -797,7 +791,6 @@ int sandbox(void* sandbox_arg) {
         //  - build seccomp filters
         //  - create an empty /etc/ld.so.preload
         //****************************
-#ifdef HAVE_SECCOMP
         if (cfg.protocol) {
                 if (arg_debug)
                         printf("Build protocol filter: %s\n", cfg.protocol);
@@ -808,7 +801,6 @@ int sandbox(void* sandbox_arg) {
                 if (rv)
                         exit(rv);
         }
-#endif
 
         // need ld.so.preload if tracing or seccomp with any non-default lists
         bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
@@ -1107,7 +1099,6 @@ int sandbox(void* sandbox_arg) {
         save_cgroup();
 
         // set seccomp
-#ifdef HAVE_SECCOMP
         // install protocol filter
 #ifdef SYS_socket
         if (cfg.protocol) {
@@ -1151,7 +1142,6 @@ int sandbox(void* sandbox_arg) {
         // make seccomp filters read-only
         fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
         seccomp_debug();
-#endif
 
         // set capabilities
         set_caps();
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7f55ccc0e..e47e6c910 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
@@ -445,5 +444,3 @@ errexit:
         printf("Cannot access seccomp filter.\n");
         exit(1);
 }
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2390706f2..d58bbb409 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -123,10 +123,8 @@ static char *usage_str =
         "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
         "    --machine-id - preserve /etc/machine-id\n"
-#ifdef HAVE_SECCOMP
         "    --memory-deny-write-execute - seccomp filter to block attempts to create\n"
         "\tmemory mappings that are both writable and executable.\n"
-#endif
 #ifdef HAVE_NETWORK
         "    --mtu=number - set interface MTU.\n"
 #endif
@@ -215,7 +213,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-#ifdef HAVE_SECCOMP
         "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
         "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
         "\tdefault syscall list and the syscalls specified by the command.\n"
@@ -229,7 +226,6 @@ static char *usage_str =
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
         "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
         "\tor log the attempt.\n"
-#endif
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"
         "    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 29b858c70..90db16d39 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -96,24 +96,7 @@
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#if HAVE_SECCOMP_H
 #include <linux/seccomp.h>
-#else
-#define SECCOMP_MODE_FILTER     2
-#define SECCOMP_RET_KILL        0x00000000U
-#define SECCOMP_RET_TRAP        0x00030000U
-#define SECCOMP_RET_ALLOW       0x7fff0000U
-#define SECCOMP_RET_ERRNO       0x00050000U
-#define SECCOMP_RET_DATA        0x0000ffffU
-
-struct seccomp_data {
-    int nr;
-    __u32 arch;
-    __u64 instruction_pointer;
-    __u64 args[6];
-};
-#endif
-
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG         0x7ffc0000U
 #endif
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 2f8ccaed7..4903971ad 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = {
           "@cpu-emulation,"
           "@debug,"
           "@module,"
+          "@mount,"
           "@obsolete,"
           "@raw-io,"
           "@reboot,"
@@ -297,9 +298,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vmsplice
           "vmsplice,"
 #endif
-#ifdef SYS_umount
-          "umount,"
-#endif
 #ifdef SYS_userfaultfd
           "userfaultfd,"
 #endif
@@ -309,27 +307,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_bpf
           "bpf,"
 #endif
-#ifdef SYS_chroot
-          "chroot,"
-#endif
-#ifdef SYS_mount
-          "mount,"
-#endif
 #ifdef SYS_nfsservctl
           "nfsservctl,"
 #endif
-#ifdef SYS_pivot_root
-          "pivot_root,"
-#endif
 #ifdef SYS_setdomainname
           "setdomainname,"
 #endif
 #ifdef SYS_sethostname
           "sethostname,"
 #endif
-#ifdef SYS_umount2
-          "umount2,"
-#endif
 #ifdef SYS_vhangup
           "vhangup"
 #endif
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
new file mode 100644
index 000000000..0180baee5
--- /dev/null
+++ b/src/man/Makefile.in
@@ -0,0 +1,17 @@
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+preproc: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+%.man: %.txt preproc
+        ./preproc $(MANFLAGS) $<
+
+clean:; rm -fr *.o preproc *.gcov *.gcda *.gcno *.plist *.man alldone
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/man/preproc.c b/src/man/preproc.c
new file mode 100644
index 000000000..34a49d335
--- /dev/null
+++ b/src/man/preproc.c
@@ -0,0 +1,146 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 4096
+#define MAXMACROS 64
+static char *macro[MAXMACROS] = {NULL};
+
+static void add_macro(char *m) {
+        assert(m);
+        int i;
+        for (i = 0; i < MAXMACROS && macro[i]; i++);
+        if (i == MAXMACROS) {
+                fprintf(stderr, "Error: maximum number of marcros (%d) exceeded\n", MAXMACROS);
+                exit(1);
+        }
+
+        macro[i] = m;
+}
+
+static char *find_macro(char *m) {
+        assert(m);
+        int i = 0;
+        while (i < MAXMACROS && macro[i]) {
+                if (strcmp(macro[i], m) == 0)
+                        return m;
+                i++;
+        }
+
+        return NULL;
+}
+
+static void usage(void) {
+        printf("Simple preprocessor for man pages. It supports:\n");
+        printf("\t#if 0 ... #endif\n");
+        printf("\t#ifdef macro ... #endif\n");
+        printf("Usage: preproc [--help] [-Dmacro] manpage.txt\n");
+        return;
+}
+
+
+int main(int argc, char **argv) {
+        if (argc == 1) {
+                fprintf(stderr, "Error: no files/arguments provided\n");
+                usage();
+                exit(1);
+        }
+
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strncmp(argv[i], "-D", 2) == 0)
+                        add_macro(argv[i] + 2);
+                else if (strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid argument %s\n", argv[i]);
+                        exit(1);
+                }
+                else
+                        break;
+        }
+
+        char *ptr = strstr(argv[i], ".txt");
+        if (!ptr || strlen(ptr) != 4) {
+                fprintf(stderr, "Error: input file needs to have a .txt extension\n"),
+                exit(1);
+        }
+
+        FILE *fp = fopen(argv[i], "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", argv[i]);
+                exit(1);
+        }
+        char *outfile = strdup(argv[i]);
+        if (!outfile)
+                goto errout;
+        ptr = strstr(outfile, ".txt");
+        assert(ptr);
+        strcpy(ptr, ".man");
+        FILE *fpout = fopen(outfile, "w");
+        if (!fpout)
+                goto errout;
+
+        char buf[MAXBUF];
+        int disabled = 0;
+        int enabled = 0;
+        int line = 0;;
+        while (fgets(buf, MAXBUF, fp)) {
+                line++;
+                if (disabled && strncmp(buf, "#if", 3) == 0) {
+                        fprintf(stderr, "Error %d: already in a #if block on line %d\n", __LINE__, line);
+                        exit(1);
+                }
+                if ((!disabled && !enabled) && strncmp(buf, "#endif", 6) == 0) {
+                        fprintf(stderr, "Error %d: unmatched #endif on line %d\n", __LINE__, line);
+                        exit(1);
+                }
+
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+
+                if (strncmp(buf, "#if 0", 5) == 0) {
+                        disabled = 1;
+                        continue;
+                }
+                if (strncmp(buf, "#ifdef", 6) == 0) {
+                        char *ptr = buf + 6;
+                        if (*ptr != ' ' && *ptr != '\t') {
+                                fprintf(stderr, "Error %d: invalid macro on line %d\n", __LINE__, line);
+                                exit(1);
+                        }
+
+                        while (*ptr == ' ' || *ptr == '\t')
+                                ptr++;
+
+                        if (!find_macro(ptr))
+                                disabled = 1;
+                        else
+                                enabled = 1;
+                        continue;
+                }
+
+                if (strncmp(buf, "#endif", 6) == 0) {
+                        disabled = 0;
+                        enabled = 1;
+                        continue;
+                }
+
+                if (!disabled) {
+//                      printf("%s\n", buf);
+                        fprintf(fpout, "%s\n", buf);
+                }
+        }
+        fclose(fp);
+
+        return 0;
+
+errout:
+        fclose(fp);
+        fprintf(stderr, "Error: cannot open output file\n");
+        exit(1);
+}
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 2f9e0ece6..6739bc4d6 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -4,7 +4,7 @@
 # License GPL v2
 
 arr[1]="TEST 1: standard compilation"
-arr[2]="TEST 2: compile seccomp disabled"
+arr[2]="deprecated"
 arr[3]="TEST 3: compile chroot disabled"
 arr[4]="TEST 4: compile firetunnel disabled"
 arr[5]="TEST 5: compile user namespace disabled"
@@ -24,6 +24,8 @@ cleanup() {
         rm -f report*
         rm -fr firejail
         rm -f oc* om*
+        rm -f output-configure
+        rm -f output-make
 }
 
 print_title() {
@@ -74,23 +76,23 @@ cp output-make om1
 rm output-configure output-make
 
 
-#*****************************************************************
-# TEST 2
-#*****************************************************************
-# - disable seccomp configuration
-#*****************************************************************
-print_title "${arr[2]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --disable-seccomp  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test2
-grep Error output-configure output-make >> ./report-test2
-cp output-configure oc2
-cp output-make om2
-rm output-configure output-make
+##*****************************************************************
+## TEST 2
+##*****************************************************************
+## - disable seccomp configuration
+##*****************************************************************
+#print_title "${arr[2]}"
+## seccomp
+#cd firejail
+#make distclean
+#./configure --prefix=/usr --disable-seccomp  --enable-fatal-warnings 2>&1 | tee ../output-configure
+#make -j4 2>&1 | tee ../output-make
+#cd ..
+#grep Warning output-configure output-make > ./report-test2
+#grep Error output-configure output-make >> ./report-test2
+#cp output-configure oc2
+#cp output-make om2
+#rm output-configure output-make
 
 #*****************************************************************
 # TEST 3
@@ -342,7 +344,7 @@ wc -l report-test*
 echo
 echo  "Legend:"
 echo ${arr[1]}
-echo ${arr[2]}
+#echo ${arr[2]}
 echo ${arr[3]}
 echo ${arr[4]}
 echo ${arr[5]}