24 files changed, 144 insertions, 89 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 6f9a4bc2c..9296062c1 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -4,7 +4,10 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -16,7 +19,10 @@ on:
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -28,11 +34,13 @@ on:
 
 jobs:
   build-clang:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install dependencies
+      run: sudo apt-get install libapparmor-dev libselinux1-dev
     - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
     - name: make
       run: make
     - name: make install
@@ -40,16 +48,26 @@ jobs:
     - name: print version
       run: command -V firejail && firejail --version
   scan-build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
-    - name: install clang-tools-11
-      run: sudo apt-get install clang-tools-11
+    - name: install clang-tools-14 and dependencies
+      run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
     - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
     - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
+      run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
   cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c .
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also
+  # with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cc7893305..3203e0677 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,10 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -12,7 +15,10 @@ on:
   pull_request:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -20,15 +26,15 @@ on:
 
 jobs:
   build_and_test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
     - name: update package information
       run: sudo apt-get update
     - name: install dependencies
-      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
     - name: configure
-      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+      run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
     - name: make
       run: make
     - name: make install
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d34a48aa3..4a09ad9d8 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,7 +9,10 @@ on:
   push:
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -19,7 +22,10 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ master ]
     paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
       - CONTRIBUTING.md
+      - COPYING
       - README
       - README.md
       - RELNOTES
@@ -47,7 +53,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+      uses: github/codeql-action/init@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+      uses: github/codeql-action/autobuild@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+      uses: github/codeql-action/analyze@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 9138e8a57..d235aeb64 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -18,7 +18,7 @@ on:
 
 jobs:
   profile-checks:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
     - name: sort.py
diff --git a/.gitignore b/.gitignore
index 66daccf5d..b5d29dc19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@
 .directory
 *.man
 .vscode
+/firejail-*/
 autom4te.cache/
 config.log
 config.mk
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index fbf4c3ef0..db923056a 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+blacklist /sys/class/net
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 6b98c5976..79630f09c 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.local/share/remmina
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 700a10be8..9d66c5fa4 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -16,6 +16,7 @@ include allow-python2.inc
 include allow-python3.inc
 
 blacklist /srv
+blacklist /sys/class/net
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/torbrowser.profile b/etc/profile-m-z/torbrowser.profile
index fc579b973..15ca5b550 100644
--- a/etc/profile-m-z/torbrowser.profile
+++ b/etc/profile-m-z/torbrowser.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
 blacklist /usr/libexec
+blacklist /sys/class/net
 
 mkdir ${HOME}/.cache/mozilla/torbrowser
 mkdir ${HOME}/.mozilla
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 47e618ae2..6d7fa94e7 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -19,6 +19,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
 
+whitelist /usr/share/viewnior
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 827b075e5..c33e6d602 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -27,26 +27,26 @@ Always have a look at 'man 1 firejail'.
 Definition of groups
 --------------------
 
-@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
-@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit,io_uring_enter,io_uring_register,io_uring_setup
+@basic-io=_llseek,close,close_range,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
 @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
-@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@debug=lookup_dcookie,perf_event_open,pidfd_getfd,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
-@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@file-system=access,chdir,chmod,close,close_range,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,openat2,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
-@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_madvise,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
 @keyring=add_key,keyctl,request_key
 @memlock=mlock,mlock2,mlockall,munlock,munlockall
 @module=delete_module,finit_module,init_module
-@mount=chroot,mount,pivot_root,umount,umount2
+@mount=chroot,fsconfig,fsmount,fsopen,fspick,mount,move_mount,open_tree,pivot_root,umount,umount2
 @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
-@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
 @reboot=kexec_load,kexec_file_load,reboot
 @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4
index dcabb92a1..bd753b34d 100644
--- a/m4/ax_check_compile_flag.m4
+++ b/m4/ax_check_compile_flag.m4
@@ -29,33 +29,12 @@
 #   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 #   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 #
-#   This program is free software: you can redistribute it and/or modify it
-#   under the terms of the GNU General Public License as published by the
-#   Free Software Foundation, either version 3 of the License, or (at your
-#   option) any later version.
-#
-#   This program is distributed in the hope that it will be useful, but
-#   WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-#   Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License along
-#   with this program. If not, see <https://www.gnu.org/licenses/>.
-#
-#   As a special exception, the respective Autoconf Macro's copyright owner
-#   gives unlimited permission to copy, distribute and modify the configure
-#   scripts that are the output of Autoconf when processing the Macro. You
-#   need not follow the terms of the GNU General Public License when using
-#   or distributing such scripts, even though portions of the text of the
-#   Macro appear in them. The GNU General Public License (GPL) does govern
-#   all other use of the material that constitutes the Autoconf Macro.
-#
-#   This special exception to the GPL applies to versions of the Autoconf
-#   Macro released by the Autoconf Archive. When you make and distribute a
-#   modified version of the Autoconf Macro, you may extend this special
-#   exception to the GPL to apply to your modified version as well.
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
 
-#serial 5
+#serial 6
 
 AC_DEFUN([AX_CHECK_COMPILE_FLAG],
 [AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f8a23678a..96e3f735e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -385,7 +385,6 @@ char *guess_shell(void);
 #define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
-void set_apparmor(void);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 2b0b3003e..6228e9740 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -27,7 +27,7 @@
 
 static int prog_cnt = 0;
 
-static char *paths[] = {
+static const char * const paths[] = {
         "/usr/local/bin",
         "/usr/bin",
         "/bin",
@@ -40,7 +40,7 @@ static char *paths[] = {
 };
 
 // return 1 if found, 0 if not found
-static char *check_dir_or_file(const char *name) {
+static const char *check_dir_or_file(const char *name) {
         EUID_ASSERT();
         assert(name);
         struct stat s;
@@ -160,7 +160,7 @@ static void duplicate(char *fname) {
         else {
                 // Find the standard directory (by looping through paths[])
                 // where the filename fname is located
-                char *path = check_dir_or_file(fname);
+                const char *path = check_dir_or_file(fname);
                 if (!path)
                         return;
                 if (asprintf(&full_path, "%s/%s", path, fname) == -1)
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 9523875d7..ad5ee6759 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -300,7 +300,7 @@ void fs_var_utmp(void) {
 
         // read current utmp
         struct utmp *u;
-        struct utmp u_boot;
+        struct utmp u_boot = {0};
         setutent();
         while ((u = getutent()) != NULL) {
                 if (u->ut_type == BOOT_TIME) {
diff --git a/src/firejail/join.c b/src/firejail/join.c
index ec9c922ef..4e636ca27 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -33,10 +33,6 @@
 #define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif
-
 static int apply_caps = 0;
 static uint64_t caps = 0;
 static unsigned display = 0;
@@ -513,10 +509,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 // kill the child in case the parent died
                 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
-#ifdef HAVE_APPARMOR
-                set_apparmor();
-#endif
-
                 extract_command(argc, argv, index);
                 if (cfg.command_line == NULL)
                         cfg.window_title = cfg.usershell;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e8c4a445a..e72b03e15 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -128,7 +128,7 @@ static void set_caps(void) {
 }
 
 #ifdef HAVE_APPARMOR
-void set_apparmor(void) {
+static void set_apparmor(void) {
         EUID_ASSERT();
         if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
                 if (aa_change_onexec("firejail-default")) {
@@ -486,6 +486,9 @@ static void close_file_descriptors(void) {
 
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
         if (no_sandbox == 0) {
+#ifdef HAVE_APPARMOR
+                set_apparmor();
+#endif
                 close_file_descriptors();
 
                 // set nice and rlimits
@@ -1299,10 +1302,7 @@ int sandbox(void* sandbox_arg) {
                 errExit("fork");
 
         if (app_pid == 0) {
-#ifdef HAVE_APPARMOR
-                set_apparmor();
-#endif
-                start_application(0, -1, set_sandbox_status);
+                start_application(0, -1, set_sandbox_status);   // this function does not return
         }
 
         munmap(set_sandbox_status, 1);
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index bc4f7cf9c..a50b759c3 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -47,7 +47,7 @@ int is_lib_64(const char *exe) {
         if (fd < 0)
                 return 0;
 
-        unsigned char buf[EI_NIDENT];
+        unsigned char buf[EI_NIDENT] = {0};
         ssize_t len = 0;
         while (len < EI_NIDENT) {
                 ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index a17f6423a..29cf6318f 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -92,7 +92,16 @@ static const SyscallGroupList sysgroups[] = {
           "io_setup,"
 #endif
 #ifdef SYS_io_submit
-          "io_submit"
+          "io_submit,"
+#endif
+#ifdef SYS_io_uring_enter
+          "io_uring_enter,"
+#endif
+#ifdef SYS_io_uring_register
+          "io_uring_register,"
+#endif
+#ifdef SYS_io_uring_setup
+          "io_uring_setup"
 #endif
         },
         { .name = "@basic-io", .list =
@@ -102,6 +111,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
           "close,"
 #endif
+#ifdef SYS_close_range
+          "close_range,"
+#endif
 #ifdef SYS_dup
           "dup,"
 #endif
@@ -212,6 +224,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_perf_event_open
           "perf_event_open,"
 #endif
+#ifdef SYS_pidfd_getfd
+          "pidfd_getfd,"
+#endif
 #ifdef SYS_process_vm_writev
           "process_vm_writev,"
 #endif
@@ -290,7 +305,7 @@ static const SyscallGroupList sysgroups[] = {
           "remap_file_pages,"
 #endif
 #ifdef SYS_set_mempolicy
-          "set_mempolicy"
+          "set_mempolicy,"
 #endif
 #ifdef SYS_vmsplice
           "vmsplice,"
@@ -350,6 +365,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
           "close,"
 #endif
+#ifdef SYS_close_range
+          "close_range,"
+#endif
 #ifdef SYS_creat
           "creat,"
 #endif
@@ -503,6 +521,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_openat
           "openat,"
 #endif
+#ifdef SYS_openat2
+          "openat2,"
+#endif
 #ifdef SYS_readlink
           "readlink,"
 #endif
@@ -657,6 +678,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pipe2
           "pipe2,"
 #endif
+#ifdef SYS_process_madvise
+          "process_madvise,"
+#endif
 #ifdef SYS_process_vm_readv
           "process_vm_readv,"
 #endif
@@ -731,9 +755,27 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_chroot
           "chroot,"
 #endif
+#ifdef SYS_fsconfig
+          "fsconfig,"
+#endif
+#ifdef SYS_fsmount
+          "fsmount,"
+#endif
+#ifdef SYS_fsopen
+          "fsopen,"
+#endif
+#ifdef SYS_fspick
+          "fspick,"
+#endif
 #ifdef SYS_mount
           "mount,"
 #endif
+#ifdef SYS_move_mount
+          "move_mount,"
+#endif
+#ifdef SYS_open_tree
+          "open_tree,"
+#endif
 #ifdef SYS_pivot_root
           "pivot_root,"
 #endif
@@ -985,6 +1027,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_clone
           "clone,"
 #endif
+#ifdef SYS_clone3
+          "clone3,"
+#endif
 #ifdef SYS_execveat
           "execveat,"
 #endif
@@ -997,6 +1042,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_kill
           "kill,"
 #endif
+#ifdef SYS_pidfd_open
+          "pidfd_open,"
+#endif
 #ifdef SYS_pidfd_send_signal
           "pidfd_send_signal,"
 #endif
diff --git a/test/Makefile b/test/Makefile
index 2f3a97d73..2c376da58 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -3,7 +3,7 @@ TESTS=$(patsubst %/,%,$(wildcard */))
 .PHONY: $(TESTS)
 $(TESTS):
         cd $@ && ./$@.sh 2>&1 | tee $@.log
-        cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
+        cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log
 
 .PHONY: clean
 clean:
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
index b5a8c119b..2c00cfa1c 100755
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -110,23 +110,23 @@ expect {
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 6.1\n";exit}
-        "connect"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.2\n";exit}
-        "208.67.222.222"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.3\n";exit}
-        "53"
-}
-after 100
+# test disabled, as Github CI uses systemd-resolved, which does not work
+# properly with --dns=, so curl does not use the specified nameserver
+#send -- "firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org\r"
+#expect {
+#       timeout {puts "TESTING ERROR 6.1\n";exit}
+#       "connect"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 6.2\n";exit}
+#       "208.67.222.222"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 6.3\n";exit}
+#       "53"
+#}
+#after 100
 
-send -- "rm index.html\r"
-after 100
 send -- "exit\r"
 sleep 1
 
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index e6698eab0..01a298fe0 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -11,6 +11,7 @@ send -- "firejail less sysutils.sh\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+        "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
         "MALLOC_CHECK"
 }
 expect {
diff --git a/test/utils/man.exp b/test/utils/man.exp
index 3a0ca46d6..f62859a8f 100755
--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -11,6 +11,7 @@ send -- "man firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+        "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
         "Linux namespaces sandbox program"
 }
 after 100
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index f14001c88..beb59d337 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -68,10 +68,6 @@ expect {
         "wget:fopen /etc/wgetrc"  {puts "OK\n";}
 }
 expect {
-        timeout {puts "TESTING ERROR 8.4\n";exit}
-        "wget:fopen /etc/hosts"
-}
-expect {
         timeout {puts "TESTING ERROR 8.5\n";exit}
         "wget:connect"
 }