30 files changed, 299 insertions, 130 deletions

diff --git a/.gitignore b/.gitignore
index 39380446b..70ced1a99 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2205c796c..204ebda95 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,7 @@ build_ubuntu_package:
     image: ubuntu:rolling
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian pkg-config python3
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
         - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
@@ -20,12 +20,12 @@ build_debian_package:
         - apt-get install -y -qq build-essential lintian pkg-config
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
-#build_redhat_package:
-#    image: centos:latest
-#    script:
-#        - yum update -y
-#        - yum install -y rpm-build gcc make
-#        - ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm
+build_redhat_package:
+    image: centos:latest
+    script:
+        - dnf update -y
+        - dnf install -y rpm-build gcc make
+        - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
 
 build_fedora_package:
     image: fedora:latest
@@ -48,8 +48,8 @@ build_apparmor:
     image: ubuntu:latest
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config
-        - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail-apparmor*.deb
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config
+        - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb
 
 cppcheck:
     image: debian:latest
diff --git a/Makefile.in b/Makefile.in
index 0da33544c..575c5d614 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -28,13 +28,13 @@ SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary secco
 endif
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS)
 
-.PHONY: all_items man filters
+.PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
 $(ALL_ITEMS): $(MYDIRS)
         $(MAKE) -C $(dir $@)
 
 .PHONY: mydirs
-mydirs: $(MYDIRS)
+mydirs: mydirs $(MYDIRS)
 $(MYDIRS):
         $(MAKE) -C $@
 
@@ -183,7 +183,7 @@ uninstall:
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038."
 
-DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
+DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
 
 dist:
@@ -202,10 +202,10 @@ dist:
 asc:; ./mkasc.sh $(VERSION)
 
 deb: dist
-        ./mkdeb.sh $(NAME) $(VERSION)
+        ./mkdeb.sh
 
 deb-apparmor: dist
-        ./mkdeb-apparmor.sh $(NAME) $(VERSION)
+        ./mkdeb.sh -apparmor
 
 test-compile: dist
         cd test/compile; ./compile.sh $(NAME)-$(VERSION)
diff --git a/README b/README
index 48683ed8a..d4b591cc1 100644
--- a/README
+++ b/README
@@ -511,6 +511,8 @@ Lukáš Krejčí (https://github.com/lskrejci)
         - fixed parsing of --keep-var-tmp
 luzpaz (https://github.com/luzpaz)
         - code spelling fixes
+Mace Muilman (https://github.com/mace015)
+        - google-chrome{,beta,unstable} flags
 maces (https://github.com/maces)
         - Franz messenger profile
 Madura A (https://github.com/manushanga)
diff --git a/RELNOTES b/RELNOTES
index 12ca15b48..9f97f8ab1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -33,7 +33,7 @@ firejail (0.9.63) baseline; urgency=low
   * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
   * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
   * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
-  * new profiles: nicontine
+  * new profiles: nicotine, plv, mocp
  -- netblue30 <netblue30@yahoo.com>  Tue, 21 Apr 2020 08:00:00 -0500
 
 firejail (0.9.62) baseline; urgency=low
diff --git a/configure b/configure
index f587bb25e..12881fcaf 100755
--- a/configure
+++ b/configure
@@ -4186,6 +4186,8 @@ if test "$prefix" = /usr; then
         test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
+ac_config_files="$ac_config_files mkdeb.sh"
+
 ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
 
 cat >confcache <<\_ACEOF
@@ -4895,6 +4897,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 for ac_config_target in $ac_config_targets
 do
   case $ac_config_target in
+    "mkdeb.sh") CONFIG_FILES="$CONFIG_FILES mkdeb.sh" ;;
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
     "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;;
     "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
@@ -5333,6 +5336,11 @@ which seems to be undefined.  Please make sure it is defined" >&2;}
 
   esac
 
+
+  case $ac_file$ac_mode in
+    "mkdeb.sh":F) chmod +x mkdeb.sh ;;
+
+  esac
 done # for ac_tag
 
 
diff --git a/configure.ac b/configure.ac
index 8cf170c80..feb0b38a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -204,6 +204,7 @@ if test "$prefix" = /usr; then
         test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
+AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index e68e51c63..fc6690752 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -19,6 +19,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #include <abstractions/dbus-strict>
 #include <abstractions/dbus-session-strict>
 dbus,
+# Add rule in order to avoid dbus-*=filter breakage (#3432)
+owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 3fd3cc7b2..ce3b24584 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -144,12 +144,16 @@ blacklist ${RUNUSER}/kdesud_*
 blacklist ${HOME}/.local/share/gnome-shell
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
+blacklist ${RUNUSER}/gnome-session-leader-fifo
+blacklist ${RUNUSER}/gnome-shell
+blacklist ${RUNUSER}/gsconnect
 
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
 blacklist ${PATH}/systemd-run
+blacklist ${RUNUSER}/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
@@ -175,6 +179,13 @@ blacklist /var/cache/libvirt
 blacklist /var/lib/libvirt
 blacklist /var/log/libvirt
 
+# OCI-Containers / Podman
+blacklist ${RUNUSER}/containers
+blacklist ${RUNUSER}/crun
+blacklist ${RUNUSER}/libpod
+blacklist ${RUNUSER}/runc
+blacklist ${RUNUSER}/toolbox
+
 # VeraCrypt
 blacklist ${HOME}/.VeraCrypt
 blacklist ${PATH}/veracrypt
@@ -389,6 +400,7 @@ blacklist /usr/sbin
 
 # system management
 blacklist ${PATH}/at
+blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
 blacklist ${PATH}/chfn
 blacklist ${PATH}/chsh
@@ -477,6 +489,9 @@ blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
 
+# snap
+blacklist ${RUNUSER}/snapd-session-agent.socket
+
 # mail directories used by mutt
 blacklist ${HOME}/.Mail
 blacklist ${HOME}/.mail
@@ -501,3 +516,9 @@ blacklist ${PATH}/dns2tcp
 blacklist ${PATH}/iodine
 blacklist ${PATH}/knsupdate
 blacklist ${PATH}/resolvectl
+
+# rest of ${RUNUSER}
+blacklist ${RUNUSER}/*.lock
+blacklist ${RUNUSER}/inaccessible
+blacklist ${RUNUSER}/update-notifier.pid
+blacklist ${RUNUSER}/pk-debconf-socket
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 89189b533..89bfa540e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -108,6 +108,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
@@ -160,6 +161,12 @@ blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
+blacklist ${HOME}/.config/chrome-beta-flags.conf
+blacklist ${HOME}/.config/chrome-beta-flags.config
+blacklist ${HOME}/.config/chrome-flags.conf
+blacklist ${HOME}/.config/chrome-flags.config
+blacklist ${HOME}/.config/chrome-unstable-flags.conf
+blacklist ${HOME}/.config/chrome-unstable-flags.config
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
@@ -553,6 +560,7 @@ blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.local/share/FasterThanLight
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/five-or-more
@@ -581,6 +589,7 @@ blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
+blacklist ${HOME}/.local/share/IntoTheBreach
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
@@ -621,6 +630,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
+blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
@@ -654,12 +664,14 @@ blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
 blacklist ${HOME}/.magicor
 blacklist ${HOME}/.masterpdfeditor
+blacklist ${HOME}/.mbwarband
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.megaglest
 blacklist ${HOME}/.minetest
 blacklist ${HOME}/.mirrormagic
+blacklist ${HOME}/.moc
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
@@ -686,6 +698,7 @@ blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
+blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
new file mode 100644
index 000000000..ae0549d3e
--- /dev/null
+++ b/etc/profile-a-l/dino-im.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dino-im
+# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dino-im.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Add Ubuntu specific binary name
+private-bin dino-im
+
+# Redirect
+include dino.profile
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index 73101f509..a62e4cf74 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
 
+noblacklist ${HOME}/.config/chrome-beta-flags.conf
+noblacklist ${HOME}/.config/chrome-beta-flags.config
+
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
 
+whitelist ${HOME}/.config/chrome-beta-flags.conf
+whitelist ${HOME}/.config/chrome-beta-flags.config
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 50e9923aa..14547eab2 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
 
+noblacklist ${HOME}/.config/chrome-unstable-flags.conf
+noblacklist ${HOME}/.config/chrome-unstable-flags.config
+
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
 
+whitelist ${HOME}/.config/chrome-unstable-flags.conf
+whitelist ${HOME}/.config/chrome-unstable-flags.config
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index c69e98271..66f76caa0 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
 
+noblacklist ${HOME}/.config/chrome-flags.conf
+noblacklist ${HOME}/.config/chrome-flags.config
+
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
 
+whitelist ${HOME}/.config/chrome-flags.conf
+whitelist ${HOME}/.config/chrome-flags.config
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
new file mode 100644
index 000000000..6fc7a4d67
--- /dev/null
+++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mocp
+# Description: A powerful & easy to use console audio player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin mocp
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.moc
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 6e18aa401..b1ab81c1e 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -1,13 +1,13 @@
 # Firejail profile for mpg123
 # Description: MPEG audio player/decoder
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpg123.local
 # Persistent global definitions
 include globals.local
 
 noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,19 +23,23 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
+notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
 #private-bin mpg123*
 private-dev
 private-tmp
 
-memory-deny-write-execute
-
 dbus-user none
 dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
new file mode 100644
index 000000000..7ff59ea77
--- /dev/null
+++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,59 @@
+# Firejail profile for plv
+# Description: Inspect pacman log files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include plv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/PacmanLogViewer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
+whitelist /var/log/pacman*
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin plv
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks opening file-chooser
+read-only ${HOME}
+read-write ${HOME}/.config/PacmanLogViewer
diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
index 70d9a5b1d..99ba11d30 100644
--- a/etc/profile-m-z/secret-tool.profile
+++ b/etc/profile-m-z/secret-tool.profile
@@ -1,6 +1,7 @@
 # Firejail profile for secret-tool
 # Description: Library for storing and retrieving passwords and other secrets
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include secret-tool.local
 # Persistent global definitions
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5e9a9932..004664a79 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,12 +10,17 @@ noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
 noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SuperHexagon
 noblacklist ${HOME}/.local/share/Terraria
 noblacklist ${HOME}/.local/share/vpltd
 noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.mbwarband
+noblacklist ${HOME}/.paradoxinteractive
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -41,7 +46,9 @@ mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
 mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/FasterThanLight
 mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SuperHexagon
@@ -58,7 +65,9 @@ whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
 whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/FasterThanLight
 whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SuperHexagon
@@ -70,7 +79,6 @@ whitelist ${HOME}/.paradoxinteractive
 whitelist ${HOME}/.steam
 whitelist ${HOME}/.steampath
 whitelist ${HOME}/.steampid
-whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index c1250b1f0..8f6014dc3 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -9,7 +9,6 @@ include wire-desktop.local
 
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
 
-ignore caps.drop all
 ignore dbus-user none
 ignore dbus-system none
 
@@ -22,8 +21,9 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 include whitelist-common.inc
 
-caps.keep sys_admin,sys_chroot
 nou2f
+ignore seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 7053f98e8..08b31f1ff 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/mkdeb.sh b/mkdeb.sh
deleted file mode 100755
index dd784eb8a..000000000
--- a/mkdeb.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/sh
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
-# a code archive should already be available
-
-set -e
-
-TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.xz"
-CODE_DIR="$1-$2"
-INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
-DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
-
-echo "*****************************************"
-echo "code archive: $CODE_ARCHIVE"
-echo "code directory: $CODE_DIR"
-echo "install directory: $INSTALL_DIR"
-echo "debian control directory: $DEBIAN_CTRL_DIR"
-echo "*****************************************"
-
-tar -xJvf $CODE_ARCHIVE
-#mkdir -p $INSTALL_DIR
-cd $CODE_DIR
-./configure --prefix=/usr
-make -j2
-mkdir debian
-DESTDIR=debian make install-strip
-
-cd ..
-echo "*****************************************"
-SIZE=`du -s $INSTALL_DIR`
-echo "install size $SIZE"
-echo "*****************************************"
-
-mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
-mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$2/g"  platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
-
-mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
-
-find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
-chmod 644 $DEBIAN_CTRL_DIR/conffiles
-find $INSTALL_DIR  -type d | xargs chmod 755
-cd $CODE_DIR
-fakeroot dpkg-deb --build debian
-lintian debian.deb
-mv debian.deb ../firejail_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
-cd ..
-rm -fr $CODE_DIR
diff --git a/mkdeb-apparmor.sh b/mkdeb.sh.in
index 3c560179c..efb477920 100755
--- a/mkdeb-apparmor.sh
+++ b/mkdeb.sh.in
@@ -7,10 +7,24 @@
 # a code archive should already be available
 
 set -e
+NAME=@PACKAGE_NAME@
+VERSION=@PACKAGE_VERSION@
+PACKAGE_TARNAME=@PACKAGE_TARNAME@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_SELINUX=@HAVE_SELINUX@
+EXTRA_VERSION=$1
+
+CONFIG_ARGS="--prefix=/usr"
+if [ -n "$HAVE_APPARMOR" ]; then
+    CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor"
+fi
+if [ -n "$HAVE_SELINUX" ]; then
+    CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
+fi
 
 TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.xz"
-CODE_DIR="$1-$2"
+CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
+CODE_DIR="$NAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
 DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
 
@@ -24,7 +38,7 @@ echo "*****************************************"
 tar -xJvf $CODE_ARCHIVE
 #mkdir -p $INSTALL_DIR
 cd $CODE_DIR
-./configure --prefix=/usr --enable-apparmor
+./configure $CONFIG_ARGS
 make -j2
 mkdir debian
 DESTDIR=debian make install-strip
@@ -40,7 +54,7 @@ gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
 install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
 mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$2/g"  platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
+sed "s/FIREJAILVER/$VERSION/g"  platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
 
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
 install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
@@ -51,6 +65,6 @@ find $INSTALL_DIR  -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
 lintian debian.deb
-mv debian.deb ../firejail-apparmor_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
+mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
 cd ..
 rm -fr $CODE_DIR
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index b32407c7d..da91f5a4f 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -1,7 +1,7 @@
 Name: __NAME__
 Version: __VERSION__
 Release: 1
-Summary: Linux namepaces sandbox program
+Summary: Linux namespaces sandbox program
 
 License: GPLv2+
 Group: Development/Tools
@@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
 %setup -q
 
 %build
-%configure --disable-userns --disable-contrib-install
+%configure __CONFIG_OPT__
 make %{?_smp_mflags}
 
 %install
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index 348bea7f2..2bdead7a8 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 #
-# Usage: ./platform/rpm/mkrpm.sh firejail <version>
+# Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
 #
 # Builds rpms in a temporary directory then places the result in the
 # current working directory.
@@ -11,6 +11,7 @@
 name=$1
 # Strip any trailing prefix from the version like -rc1 etc
 version=$(echo "$2" | sed 's/\-.*//g')
+config_opt=$3
 
 if [[ ! -f platform/rpm/${name}.spec ]]; then
     echo error: spec file not found for name \"${name}\"
@@ -22,6 +23,10 @@ if [[ -z "${version}" ]]; then
     exit 1
 fi
 
+if [[ -z "${config_opt}" ]]; then
+    config_opt="--disable-userns --disable-contrib-install"
+fi
+
 # Make a temporary directory and arrange to clean up on exit
 tmpdir=$(mktemp -d)
 mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
@@ -32,7 +37,10 @@ trap cleanup EXIT
 
 # Create the spec file
 tmp_spec_file=${tmpdir}/SPECS/${name}.spec
-sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
+sed -e "s/__NAME__/${name}/g" \
+    -e "s/__VERSION__/${version}/g" \
+    -e "s/__CONFIG_OPT__/${config_opt}/g" \
+    platform/rpm/${name}.spec >${tmp_spec_file}
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 2ed70664b..251b23905 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -156,6 +156,7 @@ dig
 digikam
 dillo
 dino
+dino-im
 discord
 discord-canary
 display
@@ -441,6 +442,7 @@ min
 mindless
 minetest
 mirrormagic
+mocp
 mousepad
 mp3splt
 mp3splt-gtk
@@ -549,6 +551,7 @@ planmaker18
 planmaker18free
 playonlinux
 pluma
+plv
 pngquant
 polari
 ppsspp
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index b906f3047..2000ffc62 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -111,6 +111,13 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
 
+        // check for firejail executable
+        // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
+        // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
+        //     and expects Firefox to open in the same sandbox
+        if (strcmp(BINDIR "/firejail", fname) == 0)
+                return;
+
         // modify the file
         if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
                 // some distros put all executables under /usr/bin and make /bin a symbolic link
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
index 109984035..82dab1ddf 100755
--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -22,23 +22,23 @@ expect {
         "_firejail_test_dir"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "_firejail_test_dir/dir1"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "_firejail_test_dir/dir1/dir2"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "_firejail_test_dir/dir1/dir2/dir3"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "_firejail_test_dir/dir1/dir2/dir3/file1"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "_firejail_test_file"
 }
 after 100
@@ -47,8 +47,8 @@ after 100
 
 send -- "firejail --profile=mkfile.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "only files in user home or /tmp"
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "only files or directories in user home, /tmp"
 }
 after 100
 
diff --git a/test/utils/build.exp b/test/utils/build.exp
index ae46ffa6e..ac4f30326 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -7,22 +7,21 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "echo testing > ~/firejail-test-file-7699\r"
+after 100
+
 send -- "firejail --build cat ~/firejail-test-file-7699\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "whitelist ~/firejail-test-file-7699"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "include /etc/firejail/whitelist-common.inc"
+        "whitelist $\{HOME\}/firejail-test-file-7699"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "private-tmp"
+        "include whitelist-common.inc"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "private-dev"
+        "blacklist /usr/share"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -34,26 +33,40 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "caps.drop all"
+        "private-dev"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "nonewprivs"
+        "private-etc"
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "seccomp"
+        "private-tmp"
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "net none"
+        "caps.drop all"
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
+        "nonewprivs"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "net none"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
         "shell none"
 }
 after 100
 
+
+
 send -- "firejail --build cat /etc/passwd\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
@@ -72,21 +85,6 @@ expect {
 }
 after 100
 
-
-#send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r"
-#expect {
-#       timeout {puts "TESTING ERROR 11\n";exit}
-#       "whitelist /var/tmp/firejail-test-file-7699"
-#}
-#after 100
-
-#send -- "firejail --build man firejail\r"
-#expect {
-#       timeout {puts "TESTING ERROR 12\n";exit}
-#       "whitelist /usr/share/man"
-#}
-#after 100
-
 send -- "firejail --build wget --output-document=~ debian.org\r"
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
@@ -98,10 +96,4 @@ expect {
 }
 after 100
 
-
-send -- "firejail --build cat /tmp/firejail-test-file-7699\r"
-#todo - bug: it comes back with private-tmp
-sleep 1
-
-
 puts "all done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 82ccc82bb..48a8051fa 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -13,14 +13,9 @@ if [ -f /etc/debian_version ]; then
 fi
 export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 
-echo "testing" > ~/firejail-test-file-7699
-echo "testing" > /tmp/firejail-test-file-7699
-echo "testing" > /var/tmp/firejail-test-file-7699
 echo "TESTING: build (test/utils/build.exp)"
 ./build.exp
 rm -f ~/firejail-test-file-7699
-rm -f /tmp/firejail-test-file-7699
-rm -f /var/tmp/firejail-test-file-7699
 rm -f firejail-test-file-4388
 
 if [ $(readlink /proc/self) -lt 100 ]; then