43 files changed, 379 insertions, 427 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index a319e1ac6..e9ec436a4 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -4,33 +4,43 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
-      - 'src/firecfg/firecfg.config'
-      - '.github/ISSUE_TEMPLATE/*'
-      - '.github/pull_request_template.md'
+      - src/firecfg/firecfg.config
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
-      - 'src/firecfg/firecfg.config'
-      - '.github/ISSUE_TEMPLATE/*'
-      - '.github/pull_request_template.md'
+      - src/firecfg/firecfg.config
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -40,7 +50,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -59,7 +69,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -74,7 +84,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -89,7 +99,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e383c9ef2..3119f59b9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,8 +4,13 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
@@ -15,8 +20,13 @@ on:
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
+      - .github/workflows/codeql-analysis.yml
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
@@ -32,7 +42,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6c8a9bf99..ad19c9530 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,28 +9,42 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
+      - src/firecfg/firecfg.config
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master ]
     paths-ignore:
+      - '.github/ISSUE_TEMPLATE/*'
+      - 'etc/**'
+      - 'contrib/vim/**'
+      - 'src/man/*.txt'
       - .git-blame-ignore-revs
+      - .github/dependabot.yml
+      - .github/pull_request_template.md
       - .gitignore
+      - .gitlab-ci.yml
       - CONTRIBUTING.md
       - COPYING
       - README
       - README.md
       - RELNOTES
       - SECURITY.md
-      - 'etc/**'
+      - src/firecfg/firecfg.config
   schedule:
     - cron: '0 7 * * 2'
 
@@ -56,7 +70,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index f5de62412..17e756685 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -4,17 +4,17 @@ on:
   push:
     branches: [ master ]
     paths:
-      - 'etc/**'
       - 'ci/check/profiles/**'
-      - 'src/firecfg/firecfg.config'
-      - 'contrib/sort.py'
+      - 'etc/**'
+      - contrib/sort.py
+      - src/firecfg/firecfg.config
   pull_request:
     branches: [ master ]
     paths:
-      - 'etc/**'
       - 'ci/check/profiles/**'
-      - 'src/firecfg/firecfg.config'
-      - 'contrib/sort.py'
+      - 'etc/**'
+      - contrib/sort.py
+      - src/firecfg/firecfg.config
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/Makefile b/Makefile
index 0499ff170..843ccd5ae 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,4 @@
+ROOT = .
 -include config.mk
 
 ifneq ($(HAVE_MAN),no)
@@ -7,8 +8,6 @@ endif
 
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 
-.PHONY: all
-all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity
@@ -22,6 +21,9 @@ MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 fi
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
+.PHONY: all
+all: all_items mydirs $(MAN_TARGET) filters
+
 config.mk config.sh:
         printf 'run ./configure to generate %s\n' "$@" >&2
         false
diff --git a/RELNOTES b/RELNOTES
index 327cfdb36..18b577cca 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,8 @@ firejail (0.9.71) baseline; urgency=low
   * work in progress
   * feature: On failing to remount a fuse filesystem, give warning instead of
     erroring out (#5240 #5242)
+  * feature: Update syscall tables and seccomp groups (#5188)
+  * feature: improve force-nonewprivs security guarantees (#5217 #5271)
   * feature: restrict namespaces (--restrict-namespaces) implemented as
     a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
   * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
@@ -38,6 +40,8 @@ firejail (0.9.71) baseline; urgency=low
   * docs: Add IRC channel info to README.md (#5361)
   * docs: man: Note that some commands can be disabled in firejail.config
     (#5366)
+  * docs: Add gist note to bug_report.md (#5398)
+  * docs: clarify that --appimage should appear before --profile (#5402 #5451)
  -- netblue30 <netblue30@yahoo.com>  Sat, 11 Jun 2022 09:00:00 -0500
 
 firejail (0.9.70) baseline; urgency=low
diff --git a/contrib/sort.py b/contrib/sort.py
index 6f21370ec..638f14516 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -2,48 +2,61 @@
 # This file is part of Firejail project
 # Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
-"""
-Sort the items of multi-item options in profiles, the following options are supported:
-  private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol
 
-Usage:
-    $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ]
+# Requirements:
+#  python >= 3.6
+from os import path
+from sys import argv, exit as sys_exit, stderr
+
+__doc__ = f"""\
+Sort the arguments of commands in profiles.
+
+Usage: {path.basename(argv[0])} [/path/to/profile ...]
+
+The following commands are supported:
+
+    private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
+    seccomp.drop, protocol
+
+Note that this is only applicable to commands that support multiple arguments.
+
 Keep in mind that this will overwrite your profile(s).
 
 Examples:
-    $ ./sort.py MyAwesomeProfile.profile
-    $ ./sort.py new_profile.profile second_new_profile.profile
-    $ ./sort.py ~/.config/firejail/*.{profile,inc,local}
-    $ sudo ./sort.py /etc/firejail/*.{profile,inc,local}
-
-Exit-Codes:
-  0: No Error; No Profile Fixed.
-  1: Error, one or more profiles were not processed correctly.
-  101: No Error; One or more profile were fixed.
+    $ {argv[0]} MyAwesomeProfile.profile
+    $ {argv[0]} new_profile.profile second_new_profile.profile
+    $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}}
+    $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}}
+
+Exit Codes:
+  0: Success: No profiles needed fixing.
+  1: Error: One or more profiles could not be processed correctly.
+  2: Error: Missing arguments.
+  101: Info: One or more profiles were fixed.
 """
 
-# Requirements:
-#  python >= 3.6
-from sys import argv, exit as sys_exit
-
 
-def sort_alphabetical(raw_items):
-    items = raw_items.split(",")
-    items.sort(key=lambda s: s.casefold())
+def sort_alphabetical(original_items):
+    items = original_items.split(",")
+    items.sort(key=str.casefold)
     return ",".join(items)
 
 
-def sort_protocol(protocols):
-    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+def sort_protocol(original_protocols):
+    """
+    Sort the given protocols into the following order:
+
+        unix,inet,inet6,netlink,packet,bluetooth
+    """
 
     # shortcut for common protocol lines
-    if protocols in ("unix", "unix,inet,inet6"):
-        return protocols
+    if original_protocols in ("unix", "unix,inet,inet6"):
+        return original_protocols
 
     fixed_protocols = ""
     for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
         for prefix in ("", "-", "+", "="):
-            if f",{prefix}{protocol}," in f",{protocols},":
+            if f",{prefix}{protocol}," in f",{original_protocols},":
                 fixed_protocols += f"{prefix}{protocol},"
     return fixed_protocols[:-1]
 
@@ -53,7 +66,7 @@ def fix_profile(filename):
         lines = profile.read().split("\n")
         was_fixed = False
         fixed_profile = []
-        for lineno, line in enumerate(lines):
+        for lineno, line in enumerate(lines, 1):
             if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
                 fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
             elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
@@ -69,8 +82,8 @@ def fix_profile(filename):
             if fixed_line != line:
                 was_fixed = True
                 print(
-                    f"{filename}:{lineno + 1}:-{line}\n"
-                    f"{filename}:{lineno + 1}:+{fixed_line}"
+                    f"{filename}:{lineno}:-{line}\n"
+                    f"{filename}:{lineno}:+{fixed_line}"
                 )
             fixed_profile.append(fixed_line)
         if was_fixed:
@@ -84,22 +97,30 @@ def fix_profile(filename):
 
 
 def main(args):
+    if len(args) < 1:
+        print(__doc__, file=stderr)
+        return 2
+
+    print(f"sort.py: checking {len(args)} profile(s)...")
+
     exit_code = 0
-    print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
     for filename in args:
         try:
             if exit_code not in (1, 101):
                 exit_code = fix_profile(filename)
             else:
                 fix_profile(filename)
-        except FileNotFoundError:
-            print(f"[ Error ] Can't find `{filename}'")
+        except FileNotFoundError as err:
+            print(f"[ Error ] {err}", file=stderr)
             exit_code = 1
-        except PermissionError:
-            print(f"[ Error ] Can't read/write `{filename}'")
+        except PermissionError as err:
+            print(f"[ Error ] {err}", file=stderr)
             exit_code = 1
         except Exception as err:
-            print(f"[ Error ] An error occurred while processing `{filename}': {err}")
+            print(
+                f"[ Error ] An error occurred while processing '{filename}': {err}",
+                file=stderr,
+            )
             exit_code = 1
     return exit_code
 
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 09548c761..071a279b0 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -13,6 +13,8 @@ ignore noexec /tmp
 # you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
+# Causes slow starts (#4604)
+ignore private-cache
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 2b26b3727..89c44bf76 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -65,7 +65,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 21bf7eabf..eec9f86db 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,9 +6,9 @@ include evince.local
 # Persistent global definitions
 include globals.local
 
-# WARNING: using bookmarks possibly exposes information, including file history from other programs.
-# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
-#noblacklist ${HOME}/.local/share/gvfs-metadata
+# WARNING: This exposes information like file history from other programs.
+# You can add a blacklist for it in your evince.local for additional hardening if you can live with some restrictions.
+noblacklist ${HOME}/.local/share/gvfs-metadata
 
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
@@ -59,9 +59,8 @@ private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
-# dbus-user filtering might break two-page-view on some systems
 dbus-user filter
-# Add the next two lines to your evince.local if you need bookmarks support.
-#dbus-user.talk org.gtk.vfs.Daemon
-#dbus-user.talk org.gtk.vfs.Metadata
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.Daemon
+dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 0562cf430..80cecd056 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -69,7 +69,8 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !modify_ldt
+seccomp.32 !modify_ldt
 
 # Add the next line to your lutris.local if you do not need controller support.
 #private-dev
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index bb2a41457..22c8b1782 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -8,8 +8,12 @@ include globals.local
 
 noblacklist ${HOME}/.nicotine
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,6 +41,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -47,7 +52,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin nicotine,python2*
+#private-bin nicotine,python2*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 92ebebdae..8a9614fb0 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -10,6 +10,7 @@ include globals.local
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
+ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
@@ -21,7 +22,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 8582e2462..28c219377 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -19,6 +19,13 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -55,5 +62,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+
 dbus-system none
diff --git a/src/common.mk b/src/common.mk
deleted file mode 100644
index 07b5e373d..000000000
--- a/src/common.mk
+++ /dev/null
@@ -1,16 +0,0 @@
-# Common definitions for building C programs and non-shared objects.
-#
-# Note: "ROOT" must be defined before including this file.
-
--include $(ROOT)/config.mk
-
-H_FILE_LIST       = $(sort $(wildcard *.h))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
-CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'   -DVARDIR='"/var/lib/firejail"'
-CFLAGS += $(MANFLAGS)
-CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
diff --git a/src/fbuilder/Makefile b/src/fbuilder/Makefile
index da0403c6e..ad73e8960 100644
--- a/src/fbuilder/Makefile
+++ b/src/fbuilder/Makefile
@@ -1,17 +1,9 @@
-.PHONY: all
-all: fbuilder
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fbuilder: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fbuilder
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/syscall.h
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fcopy/Makefile b/src/fcopy/Makefile
index ae128df9b..27054627c 100644
--- a/src/fcopy/Makefile
+++ b/src/fcopy/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: fcopy
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fcopy: $(OBJS) ../lib/common.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fcopy
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fids/Makefile b/src/fids/Makefile
index e57c56b5b..44ea396d7 100644
--- a/src/fids/Makefile
+++ b/src/fids/Makefile
@@ -1,18 +1,9 @@
-.PHONY: all
-all: fids
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-#fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
-fids: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fids
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fids *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/firecfg/Makefile b/src/firecfg/Makefile
index 3b0daed71..05cc088f4 100644
--- a/src/firecfg/Makefile
+++ b/src/firecfg/Makefile
@@ -1,17 +1,16 @@
-.PHONY: all
-all: firecfg
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
+-include $(ROOT)/config.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+PROG = firecfg
+TARGET = $(PROG)
 
-firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
+MOD_HDRS = \
+../include/common.h \
+../include/euid_common.h \
+../include/libnetlink.h \
+../include/firejail_user.h \
+../include/pid.h
 
-.PHONY: clean
-clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist
+MOD_OBJS = ../lib/common.o ../lib/firejail_user.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/firejail/Makefile b/src/firejail/Makefile
index 23444107f..4e241af7e 100644
--- a/src/firejail/Makefile
+++ b/src/firejail/Makefile
@@ -1,17 +1,25 @@
-.PHONY: all
-all: firejail
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
+-include $(ROOT)/config.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall_i386.h ../include/syscall_x86_64.h ../include/firejail_user.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+PROG = firejail
+TARGET = $(PROG)
 
-firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+MOD_HDRS = \
+../include/rundefs.h \
+../include/common.h \
+../include/ldd_utils.h \
+../include/euid_common.h \
+../include/pid.h \
+../include/seccomp.h \
+../include/syscall_i386.h \
+../include/syscall_x86_64.h \
+../include/firejail_user.h
 
-.PHONY: clean
-clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist
+MOD_OBJS = \
+../lib/common.o \
+../lib/ldd_utils.o \
+../lib/firejail_user.o \
+../lib/errno.o \
+../lib/syscall.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/firemon/Makefile b/src/firemon/Makefile
index b2d2f4d14..433e4267d 100644
--- a/src/firemon/Makefile
+++ b/src/firemon/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: firemon
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-firemon: $(OBJS) ../lib/common.o ../lib/pid.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = firemon
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/pid.h
+MOD_OBJS = ../lib/common.o ../lib/pid.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fldd/Makefile b/src/fldd/Makefile
index d9a70529b..0c127af55 100644
--- a/src/fldd/Makefile
+++ b/src/fldd/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: fldd
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fldd
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/syscall.h ../include/ldd_utils.h
+MOD_OBJS = ../lib/common.o ../lib/ldd_utils.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fnet/Makefile b/src/fnet/Makefile
index 36e95522f..91de109fa 100644
--- a/src/fnet/Makefile
+++ b/src/fnet/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: fnet
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fnet
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/libnetlink.h
+MOD_OBJS = ../lib/common.o ../lib/libnetlink.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fnetfilter/Makefile b/src/fnetfilter/Makefile
index 758561b9e..506d287ab 100644
--- a/src/fnetfilter/Makefile
+++ b/src/fnetfilter/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: fnetfilter
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fnetfilter: $(OBJS) ../lib/common.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fnetfilter
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fnettrace-dns/Makefile b/src/fnettrace-dns/Makefile
index 101abd4d4..36542f567 100644
--- a/src/fnettrace-dns/Makefile
+++ b/src/fnettrace-dns/Makefile
@@ -1,17 +1,7 @@
-.PHONY: all
-all: fnettrace-dns
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fnettrace-dns: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+-include $(ROOT)/config.mk
 
-.PHONY: clean
-clean:; rm -fr *.o fnettrace-dns *.gcov *.gcda *.gcno *.plist
+PROG = fnettrace-dns
+TARGET = $(PROG)
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fnettrace-icmp/Makefile b/src/fnettrace-icmp/Makefile
index 4dfdc891a..12ae42e9a 100644
--- a/src/fnettrace-icmp/Makefile
+++ b/src/fnettrace-icmp/Makefile
@@ -1,17 +1,7 @@
-.PHONY: all
-all: fnettrace-icmp
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fnettrace-icmp: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+-include $(ROOT)/config.mk
 
-.PHONY: clean
-clean:; rm -fr *.o fnettrace-icmp *.gcov *.gcda *.gcno *.plist
+PROG = fnettrace-icmp
+TARGET = $(PROG)
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fnettrace-sni/Makefile b/src/fnettrace-sni/Makefile
index da7c1ca4e..8d9a437d5 100644
--- a/src/fnettrace-sni/Makefile
+++ b/src/fnettrace-sni/Makefile
@@ -1,17 +1,7 @@
-.PHONY: all
-all: fnettrace-sni
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fnettrace-sni: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+-include $(ROOT)/config.mk
 
-.PHONY: clean
-clean:; rm -fr *.o fnettrace-sni *.gcov *.gcda *.gcno *.plist
+PROG = fnettrace-sni
+TARGET = $(PROG)
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile
index f41a4d36d..952036ad3 100644
--- a/src/fnettrace/Makefile
+++ b/src/fnettrace/Makefile
@@ -1,17 +1,7 @@
-.PHONY: all
-all: fnettrace
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fnettrace: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+-include $(ROOT)/config.mk
 
-.PHONY: clean
-clean:; rm -fr *.o fnettrace *.gcov *.gcda *.gcno *.plist
+PROG = fnettrace
+TARGET = $(PROG)
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fsec-optimize/Makefile b/src/fsec-optimize/Makefile
index 1aa49d34b..ce65f4719 100644
--- a/src/fsec-optimize/Makefile
+++ b/src/fsec-optimize/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: fsec-optimize
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fsec-optimize
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o ../lib/errno.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fsec-print/Makefile b/src/fsec-print/Makefile
index b076c0588..cbe061d45 100644
--- a/src/fsec-print/Makefile
+++ b/src/fsec-print/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: fsec-print
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fsec-print
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/seccomp.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fseccomp/Makefile b/src/fseccomp/Makefile
index 9bf4c050b..1b8d0bb48 100644
--- a/src/fseccomp/Makefile
+++ b/src/fseccomp/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: fseccomp
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fseccomp
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/syscall.h
+MOD_OBJS = ../lib/common.o ../lib/errno.o ../lib/syscall.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/ftee/Makefile b/src/ftee/Makefile
index 535d7ff63..2f26ab900 100644
--- a/src/ftee/Makefile
+++ b/src/ftee/Makefile
@@ -1,17 +1,7 @@
-.PHONY: all
-all: ftee
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-ftee: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+-include $(ROOT)/config.mk
 
-.PHONY: clean
-clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist
+PROG = ftee
+TARGET = $(PROG)
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/fzenity/Makefile b/src/fzenity/Makefile
index 0358dd3e9..aeb862d9b 100644
--- a/src/fzenity/Makefile
+++ b/src/fzenity/Makefile
@@ -1,17 +1,9 @@
-.PHONY: all
-all: fzenity
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-fzenity: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+PROG = fzenity
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o fzenity *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/jailcheck/Makefile b/src/jailcheck/Makefile
index 52feb86e6..e3b84fbf3 100644
--- a/src/jailcheck/Makefile
+++ b/src/jailcheck/Makefile
@@ -1,17 +1,10 @@
-.PHONY: all
-all: jailcheck
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-jailcheck: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS)  ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+PROG = jailcheck
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h ../include/pid.h
+MOD_OBJS = ../lib/common.o ../lib/pid.o
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/lib/Makefile b/src/lib/Makefile
index d9bc63ef7..f5b92e389 100644
--- a/src/lib/Makefile
+++ b/src/lib/Makefile
@@ -1,14 +1,9 @@
 ROOT = ../..
-include $(ROOT)/src/common.mk
+-include $(ROOT)/config.mk
 
-.PHONY: all
-all: $(OBJS)
+TARGET = lib
 
-%.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+include $(ROOT)/src/prog.mk
 
-.PHONY: clean
-clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist
-
-.PHONY: distclean
-distclean: clean
+.PHONY: lib
+lib: $(OBJS)
diff --git a/src/libpostexecseccomp/Makefile b/src/libpostexecseccomp/Makefile
index 5386af58b..62e167b73 100644
--- a/src/libpostexecseccomp/Makefile
+++ b/src/libpostexecseccomp/Makefile
@@ -1,24 +1,9 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
-H_FILE_LIST       = $(sort $(wildcard *.h))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+SO = libpostexecseccomp.so
+TARGET = $(SO)
 
-.PHONY: all
-all: libpostexecseccomp.so
+MOD_HDRS = ../include/seccomp.h ../include/rundefs.h
 
-%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libpostexecseccomp.so: $(OBJS) $(ROOT)/config.mk
-        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-.PHONY: clean
-clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist
-
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/so.mk
diff --git a/src/libtrace/Makefile b/src/libtrace/Makefile
index 6f28b3442..d45b3e2f6 100644
--- a/src/libtrace/Makefile
+++ b/src/libtrace/Makefile
@@ -1,24 +1,7 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
-H_FILE_LIST       = $(sort $(wildcard *.h))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+SO = libtrace.so
+TARGET = $(SO)
 
-.PHONY: all
-all: libtrace.so
-
-%.o : %.c $(H_FILE_LIST) $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libtrace.so: $(OBJS) $(ROOT)/config.mk
-        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-.PHONY: clean
-clean:; rm -fr $(OBJS) libtrace.so *.plist
-
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/so.mk
diff --git a/src/libtracelog/Makefile b/src/libtracelog/Makefile
index c5d9c131d..bfc5adddc 100644
--- a/src/libtracelog/Makefile
+++ b/src/libtracelog/Makefile
@@ -1,24 +1,9 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
-H_FILE_LIST       = $(sort $(wildcard *.h))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+SO = libtracelog.so
+TARGET = $(SO)
 
-.PHONY: all
-all: libtracelog.so
+MOD_HDRS = ../include/rundefs.h
 
-%.o : %.c $(H_FILE_LIST) ../include/rundefs.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libtracelog.so: $(OBJS) $(ROOT)/config.mk
-        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-.PHONY: clean
-clean:; rm -fr $(OBJS) libtracelog.so *.plist
-
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/so.mk
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 138aae8af..7fa677ae5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -14,7 +14,7 @@ Using a specific profile:
 .br
 Example:
 .br
-$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
+$ firejail --appimage --profile=/etc/firejail/kdenlive.profile kdenlive.appimage
 .br
 
 .br
@@ -25,7 +25,7 @@ $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
 .br
 Example:
 .br
-$ firejail --profile=kdenlive --appimage kdenlive.appimage
+$ firejail --appimage --profile=kdenlive kdenlive.appimage
 .br
 
 .br
@@ -179,6 +179,11 @@ can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
 
+Note: When using one or more conditionals and \fB--profile\fR, it is
+recommended that the relevant option(s) (such as \fB--appimage\fR) be specified
+before \fB--profile\fR, so that their respective conditional(s) (such as
+\fB?HAS_APPIMAGE\fR) inside of the profile evaluate to true.
+
 .TP
 \fBinclude other.profile
 Include other.profile file.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b4be1cd62..39c81312c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments]
 Start an AppImage program:
 .PP
 .RS
-firejail [OPTIONS] --appimage [appimage-file and arguments]
+firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and arguments]
 .RE
 .PP
 #ifdef HAVE_FILE_TRANSFER
@@ -164,15 +164,22 @@ private-bin and private-lib are disabled by default when running appimages.
 .br
 Example:
 .br
-$ firejail --profile=krita --appimage krita-3.0-x86_64.appimage
+$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
 .br
-$ firejail --private --profile=krita --appimage krita-3.0-x86_64.appimage
+$ firejail --quiet --appimage --private --profile=krita krita-3.0-x86_64.appimage
 .br
 #ifdef HAVE_X11
-$ firejail --net=none --x11 --profile=krita --appimage krita-3.0-x86_64.appimage
+$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
 #endif
-.TP
+.br
+
+.br
+Note: When using both \fB--appimage\fR and \fB--profile\fR, it is recommended
+to always specify the former before the latter, so that any \fB?HAS_APPIMAGE\fR
+conditionals inside of the profile evaluate to true (see \fB?CONDITIONAL\fR in
+firejail-profile(5)).
 #ifdef HAVE_NETWORK
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 #endif
diff --git a/src/profstats/Makefile b/src/profstats/Makefile
index 0274aead2..47b39e76c 100644
--- a/src/profstats/Makefile
+++ b/src/profstats/Makefile
@@ -1,17 +1,9 @@
-.PHONY: all
-all: profstats
-
 ROOT = ../..
-include $(ROOT)/src/common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h $(ROOT)/config.mk
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+-include $(ROOT)/config.mk
 
-profstats: $(OBJS) $(ROOT)/config.mk
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+PROG = profstats
+TARGET = $(PROG)
 
-.PHONY: clean
-clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist
+MOD_HDRS = ../include/common.h
 
-.PHONY: distclean
-distclean: clean
+include $(ROOT)/src/prog.mk
diff --git a/src/prog.mk b/src/prog.mk
new file mode 100644
index 000000000..84f43142d
--- /dev/null
+++ b/src/prog.mk
@@ -0,0 +1,36 @@
+# Common definitions for building C programs and non-shared objects.
+#
+# Note: $(ROOT)/config.mk must be included before this file.
+#
+# The includer should probably define PROG and TARGET and may also want to
+# define MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN.
+
+HDRS := $(sort $(wildcard *.h)) $(MOD_HDRS)
+SRCS := $(sort $(wildcard *.c)) $(MOD_SRCS)
+OBJS := $(SRCS:.c=.o) $(MOD_OBJS)
+
+CFLAGS += \
+        -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \
+        -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \
+        -fPIE \
+        -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' \
+        -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \
+        -DVARDIR='"/var/lib/firejail"' \
+        $(HAVE_GCOV) $(MANFLAGS)
+
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+
+.PHONY: all
+all: $(TARGET)
+
+%.o : %.c $(HDRS) $(ROOT)/config.mk
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+$(PROG): $(OBJS) $(ROOT)/config.mk
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o $(PROG) *.gcov *.gcda *.gcno *.plist $(TOCLEAN)
+
+.PHONY: distclean
+distclean: clean; rm -fr $(TODISTCLEAN)
diff --git a/src/so.mk b/src/so.mk
new file mode 100644
index 000000000..10c43ad21
--- /dev/null
+++ b/src/so.mk
@@ -0,0 +1,32 @@
+# Common definitions for making shared objects.
+#
+# Note: $(ROOT)/config.mk must be included before this file.
+#
+# The includer should probably define SO and TARGET and may also want to define
+# MOD_HDRS, MOD_SRCS, MOD_OBJS, TOCLEAN and TODISTCLEAN.
+
+HDRS := $(sort $(wildcard *.h)) $(MOD_HDRS)
+SRCS := $(sort $(wildcard *.c)) $(MOD_SRCS)
+OBJS := $(SRCS:.c=.o) $(MOD_OBJS)
+
+CFLAGS += \
+        -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' \
+        -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \
+        -fPIC
+
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+
+.PHONY: all
+all: $(TARGET)
+
+%.o : %.c $(HDRS) $(ROOT)/config.mk
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+$(SO): $(OBJS) $(ROOT)/config.mk
+        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+
+.PHONY: clean
+clean:; rm -fr $(OBJS) $(SO) *.plist $(TOCLEAN)
+
+.PHONY: distclean
+distclean: clean; rm -fr $(TODISTCLEAN)