43 files changed, 446 insertions, 269 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 9ba69e2a4..c812e4572 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -2,7 +2,6 @@ name: Build-extra CI
 
 on:
   push:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -12,6 +11,7 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -24,7 +24,6 @@ on:
       - SECURITY.md
       - src/firecfg/firecfg.config
   pull_request:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -34,6 +33,7 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -65,8 +65,12 @@ jobs:
       run: sudo apt-get update
     - name: install dependencies
       run: sudo apt-get install libapparmor-dev libselinux1-dev
+    - name: print env
+      run: ./ci/printenv.sh
     - name: configure
-      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
+      run: >
+        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+        --enable-selinux
     - name: make
       run: make
     - name: make install
@@ -77,7 +81,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -88,15 +92,19 @@ jobs:
       run: sudo apt-get update
     - name: install clang-tools-14 and dependencies
       run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
+    - name: print env
+      run: ./ci/printenv.sh
     - name: configure
-      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
+      run: >
+        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+        --enable-selinux
     - name: scan-build
       run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
   cppcheck:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -107,15 +115,18 @@ jobs:
       run: sudo apt-get update
     - name: install cppcheck
       run: sudo apt-get install cppcheck
+    - run: cppcheck --version
     - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c .
-  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also
-  # with older cppcheck version from ubuntu 20.04.
+      run: >
+        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+        -i src/firejail/checkcfg.c -i src/firejail/main.c .
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+  # scan all files also with older cppcheck version from ubuntu 20.04.
   cppcheck_old:
     runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -126,13 +137,14 @@ jobs:
       run: sudo apt-get update
     - name: install cppcheck
       run: sudo apt-get install cppcheck
+    - run: cppcheck --version
     - name: cppcheck
       run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
   codespell:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -143,5 +155,6 @@ jobs:
       run: sudo apt-get update
     - name: install dependencies
       run: sudo apt-get install codespell
+    - run: codespell --version
     - name: codespell
       run: make codespell
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 93ad0ebf1..e896ba8e0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,12 +2,12 @@ name: Build CI
 
 on:
   push:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -19,12 +19,12 @@ on:
       - RELNOTES
       - SECURITY.md
   pull_request:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
       - .github/workflows/codeql-analysis.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
@@ -42,17 +42,22 @@ permissions:  # added using https://github.com/step-security/secure-workflows
 jobs:
   build_and_test:
     runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         egress-policy: block
         allowed-endpoints: >
+          1.1.1.1:1025
           azure.archive.ubuntu.com:80
           debian.org:80
+          dns.quad9.net:53
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
+          whois.pir.org:43
           www.debian.org:443
           www.debian.org:80
           yahoo.com:1025
@@ -60,44 +65,35 @@ jobs:
     - name: update package information
       run: sudo apt-get update
     - name: install dependencies
-      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois bridge-utils
+      run: >
+        sudo apt-get install
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
+        bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
     - name: configure
-      run: CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
     - name: make
       run: make
     - name: make install
       run: sudo make install
     - name: print firejail version
       run: command -V firejail && firejail --version
-    - name: lab setup
-      run: SHELL=/bin/bash make lab-setup
-    - name: run seccomp extra tests
-      run: SHELL=/bin/bash make test-seccomp-extra
-    - name: run firecfg tests
-      run: SHELL=/bin/bash make test-firecfg
-    - name: run capabilities tests
-      run: SHELL=/bin/bash make test-capabilities
-    - name: run apparmor tests
-      run: SHELL=/bin/bash make test-apparmor
-    - name: run appimage tests
-      run: SHELL=/bin/bash make test-appimage
-    - name: run chroot tests
-      run: SHELL=/bin/bash make test-chroot
-    - name: run sysutils tests
-      run: SHELL=/bin/bash make test-sysutils
-    - name: run private-etc tests
-      run: SHELL=/bin/bash make test-private-etc
-    - name: run profile tests
-      run: SHELL=/bin/bash make test-profiles
-    - name: run fcopy tests
-      run: SHELL=/bin/bash make test-fcopy
-    - name: run fnetfilter tests
-      run: SHELL=/bin/bash make test-fnetfilter
-    - name: run fs tests
-      run: SHELL=/bin/bash make test-fs
-    - name: run utils tests
-      run: SHELL=/bin/bash make test-utils
-    - name: run environment tests
-      run: SHELL=/bin/bash make test-environment
-    - name: run network tests
-      run: SHELL=/bin/bash make test-network
+    - run: make lab-setup
+    - run: make test-seccomp-extra
+    - run: make test-firecfg
+    - run: make test-capabilities
+    - run: make test-apparmor
+    - run: make test-appimage
+    - run: make test-chroot
+    - run: make test-sysutils
+    - run: make test-private-etc
+    - run: make test-profiles
+    - run: make test-fcopy
+    - run: make test-fnetfilter
+    - run: make test-fs
+    - run: make test-utils
+    - run: make test-environment
+    - run: make test-network
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a3242ff90..68f14d729 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,7 +7,6 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -17,6 +16,8 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
+      - .github/workflows/build.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -28,8 +29,6 @@ on:
       - SECURITY.md
       - src/firecfg/firecfg.config
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
       - 'contrib/syntax/**'
@@ -39,6 +38,8 @@ on:
       - .git-blame-ignore-revs
       - .github/dependabot.yml
       - .github/pull_request_template.md
+      - .github/workflows/build-extra.yml
+      - .github/workflows/build.yml
       - .github/workflows/profile-checks.yml
       - .gitignore
       - .gitlab-ci.yml
@@ -74,7 +75,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         disable-sudo: true
         egress-policy: block
@@ -87,9 +88,12 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
+    - name: print env
+      run: ./ci/printenv.sh
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b2c19fb9a2a485599ccf4ed5d65527d94bc57226
+      uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -100,7 +104,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b2c19fb9a2a485599ccf4ed5d65527d94bc57226
+      uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -114,4 +118,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b2c19fb9a2a485599ccf4ed5d65527d94bc57226
+      uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 64069f917..8500481cd 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -2,7 +2,6 @@ name: Profile Checks
 
 on:
   push:
-    branches: [ master ]
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
@@ -10,7 +9,6 @@ on:
       - contrib/sort.py
       - src/firecfg/firecfg.config
   pull_request:
-    branches: [ master ]
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
@@ -26,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
         disable-sudo: true
         egress-policy: block
@@ -34,12 +32,24 @@ jobs:
           github.com:443
 
     - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - name: print env
+      run: ./ci/printenv.sh
+    - run: python3 --version
+
 #   - name: sort.py
-#      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+#     run: >
+#       ./ci/check/profiles/sort.py
+#       etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 # Currently broken (see #5610)
-#    - name: private-etc-always-required.sh
-#      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+#   - name: private-etc-always-required.sh
+#     run: >
+#       ./ci/check/profiles/private-etc-always-required.sh
+#       etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
     - name: sort-disable-programs.sh
-      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+      run: >
+        ./ci/check/profiles/sort-disable-programs.sh
+        etc/inc/disable-programs.inc
     - name: sort-firecfg.config.sh
-      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
+      run: >
+        ./ci/check/profiles/sort-firecfg.config.sh
+        src/firecfg/firecfg.config
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a0241e994..38d121c49 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,22 +5,30 @@
 # and fedora:latest for new setups
 # 3. Alpine for installing directly from source
 # Also builds apparmor package for Ubuntu LTS
+
 build_ubuntu_package:
     image: ubuntu:rolling
     script:
         - apt-get update -qq
-        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config python3 gawk
+        - >
+            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq
+            build-essential lintian libapparmor-dev pkg-config python3 gawk
+        - ./ci/printenv.sh
         - ./configure
         - make deb
         - dpkg -i firejail*.deb
         - command -V firejail && firejail --version
+        # - python3 --version
         # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_debian_package:
-    image: debian:stretch
+    image: debian:buster
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk
+        - >
+            apt-get install -y -qq
+            build-essential lintian libapparmor-dev pkg-config gawk
+        - ./ci/printenv.sh
         - ./configure
         - make deb
         - dpkg -i firejail*.deb
@@ -31,6 +39,7 @@ build_redhat_package:
     script:
         - dnf update -y
         - dnf install -y rpm-build gcc make
+        - ./ci/printenv.sh
         - ./configure --prefix=/usr
         - make rpms
         - rpm -i firejail*.rpm
@@ -41,10 +50,12 @@ build_fedora_package:
     script:
         - dnf update -y
         - dnf install -y rpm-build gcc make
+        - ./ci/printenv.sh
         - ./configure --prefix=/usr
         - make rpms
         - rpm -i firejail*.rpm
         - command -V firejail && firejail --version
+        # - python3 --version
         # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_src_package:
@@ -53,17 +64,22 @@ build_src_package:
         - apk update
         - apk upgrade
         - apk add build-base linux-headers python3 gawk
+        - ./ci/printenv.sh
         - ./configure --prefix=/usr
         - make
         - make install-strip
         - command -V firejail && firejail --version
-        # - python3 contrib/sort.py etc/*.{profile,inc}
+        # - python3 --version
+        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_no_apparmor:
     image: ubuntu:latest
     script:
         - apt-get update -qq
-        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config gawk
+        - >
+            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq
+            build-essential lintian pkg-config gawk
+        - ./ci/printenv.sh
         - ./configure
         - make dist
         - ./mkdeb.sh --disable-apparmor
@@ -77,21 +93,36 @@ debian_ci:
         DEBFULLNAME: "$GITLAB_USER_NAME"
         DEBEMAIL: "$GITLAB_USER_EMAIL"
     before_script:
-        - git checkout -B ci_build $CI_COMMIT_SHA
+        - git checkout -B ci_build "$CI_COMMIT_SHA"
         - gitlab-ci-enable-sid
         - gitlab-ci-enable-experimental
-        - echo "deb-src http://deb.debian.org/debian sid main" >> /etc/apt/sources.list
-        - echo "deb-src http://deb.debian.org/debian experimental main" >> /etc/apt/sources.list
+        - |
+            cat >>/etc/apt/sources.list <<EOF
+            deb-src http://deb.debian.org/debian sid main
+            deb-src http://deb.debian.org/debian experimental main
+            EOF
         - apt-get update
         - git config user.name "$DEBFULLNAME"
         - git config user.email "$DEBEMAIL"
-        - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
-        - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
+        - |
+            cd "$CI_PROJECT_DIR/.."
+            apt-get source --download-only -t experimental firejail ||
+            apt-get source --download-only firejail
+        - |
+            cd "$CI_PROJECT_DIR"
+            tar xf ../firejail_*.debian.tar.*
         - rm -rf debian/patches/
-        - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
-        - git add debian && git commit -m "add debian/"
-        - export CI_COMMIT_SHA=$(git rev-parse HEAD)
+        - |
+            VERSION="$(grep ^PACKAGE_VERSION= configure | cut -d "'" -f 2)"
+            dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.'
+            git archive -o "../firejail_${VERSION}.orig.tar.gz" HEAD
+            pristine-tar commit "../firejail_${VERSION}.orig.tar.gz" ci_build
+            git branch -m pristine-tar origin/pristine-tar
+        - git add debian
+        - git commit -m 'add debian/'
+        - export CI_COMMIT_SHA="$(git rev-parse HEAD)"
     script:
         - apt-get --no-install-recommends install -y -qq gawk
+        - ./ci/printenv.sh
         - gitlab-ci-git-buildpackage
         - gitlab-ci-lintian
diff --git a/Makefile b/Makefile
index 98f368789..749457b1b 100644
--- a/Makefile
+++ b/Makefile
@@ -364,6 +364,10 @@ scan-build: clean
 codespell: clean
         codespell --ignore-regex "UE|creat|shotcut|ether" src test
 
+.PHONY: print-env
+print-env:
+        ./ci/printenv.sh
+
 #
 # make test
 #
diff --git a/README.md b/README.md
index 09a3276e6..781304451 100644
--- a/README.md
+++ b/README.md
@@ -235,6 +235,20 @@ You can also use this tool to get a list of syscalls needed by a program:
 
 * [contrib/syscalls.sh](contrib/syscalls.sh)
 
+## Uninstalling
+
+firecfg creates symlinks in /usr/local/bin, so to fully remove firejail, run
+the following before uninstalling:
+
+```sh
+sudo firecfg --clean
+```
+
+See `man firecfg` for details.
+
+Note: Broken symlinks are ignored when searching for an executable in `$PATH`,
+so uninstalling without doing the above should not cause issues.
+
 ## Latest released version: 0.9.72
 
 ## Current development version: 0.9.73
diff --git a/RELNOTES b/RELNOTES
index 7d6f835ad..72bdeb8f7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -15,6 +15,7 @@ firejail (0.9.73) baseline; urgency=low
   * bugfix: qutebrowser: links will not open in the existing instance (#5601
     #5618)
   * bugfix: fix --hostname and --hosts-file commands
+  * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
   * build: auto-generate syntax files (#5627)
   * build: mark most phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -23,12 +24,17 @@ firejail (0.9.73) baseline; urgency=low
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
+  * ci: fix swapped name/email arguments in debian_ci (#5795)
+  * ci: formatting and misc improvements (#5802)
+  * ci: run for every branch instead of just master (#5815)
+  * ci: upgrade debian:stretch to debian:buster (#5818)
   * test: split individual test groups in github workflows
   * test: add chroot, appimage and network tests in github workflows
   * docs: remove apparmor options in --help when building without apparmor
     support (#5589)
   * docs: fix typos (#5693)
   * docs: markdown formatting and misc improvements (#5757)
+  * docs: add uninstall instructions to README.md (#5812)
   * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
   * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
diff --git a/ci/printenv.sh b/ci/printenv.sh
new file mode 100755
index 000000000..4b7e03fa7
--- /dev/null
+++ b/ci/printenv.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Print information that may be useful for debugging CI.
+
+test -f /etc/os-release && . /etc/os-release
+
+cat <<EOF
+nproc:  $(nproc)
+kernel: $(uname -srvm)
+distro: $PRETTY_NAME
+sh:     $(ls -l /bin/sh | sed 's|.* /bin|/bin|')
+user:   $(id | cut -f -2 -d ' ')
+
+[/etc/os-release]
+$(cat /etc/os-release)
+EOF
+
+if test -z "$CI_VERBOSE"; then
+        exit
+fi
+
+cat <<EOF
+
+[env]
+$(env | LC_ALL=C sort)
+EOF
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc
index b0525e2e1..0d4ab8c35 100644
--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
 
+noblacklist ${HOME}/.local/lib/python2*
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc
index d968886b0..0693fb7e7 100644
--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
 
+noblacklist ${HOME}/.local/lib/python3*
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index ca43e5ed9..4e3590fed 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -61,6 +61,7 @@ blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
+blacklist ${HOME}/.local/lib/python2*
 blacklist ${PATH}/python2*
 blacklist /usr/include/python2*
 blacklist /usr/lib/python2*
@@ -70,6 +71,7 @@ blacklist /usr/share/python2*
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 
 # Python 3
+blacklist ${HOME}/.local/lib/python3*
 blacklist ${PATH}/python3*
 blacklist /usr/include/python3*
 blacklist /usr/lib/python3*
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 7d5c859e9..2f595f274 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -20,6 +20,9 @@ noblacklist /var/spool/mail
 
 noblacklist ${DOCUMENTS}
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,15 +33,18 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.bsfilter
 whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.signature
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
 whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /var/mail
@@ -70,7 +76,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,gnupg,hosts.conf,mailname,timezone
+private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 9dcc9dec3..85f414562 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -75,7 +75,7 @@ nonewprivs
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !set_mempolicy
 seccomp.block-secondary
 tracelog
 
diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile
index 349da8821..10c28cd76 100644
--- a/src/etc-cleanup/Makefile
+++ b/src/etc-cleanup/Makefile
@@ -4,6 +4,6 @@ ROOT = ../..
 PROG = etc-cleanup
 TARGET = $(PROG)
 
-MOD_HDRS = ../include/etc-groups.h
+MOD_HDRS = ../include/etc_groups.h
 
 include $(ROOT)/src/prog.mk
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c
index 6c7bea6d6..f15ba53cd 100644
--- a/src/etc-cleanup/main.c
+++ b/src/etc-cleanup/main.c
@@ -212,13 +212,16 @@ static void process_file(const char *fname) {
         }
 }
 
+static const char *const usage_str =
+        "usage: cleanup-etc [options] file.profile [file.profile]\n"
+        "Group and clean private-etc entries in one or more profile files.\n"
+        "Options:\n"
+        "   --debug - print debug messages\n"
+        "   -h, -?, --help - this help screen\n"
+        "   --replace - replace profile file\n";
+
 static void usage(void) {
-        printf("usage: cleanup-etc [options] file.profile [file.profile]\n");
-        printf("Group and clean private-etc entries in one or more profile files.\n");
-        printf("Options:\n");
-        printf("   --debug - print debug messages\n");
-        printf("   -h, -?, --help - this help screen\n");
-        printf("   --replace - replace profile file\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index 7fdf9af68..a85d4a931 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -21,9 +21,12 @@
 int arg_debug = 0;
 int arg_appimage = 0;
 
+static const char *const usage_str =
+        "Firejail profile builder\n"
+        "Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n";
+
 static void usage(void) {
-        printf("Firejail profile builder\n");
-        printf("Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index ce2efb295..a56e8a91b 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -416,18 +416,19 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) {
         free(rdest);
 }
 
+static const char *const usage_str =
+        "Usage: fcopy [--follow-link] src dest\n"
+        "\n"
+        "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n"
+        "If SRC is a directory it is copied recursively.  If it is a symlink,\n"
+        "the link itself is duplicated, unless --follow-link is given,\n"
+        "in which case the destination of the link is copied.\n"
+        "DEST must already exist and must be a directory.\n";
 
 static void usage(void) {
-        fputs("Usage: fcopy [--follow-link] src dest\n"
-                "\n"
-                "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n"
-                "If SRC is a directory it is copied recursively.  If it is a symlink,\n"
-                "the link itself is duplicated, unless --follow-link is given,\n"
-                "in which case the destination of the link is copied.\n"
-                "DEST must already exist and must be a directory.\n", stderr);
+        fputs(usage_str, stderr);
 }
 
-
 int main(int argc, char **argv) {
 #if 0
         {
diff --git a/src/fids/main.c b/src/fids/main.c
index f1dfdac8e..915edb6ca 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -318,10 +318,11 @@ static void process_config(const char *fname) {
         include_level--;
 }
 
-
+static const char *const usage_str =
+        "Usage: fids [--help|-h|-?] --init|--check homedir\n";
 
 void usage(void) {
-        printf("Usage: fids [--help|-h|-?] --init|--check homedir\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index e1ff7e17a..da962c35d 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -24,7 +24,7 @@ int arg_debug = 0;
 char *arg_bindir = "/usr/local/bin";
 int arg_guide = 0;
 
-static char *usage_str =
+static const char *const usage_str =
         "Firecfg is the desktop configuration utility for Firejail software. The utility\n"
         "creates several symbolic links to firejail executable. This allows the user to\n"
         "sandbox applications automatically, just by clicking on a regular desktop\n"
@@ -57,14 +57,17 @@ static char *usage_str =
         "   [...]\n"
         "\n"
         "License GPL version 2 or later\n"
-        "Homepage: https://firejail.wordpress.com\n\n";
+        "Homepage: https://firejail.wordpress.com\n";
+
+static void print_version(void) {
+        printf("firecfg version %s\n\n", VERSION);
+}
 
 static void usage(void) {
-        printf("firecfg - version %s\n\n", VERSION);
+        print_version();
         puts(usage_str);
 }
 
-
 static void list(void) {
         DIR *dir = opendir(arg_bindir);
         if (!dir) {
@@ -364,7 +367,7 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
                 else if (strcmp(argv[i], "--version") == 0) {
-                        printf("firecfg version %s\n\n", VERSION);
+                        print_version();
                         return 0;
                 }
                 else if (strcmp(argv[i], "--clean") == 0) {
@@ -410,6 +413,7 @@ int main(int argc, char **argv) {
                 }
         }
 
+        print_version();
         if (arg_debug)
                 printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
 
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index d4288b29e..ed14eb171 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -197,7 +197,11 @@ int arp_check(const char *dev, uint32_t destaddr) {
                 double timeout = timerend - now;
                 ts.tv_sec = timeout;
                 ts.tv_usec = (timeout - ts.tv_sec) * 1000000;
-                int nready = select(maxfd + 1,  &fds, (fd_set *) 0, (fd_set *) 0, &ts);
+                if (ts.tv_sec < 0)
+                        ts.tv_sec = 0;
+                if (ts.tv_usec < 0)
+                        ts.tv_usec = 0;
+                int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts);
                 if (nready < 0)
                         errExit("select");
                 else if (nready == 0) { // timeout
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index a39e8c667..d2289bb40 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -305,147 +305,128 @@ errout:
         exit(1);
 }
 
-void print_version(void) {
-        printf("firejail version %s\n", VERSION);
-        printf("\n");
-        print_compiletime_support();
-        printf("\n");
-}
-
-void print_compiletime_support(void) {
-        printf("Compile time support:\n");
-        printf("\t- always force nonewprivs support is %s\n",
+static const char *const compiletime_support =
+        "Compile time support:"
+        "\n\t- always force nonewprivs support is "
 #ifdef HAVE_FORCE_NONEWPRIVS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- AppArmor support is %s\n",
+        "\n\t- AppArmor support is "
 #ifdef HAVE_APPARMOR
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- AppImage support is %s\n",
+        "\n\t- AppImage support is "
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- chroot support is %s\n",
+        "\n\t- chroot support is "
 #ifdef HAVE_CHROOT
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- D-BUS proxy support is %s\n",
+        "\n\t- D-BUS proxy support is "
 #ifdef HAVE_DBUSPROXY
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- file transfer support is %s\n",
+        "\n\t- file transfer support is "
 #ifdef HAVE_FILE_TRANSFER
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- firetunnel support is %s\n",
+        "\n\t- firetunnel support is "
 #ifdef HAVE_FIRETUNNEL
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- IDS support is %s\n",
+        "\n\t- IDS support is "
 #ifdef HAVE_IDS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- networking support is %s\n",
+        "\n\t- networking support is "
 #ifdef HAVE_NETWORK
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- output logging is %s\n",
+        "\n\t- output logging is "
 #ifdef HAVE_OUTPUT
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
-        printf("\t- overlayfs support is %s\n",
+
+        "\n\t- overlayfs support is "
 #ifdef HAVE_OVERLAYFS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- private-home support is %s\n",
+        "\n\t- private-home support is "
 #ifdef HAVE_PRIVATE_HOME
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- private-lib support is %s\n",
+        "\n\t- private-lib support is "
 #ifdef HAVE_PRIVATE_LIB
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- private-cache and tmpfs as user %s\n",
+        "\n\t- private-cache and tmpfs as user "
 #ifdef HAVE_USERTMPFS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- SELinux support is %s\n",
+        "\n\t- SELinux support is "
 #ifdef HAVE_SELINUX
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- user namespace support is %s\n",
+        "\n\t- user namespace support is "
 #ifdef HAVE_USERNS
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
 
-        printf("\t- X11 sandboxing support is %s\n",
+        "\n\t- X11 sandboxing support is "
 #ifdef HAVE_X11
                 "enabled"
 #else
                 "disabled"
 #endif
-                );
+        "\n";
+
+void print_compiletime_support(void) {
+        puts(compiletime_support);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2cde75463..d85b470e6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -477,6 +477,8 @@ void tree(void);
 void top(void);
 
 // usage.c
+void print_version(void);
+void print_version_full(void);
 void usage(void);
 
 // process.c
@@ -856,7 +858,6 @@ extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);
-void print_version(void);
 void print_compiletime_support(void);
 
 // appimage.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7e23cdc63..1835d8de2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -369,7 +369,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
         else if (strcmp(argv[i], "--version") == 0) {
-                print_version();
+                print_version_full();
                 exit(0);
         }
 #ifdef HAVE_OVERLAYFS
@@ -1128,7 +1128,7 @@ int main(int argc, char **argv, char **envp) {
                 EUID_USER();
                 if (rv == 0) {
                         if (check_arg(argc, argv, "--version", 1)) {
-                                print_version();
+                                print_version_full();
                                 exit(0);
                         }
 
@@ -3010,6 +3010,11 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_ASSERT();
 
+        // Note: Only attempt to print non-debug information to stdout after
+        // all profiles have been loaded (because a profile may set arg_quiet)
+        if (!arg_quiet)
+                print_version();
+
         // block X11 sockets
         if (arg_x11_block)
                 x11_block();
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index ce43b4832..59b74ec5c 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -132,6 +132,24 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 #ifdef SYS_umount2
                         BLACKLIST(SYS_umount2),
 #endif
+#ifdef SYS_fsopen
+                        BLACKLIST(SYS_fsopen), // mount syscalls introduced 2019
+#endif
+#ifdef SYS_fsconfig
+                        BLACKLIST(SYS_fsconfig),
+#endif
+#ifdef SYS_fsmount
+                        BLACKLIST(SYS_fsmount),
+#endif
+#ifdef SYS_move_mount
+                        BLACKLIST(SYS_move_mount),
+#endif
+#ifdef SYS_fspick
+                        BLACKLIST(SYS_fspick),
+#endif
+#ifdef SYS_open_tree
+                        BLACKLIST(SYS_open_tree),
+#endif
 #ifdef SYS_ptrace
                         BLACKLIST(SYS_ptrace), // trace processes
 #endif
@@ -186,6 +204,9 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 #ifdef SYS_syslog
                         BLACKLIST(SYS_syslog), // kernel printk control
 #endif
+#ifdef SYS_personality
+                        BLACKLIST(SYS_personality), // execution domain
+#endif
                         RETURN_ALLOW
                 };
 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b6b60d85c..e8758c807 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -19,7 +19,7 @@
 */
 #include "firejail.h"
 
-static char *usage_str =
+static const char *const usage_str =
         "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"
         "restricting the running environment of untrusted applications using Linux\n"
         "namespaces.\n"
@@ -311,11 +311,18 @@ static char *usage_str =
         "\tlist all running sandboxes\n"
         "\n"
         "License GPL version 2 or later\n"
-        "Homepage: https://firejail.wordpress.com\n"
-        "\n";
+        "Homepage: https://firejail.wordpress.com\n";
 
+void print_version(void) {
+        printf("firejail version %s\n\n", VERSION);
+}
+
+void print_version_full(void) {
+        print_version();
+        print_compiletime_support();
+}
 
 void usage(void) {
-        printf("firejail - version %s\n\n", VERSION);
+        print_version();
         puts(usage_str);
 }
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index d82f387ff..958fa1b03 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -145,7 +145,7 @@ int main(int argc, char **argv) {
                         return 0;
                 }
                 else if (strcmp(argv[i], "--version") == 0) {
-                        printf("firemon version %s\n\n", VERSION);
+                        print_version();
                         return 0;
                 }
                 else if (strcmp(argv[i], "--debug") == 0)
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 8b6e75fc3..be83352bb 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -49,6 +49,7 @@ void firemon_sleep(int st);
 void procevent(pid_t pid) __attribute__((noreturn));
 
 // usage.c
+void print_version(void);
 void usage(void);
 
 // top.c
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 169ec9163..afd2b552a 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -19,7 +19,7 @@
 */
 #include "firemon.h"
 
-static char *help_str =
+static const char *const usage_str =
         "Usage: firemon [OPTIONS] [PID]\n\n"
         "Monitor processes started in a Firejail sandbox. Without any PID specified,\n"
         "all processes started by Firejail are monitored. Descendants of these processes\n"
@@ -75,10 +75,13 @@ static char *help_str =
         "\tUser - The owner of the sandbox.\n"
         "\n"
         "License GPL version 2 or later\n"
-        "Homepage: https://firejail.wordpress.com\n"
-        "\n";
+        "Homepage: https://firejail.wordpress.com\n";
+
+void print_version(void) {
+        printf("firemon version %s\n\n", VERSION);
+}
 
 void usage(void) {
-        printf("firemon - version %s\n", VERSION);
-        puts(help_str);
+        print_version();
+        puts(usage_str);
 }
diff --git a/src/fldd/main.c b/src/fldd/main.c
index 63398ce2e..c28cad72e 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -282,12 +282,13 @@ static void walk_directory(const char *dirname) {
         }
 }
 
-
+static const char *const usage_str =
+        "Usage: fldd program_or_directory [file]\n"
+        "Print a list of libraries used by program or store it in the file.\n"
+        "Print a list of libraries used by all .so files in a directory or store it in the file.\n";
 
 static void usage(void) {
-        printf("Usage: fldd program_or_directory [file]\n");
-        printf("Print a list of libraries used by program or store it in the file.\n");
-        printf("Print a list of libraries used by all .so files in a directory or store it in the file.\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
@@ -363,4 +364,4 @@ int main(void) {
         printf("Sorry, private lib is disabled in this build\n");
         return 0;
 }
-#endif
\ No newline at end of file
+#endif
diff --git a/src/fnet/main.c b/src/fnet/main.c
index fc36ae977..d1c8170ca 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -35,19 +35,21 @@ void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/fire
         fflush(0);
 }
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfnet create veth dev1 dev2 bridge child\n"
+        "\tfnet create macvlan dev parent child\n"
+        "\tfnet moveif dev proc\n"
+        "\tfnet printif\n"
+        "\tfnet printif scan\n"
+        "\tfnet config interface dev ip mask mtu\n"
+        "\tfnet config mac addr\n"
+        "\tfnet config ipv6 dev ip\n"
+        "\tfnet ifup dev\n"
+        "\tfnet waitll dev\n";
 
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfnet create veth dev1 dev2 bridge child\n");
-        printf("\tfnet create macvlan dev parent child\n");
-        printf("\tfnet moveif dev proc\n");
-        printf("\tfnet printif\n");
-        printf("\tfnet printif scan\n");
-        printf("\tfnet config interface dev ip mask mtu\n");
-        printf("\tfnet config mac addr\n");
-        printf("\tfnet config ipv6 dev ip\n");
-        printf("\tfnet ifup dev\n");
-        printf("\tfnet waitll dev\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 8c0f6c297..1b0335d68 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -45,9 +45,12 @@ static char *default_filter =
 "-A OUTPUT -p tcp --dport 3479 -j DROP\n"
 "COMMIT\n";
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfnetfilter netfilter-command destination-file\n";
+
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfnetfilter netfilter-command destination-file\n");
+        puts(usage_str);
 }
 
 static void err_exit_cannot_open_file(const char *fname) {
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index 64feec5fe..1cde1942c 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -167,13 +167,13 @@ static void run_trace(void) {
 
         close(s);
 }
-
+static const char *const usage_str =
+        "Usage: fnettrace-dns [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n";
 
 static void usage(void) {
-        printf("Usage: fnettrace-dns [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c
index 714917547..516a9fc5b 100644
--- a/src/fnettrace-icmp/main.c
+++ b/src/fnettrace-icmp/main.c
@@ -201,11 +201,13 @@ static void run_trace(void) {
         close(s);
 }
 
+static const char *const usage_str =
+        "Usage: fnettrace-icmp [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n";
+
 static void usage(void) {
-        printf("Usage: fnettrace-icmp [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index b8490b4f7..e7782d656 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -204,12 +204,13 @@ static void run_trace(void) {
         close(s);
 }
 
+static const char *const usage_str =
+        "Usage: fnettrace-sni [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n";
 
 static void usage(void) {
-        printf("Usage: fnettrace-sni [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 2f421562e..178ac3631 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -668,18 +668,20 @@ void logprintf(char *fmt, ...) {
         va_end(args);
 }
 
+static const char *const usage_str =
+        "Usage: fnettrace [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n"
+        "   --log=filename - netlocker logfile\n"
+        "   --netfilter - build the firewall rules and commit them.\n"
+        "   --tail - \"tail -f\" functionality\n"
+        "Examples:\n"
+        "   # fnettrace                              - traffic trace\n"
+        "   # fnettrace --netfilter --log=logfile    - netlocker, dump output in logfile\n"
+        "   # fnettrace --tail --log=logifile        - similar to \"tail -f logfile\"\n";
+
 static void usage(void) {
-        printf("Usage: fnettrace [OPTIONS]\n");
-        printf("Options:\n");
-        printf("   --help, -? - this help screen\n");
-        printf("   --log=filename - netlocker logfile\n");
-        printf("   --netfilter - build the firewall rules and commit them.\n");
-        printf("   --tail - \"tail -f\" functionality\n");
-        printf("Examples:\n");
-        printf("   # fnettrace                              - traffic trace\n");
-        printf("   # fnettrace --netfilter --log=logfile    - netlocker, dump output in logfile\n");
-        printf("   # fnettrace --tail --log=logifile        - similar to \"tail -f logfile\"\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index 0bc521c0d..38ba7c697 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -22,9 +22,12 @@
 
 int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfsec-optimize file - optimize seccomp filter\n";
+
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfsec-optimize file - optimize seccomp filter\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index 696c6bc0c..4d3e38648 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -19,9 +19,12 @@
 */
 #include "fsec_print.h"
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfsec-print file - disassemble seccomp filter\n";
+
 static void usage(void) {
-        printf("Usage:\n");
-        printf("\tfsec-print file - disassemble seccomp filter\n");
+        puts(usage_str);
 }
 
 int arg_quiet = 0;
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 0b46daf65..e7823d3c5 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -22,34 +22,37 @@
 int arg_quiet = 0;
 int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 
+static const char *const usage_str =
+        "Usage:\n"
+        "\tfseccomp debug-syscalls\n"
+        "\tfseccomp debug-syscalls32\n"
+        "\tfseccomp debug-errnos\n"
+        "\tfseccomp debug-protocols\n"
+        "\tfseccomp protocol build list file\n"
+        "\tfseccomp secondary 64 file\n"
+        "\tfseccomp secondary 32 file\n"
+        "\tfseccomp secondary block file\n"
+        "\tfseccomp default file\n"
+        "\tfseccomp default file allow-debuggers\n"
+        "\tfseccomp default32 file\n"
+        "\tfseccomp default32 file allow-debuggers\n"
+        "\tfseccomp drop file1 file2 list\n"
+        "\tfseccomp drop file1 file2 list allow-debuggers\n"
+        "\tfseccomp drop32 file1 file2 list\n"
+        "\tfseccomp drop32 file1 file2 list allow-debuggers\n"
+        "\tfseccomp default drop file1 file2 list\n"
+        "\tfseccomp default drop file1 file2 list allow-debuggers\n"
+        "\tfseccomp default32 drop file1 file2 list\n"
+        "\tfseccomp default32 drop file1 file2 list allow-debuggers\n"
+        "\tfseccomp keep file1 file2 list\n"
+        "\tfseccomp keep32 file1 file2 list\n"
+        "\tfseccomp memory-deny-write-execute file\n"
+        "\tfseccomp memory-deny-write-execute.32 file\n"
+        "\tfseccomp restrict-namespaces file list\n"
+        "\tfseccomp restrict-namespaces.32 file list\n";
+
 static void usage(void) {
-        printf("Usage:\n"
-                "\tfseccomp debug-syscalls\n"
-                "\tfseccomp debug-syscalls32\n"
-                "\tfseccomp debug-errnos\n"
-                "\tfseccomp debug-protocols\n"
-                "\tfseccomp protocol build list file\n"
-                "\tfseccomp secondary 64 file\n"
-                "\tfseccomp secondary 32 file\n"
-                "\tfseccomp secondary block file\n"
-                "\tfseccomp default file\n"
-                "\tfseccomp default file allow-debuggers\n"
-                "\tfseccomp default32 file\n"
-                "\tfseccomp default32 file allow-debuggers\n"
-                "\tfseccomp drop file1 file2 list\n"
-                "\tfseccomp drop file1 file2 list allow-debuggers\n"
-                "\tfseccomp drop32 file1 file2 list\n"
-                "\tfseccomp drop32 file1 file2 list allow-debuggers\n"
-                "\tfseccomp default drop file1 file2 list\n"
-                "\tfseccomp default drop file1 file2 list allow-debuggers\n"
-                "\tfseccomp default32 drop file1 file2 list\n"
-                "\tfseccomp default32 drop file1 file2 list allow-debuggers\n"
-                "\tfseccomp keep file1 file2 list\n"
-                "\tfseccomp keep32 file1 file2 list\n"
-                "\tfseccomp memory-deny-write-execute file\n"
-                "\tfseccomp memory-deny-write-execute.32 file\n"
-                "\tfseccomp restrict-namespaces file list\n"
-                "\tfseccomp restrict-namespaces.32 file list\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 0a492b41e..a34a76b26 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -180,8 +180,11 @@ static int is_link(const char *fname) {
         return 0;
 }
 
+static const char *const usage_str =
+        "Usage: ftee filename\n";
+
 static void usage(void) {
-        printf("Usage: ftee filename\n");
+        puts(usage_str);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 8e0aaa860..27da309ea 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -29,16 +29,19 @@ char *user_home_dir = NULL;
 char *user_run_dir = NULL;
 int arg_debug = 0;
 
-static char *usage_str =
+static const char *const usage_str =
         "Usage: jailcheck [options] directory [directory]\n\n"
         "Options:\n"
         "   --debug - print debug messages.\n"
         "   --help, -? - this help screen.\n"
         "   --version - print program version and exit.\n";
 
+static void print_version(void) {
+        printf("jailcheck version %s\n\n", VERSION);
+}
 
 static void usage(void) {
-        printf("firetest - version %s\n\n", VERSION);
+        print_version();
         puts(usage_str);
 }
 
@@ -62,7 +65,7 @@ int main(int argc, char **argv) {
                         return 0;
                 }
                 else if (strcmp(argv[i], "--version") == 0) {
-                        printf("firetest version %s\n\n", VERSION);
+                        print_version();
                         return 0;
                 }
                 else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
diff --git a/src/profstats/main.c b/src/profstats/main.c
index d5e57e7cc..49ed1637a 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -74,32 +74,34 @@ static int arg_restrict_namespaces = 0;
 
 static char *profile = NULL;
 
+static const char *const usage_str =
+        "profstats - print profile statistics\n"
+        "Usage: profstats [options] file[s]\n"
+        "Options:\n"
+        "   --apparmor - print profiles without apparmor\n"
+        "   --caps - print profiles without caps\n"
+        "   --dbus-system-none - print profiles without \"dbus-system none\"\n"
+        "   --dbus-user-none - print profiles without \"dbus-user none\"\n"
+        "   --ssh - print profiles without \"include disable-common.inc\"\n"
+        "   --noexec - print profiles without \"include disable-exec.inc\"\n"
+        "   --noroot - print profiles without \"noroot\"\n"
+        "   --private-bin - print profiles without private-bin\n"
+        "   --private-dev - print profiles without private-dev\n"
+        "   --private-etc - print profiles without private-etc\n"
+        "   --private-tmp - print profiles without private-tmp\n"
+        "   --print-blacklist - print all --blacklist for a profile\n"
+        "   --print-whitelist - print all --private and --whitelist for a profile\n"
+        "   --seccomp - print profiles without seccomp\n"
+        "   --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n"
+        "   --restrict-namespaces - print profiles without \"restrict-namespaces\"\n"
+        "   --whitelist-home - print profiles whitelisting home directory\n"
+        "   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"
+        "   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"
+        "   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"
+        "   --debug\n";
+
 static void usage(void) {
-        printf("profstats - print profile statistics\n");
-        printf("Usage: profstats [options] file[s]\n");
-        printf("Options:\n");
-        printf("   --apparmor - print profiles without apparmor\n");
-        printf("   --caps - print profiles without caps\n");
-        printf("   --dbus-system-none - print profiles without \"dbus-system none\"\n");
-        printf("   --dbus-user-none - print profiles without \"dbus-user none\"\n");
-        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
-        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
-        printf("   --noroot - print profiles without \"noroot\"\n");
-        printf("   --private-bin - print profiles without private-bin\n");
-        printf("   --private-dev - print profiles without private-dev\n");
-        printf("   --private-etc - print profiles without private-etc\n");
-        printf("   --private-tmp - print profiles without private-tmp\n");
-        printf("   --print-blacklist - print all --blacklist for a profile\n");
-        printf("   --print-whitelist - print all --private and --whitelist for a profile\n");
-        printf("   --seccomp - print profiles without seccomp\n");
-        printf("   --memory-deny-write-execute - print profiles without \"memory-deny-write-execute\"\n");
-        printf("   --restrict-namespaces - print profiles without \"restrict-namespaces\"\n");
-        printf("   --whitelist-home - print profiles whitelisting home directory\n");
-        printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
-        printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
-        printf("   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
-        printf("   --debug\n");
-        printf("\n");
+        puts(usage_str);
 }
 
 static void process_file(char *fname) {
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
index eb1349112..8bdaa507c 100755
--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -60,11 +60,12 @@ expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "No such file or directory"
 }
-after 100
-send -- "/bin/ping 1.1.1.1\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Operation not permitted"
-}
+# FIXME: Sometimes ping works normally
+#after 100
+#send -- "/bin/ping 1.1.1.1\r"
+#expect {
+#       timeout {puts "TESTING ERROR 9\n";exit}
+#       "Operation not permitted"
+#}
 
 puts "all done\n"