Merge branch 'master' into ls

46 files changed, 283 insertions, 103 deletions

diff --git a/RELNOTES b/RELNOTES
index a22f16373..07dd9f8a9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.63) baseline; urgency=low
   * work in progress
+  * security: fixes for CVE-2020-17367 & CVE-2020-17368, reported by Tim Starling
   * The blocking action of seccomp filters has been changed from
     killing the process to returning EPERM to the caller. To get the
     previous behaviour, use --seccomp-error-action=kill or
diff --git a/etc/firejail.config b/etc/firejail.config
index b2a96612f..731e744dd 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -107,7 +107,7 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
-# Seccomp error action, kill or errno (EPERM, ENOSYS etc)
+# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 
 # Enable or disable user namespace support, default enabled.
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e911be93a..e5dd9cb59 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -396,6 +396,7 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.config/Zulip
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index c9c8bdedf..ceeb14dcc 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -41,6 +41,8 @@ whitelist /usr/share/misc
 whitelist /usr/share/Modules
 whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
+whitelist /usr/share/perl
+whitelist /usr/share/perl5
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 567bd912a..54d3f742f 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.config/celluloid
 noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +20,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/celluloid
+mkdir ${HOME}/.config/gnome-mpv
+mkdir ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/celluloid
+whitelist ${HOME}/.config/gnome-mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer
new file mode 100644
index 000000000..023f10d3d
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer
new file mode 100644
index 000000000..331e73218
--- /dev/null
+++ b/etc/profile-a-l/gtk2-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk2-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk2-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer
new file mode 100644
index 000000000..4c5bde55f
--- /dev/null
+++ b/etc/profile-a-l/gtk3-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk3-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk3-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
\ No newline at end of file
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index cd25d6c0b..f4f862cb9 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -7,8 +7,6 @@ include mplayer.local
 include globals.local
 
 noblacklist ${HOME}/.mplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +14,16 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.mplayer
+whitelist ${HOME}/.mplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -36,4 +42,3 @@ shell none
 private-bin mplayer
 private-dev
 private-tmp
-
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 2fc027257..5ca684eb5 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -7,6 +7,10 @@ include mpv.local
 # Persistent global definitions
 include globals.local
 
+# In order to save screenshots to a persistent location,
+# edit ~/.config/mpv/foobar.conf:
+#    screenshot-directory=~/Pictures
+
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
@@ -17,10 +21,6 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,8 +28,20 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkfile ${HOME}/.netrc
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.netrc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index 7a7ff504a..d081c9cb7 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -43,5 +43,3 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
-
-memory-deny-write-execute
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index b51a86e7d..c28571270 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -34,7 +34,6 @@ nodvd
 nogroups
 notv
 nou2f
-novideo
 shell none
 
 disable-mnt
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index b8f4ca765..abbbba6c3 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -14,9 +14,6 @@ include allow-python3.inc
 
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,8 +22,18 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/totem
+mkdir ${HOME}/.local/share/totem
+whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.local/share/totem
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 0069ebeae..07a1b5fc0 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +16,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 28df73ea5..555d8e9a4 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -7,8 +7,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +18,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-xdg.inc
 
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/xplayer
+mkdir ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.config/xplayer
+whitelist ${HOME}/.local/share/xplayer
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
new file mode 100644
index 000000000..513cb0f6e
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,57 @@
+# Firejail profile for youtube-viewer
+# Description: Trizen's CLI Youtube viewer with login support
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-viewer.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.config/youtube-viewer
+
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.config/youtube-viewer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
\ No newline at end of file
diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index efb477920..a19dee620 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -52,12 +52,12 @@ echo "*****************************************"
 mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
+install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
 mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$VERSION/g"  platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
+sed "s/FIREJAILVER/$VERSION/g"  $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
 
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
+install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
 
 find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
 chmod 644 $DEBIAN_CTRL_DIR/conffiles
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 05c5681d5..0574daae6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -327,6 +327,9 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -816,6 +819,7 @@ xviewer
 yandex-browser
 yelp
 youtube-dl
+youtube-viewer
 zaproxy
 zart
 zathura
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index 3714af9a3..f88d0a1dd 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -239,9 +239,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
                 }
         }
 
-        // it will never get here!
-        close(sock);
-        return -1;
+        __builtin_unreachable();
 }
 
 // assign a random IP address and check it
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index edef823fd..6fd0b53ef 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -327,6 +327,15 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                                 devname = strdup(buf + len + 1);
                                 if (!devname)
                                         errExit("strdup");
+                                // double-check device name
+                                size_t i;
+                                for (i = 0; devname[i]; i++) {
+                                        if (isalnum((unsigned char) devname[i]) == 0 &&
+                                            devname[i] != '-') {
+                                                fprintf(stderr, "Error: name of network device is invalid\n");
+                                                exit(1);
+                                        }
+                                }
                                 // check device in namespace
                                 if (if_nametoindex(devname) == 0) {
                                         fprintf(stderr, "Error: cannot find network device %s\n", devname);
@@ -354,6 +363,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                 }
                 bandwidth_remove(pid, devname);
         }
+        else assert(strcmp(command, "status") == 0);
 
         // build fshaper.sh command
         char *cmd = NULL;
@@ -375,26 +385,16 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
         }
         assert(cmd);
 
-        // wipe out environment variables
-        environ = NULL;
-
         //************************
         // build command
         //************************
-        // elevate privileges
-        if (setreuid(0, 0))
-                errExit("setreuid");
-        if (setregid(0, 0))
-                errExit("setregid");
-
         char *arg[4];
         arg[0] = "/bin/sh";
         arg[1] = "-c";
         arg[2] = cmd;
         arg[3] = NULL;
         clearenv();
-        execvp(arg[0], arg);
+        sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
 
-        // it will never get here
-        errExit("execvp");
+        // it will never get here!!
 }
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 5d6b4af66..f6b3b3252 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -229,6 +229,8 @@ int checkcfg(int val) {
 #ifdef HAVE_SECCOMP
                                 if (strcmp(ptr + 21, "kill") == 0)
                                         cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG;
                                 else {
                                         cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
                                         if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index cae52e20b..5fc6c8298 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -165,7 +165,8 @@ void fs_chroot(const char *rootdir) {
         close(fd);
 
         // x11
-        if (getenv("FIREJAIL_X11")) {
+        // if users want this mount, they should set FIREJAIL_CHROOT_X11
+        if (getenv("FIREJAIL_X11") || getenv("FIREJAIL_CHROOT_X11")) {
                 if (arg_debug)
                         printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n");
                 check_subdir(parentfd, "tmp/.X11-unix", 0);
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 56bdd7ec3..49d19e33d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -186,7 +186,7 @@ typedef struct config_t {
         char *seccomp_list_drop, *seccomp_list_drop32;  // seccomp drop list
         char *seccomp_list_keep, *seccomp_list_keep32;  // seccomp keep list
         char *protocol;                 // protocol list
-        char *seccomp_error_action;                     // error action: kill or errno
+        char *seccomp_error_action;                     // error action: kill, log or errno
 
         // rlimits
         long long unsigned rlimit_cpu;
@@ -371,14 +371,14 @@ char *guess_shell(void);
 
 // sandbox.c
 int sandbox(void* sandbox_arg);
-void start_application(int no_sandbox, FILE *fp);
+void start_application(int no_sandbox, FILE *fp) __attribute__((noreturn));
 void set_apparmor(void);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);
 void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
-void net_dns_print(pid_t pid);
+void net_dns_print(pid_t pid) __attribute__((noreturn));
 void network_main(pid_t child);
 void net_print(pid_t pid);
 
@@ -453,13 +453,12 @@ void profile_add_ignore(const char *str);
 void list(void);
 void tree(void);
 void top(void);
-void netstats(void);
 
 // usage.c
 void usage(void);
 
 // join.c
-void join(pid_t pid, int argc, char **argv, int index);
+void join(pid_t pid, int argc, char **argv, int index) __attribute__((noreturn));
 bool is_ready_for_join(const pid_t pid);
 void check_join_permission(pid_t pid);
 pid_t switch_to_child(pid_t pid);
@@ -486,7 +485,7 @@ int macro_id(const char *name);
 
 
 // util.c
-void errLogExit(char* fmt, ...);
+void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
 void drop_privs(int nogroups);
@@ -584,7 +583,7 @@ int seccomp_load(const char *fname);
 int seccomp_filter_drop(bool native);
 int seccomp_filter_keep(bool native);
 int seccomp_filter_mdwx(bool native);
-void seccomp_print_filter(pid_t pid);
+void seccomp_print_filter(pid_t pid) __attribute__((noreturn));
 
 // caps.c
 void seccomp_load_file_list(void);
@@ -595,7 +594,7 @@ void caps_set(uint64_t caps);
 void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
-void caps_print_filter(pid_t pid);
+void caps_print_filter(pid_t pid) __attribute__((noreturn));
 void caps_drop_dac_override(void);
 
 // fs_trace.c
@@ -618,7 +617,7 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
-void cpu_print_filter(pid_t pid);
+void cpu_print_filter(pid_t pid) __attribute__((noreturn));
 
 // cgroup.c
 void save_cgroup(void);
@@ -640,7 +639,7 @@ void netns(const char *nsname);
 void netns_mounts(const char *nsname);
 
 // bandwidth.c
-void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
+void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) __attribute__((noreturn));
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
@@ -650,7 +649,7 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 // no_sandbox.c
 int check_namespace_virt(void);
 int check_kernel_procs(void);
-void run_no_sandbox(int argc, char **argv);
+void run_no_sandbox(int argc, char **argv) __attribute__((noreturn));
 
 #define MAX_ENVS 256                    // some sane maximum number of environment variables
 #define MAX_ENV_LEN (PATH_MAX + 32)     // FOOBAR=SOME_PATH
@@ -681,7 +680,7 @@ void fs_private_lib(void);
 // protocol.c
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
-void protocol_print_filter(pid_t pid);
+void protocol_print_filter(pid_t pid) __attribute__((noreturn));
 
 // restrict_users.c
 void restrict_users(void);
@@ -693,7 +692,7 @@ void fs_logger2int(const char *msg1, int d);
 void fs_logger3(const char *msg1, const char *msg2, const char *msg3);
 void fs_logger_print(void);
 void fs_logger_change_owner(void);
-void fs_logger_print_log(pid_t pid);
+void fs_logger_print_log(pid_t pid) __attribute__((noreturn));
 
 // run_symlink.c
 void run_symlink(int argc, char **argv, int run_as_is);
@@ -719,11 +718,11 @@ void fs_mkfile(const char *name);
 
 void fs_x11(void);
 int x11_display(void);
-void x11_start(int argc, char **argv);
-void x11_start_xpra(int argc, char **argv);
-void x11_start_xephyr(int argc, char **argv);
+void x11_start(int argc, char **argv) __attribute__((noreturn));
+void x11_start_xpra(int argc, char **argv) __attribute__((noreturn));
+void x11_start_xephyr(int argc, char **argv) __attribute__((noreturn));
 void x11_block(void);
-void x11_start_xvfb(int argc, char **argv);
+void x11_start_xvfb(int argc, char **argv) __attribute__((noreturn));
 void x11_xorg(void);
 
 // ls.c
@@ -736,7 +735,7 @@ enum {
 };
 void ls(const char *path);
 void cat(const char *path);
-void sandboxfs(int op, pid_t pid, const char *path1, const char *path2);
+void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) __attribute__((noreturn));
 
 // checkcfg.c
 #define DEFAULT_ARP_PROBES 2
@@ -842,7 +841,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
 int sbox_run_v(unsigned filter, char * const arg[]);
-void sbox_exec_v(unsigned filter, char * const arg[]);
+void sbox_exec_v(unsigned filter, char * const arg[]) __attribute__((noreturn));
 
 // run_files.c
 void delete_run_files(pid_t pid);
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index fbce72429..00edc5f88 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
+#include <errno.h>
 #ifndef _BSD_SOURCE
 #define _BSD_SOURCE
 #endif
@@ -148,7 +149,7 @@ static void create_char_dev(const char *path, mode_t mode, int major, int minor)
         return;
 
 errexit:
-        fprintf(stderr, "Error: cannot create %s device\n", path);
+        fprintf(stderr, "Error: cannot create %s device: %s\n", path, strerror(errno));
         exit(1);
 }
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 4c8555f29..f202d1a9c 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -588,7 +588,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
                 start_application(0, NULL);
 
-                // it will never get here!!!
+                __builtin_unreachable();
         }
         EUID_USER();
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index afd9af91d..412c6148a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1190,8 +1190,7 @@ int main(int argc, char **argv, char **envp) {
 
                         // start the program directly without sandboxing
                         run_no_sandbox(argc, argv);
-                        // it will never get here!
-                        assert(0);
+                        __builtin_unreachable();
                 }
         }
         EUID_ASSERT();
@@ -1473,6 +1472,8 @@ int main(int argc, char **argv, char **envp) {
                                 if (config_seccomp_error_action == -1) {
                                         if (strcmp(argv[i] + 23, "kill") == 0)
                                                 arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                        else if (strcmp(argv[i] + 23, "log") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_LOG;
                                         else {
                                                 arg_seccomp_error_action = errno_find_name(argv[i] + 23);
                                                 if (arg_seccomp_error_action == -1)
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 0e961bb61..36cb905cb 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -122,7 +122,8 @@ void check_output(int argc, char **argv) {
         }
         bool found_separator = false;
         /* copy argv into args, but drop --output(-stderr) arguments */
-        for (int i = 0, j = 0; i < argc; i++) {
+        int j;
+        for (i = 0, j = 0; i < argc; i++) {
                 if (!found_separator && i > 0) {
                         if (strncmp(argv[i], "--output=", 9) == 0) {
                                 continue;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 70acd8a2a..970033899 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -991,6 +991,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         if (config_seccomp_error_action == -1) {
                                 if (strcmp(ptr + 21, "kill") == 0)
                                         arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        arg_seccomp_error_action = SECCOMP_RET_LOG;
                                 else {
                                         arg_seccomp_error_action = errno_find_name(ptr + 21);
                                         if (arg_seccomp_error_action == -1)
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 6402afbc6..a1594d6b9 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -90,7 +90,7 @@ void protocol_print_filter(pid_t pid) {
         exit(0);
 #else
         fwarning("--protocol not supported on this platform\n");
-        return;
+        exit(1);
 #endif
 }
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index df33319f6..81d535762 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -654,7 +654,8 @@ int sandbox(void* sandbox_arg) {
         // ... and mount a tmpfs on top of /run/firejail/mnt directory
         preproc_mount_mnt_dir();
         // bind-mount firejail binaries and helper programs
-        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
+            mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
                 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
         //****************************
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 99f11a246..57c21ce78 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -31,7 +31,7 @@
 #define O_PATH 010000000
 #endif
 
-static int sbox_do_exec_v(unsigned filtermask, char * const arg[]) {
+static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * const arg[]) {
         // build a new, clean environment
         int env_index = 0;
         char *new_environment[256] = { NULL };
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index a7d0b2fbe..7e9628007 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -63,7 +63,9 @@ void shut(pid_t pid) {
                 sleep(1);
                 monsec--;
 
+                EUID_ROOT();
                 FILE *fp = fopen(monfile, "r");
+                EUID_USER();
                 if (!fp) {
                         killdone = 1;
                         break;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index be6715df4..2390706f2 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -227,7 +227,8 @@ static char *usage_str =
         "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
         "\tidentified by name or PID.\n"
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
-        "    --seccomp-error-action=errno|kill - change error code or kill process.\n"
+        "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
+        "\tor log the attempt.\n"
 #endif
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 98ac184d9..ba54ca376 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -682,7 +682,7 @@ static char * get_title_arg_str() {
 }
 
 
-void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
+static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         EUID_ASSERT();
         int i;
         struct stat s;
@@ -921,7 +921,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 }
 
 
-void x11_start_xpra_new(int argc, char **argv, char *display_str) {
+static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv, char *display_str) {
         EUID_ASSERT();
         int i;
         pid_t server = 0;
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 7a55a64fb..3fba486eb 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -46,13 +46,13 @@ void firemon_sleep(int st);
 
 
 // procevent.c
-void procevent(pid_t pid);
+void procevent(pid_t pid) __attribute__((noreturn));
 
 // usage.c
 void usage(void);
 
 // top.c
-void top(void);
+void top(void) __attribute__((noreturn));
 
 // list.c
 void list(void);
@@ -82,7 +82,7 @@ void cgroup(pid_t pid, int print_procs);
 void tree(pid_t pid);
 
 // netstats.c
-void netstats(void);
+void netstats(void) __attribute__((noreturn));
 
 // x11.c
 void x11(pid_t pid, int print_procs);
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 7dd08444e..45964d3a2 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -220,7 +220,7 @@ errexit:
 }
 
 
-static int procevent_monitor(const int sock, pid_t mypid) {
+static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t mypid) {
         ssize_t len;
         struct nlmsghdr *nlmsghdr;
 
@@ -246,8 +246,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 
                 int rv = select(max, &readfds, NULL, NULL, &tv);
                 if (rv == -1) {
-                        fprintf(stderr, "recv: %s\n", strerror(errno));
-                        return -1;
+                        errExit("recv");
                 }
 
                 // timeout
@@ -259,7 +258,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 
 
                 if ((len = recv(sock, buf, sizeof(buf), 0)) == 0)
-                        return 0;
+                        exit(0);
                 if (len == -1) {
                         if (errno == EINTR)
                                 continue;
@@ -271,7 +270,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                         }
                         else {
                                 fprintf(stderr,"Error: rx socket recv call, errno %d, %s\n", errno, strerror(errno));
-                                return -1;
+                                exit(1);
                         }
                 }
 
@@ -497,7 +496,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                 exit(0);
                 }
         }
-        return 0;
+        __builtin_unreachable();
 }
 
 void procevent(pid_t pid) {
@@ -515,6 +514,4 @@ void procevent(pid_t pid) {
         }
 
         procevent_monitor(sock, pid); // it will never return from here
-        assert(0);
-        close(sock); // quiet static analyzers
 }
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 892a88e25..3b3c92b46 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -20,7 +20,7 @@
 #include "fseccomp.h"
 #include "../include/seccomp.h"
 int arg_quiet = 0;
-int arg_seccomp_error_action = EPERM; // error action: errno or kill
+int arg_seccomp_error_action = EPERM; // error action: errno, log or kill
 
 static void usage(void) {
         printf("Usage:\n");
@@ -73,6 +73,8 @@ printf("\n");
         if (error_action) {
                 if (strcmp(error_action, "kill") == 0)
                         arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else if (strcmp(error_action, "log") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_LOG;
                 else {
                         arg_seccomp_error_action = errno_find_name(error_action);
                         if (arg_seccomp_error_action == -1)
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 50920ce3a..29b858c70 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -274,7 +274,7 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
-extern int arg_seccomp_error_action;    // error action: errno or kill
+extern int arg_seccomp_error_action;    // error action: errno, log or kill
 #define KILL_OR_RETURN_ERRNO \
         BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
 
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 89b54170e..489da0600 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -32,7 +32,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 // errno.c
 void errno_print(void);
 int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
+const char *errno_find_nr(int nr);
 
 // syscall.c
 void syscall_print(void);
diff --git a/src/lib/errno.c b/src/lib/errno.c
index d38c197ad..881c3b27e 100644
--- a/src/lib/errno.c
+++ b/src/lib/errno.c
@@ -183,7 +183,7 @@ int errno_find_name(const char *name) {
         return -1;
 }
 
-char *errno_find_nr(int nr) {
+const char *errno_find_nr(int nr) {
         int i;
         int elems = sizeof(errnolist) / sizeof(errnolist[0]);
         for (i = 0; i < elems; i++) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7b5653942..0784e7fd7 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list.
 \fBseccomp.32.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
-\fBseccomp-error-action kill | ERRNO
-Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call.
+\fBseccomp-error-action kill | log | ERRNO
+Return a different error instead of EPERM to the process, kill it when
+an attempt is made to call a blocked system call, or allow but log the
+attempt.
 .TP
 \fBx11
 Enable X11 sandboxing.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f5f092bd9..abb73b5e2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1063,7 +1063,7 @@ that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
 the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
 and shmat system calls and returns error EPERM to the process (or
-kills it, see \-\-seccomp-error-action below) if necessary.
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 .br
 
 .br
@@ -2126,8 +2126,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
-
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 
 .br
@@ -2197,7 +2197,8 @@ Instead of dropping the syscall by returning EPERM, another error
 number can be returned using \fBsyscall:errno\fR syntax. This can be
 also changed globally with \-\-seccomp-error-action or
 in /etc/firejail/firejail.config file.  The process can also be killed
-by using \fBsyscall:kill\fR syntax.
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 
 .br
@@ -2406,7 +2407,8 @@ By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
 also be killed (like in versions <0.9.63 of Firejail) by using
-\-\-seccomp-error-action=kill syntax. Not killing the process weakens
+\-\-seccomp-error-action=kill syntax, or the attempt may be logged
+with \-\-seccomp-error-action=log. Not killing the process weakens
 Firejail slightly when trying to contain intrusion, but it may also
 allow tighter filters if the only alternative is to allow a system
 call.
diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp
index 721e2196e..63b01a38c 100755
--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -30,7 +30,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Max address space         123456789012         123456789012"
+        "Max address space         1234567890           1234567890"
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp
index 757faf1f9..c80f2857c 100755
--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -8,7 +8,7 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=123456789012\r"
+send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=1234567890\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -30,7 +30,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Max address space         123456789012         123456789012"
+        "Max address space         1234567890           1234567890"
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile
index a569edc6d..2f1134e6c 100644
--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -2,4 +2,4 @@ rlimit-fsize 1024
 rlimit-nproc 1000
 rlimit-nofile 500
 rlimit-sigpending 200
-rlimit-as 123456789012
+rlimit-as 1234567890
diff --git a/test/fs/private-lib.exp b/test/fs/private-lib.exp
index ed04de1f9..574ca7ab4 100755
--- a/test/fs/private-lib.exp
+++ b/test/fs/private-lib.exp
@@ -30,8 +30,8 @@ after 100
 send -- "cd /lib; find .\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "modules" {puts "TESTING ERROR 6\n";exit}
-        "firmware" {puts "TESTING ERROR 7\n";exit}
+        "./modules" {puts "TESTING ERROR 6\n";exit}
+        "./firmware" {puts "TESTING ERROR 7\n";exit}
         "libc.so"
 }
 after 100