37 files changed, 277 insertions, 67 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4f8f7e4fc..66ca0d321 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -53,7 +53,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      uses: github/codeql-action/init@c7f292ea4f542c473194b33813ccd4c207a6c725
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      uses: github/codeql-action/autobuild@c7f292ea4f542c473194b33813ccd4c207a6c725
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -78,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@0c670bbf0414f39666df6ce8e718ec5662c21e03
+      uses: github/codeql-action/analyze@c7f292ea4f542c473194b33813ccd4c207a6c725
diff --git a/Makefile b/Makefile
index 11e19ec37..0ea19a48a 100644
--- a/Makefile
+++ b/Makefile
@@ -124,8 +124,8 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
 endif
         # documents
-        install -m 0755 -d $(DESTDIR)$(DOCDIR)
-        install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
+        install -m 0755 -d $(DESTDIR)$(docdir)
+        install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
         # profiles and settings
         install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
         install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
@@ -179,8 +179,8 @@ uninstall: config.mk
         rm -f $(DESTDIR)$(bindir)/firejail
         rm -f $(DESTDIR)$(bindir)/firemon
         rm -f $(DESTDIR)$(bindir)/firecfg
+        rm -f $(DESTDIR)$(bindir)/jailcheck
         rm -fr $(DESTDIR)$(libdir)/firejail
-        rm -fr $(DESTDIR)$(libdir)/jailcheck
         rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
         for man in $(MANPAGES); do \
                 rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
@@ -189,6 +189,9 @@ uninstall: config.mk
         rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
         rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
         rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
+        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
+        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
 DISTFILES = \
@@ -218,14 +221,14 @@ dist: config.mk
         make distclean
         mv config.status.old config.status
         mv config.sh.old config.sh
-        rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
-        mkdir -p $(NAME)-$(VERSION)/test
-        cp -a $(DISTFILES) $(NAME)-$(VERSION)
-        cp -a $(DISTFILES_TEST) $(NAME)-$(VERSION)/test
-        rm -rf $(NAME)-$(VERSION)/src/tools
-        find $(NAME)-$(VERSION) -name .svn -delete
-        tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION)
-        rm -fr $(NAME)-$(VERSION)
+        rm -fr $(TARNAME)-$(VERSION) $(TARNAME)-$(VERSION).tar.xz
+        mkdir -p $(TARNAME)-$(VERSION)/test
+        cp -a $(DISTFILES) $(TARNAME)-$(VERSION)
+        cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test
+        rm -rf $(TARNAME)-$(VERSION)/src/tools
+        find $(TARNAME)-$(VERSION) -name .svn -delete
+        tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
+        rm -fr $(TARNAME)-$(VERSION)
 
 asc: config.mk
         ./mkasc.sh $(VERSION)
@@ -237,11 +240,11 @@ deb-apparmor: dist config.sh
         ./mkdeb.sh -apparmor --enable-apparmor
 
 test-compile: dist config.mk
-        cd test/compile; ./compile.sh $(NAME)-$(VERSION)
+        cd test/compile; ./compile.sh $(TARNAME)-$(VERSION)
 
 .PHONY: rpms
 rpms: src/man config.mk
-        ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
+        ./platform/rpm/mkrpm.sh $(TARNAME) $(VERSION)
 
 extras: all
         $(MAKE) -C extras/firetools
diff --git a/README b/README
index 713f5ca3f..3e0f043a6 100644
--- a/README
+++ b/README
@@ -182,6 +182,8 @@ avoidr (https://github.com/avoidr)
         - added mcabber profile
         - fixed mpv profile
         - various other fixes
+Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
+        -  add support for custom AppArmor profiles (--apparmor=)
 backspac (https://github.com/backspac)
         - firecfg fixes
         - add steam-runtime alias
@@ -856,11 +858,15 @@ pszxzsd (https://github.com/pszxzsd)
         -uGet profile
 pwnage-pineapple (https://github.com/pwnage-pineapple)
         - update Okular profile
+Quentin Retornaz (https://github.com/qretornaz-adapei42)
+        - microsoft-edge profiles fixes
 Quentin Minster (https://github.com/laomaiweng)
         - propagate --quiet to children Firejail'ed processes
         - nodbus enhancements/bugfixes
         - added vim syntax and ftdetect files
         - Allow exec from /usr/libexec & co. with AppArmor
+ra1nb0w (https://github.com/ra1nb0w)
+        - fix vmware profile
 Rafael Cavalcanti (https://github.com/rccavalcanti)
         - chromium profile fixes for Arch Linux
 Rahiel Kasim (https://github.com/rahiel)
diff --git a/README.md b/README.md
index 22fd03b9f..f8ca8b29c 100644
--- a/README.md
+++ b/README.md
@@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 
+### Restrict namespaces
+
+`````
+       --restrict-namespaces
+              Install a seccomp filter that  blocks  attempts  to  create  new
+              cgroup, ipc, net, mount, pid, time, user or uts namespaces.
+
+              Example:
+              $ firejail --restrict-namespaces
+
+       --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
+              Install  a  seccomp filter that blocks attempts to create any of
+              the specified namespaces. The filter examines the  arguments  of
+              clone, unshare and setns system calls and returns error EPERM to
+              the process (or kills it or logs the attempt, see  --seccomp-er‐
+              ror-action below) if necessary. Note that the filter is not able
+              to examine the arguments of clone3 system calls, and always  re‐
+              sponds to these calls with error ENOSYS.
+
+              Example:
+              $ firejail --restrict-namespaces=user,net
+`````
+
+#### Support for custom AppArmor profiles
+
+`````
+      --apparmor
+              Enable AppArmor confinement with the "firejail-default" AppArmor
+              profile.   For more information, please see APPARMOR section be‐
+              low.
+
+       --apparmor=profile_name
+              Enable AppArmor confinement  with  a  custom  AppArmor  profile.
+              Note  that  profile  in question must already be loaded into the
+              kernel.  For more information, please see APPARMOR  section  be‐
+`````
+
 ### Profile Statistics
 
 A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
@@ -221,4 +258,4 @@ Stats:
 
 ### New profiles:
 
-onionshare, onionshare-cli, opera-developer, songrec
+onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb
diff --git a/RELNOTES b/RELNOTES
index d2fe40101..a7d4a9422 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,23 @@
 firejail (0.9.71) baseline; urgency=low
   * work in progress
-  * feat: On failing to remount a fuse filesystem, give warning instead of
-  * erroring out (#5240 #5242)
-  * build: deduplicate configure-time vars into new config files (#5140)
+  * feature: On failing to remount a fuse filesystem, give warning instead of
+    erroring out (#5240 #5242)
+  * feature: restrict namespaces (--restrict-namespaces) implemented as
+    a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
+  * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
+    #5317)
+  * bugfix: Flood of seccomp audit log entries (#5207)
+  * build: deduplicate configure-time vars into new config files (#5140 #5284)
   * build: fix file mode of shell scripts (644 -> 755) (#5206)
   * build: reduce autoconf input files from 32 to 2 (#5219)
   * build: add dist build directory to .gitignore (#5248)
   * build: add autoconf auto-generation comment to input files (#5251)
+  * build: Add files make uninstall forgot to remove (#5283)
+  * build: add and use TARNAME instead of NAME for paths (#5310)
   * ci: ignore git-related paths and the project license (#5249)
+  * docs: mention risk of SUID binaries and also firejail-users(5) (#5288
+    #5290)
+  * docs: set vim filetype on man pages for syntax highlighting (#5296)
  -- netblue30 <netblue30@yahoo.com>  Sat, 11 Jun 2022 09:00:00 -0500
 
 firejail (0.9.70) baseline; urgency=low
diff --git a/config.mk.in b/config.mk.in
index e0be0e656..9973b7eaa 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -7,19 +7,20 @@
 # up overriding the includer's intended default target (which by default is the
 # first target encountered).
 
-CC=@CC@
+NAME=@PACKAGE_NAME@
+TARNAME=@PACKAGE_TARNAME@
+PACKAGE_TARNAME=@PACKAGE_TARNAME@ # needed by docdir
+VERSION=@PACKAGE_VERSION@
+
 prefix=@prefix@
 exec_prefix=@exec_prefix@
 bindir=@bindir@
 libdir=@libdir@
 datarootdir=@datarootdir@
+docdir=@docdir@
 mandir=@mandir@
 sysconfdir=@sysconfdir@
 
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-PACKAGE_TARNAME=@PACKAGE_TARNAME@
-DOCDIR=@docdir@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
 BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
@@ -50,6 +51,7 @@ HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
 
 MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
 
+CC=@CC@
 CFLAGS=@CFLAGS@
 
 ifdef NO_EXTRA_CFLAGS
diff --git a/config.sh.in b/config.sh.in
index 3d54ff189..0a91c68f2 100644
--- a/config.sh.in
+++ b/config.sh.in
@@ -1,3 +1,8 @@
 # @configure_input@
-NAME=@PACKAGE_NAME@
-VERSION=@PACKAGE_VERSION@
+#
+# shellcheck shell=sh
+# shellcheck disable=SC2034
+
+NAME="@PACKAGE_NAME@"
+TARNAME="@PACKAGE_TARNAME@"
+VERSION="@PACKAGE_VERSION@"
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 9099a0808..0c8ebdbd8 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
 syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index b4e7f642a..3cc771ed7 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -33,6 +33,7 @@ owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
 ptrace (read,readby) peer=@{profile_name},
+ptrace (read,readby) peer=@{profile_name}//&unconfined,
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -123,6 +124,7 @@ network packet,
 ##########
 # There is no equivalent in Firejail for filtering signals.
 ##########
+signal (send) peer=@{profile_name}//&unconfined,
 signal (send) peer=@{profile_name},
 signal (receive),
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 79da8d5f5..7ad491460 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -156,6 +156,7 @@ blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/marker
 blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge
 blacklist ${HOME}/.cache/microsoft-edge-beta
 blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
@@ -522,6 +523,7 @@ blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
+blacklist ${HOME}/.config/microsoft-edge
 blacklist ${HOME}/.config/microsoft-edge-beta
 blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
@@ -622,6 +624,7 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuir
 blacklist ${HOME}/.config/tuta_integration
 blacklist ${HOME}/.config/tutanota-desktop
 blacklist ${HOME}/.config/tvbrowser
@@ -995,6 +998,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/tuir
 blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index b517620db..2831fec72 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -20,7 +20,8 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-apparmor
+## Enabling App Armor appears to break some Fedora / Arch installs
+#apparmor
 caps.drop all
 net none
 no3d
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
new file mode 100644
index 000000000..783183bea
--- /dev/null
+++ b/etc/profile-a-l/gdu.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gdu
+# Description: Fast disk usage analyzer with console interface
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+seccomp.block-secondary
+x11 none
+
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
+# Depending on workflow and use case the sandbox can be hardened by adding the
+# lines below to your gdu.local if you don't need/want these functionalities.
+#include disable-shell.inc
+#private-bin gdu
+#read-only ${HOME}
diff --git a/etc/profile-m-z/makedeb.profile b/etc/profile-m-z/makedeb.profile
new file mode 100644
index 000000000..f45bfca3a
--- /dev/null
+++ b/etc/profile-m-z/makedeb.profile
@@ -0,0 +1,13 @@
+# Firejail profile for makedeb
+# Description: A utility to automate the building of Debian packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include makedeb.local
+# Persistent global definitions
+#include globals.local
+
+ignore noblacklist /var/lib/pacman
+
+# Redirect
+include makepkg.profile
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index dd2f0b318..4ec6ef82e 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -1,4 +1,5 @@
 # Firejail profile for makepkg
+# Description: A utility to automate the building of Arch Linux packages
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index bdc6e3451..b8d221dc3 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -56,7 +56,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
 #private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 095038f08..63844ad70 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-beta
 whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 
-private-opt microsoft
+whitelist /opt/microsoft/msedge-beta
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index 039cd36a8..b01fd7c25 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-dev
 whitelist ${HOME}/.cache/microsoft-edge-dev
 whitelist ${HOME}/.config/microsoft-edge-dev
 
-private-opt microsoft
+whitelist /opt/microsoft/msedge-dev
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
index f427507d1..4cd8c85a5 100644
--- a/etc/profile-m-z/microsoft-edge.profile
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,11 +1,20 @@
 # Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft
+# Description: Web browser from Microsoft,stable channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge
+noblacklist ${HOME}/.config/microsoft-edge
+
+mkdir ${HOME}/.cache/microsoft-edge
+mkdir ${HOME}/.config/microsoft-edge
+whitelist ${HOME}/.cache/microsoft-edge
+whitelist ${HOME}/.config/microsoft-edge
+
+whitelist /opt/microsoft/msedge
 
 # Redirect
-include microsoft-edge-dev.profile
+include chromium-common.profile
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5d482adca..9000b7972 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 30f9aafcb..5e5a8e9bb 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -156,7 +156,10 @@ protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
+# (see #4366).
 seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+# process_vm_readv is used by GE-Proton7-18 (see #5185).
+seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
 #tracelog
 
diff --git a/etc/profile-m-z/tuir.profile b/etc/profile-m-z/tuir.profile
new file mode 100644
index 000000000..b441503c6
--- /dev/null
+++ b/etc/profile-m-z/tuir.profile
@@ -0,0 +1,23 @@
+# Firejail profile for tuir
+# Description: Browse Reddit from your terminal (rtv fork)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuir.local
+# Persistent global definitions
+#include globals.local
+
+ignore mkdir ${HOME}/.config/rtv
+ignore mkdir ${HOME}/.local/share/rtv
+
+noblacklist ${HOME}/.config/tuir
+noblacklist ${HOME}/.local/share/tuir
+
+mkdir ${HOME}/.config/tuir
+mkdir ${HOME}/.local/share/tuir
+whitelist ${HOME}/.config/tuir
+whitelist ${HOME}/.local/share/tuir
+
+private-bin tuir
+
+# Redirect
+include rtv.profile
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 627bb57a8..74c951fe6 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/mkdeb.sh b/mkdeb.sh
index a98261ba6..5f65e80b2 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh
@@ -14,8 +14,8 @@ EXTRA_VERSION=$1
 
 test "$#" -gt 0 && shift
 
-CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
-CODE_DIR="$NAME-$VERSION"
+CODE_ARCHIVE="$TARNAME-$VERSION.tar.xz"
+CODE_DIR="$TARNAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
 DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a7a1351ff..1de107a03 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -289,6 +289,7 @@ gapplication
 gcalccmd
 gcloud
 gconf-editor
+gdu
 geany
 geary
 gedit
@@ -842,6 +843,7 @@ tremulous
 trojita
 truecraft
 tshark
+tuir
 tutanota-desktop
 tuxguitar
 tvbrowser
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 167b6a843..0a4dffb75 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user;	// writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
 extern int arg_apparmor;        // apparmor
+extern char *apparmor_profile;  // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
 extern int arg_x11_xorg;        // use X11 security extension
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 55f623138..29c25dfc5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0;			// writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
 int arg_apparmor = 0;                           // apparmor
+char *apparmor_profile = NULL;  // apparmor profile
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
 int arg_x11_xorg = 0;                           // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
                 // filtering
                 //*************************************
 #ifdef HAVE_APPARMOR
-                else if (strcmp(argv[i], "--apparmor") == 0)
+                else if (strcmp(argv[i], "--apparmor") == 0) {
                         arg_apparmor = 1;
+                        apparmor_profile = "firejail-default";
+                }
+                else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+                        arg_apparmor = 1;
+                        apparmor_profile = argv[i] + 11;
+                }
 #endif
                 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index dc1aff49a..f406e2c53 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
                 arg_apparmor = 1;
+                apparmor_profile = "firejail-default";
+#endif
+                return 0;
+        }
+
+        if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+                arg_apparmor = 1;
+                apparmor_profile = strdup(ptr + 9);
+                if (!apparmor_profile)
+                        errExit("strdup");
 #endif
                 return 0;
         }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b1b3407b4..9299268a3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
         EUID_ASSERT();
         if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-                if (aa_change_onexec("firejail-default")) {
+                if (aa_stack_onexec(apparmor_profile)) {
                         fwarning("Cannot confine the application using AppArmor.\n"
                                 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
                                 "As root, run \"aa-enforce firejail-default\" to load it.\n");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c3c17393c..e11081eed 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
         "    -- - signal the end of options and disables further option processing.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
-        "    --apparmor - enable AppArmor confinement.\n"
+        "    --apparmor - enable AppArmor confinement with the default profile.\n"
+        "    --apparmor=profile_name - enable AppArmor confinement with a\n"
+        "\tcustom profile.\n"
         "    --apparmor.print=name|pid - print apparmor status.\n"
         "    --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 280a4aff1..42add6a41 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -146,3 +146,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 05afd55b5..f03fc3c37 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -40,3 +40,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index be1f55f0f..138aae8af 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
 #endif
 .TP
 \fBcaps
@@ -1031,3 +1035,4 @@ Homepage: https://firejail.wordpress.com
 
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index e3cce7ed5..7aa151680 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -60,3 +60,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 087d1c85a..1dd5508b3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
 .br
 
 .br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
+be blacklisted.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2905,8 +2929,14 @@ all directories in /usr.
 .br
 
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
 .br
 
 .br
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com
 .UE ,
 .UR https://github.com/netblue30/firejail
 .UE
+.\" vim: set filetype=groff :
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index fd58a7168..9d0785a4a 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -118,3 +118,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index 483f47fb9..e889ea91b 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -115,3 +115,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
+.\" vim: set filetype=groff :
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 605000e31..2b67c2a00 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -171,7 +171,8 @@ _firejail_args=(
     '--writable-var-log[use the real /var/log directory, not a clone]'
 
 #ifdef HAVE_APPARMOR
-    '--apparmor[enable AppArmor confinement]'
+    '--apparmor[enable AppArmor confinement with the default profile]'
+    '--apparmor=-[enable AppArmor confinement with a custom profile]: :'
     '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif