18 files changed, 143 insertions, 64 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index a319e1ac6..c0e0062cd 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -40,7 +40,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
@@ -59,7 +59,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
@@ -74,7 +74,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
@@ -89,7 +89,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e383c9ef2..6612e256d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -32,7 +32,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8b84f4d16..2190c9a1d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -56,7 +56,7 @@ jobs:
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
@@ -65,7 +65,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6
+      uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,7 +76,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6
+      uses: github/codeql-action/autobuild@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -90,4 +90,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6
+      uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index f5de62412..d36d050ab 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
diff --git a/README.md b/README.md
index 023436e0d..a9df34c77 100644
--- a/README.md
+++ b/README.md
@@ -336,3 +336,4 @@ Stats:
 ### New profiles:
 onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
+cinelerra-gg
diff --git a/RELNOTES b/RELNOTES
index 1adfd913e..18b577cca 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,8 @@ firejail (0.9.71) baseline; urgency=low
  * work in progress
  * feature: On failing to remount a fuse filesystem, give warning instead of
    erroring out (#5240 #5242)
+  * feature: Update syscall tables and seccomp groups (#5188)
+  * feature: improve force-nonewprivs security guarantees (#5217 #5271)
  * feature: restrict namespaces (--restrict-namespaces) implemented as
    a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
  * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
@@ -26,8 +28,9 @@ firejail (0.9.71) baseline; urgency=low
  * build: add autoconf auto-generation comment to input files (#5251)
  * build: Add files make uninstall forgot to remove (#5283)
  * build: add and use TARNAME instead of NAME for paths (#5310)
-  * build: only install ids.config when --enable-ids is set (#5357)
+  * build: only install ids.config when --enable-ids is set (#5356 #5357)
  * build: Remove deprecated syntax and modernize shell test scripts (#5370)
+  * build: Fix musl warnings (#5421 #5431)
  * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275)
  * ci: ignore git-related paths and the project license (#5249)
  * docs: mention risk of SUID binaries and also firejail-users(5) (#5288
@@ -37,6 +40,8 @@ firejail (0.9.71) baseline; urgency=low
  * docs: Add IRC channel info to README.md (#5361)
  * docs: man: Note that some commands can be disabled in firejail.config
    (#5366)
+  * docs: Add gist note to bug_report.md (#5398)
+  * docs: clarify that --appimage should appear before --profile (#5402 #5451)
 -- netblue30 <netblue30@yahoo.com>  Sat, 11 Jun 2022 09:00:00 -0500
 firejail (0.9.70) baseline; urgency=low
diff --git a/contrib/sort.py b/contrib/sort.py
index 6f21370ec..638f14516 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -2,48 +2,61 @@
 # This file is part of Firejail project
 # Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
-"""
-Sort the items of multi-item options in profiles, the following options are supported:
-  private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol
-Usage:
+# Requirements:
-    $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ]
+#  python >= 3.6
+from os import path
+from sys import argv, exit as sys_exit, stderr
+__doc__ = f"""\
+Sort the arguments of commands in profiles.
+Usage: {path.basename(argv[0])} [/path/to/profile ...]
+The following commands are supported:
+    private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
+    seccomp.drop, protocol
+Note that this is only applicable to commands that support multiple arguments.
 Keep in mind that this will overwrite your profile(s).
 Examples:
-    $ ./sort.py MyAwesomeProfile.profile
+    $ {argv[0]} MyAwesomeProfile.profile
-    $ ./sort.py new_profile.profile second_new_profile.profile
+    $ {argv[0]} new_profile.profile second_new_profile.profile
-    $ ./sort.py ~/.config/firejail/*.{profile,inc,local}
+    $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}}
-    $ sudo ./sort.py /etc/firejail/*.{profile,inc,local}
+    $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}}
-Exit-Codes:
+Exit Codes:
-  0: No Error; No Profile Fixed.
+  0: Success: No profiles needed fixing.
-  1: Error, one or more profiles were not processed correctly.
+  1: Error: One or more profiles could not be processed correctly.
-  101: No Error; One or more profile were fixed.
+  2: Error: Missing arguments.
+  101: Info: One or more profiles were fixed.
 """
-# Requirements:
-#  python >= 3.6
-from sys import argv, exit as sys_exit
-def sort_alphabetical(raw_items):
+def sort_alphabetical(original_items):
-    items = raw_items.split(",")
+    items = original_items.split(",")
-    items.sort(key=lambda s: s.casefold())
+    items.sort(key=str.casefold)
    return ",".join(items)
-def sort_protocol(protocols):
+def sort_protocol(original_protocols):
-    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+    """
+    Sort the given protocols into the following order:
+        unix,inet,inet6,netlink,packet,bluetooth
+    """
    # shortcut for common protocol lines
-    if protocols in ("unix", "unix,inet,inet6"):
+    if original_protocols in ("unix", "unix,inet,inet6"):
-        return protocols
+        return original_protocols
    fixed_protocols = ""
    for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
        for prefix in ("", "-", "+", "="):
-            if f",{prefix}{protocol}," in f",{protocols},":
+            if f",{prefix}{protocol}," in f",{original_protocols},":
                fixed_protocols += f"{prefix}{protocol},"
    return fixed_protocols[:-1]
@@ -53,7 +66,7 @@ def fix_profile(filename):
        lines = profile.read().split("\n")
        was_fixed = False
        fixed_profile = []
-        for lineno, line in enumerate(lines):
+        for lineno, line in enumerate(lines, 1):
            if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
                fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
            elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
@@ -69,8 +82,8 @@ def fix_profile(filename):
            if fixed_line != line:
                was_fixed = True
                print(
-                    f"{filename}:{lineno + 1}:-{line}\n"
+                    f"{filename}:{lineno}:-{line}\n"
-                    f"{filename}:{lineno + 1}:+{fixed_line}"
+                    f"{filename}:{lineno}:+{fixed_line}"
                )
            fixed_profile.append(fixed_line)
        if was_fixed:
@@ -84,22 +97,30 @@ def fix_profile(filename):
 def main(args):
+    if len(args) < 1:
+        print(__doc__, file=stderr)
+        return 2
+    print(f"sort.py: checking {len(args)} profile(s)...")
    exit_code = 0
-    print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
    for filename in args:
        try:
            if exit_code not in (1, 101):
                exit_code = fix_profile(filename)
            else:
                fix_profile(filename)
-        except FileNotFoundError:
+        except FileNotFoundError as err:
-            print(f"[ Error ] Can't find `{filename}'")
+            print(f"[ Error ] {err}", file=stderr)
            exit_code = 1
-        except PermissionError:
+        except PermissionError as err:
-            print(f"[ Error ] Can't read/write `{filename}'")
+            print(f"[ Error ] {err}", file=stderr)
            exit_code = 1
        except Exception as err:
-            print(f"[ Error ] An error occurred while processing `{filename}': {err}")
+            print(
+                f"[ Error ] An error occurred while processing '{filename}': {err}",
+                file=stderr,
+            )
            exit_code = 1
    return exit_code
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 09548c761..071a279b0 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -13,6 +13,8 @@ ignore noexec /tmp
 # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
+# Causes slow starts (#4604)
+ignore private-cache
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/cinelerra-gg b/etc/profile-a-l/cinelerra-gg
new file mode 100644
index 000000000..ccb9fe04b
--- /dev/null
+++ b/etc/profile-a-l/cinelerra-gg
@@ -0,0 +1,10 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cinelerra-gg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cin.profile
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index fddd613e2..d8a27da62 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -36,7 +36,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 # deluge is using python on Debian
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 21bf7eabf..eec9f86db 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,9 +6,9 @@ include evince.local
 # Persistent global definitions
 include globals.local
-# WARNING: using bookmarks possibly exposes information, including file history from other programs.
+# WARNING: This exposes information like file history from other programs.
-# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
+# You can add a blacklist for it in your evince.local for additional hardening if you can live with some restrictions.
-#noblacklist ${HOME}/.local/share/gvfs-metadata
+noblacklist ${HOME}/.local/share/gvfs-metadata
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
@@ -59,9 +59,8 @@ private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
-# dbus-user filtering might break two-page-view on some systems
 dbus-user filter
-# Add the next two lines to your evince.local if you need bookmarks support.
+dbus-user.talk ca.desrt.dconf
-#dbus-user.talk org.gtk.vfs.Daemon
+dbus-user.talk org.gtk.vfs.Daemon
-#dbus-user.talk org.gtk.vfs.Metadata
+dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/godot3.profile b/etc/profile-a-l/godot3.profile
new file mode 100644
index 000000000..90d1b15b7
--- /dev/null
+++ b/etc/profile-a-l/godot3.profile
@@ -0,0 +1,11 @@
+# Firejail profile for godot
+# Description: multi-platform 2D and 3D game engine with a feature-rich editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include godot3.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include godot.profile
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index bb2a41457..22c8b1782 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -8,8 +8,12 @@ include globals.local
 noblacklist ${HOME}/.nicotine
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -37,6 +41,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -47,7 +52,7 @@ seccomp
 tracelog
 disable-mnt
-private-bin nicotine,python2*
+#private-bin nicotine,python2*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 92ebebdae..8a9614fb0 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -10,6 +10,7 @@ include globals.local
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
@@ -21,7 +22,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 8582e2462..28c219377 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -19,6 +19,13 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -55,5 +62,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
-dbus-user none
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 72a33ed5a..17563cde3 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -137,6 +137,7 @@ chromium-browser-privacy
 chromium-freeworld
 cin
 cinelerra
+cinelerra-gg
 clamdscan
 clamdtop
 clamscan
@@ -355,6 +356,7 @@ gnome-weather
 gnote
 gnubik
 godot
+godot3
 goldendict
 goobox
 google-chrome
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 138aae8af..7fa677ae5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -14,7 +14,7 @@ Using a specific profile:
 .br
 Example:
 .br
-$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
+$ firejail --appimage --profile=/etc/firejail/kdenlive.profile kdenlive.appimage
 .br
 .br
@@ -25,7 +25,7 @@ $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
 .br
 Example:
 .br
-$ firejail --profile=kdenlive --appimage kdenlive.appimage
+$ firejail --appimage --profile=kdenlive kdenlive.appimage
 .br
 .br
@@ -179,6 +179,11 @@ can be enabled or disabled globally in Firejail's configuration file.
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
+Note: When using one or more conditionals and \fB--profile\fR, it is
+recommended that the relevant option(s) (such as \fB--appimage\fR) be specified
+before \fB--profile\fR, so that their respective conditional(s) (such as
+\fB?HAS_APPIMAGE\fR) inside of the profile evaluate to true.
 .TP
 \fBinclude other.profile
 Include other.profile file.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b4be1cd62..39c81312c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments]
 Start an AppImage program:
 .PP
 .RS
-firejail [OPTIONS] --appimage [appimage-file and arguments]
+firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and arguments]
 .RE
 .PP
 #ifdef HAVE_FILE_TRANSFER
@@ -164,15 +164,22 @@ private-bin and private-lib are disabled by default when running appimages.
 .br
 Example:
 .br
-$ firejail --profile=krita --appimage krita-3.0-x86_64.appimage
+$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
 .br
-$ firejail --private --profile=krita --appimage krita-3.0-x86_64.appimage
+$ firejail --quiet --appimage --private --profile=krita krita-3.0-x86_64.appimage
 .br
 #ifdef HAVE_X11
-$ firejail --net=none --x11 --profile=krita --appimage krita-3.0-x86_64.appimage
+$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
 #endif
-.TP
+.br
+.br
+Note: When using both \fB--appimage\fR and \fB--profile\fR, it is recommended
+to always specify the former before the latter, so that any \fB?HAS_APPIMAGE\fR
+conditionals inside of the profile evaluate to true (see \fB?CONDITIONAL\fR in
+firejail-profile(5)).
 #ifdef HAVE_NETWORK
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 #endif