15 files changed, 102 insertions, 12 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e5e86d8e0..66ca0d321 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -53,7 +53,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      uses: github/codeql-action/init@c7f292ea4f542c473194b33813ccd4c207a6c725
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +64,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      uses: github/codeql-action/autobuild@c7f292ea4f542c473194b33813ccd4c207a6c725
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -78,4 +78,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+      uses: github/codeql-action/analyze@c7f292ea4f542c473194b33813ccd4c207a6c725
diff --git a/README.md b/README.md
index f8ca8b29c..4627d7dcf 100644
--- a/README.md
+++ b/README.md
@@ -258,4 +258,4 @@ Stats:
 ### New profiles:
-onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb
+onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
diff --git a/RELNOTES b/RELNOTES
index 63da0ae5d..a7d4a9422 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,16 +1,23 @@
 firejail (0.9.71) baseline; urgency=low
  * work in progress
-  * feature: restrict namespaces (--restrict-namespaces) inplemented as
-    a seccomp filter for both 64 and 32 bit architectures
  * feature: On failing to remount a fuse filesystem, give warning instead of
    erroring out (#5240 #5242)
-  * feature: support for custom AppArmor profiles (--apparmor=) (#5274)
+  * feature: restrict namespaces (--restrict-namespaces) implemented as
-  * build: deduplicate configure-time vars into new config files (#5140)
+    a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
+  * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
+    #5317)
+  * bugfix: Flood of seccomp audit log entries (#5207)
+  * build: deduplicate configure-time vars into new config files (#5140 #5284)
  * build: fix file mode of shell scripts (644 -> 755) (#5206)
  * build: reduce autoconf input files from 32 to 2 (#5219)
  * build: add dist build directory to .gitignore (#5248)
  * build: add autoconf auto-generation comment to input files (#5251)
+  * build: Add files make uninstall forgot to remove (#5283)
+  * build: add and use TARNAME instead of NAME for paths (#5310)
  * ci: ignore git-related paths and the project license (#5249)
+  * docs: mention risk of SUID binaries and also firejail-users(5) (#5288
+    #5290)
+  * docs: set vim filetype on man pages for syntax highlighting (#5296)
 -- netblue30 <netblue30@yahoo.com>  Sat, 11 Jun 2022 09:00:00 -0500
 firejail (0.9.70) baseline; urgency=low
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index b4e7f642a..3cc771ed7 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -33,6 +33,7 @@ owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 #ptrace,
 # Allow obtaining some process information, but not ptrace(2)
 ptrace (read,readby) peer=@{profile_name},
+ptrace (read,readby) peer=@{profile_name}//&unconfined,
 ##########
 # Allow read access to whole filesystem and control it from firejail.
@@ -123,6 +124,7 @@ network packet,
 ##########
 # There is no equivalent in Firejail for filtering signals.
 ##########
+signal (send) peer=@{profile_name}//&unconfined,
 signal (send) peer=@{profile_name},
 signal (receive),
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 2802d11be..7ad491460 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -149,6 +149,7 @@ blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/lbry-viewer
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
@@ -503,6 +504,7 @@ blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
 blacklist ${HOME}/.config/kube
 blacklist ${HOME}/.config/kwriterc
+blacklist ${HOME}/.config/lbry-viewer
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -622,6 +624,7 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuir
 blacklist ${HOME}/.config/tuta_integration
 blacklist ${HOME}/.config/tutanota-desktop
 blacklist ${HOME}/.config/tvbrowser
@@ -995,6 +998,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/tuir
 blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
diff --git a/etc/profile-a-l/gtk-lbry-viewer.profile b/etc/profile-a-l/gtk-lbry-viewer.profile
new file mode 100644
index 000000000..e1fb53b16
--- /dev/null
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-lbry-viewer
+# Description: Gtk front-end to lbry-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-lbry-viewer.local
+# added by included profile
+#include globals.local
+ignore quiet
+# Redirect
+include lbry-viewer.profile
diff --git a/etc/profile-a-l/lbry-viewer.profile b/etc/profile-a-l/lbry-viewer.profile
new file mode 100644
index 000000000..f6a02ac83
--- /dev/null
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for lbry-viewer
+# Description:CLI for searching and playing videos from LBRY, with the Librarian frontend
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lbry-viewer.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/lbry-viewer
+noblacklist ${HOME}/.config/lbry-viewer
+mkdir ${HOME}/.config/lbry-viewer
+mkdir ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.cache/lbry-viewer
+whitelist ${HOME}/.config/lbry-viewer
+private-bin gtk-lbry-viewer,lbry-viewer
+# Redirect
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index bdc6e3451..b8d221dc3 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -56,7 +56,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
 #private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 30f9aafcb..5e5a8e9bb 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -156,7 +156,10 @@ protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
+# (see #4366).
 seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+# process_vm_readv is used by GE-Proton7-18 (see #5185).
+seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
 #tracelog
diff --git a/etc/profile-m-z/tuir.profile b/etc/profile-m-z/tuir.profile
new file mode 100644
index 000000000..b441503c6
--- /dev/null
+++ b/etc/profile-m-z/tuir.profile
@@ -0,0 +1,23 @@
+# Firejail profile for tuir
+# Description: Browse Reddit from your terminal (rtv fork)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuir.local
+# Persistent global definitions
+#include globals.local
+ignore mkdir ${HOME}/.config/rtv
+ignore mkdir ${HOME}/.local/share/rtv
+noblacklist ${HOME}/.config/tuir
+noblacklist ${HOME}/.local/share/tuir
+mkdir ${HOME}/.config/tuir
+mkdir ${HOME}/.local/share/tuir
+whitelist ${HOME}/.config/tuir
+whitelist ${HOME}/.local/share/tuir
+private-bin tuir
+# Redirect
+include rtv.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 1e10258d5..1de107a03 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -373,6 +373,7 @@ gravity-beams-and-evaporating-stars
 gthumb
 gtk2-youtube-viewer
 gtk3-youtube-viewer
+gtk-lbry-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
@@ -458,6 +459,7 @@ ktouch
 kube
 # kwin_x11
 kwrite
+lbry-viewer
 leafpad
 # less - breaks man
 librecad
@@ -841,6 +843,7 @@ tremulous
 trojita
 truecraft
 tshark
+tuir
 tutanota-desktop
 tuxguitar
 tvbrowser
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2969db85b..9a2f8c82c 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -943,7 +943,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                return 0;
        }
-        
        if (strncmp(ptr, "apparmor ", 9) == 0) {
 #ifdef HAVE_APPARMOR
                arg_apparmor = 1;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7922a53d0..0b78203d7 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -191,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
 .br
 .br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
+be blacklisted.
+.br
+.br
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2958,8 +2965,14 @@ all directories in /usr.
 .br
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
-the same top directory. For user home, both the link and the real file should be owned by the user.
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
 .br
 .br
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index fd58a7168..9d0785a4a 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -118,3 +118,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index 483f47fb9..e889ea91b 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -115,3 +115,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
+.\" vim: set filetype=groff :