13 files changed, 145 insertions, 70 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index a319e1ac6..e9ec436a4 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -4,33 +4,43 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
-      - 'src/firecfg/firecfg.config'
-      - '.github/ISSUE_TEMPLATE/*'
-      - '.github/pull_request_template.md'
+      - src/firecfg/firecfg.config
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
-      - 'src/firecfg/firecfg.config'
-      - '.github/ISSUE_TEMPLATE/*'
-      - '.github/pull_request_template.md'
+      - src/firecfg/firecfg.config
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -40,7 +50,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -59,7 +69,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -74,7 +84,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -89,7 +99,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e383c9ef2..3119f59b9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,8 +4,13 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
@@ -15,8 +20,13 @@ on:
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
@@ -32,7 +42,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6c8a9bf99..ad19c9530 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,28 +9,42 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
+      - src/firecfg/firecfg.config
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
+      - src/firecfg/firecfg.config
   schedule:
     - cron: '0 7 * * 2'
 
@@ -56,7 +70,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index f5de62412..17e756685 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -4,17 +4,17 @@ on:
   push:
     branches: [ master ]
     paths:
-      - 'etc/**'
       - 'ci/check/profiles/**'
-      - 'src/firecfg/firecfg.config'
-      - 'contrib/sort.py'
+      - 'etc/**'
+      - contrib/sort.py
+      - src/firecfg/firecfg.config
   pull_request:
     branches: [ master ]
     paths:
-      - 'etc/**'
       - 'ci/check/profiles/**'
-      - 'src/firecfg/firecfg.config'
-      - 'contrib/sort.py'
+      - 'etc/**'
+      - contrib/sort.py
+      - src/firecfg/firecfg.config
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/RELNOTES b/RELNOTES
index 69ddc6845..18b577cca 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,8 @@ firejail (0.9.71) baseline; urgency=low
   * work in progress
   * feature: On failing to remount a fuse filesystem, give warning instead of
     erroring out (#5240 #5242)
+  * feature: Update syscall tables and seccomp groups (#5188)
+  * feature: improve force-nonewprivs security guarantees (#5217 #5271)
   * feature: restrict namespaces (--restrict-namespaces) implemented as
     a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
   * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
diff --git a/contrib/sort.py b/contrib/sort.py
index 6f21370ec..638f14516 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -2,48 +2,61 @@
 # This file is part of Firejail project
 # Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
-"""
-Sort the items of multi-item options in profiles, the following options are supported:
-  private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol
 
-Usage:
-    $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ]
+# Requirements:
+#  python >= 3.6
+from os import path
+from sys import argv, exit as sys_exit, stderr
+
+__doc__ = f"""\
+Sort the arguments of commands in profiles.
+
+Usage: {path.basename(argv[0])} [/path/to/profile ...]
+
+The following commands are supported:
+
+    private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
+    seccomp.drop, protocol
+
+Note that this is only applicable to commands that support multiple arguments.
+
 Keep in mind that this will overwrite your profile(s).
 
 Examples:
-    $ ./sort.py MyAwesomeProfile.profile
-    $ ./sort.py new_profile.profile second_new_profile.profile
-    $ ./sort.py ~/.config/firejail/*.{profile,inc,local}
-    $ sudo ./sort.py /etc/firejail/*.{profile,inc,local}
-
-Exit-Codes:
-  0: No Error; No Profile Fixed.
-  1: Error, one or more profiles were not processed correctly.
-  101: No Error; One or more profile were fixed.
+    $ {argv[0]} MyAwesomeProfile.profile
+    $ {argv[0]} new_profile.profile second_new_profile.profile
+    $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}}
+    $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}}
+
+Exit Codes:
+  0: Success: No profiles needed fixing.
+  1: Error: One or more profiles could not be processed correctly.
+  2: Error: Missing arguments.
+  101: Info: One or more profiles were fixed.
 """
 
-# Requirements:
-#  python >= 3.6
-from sys import argv, exit as sys_exit
-
 
-def sort_alphabetical(raw_items):
-    items = raw_items.split(",")
-    items.sort(key=lambda s: s.casefold())
+def sort_alphabetical(original_items):
+    items = original_items.split(",")
+    items.sort(key=str.casefold)
     return ",".join(items)
 
 
-def sort_protocol(protocols):
-    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+def sort_protocol(original_protocols):
+    """
+    Sort the given protocols into the following order:
+
+        unix,inet,inet6,netlink,packet,bluetooth
+    """
 
     # shortcut for common protocol lines
-    if protocols in ("unix", "unix,inet,inet6"):
-        return protocols
+    if original_protocols in ("unix", "unix,inet,inet6"):
+        return original_protocols
 
     fixed_protocols = ""
     for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
         for prefix in ("", "-", "+", "="):
-            if f",{prefix}{protocol}," in f",{protocols},":
+            if f",{prefix}{protocol}," in f",{original_protocols},":
                 fixed_protocols += f"{prefix}{protocol},"
     return fixed_protocols[:-1]
 
@@ -53,7 +66,7 @@ def fix_profile(filename):
         lines = profile.read().split("\n")
         was_fixed = False
         fixed_profile = []
-        for lineno, line in enumerate(lines):
+        for lineno, line in enumerate(lines, 1):
             if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
                 fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
             elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
@@ -69,8 +82,8 @@ def fix_profile(filename):
             if fixed_line != line:
                 was_fixed = True
                 print(
-                    f"{filename}:{lineno + 1}:-{line}\n"
-                    f"{filename}:{lineno + 1}:+{fixed_line}"
+                    f"{filename}:{lineno}:-{line}\n"
+                    f"{filename}:{lineno}:+{fixed_line}"
                 )
             fixed_profile.append(fixed_line)
         if was_fixed:
@@ -84,22 +97,30 @@ def fix_profile(filename):
 
 
 def main(args):
+    if len(args) < 1:
+        print(__doc__, file=stderr)
+        return 2
+
+    print(f"sort.py: checking {len(args)} profile(s)...")
+
     exit_code = 0
-    print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
     for filename in args:
         try:
             if exit_code not in (1, 101):
                 exit_code = fix_profile(filename)
             else:
                 fix_profile(filename)
-        except FileNotFoundError:
-            print(f"[ Error ] Can't find `{filename}'")
+        except FileNotFoundError as err:
+            print(f"[ Error ] {err}", file=stderr)
             exit_code = 1
-        except PermissionError:
-            print(f"[ Error ] Can't read/write `{filename}'")
+        except PermissionError as err:
+            print(f"[ Error ] {err}", file=stderr)
             exit_code = 1
         except Exception as err:
-            print(f"[ Error ] An error occurred while processing `{filename}': {err}")
+            print(
+                f"[ Error ] An error occurred while processing '{filename}': {err}",
+                file=stderr,
+            )
             exit_code = 1
     return exit_code
 
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 09548c761..071a279b0 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -13,6 +13,8 @@ ignore noexec /tmp
 # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
+# Causes slow starts (#4604)
+ignore private-cache
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 2b26b3727..89c44bf76 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -65,7 +65,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 21bf7eabf..eec9f86db 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,9 +6,9 @@ include evince.local
 # Persistent global definitions
 include globals.local
 
-# WARNING: using bookmarks possibly exposes information, including file history from other programs.
-# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
-#noblacklist ${HOME}/.local/share/gvfs-metadata
+# WARNING: This exposes information like file history from other programs.
+# You can add a blacklist for it in your evince.local for additional hardening if you can live with some restrictions.
+noblacklist ${HOME}/.local/share/gvfs-metadata
 
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
@@ -59,9 +59,8 @@ private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
-# dbus-user filtering might break two-page-view on some systems
 dbus-user filter
-# Add the next two lines to your evince.local if you need bookmarks support.
-#dbus-user.talk org.gtk.vfs.Daemon
-#dbus-user.talk org.gtk.vfs.Metadata
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.Daemon
+dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 0562cf430..80cecd056 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -69,7 +69,8 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !modify_ldt
+seccomp.32 !modify_ldt
 
 # Add the next line to your lutris.local if you do not need controller support.
 #private-dev
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index bb2a41457..22c8b1782 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -8,8 +8,12 @@ include globals.local
 
 noblacklist ${HOME}/.nicotine
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,6 +41,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -47,7 +52,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin nicotine,python2*
+#private-bin nicotine,python2*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 92ebebdae..8a9614fb0 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -10,6 +10,7 @@ include globals.local
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
@@ -21,7 +22,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 8582e2462..28c219377 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -19,6 +19,13 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -55,5 +62,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+
 dbus-system none