64 files changed, 653 insertions, 180 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index fc74640d4..37056a1ce 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -22,7 +22,7 @@ _Describe the bug_
 
 _Steps to reproduce the behavior_
 
-1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent
+1. Run in bash `LC_ALL=C firejail /path/to/program` (`LC_ALL=C` to get a consistent
    output in English that can be understood by everybody)
 2. Click on '....'
 3. Scroll down to '....'
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 30242923d..7335f1eb2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,5 +3,5 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 2
+      interval: "monthly"
+    open-pull-requests-limit: 4
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 97a7b20d1..72ba685b5 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -44,7 +44,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -52,7 +52,7 @@ jobs:
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 93a115daa..b4ae7a2e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -68,7 +68,7 @@ jobs:
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 03955b3f9..c41c67798 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -46,7 +46,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -56,7 +56,7 @@ jobs:
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
           security.ubuntu.com:80
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install clang-tools-14 and dependencies
@@ -79,7 +79,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -89,7 +89,7 @@ jobs:
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
           security.ubuntu.com:80
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install cppcheck
@@ -109,7 +109,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -120,7 +120,7 @@ jobs:
           ppa.launchpad.net:80
           ppa.launchpadcontent.net:443
           security.ubuntu.com:80
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install cppcheck
@@ -143,7 +143,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         disable-sudo: true
         egress-policy: block
@@ -154,14 +154,14 @@ jobs:
           uploads.github.com:443
 
     - name: Checkout repository
-      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
 
     - name: print env
       run: ./ci/printenv.sh
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14
+      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f
       with:
         languages: cpp
 
@@ -172,4 +172,4 @@ jobs:
       run: make -j "$(nproc)"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14
+      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 5613b6bb7..a7974a994 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -33,14 +33,14 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         disable-sudo: true
         egress-policy: block
         allowed-endpoints: >
           github.com:443
 
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: print env
       run: ./ci/printenv.sh
     - run: python3 --version
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 8d8e2ac23..0bb67e05e 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -31,7 +31,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         disable-sudo: true
         egress-policy: block
@@ -44,16 +44,16 @@ jobs:
           uploads.github.com:443
 
     - name: Checkout repository
-      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
 
     - name: print env
       run: ./ci/printenv.sh
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14
+      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f
       with:
         languages: python
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14
+      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index c492a2a03..1e8486bd7 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -24,7 +24,7 @@ jobs:
     timeout-minutes: 5
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -34,7 +34,7 @@ jobs:
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
           security.ubuntu.com:80
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2613a30a8..ea9890b5e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -62,7 +62,7 @@ jobs:
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
@@ -103,7 +103,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -111,7 +111,7 @@ jobs:
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
@@ -143,7 +143,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -151,7 +151,7 @@ jobs:
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
@@ -183,7 +183,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -194,7 +194,7 @@ jobs:
           ppa.launchpadcontent.net:443
           www.debian.org:443
           www.debian.org:80
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
@@ -225,7 +225,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -240,7 +240,7 @@ jobs:
           www.debian.org:443
           www.debian.org:80
           yahoo.com:1025
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
     - name: update package information
       run: sudo apt-get update -qy
     - name: install dependencies
diff --git a/Makefile b/Makefile
index 158a3c222..d93f28b22 100644
--- a/Makefile
+++ b/Makefile
@@ -2,12 +2,19 @@
 ROOT = .
 -include config.mk
 
-# Default programs
+# Default programs (in configure.ac).
 CC ?= cc
 CODESPELL ?= codespell
 CPPCHECK ?= cppcheck
 GAWK ?= gawk
+GZIP ?= gzip
 SCAN_BUILD ?= scan-build
+STRIP ?= strip
+TAR ?= tar
+
+# Default programs (not in configure.ac).
+INSTALL ?= install
+RM ?= rm -f
 
 ifneq ($(HAVE_MAN),no)
 MAN_TARGET = man
@@ -69,6 +76,10 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
         $(MAKE) -C $@
 
+.PHONY: strip
+strip: all
+        $(STRIP) $(ALL_ITEMS)
+
 .PHONY: filters
 filters: $(SECCOMP_FILTERS)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
@@ -179,121 +190,119 @@ clean:
         done
         $(MAKE) -C src/man clean
         $(MAKE) -C test clean
-        rm -f $(SECCOMP_FILTERS)
-        rm -f $(SYNTAX_FILES)
-        rm -fr ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz
-        rm -f ./$(TARNAME)*.deb
-        rm -f ./$(TARNAME)*.rpm
+        $(RM) $(SECCOMP_FILTERS)
+        $(RM) $(SYNTAX_FILES)
+        $(RM) -r ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz
+        $(RM) ./$(TARNAME)*.deb
+        $(RM) ./$(TARNAME)*.rpm
 
 .PHONY: distclean
 distclean: clean
-        rm -fr autom4te.cache config.log config.mk config.sh config.status
+        $(RM) -r autom4te.cache config.log config.mk config.sh config.status
 
-.PHONY: realinstall
-realinstall: config.mk
+.PHONY: install
+install: all config.mk
         # firejail executable
-        install -m 0755 -d $(DESTDIR)$(bindir)
-        install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firejail/firejail
 ifeq ($(HAVE_SUID),-DHAVE_SUID)
         chmod u+s $(DESTDIR)$(bindir)/firejail
 endif
         # firemon executable
-        install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firemon/firemon
         # firecfg executable
-        install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firecfg/firecfg
         # jailcheck executable
-        install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/jailcheck/jailcheck
         # libraries and plugins
-        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
-        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(libdir)/firejail
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup
         # plugins w/o read permission (non-dumpable)
-        install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
-        install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
-        install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
+        $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+        $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         # contrib scripts
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
         # vim syntax
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
-        install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
-        install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect contrib/vim/ftdetect/firejail.vim
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax contrib/syntax/files/firejail.vim
         # gtksourceview language-specs
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
-        install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs contrib/syntax/files/firejail-profile.lang
 endif
         # documents
-        install -m 0755 -d $(DESTDIR)$(docdir)
-        install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(docdir)
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
         # profiles and settings
-        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
-        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
+        sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \
+                $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \
+        fi"
 ifeq ($(HAVE_IDS),-DHAVE_IDS)
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
 endif
 ifeq ($(BUSYBOX_WORKAROUND),yes)
         ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif
 ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
         # install apparmor profile
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
-        install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/firejail-default
         # install apparmor profile customization file
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/local
+        sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default ]; then \
+                $(INSTALL) -m 0644 etc/apparmor/firejail-local $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default; \
+        fi"
         # install apparmor base abstraction drop-in
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
-        install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d etc/apparmor/firejail-base
 endif
 ifneq ($(HAVE_MAN),no)
         # man pages
-        install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
-        install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/
-        install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man1
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man1 $(MANPAGES1_GZ)
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man5
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man5 $(MANPAGES5_GZ)
 endif
         # bash completion
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
-        install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
-        install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
-        install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
+        $(INSTALL) -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        $(INSTALL) -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        $(INSTALL) -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
         # zsh completion
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
-        install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
-
-.PHONY: install
-install: all
-        $(MAKE) realinstall
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/zsh/site-functions src/zsh_completion/_firejail
 
 .PHONY: install-strip
-install-strip: all
-        strip $(ALL_ITEMS)
-        $(MAKE) realinstall
+install-strip: strip install
 
 .PHONY: uninstall
 uninstall: config.mk
-        rm -f $(DESTDIR)$(bindir)/firejail
-        rm -f $(DESTDIR)$(bindir)/firemon
-        rm -f $(DESTDIR)$(bindir)/firecfg
-        rm -f $(DESTDIR)$(bindir)/jailcheck
-        rm -fr $(DESTDIR)$(libdir)/firejail
-        rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
-        rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
-        rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
-        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
-        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
-        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
-        rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
-        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
-        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
-        rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
+        $(RM) $(DESTDIR)$(bindir)/firejail
+        $(RM) $(DESTDIR)$(bindir)/firemon
+        $(RM) $(DESTDIR)$(bindir)/firecfg
+        $(RM) $(DESTDIR)$(bindir)/jailcheck
+        $(RM) -r $(DESTDIR)$(libdir)/firejail
+        $(RM) -r $(DESTDIR)$(datarootdir)/doc/firejail
+        $(RM) $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
+        $(RM) $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
+        $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        $(RM) $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
+        $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
+        $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
+        $(RM) $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
 # Note: Keep this list in sync with `paths` in .github/workflows/build.yml.
@@ -338,9 +347,9 @@ dist: clean config.mk
         mkdir -p $(TARNAME)-$(VERSION)/test
         cp -a $(DISTFILES) $(TARNAME)-$(VERSION)
         cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test
-        rm -rf $(TARNAME)-$(VERSION)/src/tools
-        tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
-        rm -fr $(TARNAME)-$(VERSION)
+        $(RM) -r $(TARNAME)-$(VERSION)/src/tools
+        $(TAR) -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
+        $(RM) -r $(TARNAME)-$(VERSION)
 
 .PHONY: asc
 asc: config.sh
@@ -363,13 +372,13 @@ extras: all
         $(MAKE) -C extras/firetools
 
 .PHONY: cppcheck
-cppcheck: clean
+cppcheck:
         $(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance \
           -i src/firejail/checkcfg.c -i src/firejail/main.c .
 
 # For cppcheck 1.x; see .github/workflows/check-c.yml
 .PHONY: cppcheck-old
-cppcheck-old: clean
+cppcheck-old:
         $(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance .
 
 .PHONY: scan-build
diff --git a/RELNOTES b/RELNOTES
index 19f54ebc9..2e1fbf0b5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -40,6 +40,8 @@ firejail (0.9.73) baseline; urgency=low
     (#5965 #5976)
   * bugfix: firejail --ls reports wrong file sizes for large files (#5982
     #6086)
+  * bugfix: fix various resource leaks (#6367)
+  * bugfix: profstats: fix restrict-namespaces max count (#6369)
   * build: auto-generate syntax files (#5627)
   * build: mark all phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -70,7 +72,11 @@ firejail (0.9.73) baseline; urgency=low
   * build: reduce hardcoding and inconsistencies (#6230)
   * build: sort.py: filter empty and duplicate items (#6261)
   * build: fix "warning: "_FORTIFY_SOURCE" redefined" (#6282 #6283)
-  * build: sort.py: add and require -i to edit in-place (#6290)
+  * build: sort.py: add -i/-n/-- options (#6290 #6339)
+  * build: add strip target and simplify install targets (#6342)
+  * build: remove clean dependency from cppcheck targets (#6343)
+  * build: allow overriding common tools (#6354)
+  * build: standardize install commands (#6366)
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
@@ -85,6 +91,7 @@ firejail (0.9.73) baseline; urgency=low
   * ci: allow running workflows manually (#6026)
   * ci: re-enable sort.py (#6104)
   * ci: add timeout limits (#6178)
+  * ci: make dependabot updates monthly and bump PR limit (#6338)
   * contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057
     #6059)
   * contrib/vim: match profile files more broadly (#5850)
@@ -95,6 +102,8 @@ firejail (0.9.73) baseline; urgency=low
   * docs: fix typos (#5693)
   * docs: markdown formatting and misc improvements (#5757)
   * docs: add uninstall instructions to README.md (#5812)
+  * docs: add precedence info to manpage & fix noblacklist example (#6358
+    #6359)
   * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
   * profiles: qutebrowser: fix links not opening in the existing instance
@@ -119,6 +128,8 @@ firejail (0.9.73) baseline; urgency=low
   * profiles: add allow-php.inc to profile.template (#6299)
   * profiles: clarify and add opengl-game to profile.template (#6300)
   * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
+  * profiles: libreoffice: support signing documents with GPG (#6352 #6353)
+  * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
   * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
  -- netblue30 <netblue30@yahoo.com>  Mon, 17 Jan 2023 09:00:00 -0500
 
diff --git a/config.mk.in b/config.mk.in
index a7f66fbb5..812573a14 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -78,7 +78,10 @@ CC=@CC@
 CODESPELL=@CODESPELL@
 CPPCHECK=@CPPCHECK@
 GAWK=@GAWK@
+GZIP=@GZIP@
 SCAN_BUILD=@SCAN_BUILD@
+STRIP=@STRIP@
+TAR=@TAR@
 
 CFLAGS=@CFLAGS@
 CPPFLAGS=@CPPFLAGS@
diff --git a/configure b/configure
index 348c02cbb..00c1a89bf 100755
--- a/configure
+++ b/configure
@@ -682,7 +682,10 @@ PKG_CONFIG
 HAVE_APPARMOR
 HAVE_IDS
 DEPS_CFLAGS
+TAR
+STRIP
 SCAN_BUILD
+GZIP
 GAWK
 CPPCHECK
 CODESPELL
@@ -3414,6 +3417,53 @@ fi
   test -n "$GAWK" && break
 done
 
+for ac_prog in gzip
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_prog_GZIP+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -n "$GZIP"; then
+  ac_cv_prog_GZIP="$GZIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  case $as_dir in #(((
+    '') as_dir=./ ;;
+    */) ;;
+    *) as_dir=$as_dir/ ;;
+  esac
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+    ac_cv_prog_GZIP="$ac_prog"
+    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+GZIP=$ac_cv_prog_GZIP
+if test -n "$GZIP"; then
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GZIP" >&5
+printf "%s\n" "$GZIP" >&6; }
+else
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+  test -n "$GZIP" && break
+done
+
 for ac_prog in scan-build
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
@@ -3461,6 +3511,100 @@ fi
   test -n "$SCAN_BUILD" && break
 done
 
+for ac_prog in strip
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_prog_STRIP+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  case $as_dir in #(((
+    '') as_dir=./ ;;
+    */) ;;
+    *) as_dir=$as_dir/ ;;
+  esac
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+    ac_cv_prog_STRIP="$ac_prog"
+    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5
+printf "%s\n" "$STRIP" >&6; }
+else
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+  test -n "$STRIP" && break
+done
+
+for ac_prog in tar
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_prog_TAR+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -n "$TAR"; then
+  ac_cv_prog_TAR="$TAR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  case $as_dir in #(((
+    '') as_dir=./ ;;
+    */) ;;
+    *) as_dir=$as_dir/ ;;
+  esac
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+    ac_cv_prog_TAR="$ac_prog"
+    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+TAR=$ac_cv_prog_TAR
+if test -n "$TAR"; then
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $TAR" >&5
+printf "%s\n" "$TAR" >&6; }
+else
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+  test -n "$TAR" && break
+done
+
 
 DEPS_CFLAGS=""
 
diff --git a/configure.ac b/configure.ac
index 73bd334f8..3701b7b4c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,10 @@ AC_PROG_CC
 AC_CHECK_PROGS([CODESPELL], [codespell])
 AC_CHECK_PROGS([CPPCHECK], [cppcheck])
 AC_CHECK_PROGS([GAWK], [gawk])
+AC_CHECK_PROGS([GZIP], [gzip])
 AC_CHECK_PROGS([SCAN_BUILD], [scan-build])
+AC_CHECK_PROGS([STRIP], [strip])
+AC_CHECK_PROGS([TAR], [tar])
 
 DEPS_CFLAGS=""
 AC_SUBST([DEPS_CFLAGS])
diff --git a/contrib/sort.py b/contrib/sort.py
index b65d87ab7..d6e601ff8 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -11,7 +11,7 @@ from sys import argv, exit as sys_exit, stderr
 __doc__ = f"""\
 Sort the arguments of commands in profiles.
 
-Usage: {path.basename(argv[0])} [-i] [/path/to/profile ...]
+Usage: {path.basename(argv[0])} [-i] [-n] [--] [/path/to/profile ...]
 
 The following commands are supported:
 
@@ -21,13 +21,15 @@ The following commands are supported:
 Note that this is only applicable to commands that support multiple arguments.
 
 Options:
-    -i  Edit the profile file(s) in-place.
+    -i  Edit the profile file(s) in-place (this is the default).
+    -n  Do not edit the profile file(s) in-place.
+    --  End of options
 
 Examples:
-    $ {argv[0]} -i MyAwesomeProfile.profile
-    $ {argv[0]} -i new_profile.profile second_new_profile.profile
-    $ {argv[0]} -i ~/.config/firejail/*.{{profile,inc,local}}
-    $ sudo {argv[0]} -i /etc/firejail/*.{{profile,inc,local}}
+    $ {argv[0]} MyAwesomeProfile.profile
+    $ {argv[0]} new_profile.profile second_new_profile.profile
+    $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}}
+    $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}}
 
 Exit Codes:
   0: Success: No profiles needed fixing.
@@ -101,10 +103,22 @@ def check_profile(filename, overwrite):
 
 
 def main(args):
-    overwrite = False
-    if len(args) > 0 and args[0] == "-i":
-        overwrite = True
-        args.pop(0)
+    overwrite = True
+    while len(args) > 0:
+        if args[0] == "-i":
+            overwrite = True
+            args.pop(0)
+        elif args[0] == "-n":
+            overwrite = False
+            args.pop(0)
+        elif args[0] == "--":
+            args.pop(0)
+            break
+        elif args[0][0] == "-":
+            print(f"[ Error ] Unknown option: {args[0]}", file=stderr)
+            return 2
+        else:
+            break
 
     if len(args) < 1:
         print(__doc__, file=stderr)
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 55aabbc73..14f7d8cf7 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
 blacklist ${RUNUSER}/gnome-shell
 blacklist ${RUNUSER}/gsconnect
 
+# i3 IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/i3/ipc-socket.*
+blacklist /tmp/i3-*/ipc-socket.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 1f373279c..6e624a1ea 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -100,6 +100,7 @@ blacklist ${HOME}/.cache/cantata
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/claws-mail
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.cache/darktable
@@ -140,6 +141,7 @@ blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/hashcat
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
@@ -189,6 +191,7 @@ blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/nhex
 blacklist ${HOME}/.cache/nvim
 blacklist ${HOME}/.cache/ocenaudio
 blacklist ${HOME}/.cache/okular
@@ -258,6 +261,7 @@ blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/1Password
 blacklist ${HOME}/.config/2048-qt
+blacklist ${HOME}/.config/ArmCord
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Authenticator
@@ -936,6 +940,7 @@ blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/nomacs
 blacklist ${HOME}/.local/share/data/qBittorrent
+blacklist ${HOME}/.local/share/dev.nhex
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/dolphin-emu
@@ -971,6 +976,7 @@ blacklist ${HOME}/.local/share/gnote
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/hashcat
 blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
 blacklist ${HOME}/.local/share/jami
@@ -1248,11 +1254,13 @@ blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
+blacklist ${RUNUSER}/i3
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
diff --git a/etc/profile-a-l/armcord.profile b/etc/profile-a-l/armcord.profile
new file mode 100644
index 000000000..470e0dee0
--- /dev/null
+++ b/etc/profile-a-l/armcord.profile
@@ -0,0 +1,40 @@
+# Firejail profile for armcord
+# Description: Standalone Discord client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include armcord.local
+# Persistent global definitions
+include globals.local
+
+# Modules might depend on nodejs.
+# Add the below lines to your armcord.local if you need this.
+# Allow node (disabled by disable-interpreters.inc)
+#include allow-nodejs.inc
+#private-bin node
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+noblacklist ${HOME}/.config/ArmCord
+
+mkdir ${HOME}/.config/ArmCord
+whitelist ${HOME}/.config/ArmCord
+whitelist /opt/armcord
+whitelist /usr/share/armcord
+
+ignore novideo
+private-bin armcord
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
+ignore dbus-user none
+
+join-or-start armcord
+
+# Redirect
+include electron-common.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 53db480a4..2d2f0e48d 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -6,9 +6,17 @@ include claws-mail.local
 # Persistent global definitions
 include globals.local
 
+# Note: If you use things like claws-mail's "fancy" (html rendering) plugin and
+# the X11 window freezes, 'no3d' is likely the cause.  In which case, try
+# adding the following line to claws-mail.local:
+#ignore no3d
+
+noblacklist ${HOME}/.cache/claws-mail
 noblacklist ${HOME}/.claws-mail
 
+mkdir ${HOME}/.cache/claws-mail
 mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.cache/claws-mail
 whitelist ${HOME}/.claws-mail
 
 # Add the below lines to your claws-mail.local if you use python-based plugins.
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 544756877..603ea4e2f 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -35,7 +35,7 @@ dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 
 # Redirect
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index cffa85fd5..42971ecae 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -10,7 +10,6 @@ include email-common.local
 noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.bsfilter
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
@@ -31,6 +30,12 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
@@ -38,7 +43,6 @@ whitelist ${HOME}/.bogofilter
 whitelist ${HOME}/.bsfilter
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.signature
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
@@ -48,7 +52,7 @@ whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
-whitelist /var/lib/clamav 
+whitelist /var/lib/clamav
 whitelist /var/mail
 whitelist /var/spool/mail
 include whitelist-common.inc
@@ -90,6 +94,7 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.*
 dbus-user.talk org.gnome.seahorse.*
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile
index 63fe28f2f..e1b13edad 100644
--- a/etc/profile-a-l/fluffychat.profile
+++ b/etc/profile-a-l/fluffychat.profile
@@ -64,7 +64,7 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system filter
 dbus-system.talk org.freedesktop.NetworkManager
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index da240c36a..1303922c8 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -14,9 +14,9 @@ noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/evolution
 noblacklist ${HOME}/.local/share/geary
 noblacklist ${HOME}/.local/share/pki
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.pki
 
+# sh is needed to allow Firefox to open links
 include allow-bin-sh.inc
 
 include disable-common.inc
@@ -27,6 +27,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.cache/evolution
 mkdir ${HOME}/.cache/folks
 mkdir ${HOME}/.cache/geary
@@ -43,7 +49,6 @@ whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/evolution
 whitelist ${HOME}/.local/share/geary
 whitelist ${HOME}/.local/share/pki
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.pki
 whitelist /usr/share/geary
 include whitelist-common.inc
@@ -88,6 +93,7 @@ dbus-user.talk org.gnome.OnlineAccounts
 dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
 dbus-user.talk org.gnome.evolution.dataserver.Sources5
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 
diff --git a/etc/profile-a-l/gtk-youtube-viewers-common.profile b/etc/profile-a-l/gtk-youtube-viewers-common.profile
index 049448a23..b27a4fa35 100644
--- a/etc/profile-a-l/gtk-youtube-viewers-common.profile
+++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile
@@ -18,5 +18,5 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 private-bin firefox,xterm
 
 dbus-user filter
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index e5b0a06af..b4e0d53f3 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -9,7 +9,9 @@ include globals.local
 
 blacklist ${RUNUSER}/wayland-*
 
+noblacklist ${HOME}/.cache/hashcat
 noblacklist ${HOME}/.hashcat
+noblacklist ${HOME}/.local/share/hashcat
 noblacklist /usr/include
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index def7bf25f..82c83f970 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/hexchat
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -18,17 +21,24 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/hexchat
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -39,20 +49,27 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 tracelog
 
 disable-mnt
-# debug note: private-bin requires perl, python, etc on some systems
+# If you need Lua and/or Perl support, add the relevant binaries from
+# allow-lua.inc/allow-perl.inc to private-bin in your hexchat.local.
 private-bin hexchat,python*,sh
 private-dev
 #private-lib # python problems
 private-tmp
 
+dbus-user filter
+dbus-user.own org.hexchat.service
+dbus-system none
+
 #memory-deny-write-execute # breaks python
 restrict-namespaces
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index 2268072ef..412e31762 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
+noblacklist ${RUNUSER}/i3
+noblacklist ${RUNUSER}/i3/ipc-socket.*
+noblacklist /tmp/i3-*
+noblacklist /tmp/i3-*/ipc-socket.*
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 1f8757edb..79b286e58 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/kube
 noblacklist ${HOME}/.local/share/sink
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -78,7 +81,7 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 
diff --git a/etc/profile-a-l/lettura.profile b/etc/profile-a-l/lettura.profile
index 94a455355..32f0909fb 100644
--- a/etc/profile-a-l/lettura.profile
+++ b/etc/profile-a-l/lettura.profile
@@ -11,6 +11,9 @@ noblacklist ${HOME}/.config/com.lettura.dev
 noblacklist ${HOME}/.lettura
 noblacklist ${HOME}/.local/share/com.lettura.dev
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -69,7 +72,7 @@ private-tmp
 dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index d7144d8c3..f9e018a33 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -9,6 +9,16 @@ include globals.local
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 
+# libreoffice can sign documents with GPG
+noblacklist ${HOME}/.gnupg
+read-only ${HOME}/.gnupg/trustdb.gpg
+read-only ${HOME}/.gnupg/pubring.kbx
+blacklist ${HOME}/.gnupg/crls.d
+blacklist ${HOME}/.gnupg/openpgp-revocs.d
+blacklist ${HOME}/.gnupg/private-keys-v1.d
+blacklist ${HOME}/.gnupg/pubring.kbx~
+blacklist ${HOME}/.gnupg/random_seed
+
 # libreoffice uses java for some functionality.
 # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
 # Allow java (blacklisted by disable-devel.inc)
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index e900c0914..278797fb3 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -7,15 +7,20 @@ include linuxqq.local
 include globals.local
 
 noblacklist ${HOME}/.config/QQ
-noblacklist ${HOME}/.mozilla
 
+# sh is needed to allow Firefox to open links
 include allow-bin-sh.inc
 
 include disable-shell.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.config/QQ
 whitelist ${HOME}/.config/QQ
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${DESKTOP}
 whitelist /opt/QQ
 
@@ -34,6 +39,7 @@ dbus-user.talk org.freedesktop.portal.IBus
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
diff --git a/etc/profile-a-l/loupe.profile b/etc/profile-a-l/loupe.profile
index 5d39341f5..9406053fd 100644
--- a/etc/profile-a-l/loupe.profile
+++ b/etc/profile-a-l/loupe.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
-#include disable-common.inc
+noblacklist ${PATH}/bwrap
+
+include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
@@ -22,7 +24,7 @@ include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 machine-id
@@ -44,7 +46,13 @@ protocol unix,netlink
 seccomp.block-secondary
 tracelog
 
+private-bin bwrap,loupe
 private-cache
 private-dev
 private-etc @x11
 private-tmp
+
+dbus-user none
+dbus-system none
+
+#read-only ${HOME} # breaks "Move to trash" and "Set as background"
diff --git a/etc/profile-m-z/nhex.profile b/etc/profile-m-z/nhex.profile
new file mode 100644
index 000000000..184e41a9a
--- /dev/null
+++ b/etc/profile-m-z/nhex.profile
@@ -0,0 +1,62 @@
+# Firejail profile for nhex
+# Description: Tauri-based IRC client inspired by HexChat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nhex.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/nhex
+noblacklist ${HOME}/.local/share/dev.nhex
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/nhex
+mkdir ${HOME}/.local/share/dev.nhex
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/nhex
+whitelist ${HOME}/.local/share/dev.nhex
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin nhex
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
index 7d0e01d98..c2e4999ea 100644
--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -15,6 +15,8 @@
 
 noblacklist /sys/fs
 noblacklist /sys/module
+nowhitelist /sys/module/nvidia*
+ignore read-only /sys/module/nvidia*
 
 allow-debuggers
 allusers
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 8cb4e4173..d1db0ba86 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -5,6 +5,9 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 ignore novideo
 
 ignore noexec /tmp
@@ -25,7 +28,7 @@ private-etc @tls-ca
 dbus-user filter
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 
 ignore dbus-user none
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index e0ced2030..d44da9f71 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -159,7 +159,8 @@ nonewprivs
 noroot
 notv
 nou2f
-# For VR support add 'ignore novideo' to your steam.local.
+# To allow VR and camera-based motion tracking, add 'ignore novideo' to your
+# steam.local.
 novideo
 protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 979971ac2..fda32d038 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -15,7 +15,7 @@ dbus-user filter
 dbus-user.own org.mozilla.thunderbird.*
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Notifications
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 # e2ee email needs writable-run-user
 # https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 5e9e7f127..dc0f5b906 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.abook
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -61,7 +64,7 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 dbus-system none
 
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index f0a0cacaf..6c6de108b 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -40,7 +40,7 @@ dbus-user filter
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
-# allow D-Bus communication with firefox for opening links
+# Allow D-Bus communication with Firefox for opening links
 dbus-user.talk org.mozilla.*
 
 # Redirect
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f957954dd..dbde8e0be 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/yelp
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +19,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
 whitelist /usr/libexec/webkit2gtk-4.0
@@ -59,6 +68,8 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Yelp
 dbus-user.talk ca.desrt.dconf
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 # read-only ${HOME} breaks some features:
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index d576dbefd..f862bfce0 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/Zeal
 noblacklist ${HOME}/.config/Zeal
 noblacklist ${HOME}/.local/share/Zeal
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,8 +22,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-# Allow zeal to open links in Firefox browsers.
-# This also requires dbus-user filtering (see below).
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
@@ -63,8 +67,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services
 private-tmp
 
 dbus-user filter
-dbus-user.talk org.mozilla.*
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 #memory-deny-write-execute # breaks on Arch
diff --git a/src/bash_completion/Makefile b/src/bash_completion/Makefile
index c7ef6afc6..c06323f64 100644
--- a/src/bash_completion/Makefile
+++ b/src/bash_completion/Makefile
@@ -2,14 +2,17 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+GAWK ?= gawk
+RM ?= rm -f
+
 .PHONY: all
 all: firejail.bash_completion
 
 firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk
         $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
         sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
-        rm $@.tmp
+        $(RM) $@.tmp
 
 .PHONY: clean
 clean:
-        rm -fr firejail.bash_completion
+        $(RM) -r firejail.bash_completion
diff --git a/src/fids/main.c b/src/fids/main.c
index 92b6468f3..415694f1e 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
         }
         else {
                 content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-                close(fd);
                 mmapped = 1;
         }
+        close(fd);
 
         unsigned char checksum[KEY_SIZE / 8];
         blake2b(checksum, sizeof(checksum), content, size);
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 1895e437b..8c21757ab 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) {
 
                 if (stat(outname, &sb) == 0) {
                         printf("   %s skipped: file exists\n", filename);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
@@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) {
                 FILE *fpin = fopen(filename, "r");
                 if (!fpin) {
                         fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
@@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) {
                 if (!fpout) {
                         fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
                         fclose(fpin);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8a20d939f..8d0a30521 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -63,6 +63,7 @@ arduino
 aria2c
 ark
 arm
+armcord
 artha
 assogiate
 asunder
@@ -647,6 +648,7 @@ newsflash
 nextcloud
 nextcloud-desktop
 nheko
+nhex
 nicotine
 nitroshare
 nitroshare-cli
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index db130afd3..cbfcc90ed 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) {
 
                 fclose(fp);
         }
+
+        free(fname);
 }
 
 static void write_bandwidth_file(pid_t pid) {
@@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) {
                         ptr = ptr->next;
                 }
                 fclose(fp);
+                free(fname);
         }
         else
                 goto errout;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index cdad5e220..abef85515 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) {
 
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        { // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-                profile_add("blacklist /sys/fs");
+
+        // Soft-block some paths in /sys/ (can be undone in profiles).
+        profile_add("blacklist /sys/fs");
+
+        // Hardware acceleration with the nvidia proprietary driver may fail
+        // without access to these paths (see #6372).
+        if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+                profile_add("whitelist /sys/module/nvidia*");
+                profile_add("read-only /sys/module/nvidia*");
+        }
+        else {
                 profile_add("blacklist /sys/module");
         }
+
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
         disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index fa88bbe12..e8e486f12 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -52,7 +52,8 @@ typedef struct {
 
 static DevEntry dev[] = {
         {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND},    // sound device
-        {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D},               // 3d device
+        {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D},               // 3d devices
+        {"/dev/kfd", RUN_DEV_DIR "/kfd", DEV_3D},
         {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D},
         {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D},
         {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D},
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 7c3f3835b..9d9832c15 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -67,8 +67,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
@@ -91,8 +93,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
@@ -115,8 +119,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 40bbe6d02..0759a205d 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -42,6 +42,7 @@ static void ids_init(void) {
         if (dup(fd) != STDOUT_FILENO)
                 errExit("dup");
         close(fd);
+        free(fname);
 
         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
 }
@@ -63,6 +64,7 @@ static void ids_check(void) {
         if (dup(fd) != STDIN_FILENO)
                 errExit("dup");
         close(fd);
+        free(fname);
 
         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
 }
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
index 3ac1bddae..2b3512320 100644
--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -139,7 +139,7 @@ static void _ll_fs(const char *allowed_path, const __u64 allowed_access,
         target.parent_fd = allowed_fd;
         target.allowed_access = allowed_access;
         int error = landlock_add_rule(ll_ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
-                                  &target, 0);
+                                      &target, 0);
         if (error) {
                 fprintf(stderr, "Error: %s: failed to add Landlock rule "
                                 "(abi=%d fs=%llx) for %s: %s\n",
@@ -170,7 +170,6 @@ static void ll_fs(const char *allowed_path, const __u64 allowed_access,
                 return;
         }
 
-
         expanded_path = expand_macros(allowed_path);
         _ll_fs(expanded_path, allowed_access, caller);
         free(expanded_path);
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index cb078b580..4bd0ba459 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {
         // mode and ownership
         SET_PERMS_STREAM(fp, 0, 0, 0644);
         fclose(fp);
+        free(fname);
 }
 
 
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {
         // mode and ownership
         SET_PERMS_STREAM(fp, 0, 0, 0644);
         fclose(fp);
+        free(fname);
 }
 
 void set_profile_run_file(pid_t pid, const char *fname) {
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 323133f8d..5d7c244b1 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {
                 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
                 exit(1);
         }
+        free(name);
 
         // join the namespace
         EUID_ROOT();
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 39dc38ec9..e70174b1e 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) {
         struct stat s;
         if (stat(name, &s) == -1) {
                 // the sandbox doesn't have a --net= option, don't print
+                free(name);
                 if (cmd)
                         free(cmd);
                 return;
         }
+        free(name);
 
         // pid
         char pidstr[11];
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
index 50c51839b..5fbcb5a15 100644
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -80,10 +80,13 @@ void access_setup(const char *directory) {
         FILE *fp = fopen(test_file, "w");
         if (!fp) {
                 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                free(test_file);
+                free(path);
                 return;
         }
         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
         fclose(fp);
+        free(path);
         int rv = chown(test_file, user_uid, user_gid);
         if (rv)
                 errExit("chown");
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 37234c648..e5657135d 100644
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -55,6 +55,7 @@ void noexec_setup(void) {
                         execfile_len = s.st_size;
                         close(fd);
                 }
+                free(self);
         }
 }
 
@@ -110,4 +111,5 @@ void noexec_test(const char *path) {
         wait(&status);
         int rv = unlink(fname);
         (void) rv;
+        free(fname);
 }
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c
index d4bfd1923..348efc784 100644
--- a/src/jailcheck/virtual.c
+++ b/src/jailcheck/virtual.c
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {
         FILE *fp = fopen(test_file, "w");
         if (!fp) {
                 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                free(test_file);
                 return;
         }
         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
diff --git a/src/man/Makefile b/src/man/Makefile
index 1c1fd49a5..767920e2b 100644
--- a/src/man/Makefile
+++ b/src/man/Makefile
@@ -2,6 +2,10 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+GAWK ?= gawk
+GZIP ?= gzip
+RM ?= rm -f
+
 MOD_DIR := $(ROOT)/src/man
 MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in))
 MANPAGES_GZ := $(MANPAGES_IN:.in=.gz)
@@ -19,8 +23,8 @@ $(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk
 # foo.1.gz: foo.1
 $(MOD_DIR)/%.gz: $(MOD_DIR)/%
         @printf 'Generating %s from %s\n' $@ $<
-        @rm -f $@
-        @gzip -n9 $<
+        @$(RM) $@
+        @$(GZIP) -n9 $<
 
 .PHONY: clean
-clean:; rm -f *.1 *.5 *.gz
+clean:; $(RM) *.1 *.5 *.gz
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 87bd6fcc2..fa2329d67 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -95,7 +95,12 @@ $ firejail [OPTIONS]                # starting the program specified in $SHELL,
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
 # sudo firejail [OPTIONS] /etc/init.d/nginx start
-
+.PP
+When an option is specified multiple times (whether in a profile, on the
+command line, or both) or conflicts with a related option, the
+precedence/behavior is option-specific and usually documented in the
+\fBOPTIONS\fR section below. Note that an option specified in a profile can
+generally be disabled on the command line using \fB--ignore\fR.
 .SH OPTIONS
 .TP
 \fB\-\-
@@ -1729,6 +1734,16 @@ See --keep-config-pulse.
 Disable blacklist for this directory or file.
 .br
 
+Note that blacklist entries containing ${PATH} can not currently be partially
+disabled for individual expanded paths. Only the whole unexpanded path
+including ${PATH} can be disabled, which then applies to all expansions.
+This limitation does not apply to expansions of other variables or wildcards.
+For details, see
+.UR https://github.com/netblue30/firejail/issues/6360
+#6360
+.UE
+.br
+
 .br
 Example:
 .br
@@ -1744,6 +1759,14 @@ $ exit
 .br
 $ firejail --noblacklist=/bin/nc
 .br
+bash: /bin/nc: Permission denied
+.br
+$ exit
+.br
+
+.br
+$ firejail --noblacklist='${PATH}/nc'
+.br
 $ nc dict.org 2628
 .br
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
diff --git a/src/profstats/main.c b/src/profstats/main.c
index ad27bfe79..10eee3c4b 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -344,7 +344,7 @@ int main(int argc, char **argv) {
                 if (cnt_seccomp > (seccomp + 1))
                         cnt_seccomp = seccomp + 1;
                 if (cnt_restrict_namespaces > (restrict_namespaces + 1))
-                        cnt_seccomp = restrict_namespaces + 1;
+                        cnt_restrict_namespaces = restrict_namespaces + 1;
                 if (cnt_dbus_user_none > (dbususernone + 1))
                         cnt_dbus_user_none = dbususernone + 1;
                 if (cnt_dbus_user_filter > (dbususerfilter + 1))
diff --git a/src/prog.mk b/src/prog.mk
index a639e87fc..3e89a6ba8 100644
--- a/src/prog.mk
+++ b/src/prog.mk
@@ -5,6 +5,9 @@
 # The includer should probably define PROG and TARGET and may also want to
 # define EXTRA_OBJS and extend CLEANFILES.
 
+CC ?= cc
+RM ?= rm -f
+
 HDRS :=
 SRCS := $(sort $(wildcard $(MOD_DIR)/*.c))
 OBJS := $(SRCS:.c=.o)
@@ -25,4 +28,4 @@ $(PROG): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk
         $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) $(LIBS)
 
 .PHONY: clean
-clean:; rm -fr $(PROG) $(CLEANFILES)
+clean:; $(RM) -r $(PROG) $(CLEANFILES)
diff --git a/src/so.mk b/src/so.mk
index ac76ffc30..63a0da7ce 100644
--- a/src/so.mk
+++ b/src/so.mk
@@ -5,6 +5,9 @@
 # The includer should probably define SO and TARGET and may also want to define
 # EXTRA_OBJS and extend CLEANFILES.
 
+CC ?= cc
+RM ?= rm -f
+
 HDRS :=
 SRCS := $(sort $(wildcard $(MOD_DIR)/*.c))
 OBJS := $(SRCS:.c=.o)
@@ -25,4 +28,4 @@ $(SO): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk
         $(CC) $(SO_LDFLAGS) -shared $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) -ldl
 
 .PHONY: clean
-clean:; rm -fr $(SO) $(CLEANFILES)
+clean:; $(RM) -r $(SO) $(CLEANFILES)
diff --git a/src/zsh_completion/Makefile b/src/zsh_completion/Makefile
index e964d39ec..cbc476a73 100644
--- a/src/zsh_completion/Makefile
+++ b/src/zsh_completion/Makefile
@@ -2,14 +2,17 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+GAWK ?= gawk
+RM ?= rm -f
+
 .PHONY: all
 all: _firejail
 
 _firejail: _firejail.in $(ROOT)/config.mk
         $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
         sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
-        rm $@.tmp
+        $(RM) $@.tmp
 
 .PHONY: clean
 clean:
-        rm -fr _firejail
+        $(RM) -r _firejail
diff --git a/test/Makefile b/test/Makefile
index 52fada86c..89855d082 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -2,6 +2,8 @@
 ROOT = ..
 -include $(ROOT)/config.mk
 
+RM ?= rm -f
+
 TESTS=$(patsubst %/,%,$(wildcard */))
 
 .PHONY: $(TESTS)
@@ -11,14 +13,14 @@ $(TESTS):
 
 .PHONY: clean
 clean:
-        for test in $(TESTS); do rm -f "$$test/$$test.log"; done
-        rm -fr environment/-testdir
-        rm -f environment/index.html*
-        rm -f environment/logfile*
-        rm -f environment/wget-log*
-        rm -f sysutils/firejail_t*
-        rm -f utils/firejail-test-file*
-        rm -f utils/index.html*
-        rm -f utils/lstesting
-        rm -f utils/wget-log
+        for test in $(TESTS); do $(RM) "$$test/$$test.log"; done
+        $(RM) -r environment/-testdir
+        $(RM) environment/index.html*
+        $(RM) environment/logfile*
+        $(RM) environment/wget-log*
+        $(RM) sysutils/firejail_t*
+        $(RM) utils/firejail-test-file*
+        $(RM) utils/index.html*
+        $(RM) utils/lstesting
+        $(RM) utils/wget-log
         cd compile && (./compile.sh --clean || true)