Merge branch 'master' into replace-iwrite-iwuser

39 files changed, 319 insertions, 149 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 0f13afc51..eb485b8a2 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,6 +7,13 @@ assignees: ''
 
 ---
 
+<!--
+See the following links for help with formatting:
+
+https://guides.github.com/features/mastering-markdown/
+https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
+-->
+
 ### Description
 
 _Describe the bug_
@@ -15,7 +22,7 @@ _Describe the bug_
 
 _Steps to reproduce the behavior_
 
-1. Run in bash `LANG=C firejail PROGRAM` (`LANG=C` to get English messages that can be understood by everybody)
+1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody)
 2. Click on '....'
 3. Scroll down to '....'
 4. See error `ERROR`
@@ -30,7 +37,7 @@ _What actually happened_
 
 ### Behavior without a profile
 
-_What changed calling `firejail --noprofile /path/to/program` in a terminal?_
+_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_
 
 ### Additional context
 
@@ -44,6 +51,12 @@ _Any other detail that may help to understand/debug the problem_
 
 ### Checklist
 
+<!--
+Note: Items are checked with an "x", like so:
+
+- [x] This is a checked item.
+-->
+
 - [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
 - [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
 - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
@@ -55,7 +68,7 @@ _Any other detail that may help to understand/debug the problem_
 ### Log
 
 <details>
-<summary>Output of <code>firejail /path/to/program</code></summary>
+<summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary>
 <p>
 
 ```
@@ -66,7 +79,7 @@ output goes here
 </details>
 
 <details>
-<summary>Output of <code>firejail --debug /path/to/program</code></summary>
+<summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary>
 <p>
 
 ```
diff --git a/README.md b/README.md
index 0623d9463..40c6e9d98 100644
--- a/README.md
+++ b/README.md
@@ -267,4 +267,5 @@ $ ./profstats *.profile
 
 ### New profiles:
 
-clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp
+clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
+cmake, make, meson, pip, codium
diff --git a/RELNOTES b/RELNOTES
index f52ce09f1..3f92c89c7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,16 @@
 firejail (0.9.67) baseline; urgency=low
   * work in progress
+  * exit code: distinguish fatal signals by adding 128
   * deprecated --disable-whitelist at compile time
   * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+  * new condition: ALLOW_TRAY
   * remove (some) environment variables with auth-tokens
   * new includes: whitelist-run-common.inc, disable-X11.inc
   * removed includes: disable-passwordmgr.inc
   * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
   * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
-  * new profiles: yt-dlp
+  * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
+  * new profiles: make, meson, pip, codium
  -- netblue30 <netblue30@yahoo.com>  Thu, 29 Jul 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index d07690ee2..fa80a9c00 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -72,7 +72,7 @@ syn match fjCommandNoCond /quiet$/ contained
 
 " Conditionals grabbed from: src/firejail/profile.c
 " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
+syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
 
 " A line is either a command, a conditional or a comment
 syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
diff --git a/etc/firejail.config b/etc/firejail.config
index aec152b85..7912b746c 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
+# Allow programs to display a tray icon
+# allow-tray no
+
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 011bbe226..4e460fc10 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
+# Ruby
+noblacklist ${HOME}/.bundle
+
 # Rust
-noblacklist ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..00276cac7 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
 
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
+noblacklist /usr/lib64/ruby
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..804869e2a 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
 # Ruby
 blacklist ${PATH}/ruby
 blacklist /usr/lib/ruby
+blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 511d8730e..6734e220a 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/*
+blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clion*
@@ -142,6 +143,7 @@ blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/VSCodium
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index 3ce05c5bc..e82c145d1 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -32,6 +32,7 @@ nosound
 notv
 nou2f
 novideo
+# Add netlink protocol to use UPnP
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..1b199d612
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..bb82022b1
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..4c8afd895 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
 # Persistent global definitions
 include globals.local
 
-ignore noexec ${HOME}
-ignore noexec /tmp
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+ignore read-only ${HOME}/.cargo/bin
 
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
 
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-
-dbus-user none
-dbus-system none
 
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..26cc2a00a
--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile
new file mode 100644
index 000000000..9ff87ed8a
--- /dev/null
+++ b/etc/profile-a-l/codium.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for VSCodium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include codium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vscodium.profile
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..a0926371f
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.local/lib
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+#whitelist ${HOME}/.local/lib/python*
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..9c0a887b2 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
 #include globals.local
 
 noblacklist ${HOME}/.VSCodium
+noblacklist ${HOME}/.config/VSCodium
+noblacklist ${HOME}/.vscode-oss
 
 # Redirect
 include code.profile
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 019c3ac5a..8700e0ba1 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) {
 void build_var(const char *fname, FILE *fp) {
         assert(fname);
 
-        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/");
+        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
         process_files(fname, "/var", var_callback);
 
         // always whitelist /var
         if (var_out)
-                filedb_print(var_out, "allow /var/", fp);
+                filedb_print(var_out, "whitelist /var/", fp);
         fprintf(fp, "include whitelist-var-common.inc\n");
 }
 
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) {
 void build_share(const char *fname, FILE *fp) {
         assert(fname);
 
-        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/");
+        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
         process_files(fname, "/usr/share", share_callback);
 
         // always whitelist /usr/share
         if (share_out)
-                filedb_print(share_out, "allow /usr/share/", fp);
+                filedb_print(share_out, "whitelist /usr/share/", fp);
         fprintf(fp, "include whitelist-usr-share-common.inc\n");
 }
 
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index c85474779..0fe0ffef6 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -140,7 +140,7 @@ void build_home(const char *fname, FILE *fp) {
         assert(fname);
 
         // load whitelist common
-        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/");
+        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
 
         // find user home directory
         struct passwd *pw = getpwuid(getuid());
@@ -168,7 +168,7 @@ void build_home(const char *fname, FILE *fp) {
 
         // print the out list if any
         if (db_out) {
-                filedb_print(db_out, "allow ${HOME}/", fp);
+                filedb_print(db_out, "whitelist ${HOME}/", fp);
                 fprintf(fp, "include whitelist-common.inc\n");
         }
         else
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 0b9a99739..c945d7253 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -92,7 +92,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
         if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
                 if (fp == stdout)
-                        printf("--- Built profile beings after this line ---\n");
+                        printf("--- Built profile begins after this line ---\n");
                 fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
                 fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
                 fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a544e25f2..aad22ec7a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -151,6 +151,7 @@ clocks
 cmus
 code
 code-oss
+codium
 cola
 colorful
 com.github.bleakgrey.tootle
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 06e6f0ccb..e5d837bbb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -58,6 +58,7 @@ int checkcfg(int val) {
                 cfg_val[CFG_XPRA_ATTACH] = 0;
                 cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
                 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
+                cfg_val[CFG_ALLOW_TRAY] = 0;
 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
@@ -122,6 +123,7 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
                         PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+                        PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
 #undef PARSE_YESNO
 
                         // netfilter
diff --git a/src/firejail/env.c b/src/firejail/env.c
index ad16de037..4c0d729a1 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <limits.h>
 
 typedef struct env_t {
         struct env_t *next;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2a7d88575..bf51a4c93 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 
@@ -563,7 +564,7 @@ typedef struct {
 
 // mountinfo.c
 MountData *get_last_mount(void);
-int get_mount_id(const char *path);
+int get_mount_id(int fd);
 char **build_mount_array(const int mount_id, const char *path);
 
 // fs_var.c
@@ -621,7 +622,8 @@ void caps_print_filter(pid_t pid) __attribute__((noreturn));
 void caps_drop_dac_override(void);
 
 // fs_trace.c
-void fs_trace_preload(void);
+void fs_trace_touch_preload(void);
+void fs_trace_touch_or_store_preload(void);
 void fs_tracefile(void);
 void fs_trace(void);
 
@@ -801,6 +803,7 @@ enum {
         CFG_NAME_CHANGE,
         CFG_SECCOMP_ERROR_ACTION,
         // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
+        CFG_ALLOW_TRAY,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 6d01b5e5d..1a9a8df0d 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -23,7 +23,6 @@
 #include <sys/stat.h>
 #include <sys/statvfs.h>
 #include <sys/wait.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
@@ -633,34 +632,30 @@ out:
 }
 
 // remount recursively; requires a resolved path
-static void fs_remount_rec(const char *dir, OPERATION op) {
+static void fs_remount_rec(const char *path, OPERATION op) {
         EUID_ASSERT();
-        assert(dir);
+        assert(op < OPERATION_MAX);
+        assert(path);
 
-        struct stat s;
-        if (stat(dir, &s) != 0)
-                return;
-        if (!S_ISDIR(s.st_mode)) {
-                // no need to search in /proc/self/mountinfo for submounts if not a directory
-                fs_remount_simple(dir, op);
+        // no need to search /proc/self/mountinfo for submounts if not a directory
+        int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0) {
+                fs_remount_simple(path, op);
                 return;
         }
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                static int mount_warning = 0;
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
-                }
-                fs_remount_simple(dir, op);
+
+        // get mount id of the directory
+        int mountid = get_mount_id(fd);
+        close(fd);
+        if (mountid < 0) {
+                // falling back to a simple remount
+                fwarning("%s %s not applied recursively\n", opstr[op], path);
+                fs_remount_simple(path, op);
                 return;
         }
+
         // build array with all mount points that need to get remounted
-        char **arr = build_mount_array(mountid, dir);
+        char **arr = build_mount_array(mountid, path);
         assert(arr);
         // remount
         char **tmp = arr;
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index a43b18344..694d0a379 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 590337da1..8d8530d81 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -19,7 +19,6 @@
 */
 #include "firejail.h"
 #include <sys/mount.h>
-#include <linux/limits.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 43f6e658e..8b7e94f51 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index dd9abe253..17a7b3d23 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -20,25 +20,31 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
 
-void fs_trace_preload(void) {
+// create an empty /etc/ld.so.preload
+void fs_trace_touch_preload(void) {
+        create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+}
+
+void fs_trace_touch_or_store_preload(void) {
         struct stat s;
 
-        // create an empty /etc/ld.so.preload
-        if (stat("/etc/ld.so.preload", &s)) {
-                if (arg_debug)
-                        printf("Creating an empty /etc/ld.so.preload file\n");
-                FILE *fp = fopen("/etc/ld.so.preload", "wxe");
-                if (!fp)
-                        errExit("fopen");
-                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-                fclose(fp);
-                fs_logger("touch /etc/ld.so.preload");
+        if (stat("/etc/ld.so.preload", &s) != 0) {
+                fs_trace_touch_preload();
+                return;
+        }
+
+        if (s.st_size == 0)
+                return;
+
+        // create a copy of /etc/ld.so.preload
+        if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) {
+                fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n");
+                exit(1);
         }
 }
 
@@ -83,7 +89,7 @@ void fs_trace(void) {
         if (arg_debug)
                 printf("Create the new ld.so.preload file\n");
 
-        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we");
+        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "ae");
         if (!fp)
                 errExit("fopen");
         const char *prefix = RUN_FIREJAIL_LIB_DIR;
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 12ffd8383..e19d0df96 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 81d148257..cc5186204 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -32,7 +32,8 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <errno.h>
-//#include <limits.h>
+
+#include <limits.h>
 #include <sys/file.h>
 #include <sys/prctl.h>
 #include <signal.h>
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 64a94bd84..304f80eee 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -151,53 +152,71 @@ MountData *get_last_mount(void) {
         return &mdata;
 }
 
-// Extract the mount id from /proc/self/fdinfo and return it.
-int get_mount_id(const char *path) {
+// Returns mount id, or -1 if fd refers to a procfs or sysfs file
+static int get_mount_id_from_handle(int fd) {
         EUID_ASSERT();
-        assert(path);
 
-        int fd = open(path, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                return -1;
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        struct file_handle *fh = malloc(sizeof *fh);
+        if (!fh)
+                errExit("malloc");
+        fh->handle_bytes = 0;
+
+        int rv = -1;
+        int tmp;
+        if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) {
+                fprintf(stderr, "Error: unexpected result from name_to_handle_at\n");
+                exit(1);
+        }
+        if (errno == EOVERFLOW && fh->handle_bytes)
+                rv = tmp;
+
+        free(proc);
+        free(fh);
+        return rv;
+}
+
+// Returns mount id, or -1 on kernels < 3.15
+static int get_mount_id_from_fdinfo(int fd) {
+        EUID_ASSERT();
+        int rv = -1;
 
-        char *fdinfo;
-        if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
                 errExit("asprintf");
         EUID_ROOT();
-        FILE *fp = fopen(fdinfo, "re");
+        FILE *fp = fopen(proc, "re");
         EUID_USER();
-        free(fdinfo);
         if (!fp)
                 goto errexit;
 
-        // read the file
         char buf[MAX_BUF];
-        if (fgets(buf, MAX_BUF, fp) == NULL)
-                goto errexit;
-        do {
+        while (fgets(buf, MAX_BUF, fp)) {
                 if (strncmp(buf, "mnt_id:", 7) == 0) {
-                        char *ptr = buf + 7;
-                        while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-                                ptr++;
-                        }
-                        if (*ptr == '\0')
+                        if (sscanf(buf + 7, "%d", &rv) != 1)
                                 goto errexit;
-                        fclose(fp);
-                        close(fd);
-                        return atoi(ptr);
+                        break;
                 }
-        } while (fgets(buf, MAX_BUF, fp));
+        }
 
-        // fallback, kernels older than 3.15 don't expose the mount id in this place
+        free(proc);
         fclose(fp);
-        close(fd);
-        return -2;
+        return rv;
 
 errexit:
         fprintf(stderr, "Error: cannot read proc file\n");
         exit(1);
 }
 
+int get_mount_id(int fd) {
+        int rv = get_mount_id_from_fdinfo(fd);
+        if (rv < 0)
+                rv = get_mount_id_from_handle(fd);
+        return rv;
+}
+
 // Check /proc/self/mountinfo if path contains any mounts points.
 // Returns an array that can be iterated over for recursive remounting.
 char **build_mount_array(const int mount_id, const char *path) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 059100fcb..5390249ea 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -175,6 +175,10 @@ static int check_allow_drm(void) {
         return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
 }
 
+static int check_allow_tray(void) {
+        return checkcfg(CFG_ALLOW_TRAY) != 0;
+}
+
 Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NET", check_netoptions},
@@ -184,6 +188,7 @@ Cond conditionals[] = {
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
         {"BROWSER_ALLOW_DRM", check_allow_drm},
+        {"ALLOW_TRAY", check_allow_tray},
         { NULL, NULL }
 };
 
@@ -630,7 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strncmp(ptr, "netns  ", 6) == 0) {
+        else if (strncmp(ptr, "netns ", 6) == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
                         arg_netns = ptr + 6;
@@ -981,10 +986,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
@@ -1001,10 +1006,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 6f17231a4..59077dada 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -21,7 +21,6 @@
 #include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5e0e849b9..d66b6c573 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -798,7 +798,7 @@ int sandbox(void* sandbox_arg) {
 
         // trace pre-install
         if (need_preload)
-                fs_trace_preload();
+                fs_trace_touch_or_store_preload();
 
         // store hosts file
         if (cfg.hosts_file)
@@ -814,8 +814,11 @@ int sandbox(void* sandbox_arg) {
                 //****************************
                 // trace pre-install, this time inside chroot
                 //****************************
-                if (need_preload)
-                        fs_trace_preload();
+                if (need_preload) {
+                        int rv = unlink(RUN_LDPRELOAD_FILE);
+                        (void) rv;
+                        fs_trace_touch_or_store_preload();
+                }
         }
         else
 #endif
@@ -992,7 +995,7 @@ int sandbox(void* sandbox_arg) {
 
                         // create /etc/ld.so.preload file again
                         if (need_preload)
-                                fs_trace_preload();
+                                fs_trace_touch_preload();
 
                         // openSUSE configuration is split between /etc and /usr/etc
                         // process private-etc a second time
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index a76fd3765..a1eccaa5e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -174,7 +174,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
diff --git a/test/utils/build.exp b/test/utils/build.exp
index 104ac037c..b9733c137 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -13,7 +13,7 @@ after 100
 send -- "firejail --build cat ~/_firejail-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "allow $\{HOME\}/_firejail-test-file"
+        "whitelist $\{HOME\}/_firejail-test-file"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}