44 files changed, 438 insertions, 119 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index fc74640d4..37056a1ce 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -22,7 +22,7 @@ _Describe the bug_
 
 _Steps to reproduce the behavior_
 
-1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent
+1. Run in bash `LC_ALL=C firejail /path/to/program` (`LC_ALL=C` to get a consistent
    output in English that can be understood by everybody)
 2. Click on '....'
 3. Scroll down to '....'
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index f390e87d1..72ba685b5 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -44,7 +44,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d53044cad..b4ae7a2e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 2a479c546..c41c67798 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -46,7 +46,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -79,7 +79,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -109,7 +109,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -143,7 +143,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         disable-sudo: true
         egress-policy: block
@@ -161,7 +161,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6
+      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f
       with:
         languages: cpp
 
@@ -172,4 +172,4 @@ jobs:
       run: make -j "$(nproc)"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6
+      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 5bff9328e..a7974a994 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -33,7 +33,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         disable-sudo: true
         egress-policy: block
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 73b7d9c67..0bb67e05e 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -31,7 +31,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         disable-sudo: true
         egress-policy: block
@@ -51,9 +51,9 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6
+      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f
       with:
         languages: python
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6
+      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index fe88dc5a9..1e8486bd7 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -24,7 +24,7 @@ jobs:
     timeout-minutes: 5
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 12e8d2dac..ea9890b5e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -143,7 +143,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -183,7 +183,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -225,7 +225,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/Makefile b/Makefile
index 12d0d57a5..d93f28b22 100644
--- a/Makefile
+++ b/Makefile
@@ -2,12 +2,19 @@
 ROOT = .
 -include config.mk
 
-# Default programs
+# Default programs (in configure.ac).
 CC ?= cc
 CODESPELL ?= codespell
 CPPCHECK ?= cppcheck
 GAWK ?= gawk
+GZIP ?= gzip
 SCAN_BUILD ?= scan-build
+STRIP ?= strip
+TAR ?= tar
+
+# Default programs (not in configure.ac).
+INSTALL ?= install
+RM ?= rm -f
 
 ifneq ($(HAVE_MAN),no)
 MAN_TARGET = man
@@ -71,7 +78,7 @@ $(MYDIRS):
 
 .PHONY: strip
 strip: all
-        strip $(ALL_ITEMS)
+        $(STRIP) $(ALL_ITEMS)
 
 .PHONY: filters
 filters: $(SECCOMP_FILTERS)
@@ -183,115 +190,119 @@ clean:
         done
         $(MAKE) -C src/man clean
         $(MAKE) -C test clean
-        rm -f $(SECCOMP_FILTERS)
-        rm -f $(SYNTAX_FILES)
-        rm -fr ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz
-        rm -f ./$(TARNAME)*.deb
-        rm -f ./$(TARNAME)*.rpm
+        $(RM) $(SECCOMP_FILTERS)
+        $(RM) $(SYNTAX_FILES)
+        $(RM) -r ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz
+        $(RM) ./$(TARNAME)*.deb
+        $(RM) ./$(TARNAME)*.rpm
 
 .PHONY: distclean
 distclean: clean
-        rm -fr autom4te.cache config.log config.mk config.sh config.status
+        $(RM) -r autom4te.cache config.log config.mk config.sh config.status
 
 .PHONY: install
 install: all config.mk
         # firejail executable
-        install -m 0755 -d $(DESTDIR)$(bindir)
-        install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firejail/firejail
 ifeq ($(HAVE_SUID),-DHAVE_SUID)
         chmod u+s $(DESTDIR)$(bindir)/firejail
 endif
         # firemon executable
-        install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firemon/firemon
         # firecfg executable
-        install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firecfg/firecfg
         # jailcheck executable
-        install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/jailcheck/jailcheck
         # libraries and plugins
-        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
-        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(libdir)/firejail
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup
         # plugins w/o read permission (non-dumpable)
-        install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
-        install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
-        install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
+        $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+        $(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         # contrib scripts
-        install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
+        $(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
         # vim syntax
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
-        install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
-        install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect contrib/vim/ftdetect/firejail.vim
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax contrib/syntax/files/firejail.vim
         # gtksourceview language-specs
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
-        install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs contrib/syntax/files/firejail-profile.lang
 endif
         # documents
-        install -m 0755 -d $(DESTDIR)$(docdir)
-        install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(docdir)
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
         # profiles and settings
-        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
-        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
+        sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \
+                $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \
+        fi"
 ifeq ($(HAVE_IDS),-DHAVE_IDS)
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
 endif
 ifeq ($(BUSYBOX_WORKAROUND),yes)
         ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif
 ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
         # install apparmor profile
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
-        install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/firejail-default
         # install apparmor profile customization file
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/local
+        sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default ]; then \
+                $(INSTALL) -m 0644 etc/apparmor/firejail-local $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default; \
+        fi"
         # install apparmor base abstraction drop-in
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
-        install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d etc/apparmor/firejail-base
 endif
 ifneq ($(HAVE_MAN),no)
         # man pages
-        install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
-        install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/
-        install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man1
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man1 $(MANPAGES1_GZ)
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man5
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man5 $(MANPAGES5_GZ)
 endif
         # bash completion
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
-        install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
-        install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
-        install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
+        $(INSTALL) -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        $(INSTALL) -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        $(INSTALL) -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
         # zsh completion
-        install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
-        install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
+        $(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
+        $(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/zsh/site-functions src/zsh_completion/_firejail
 
 .PHONY: install-strip
 install-strip: strip install
 
 .PHONY: uninstall
 uninstall: config.mk
-        rm -f $(DESTDIR)$(bindir)/firejail
-        rm -f $(DESTDIR)$(bindir)/firemon
-        rm -f $(DESTDIR)$(bindir)/firecfg
-        rm -f $(DESTDIR)$(bindir)/jailcheck
-        rm -fr $(DESTDIR)$(libdir)/firejail
-        rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
-        rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
-        rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
-        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
-        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
-        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
-        rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
-        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
-        rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
-        rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
+        $(RM) $(DESTDIR)$(bindir)/firejail
+        $(RM) $(DESTDIR)$(bindir)/firemon
+        $(RM) $(DESTDIR)$(bindir)/firecfg
+        $(RM) $(DESTDIR)$(bindir)/jailcheck
+        $(RM) -r $(DESTDIR)$(libdir)/firejail
+        $(RM) -r $(DESTDIR)$(datarootdir)/doc/firejail
+        $(RM) $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
+        $(RM) $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
+        $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        $(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        $(RM) $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
+        $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
+        $(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
+        $(RM) $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
 # Note: Keep this list in sync with `paths` in .github/workflows/build.yml.
@@ -336,9 +347,9 @@ dist: clean config.mk
         mkdir -p $(TARNAME)-$(VERSION)/test
         cp -a $(DISTFILES) $(TARNAME)-$(VERSION)
         cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test
-        rm -rf $(TARNAME)-$(VERSION)/src/tools
-        tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
-        rm -fr $(TARNAME)-$(VERSION)
+        $(RM) -r $(TARNAME)-$(VERSION)/src/tools
+        $(TAR) -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
+        $(RM) -r $(TARNAME)-$(VERSION)
 
 .PHONY: asc
 asc: config.sh
diff --git a/RELNOTES b/RELNOTES
index 673e8a20d..2e1fbf0b5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -40,6 +40,8 @@ firejail (0.9.73) baseline; urgency=low
     (#5965 #5976)
   * bugfix: firejail --ls reports wrong file sizes for large files (#5982
     #6086)
+  * bugfix: fix various resource leaks (#6367)
+  * bugfix: profstats: fix restrict-namespaces max count (#6369)
   * build: auto-generate syntax files (#5627)
   * build: mark all phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
@@ -73,6 +75,8 @@ firejail (0.9.73) baseline; urgency=low
   * build: sort.py: add -i/-n/-- options (#6290 #6339)
   * build: add strip target and simplify install targets (#6342)
   * build: remove clean dependency from cppcheck targets (#6343)
+  * build: allow overriding common tools (#6354)
+  * build: standardize install commands (#6366)
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
@@ -98,6 +102,8 @@ firejail (0.9.73) baseline; urgency=low
   * docs: fix typos (#5693)
   * docs: markdown formatting and misc improvements (#5757)
   * docs: add uninstall instructions to README.md (#5812)
+  * docs: add precedence info to manpage & fix noblacklist example (#6358
+    #6359)
   * legal: selinux.c: Split Copyright notice & use same license as upstream
     (#5667)
   * profiles: qutebrowser: fix links not opening in the existing instance
@@ -122,6 +128,8 @@ firejail (0.9.73) baseline; urgency=low
   * profiles: add allow-php.inc to profile.template (#6299)
   * profiles: clarify and add opengl-game to profile.template (#6300)
   * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
+  * profiles: libreoffice: support signing documents with GPG (#6352 #6353)
+  * profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
   * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
  -- netblue30 <netblue30@yahoo.com>  Mon, 17 Jan 2023 09:00:00 -0500
 
diff --git a/config.mk.in b/config.mk.in
index a7f66fbb5..812573a14 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -78,7 +78,10 @@ CC=@CC@
 CODESPELL=@CODESPELL@
 CPPCHECK=@CPPCHECK@
 GAWK=@GAWK@
+GZIP=@GZIP@
 SCAN_BUILD=@SCAN_BUILD@
+STRIP=@STRIP@
+TAR=@TAR@
 
 CFLAGS=@CFLAGS@
 CPPFLAGS=@CPPFLAGS@
diff --git a/configure b/configure
index 348c02cbb..00c1a89bf 100755
--- a/configure
+++ b/configure
@@ -682,7 +682,10 @@ PKG_CONFIG
 HAVE_APPARMOR
 HAVE_IDS
 DEPS_CFLAGS
+TAR
+STRIP
 SCAN_BUILD
+GZIP
 GAWK
 CPPCHECK
 CODESPELL
@@ -3414,6 +3417,53 @@ fi
   test -n "$GAWK" && break
 done
 
+for ac_prog in gzip
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_prog_GZIP+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -n "$GZIP"; then
+  ac_cv_prog_GZIP="$GZIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  case $as_dir in #(((
+    '') as_dir=./ ;;
+    */) ;;
+    *) as_dir=$as_dir/ ;;
+  esac
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+    ac_cv_prog_GZIP="$ac_prog"
+    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+GZIP=$ac_cv_prog_GZIP
+if test -n "$GZIP"; then
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GZIP" >&5
+printf "%s\n" "$GZIP" >&6; }
+else
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+  test -n "$GZIP" && break
+done
+
 for ac_prog in scan-build
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
@@ -3461,6 +3511,100 @@ fi
   test -n "$SCAN_BUILD" && break
 done
 
+for ac_prog in strip
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_prog_STRIP+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  case $as_dir in #(((
+    '') as_dir=./ ;;
+    */) ;;
+    *) as_dir=$as_dir/ ;;
+  esac
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+    ac_cv_prog_STRIP="$ac_prog"
+    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5
+printf "%s\n" "$STRIP" >&6; }
+else
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+  test -n "$STRIP" && break
+done
+
+for ac_prog in tar
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_prog_TAR+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -n "$TAR"; then
+  ac_cv_prog_TAR="$TAR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  case $as_dir in #(((
+    '') as_dir=./ ;;
+    */) ;;
+    *) as_dir=$as_dir/ ;;
+  esac
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+    ac_cv_prog_TAR="$ac_prog"
+    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+TAR=$ac_cv_prog_TAR
+if test -n "$TAR"; then
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $TAR" >&5
+printf "%s\n" "$TAR" >&6; }
+else
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+  test -n "$TAR" && break
+done
+
 
 DEPS_CFLAGS=""
 
diff --git a/configure.ac b/configure.ac
index 73bd334f8..3701b7b4c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,10 @@ AC_PROG_CC
 AC_CHECK_PROGS([CODESPELL], [codespell])
 AC_CHECK_PROGS([CPPCHECK], [cppcheck])
 AC_CHECK_PROGS([GAWK], [gawk])
+AC_CHECK_PROGS([GZIP], [gzip])
 AC_CHECK_PROGS([SCAN_BUILD], [scan-build])
+AC_CHECK_PROGS([STRIP], [strip])
+AC_CHECK_PROGS([TAR], [tar])
 
 DEPS_CFLAGS=""
 AC_SUBST([DEPS_CFLAGS])
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 55aabbc73..14f7d8cf7 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
 blacklist ${RUNUSER}/gnome-shell
 blacklist ${RUNUSER}/gsconnect
 
+# i3 IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/i3/ipc-socket.*
+blacklist /tmp/i3-*/ipc-socket.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index f638e1d97..a856e81f4 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -140,6 +140,7 @@ blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gradio
 blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/hashcat
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
@@ -259,6 +260,7 @@ blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/1Password
 blacklist ${HOME}/.config/2048-qt
+blacklist ${HOME}/.config/ArmCord
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Authenticator
@@ -973,6 +975,7 @@ blacklist ${HOME}/.local/share/gnote
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/hashcat
 blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
 blacklist ${HOME}/.local/share/jami
@@ -1250,11 +1253,13 @@ blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
+blacklist ${RUNUSER}/i3
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
diff --git a/etc/profile-a-l/armcord.profile b/etc/profile-a-l/armcord.profile
new file mode 100644
index 000000000..470e0dee0
--- /dev/null
+++ b/etc/profile-a-l/armcord.profile
@@ -0,0 +1,40 @@
+# Firejail profile for armcord
+# Description: Standalone Discord client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include armcord.local
+# Persistent global definitions
+include globals.local
+
+# Modules might depend on nodejs.
+# Add the below lines to your armcord.local if you need this.
+# Allow node (disabled by disable-interpreters.inc)
+#include allow-nodejs.inc
+#private-bin node
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+noblacklist ${HOME}/.config/ArmCord
+
+mkdir ${HOME}/.config/ArmCord
+whitelist ${HOME}/.config/ArmCord
+whitelist /opt/armcord
+whitelist /usr/share/armcord
+
+ignore novideo
+private-bin armcord
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+# Allow D-Bus communication with Firefox for opening links
+dbus-user.talk org.mozilla.*
+ignore dbus-user none
+
+join-or-start armcord
+
+# Redirect
+include electron-common.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 53db480a4..14497bba9 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -6,6 +6,11 @@ include claws-mail.local
 # Persistent global definitions
 include globals.local
 
+# Note: If you use things like claws-mail's "fancy" (html rendering) plugin and
+# the X11 window freezes, 'no3d' is likely the cause.  In which case, try
+# adding the following line to claws-mail.local:
+#ignore no3d
+
 noblacklist ${HOME}/.claws-mail
 
 mkdir ${HOME}/.claws-mail
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 2929d6a75..42971ecae 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -52,7 +52,7 @@ whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
-whitelist /var/lib/clamav 
+whitelist /var/lib/clamav
 whitelist /var/mail
 whitelist /var/spool/mail
 include whitelist-common.inc
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index e5b0a06af..b4e0d53f3 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -9,7 +9,9 @@ include globals.local
 
 blacklist ${RUNUSER}/wayland-*
 
+noblacklist ${HOME}/.cache/hashcat
 noblacklist ${HOME}/.hashcat
+noblacklist ${HOME}/.local/share/hashcat
 noblacklist /usr/include
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index 2268072ef..412e31762 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
+noblacklist ${RUNUSER}/i3
+noblacklist ${RUNUSER}/i3/ipc-socket.*
+noblacklist /tmp/i3-*
+noblacklist /tmp/i3-*/ipc-socket.*
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index d7144d8c3..f9e018a33 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -9,6 +9,16 @@ include globals.local
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 
+# libreoffice can sign documents with GPG
+noblacklist ${HOME}/.gnupg
+read-only ${HOME}/.gnupg/trustdb.gpg
+read-only ${HOME}/.gnupg/pubring.kbx
+blacklist ${HOME}/.gnupg/crls.d
+blacklist ${HOME}/.gnupg/openpgp-revocs.d
+blacklist ${HOME}/.gnupg/private-keys-v1.d
+blacklist ${HOME}/.gnupg/pubring.kbx~
+blacklist ${HOME}/.gnupg/random_seed
+
 # libreoffice uses java for some functionality.
 # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
 # Allow java (blacklisted by disable-devel.inc)
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
index 7d0e01d98..c2e4999ea 100644
--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -15,6 +15,8 @@
 
 noblacklist /sys/fs
 noblacklist /sys/module
+nowhitelist /sys/module/nvidia*
+ignore read-only /sys/module/nvidia*
 
 allow-debuggers
 allusers
diff --git a/src/bash_completion/Makefile b/src/bash_completion/Makefile
index c7ef6afc6..c06323f64 100644
--- a/src/bash_completion/Makefile
+++ b/src/bash_completion/Makefile
@@ -2,14 +2,17 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+GAWK ?= gawk
+RM ?= rm -f
+
 .PHONY: all
 all: firejail.bash_completion
 
 firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk
         $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
         sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
-        rm $@.tmp
+        $(RM) $@.tmp
 
 .PHONY: clean
 clean:
-        rm -fr firejail.bash_completion
+        $(RM) -r firejail.bash_completion
diff --git a/src/fids/main.c b/src/fids/main.c
index 92b6468f3..415694f1e 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
         }
         else {
                 content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-                close(fd);
                 mmapped = 1;
         }
+        close(fd);
 
         unsigned char checksum[KEY_SIZE / 8];
         blake2b(checksum, sizeof(checksum), content, size);
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 1895e437b..8c21757ab 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) {
 
                 if (stat(outname, &sb) == 0) {
                         printf("   %s skipped: file exists\n", filename);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
@@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) {
                 FILE *fpin = fopen(filename, "r");
                 if (!fpin) {
                         fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
@@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) {
                 if (!fpout) {
                         fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
                         fclose(fpin);
+                        free(outname);
                         if (change_exec)
                                 free(change_exec);
                         continue;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index b6eb06d65..8d0a30521 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -63,6 +63,7 @@ arduino
 aria2c
 ark
 arm
+armcord
 artha
 assogiate
 asunder
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index db130afd3..cbfcc90ed 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) {
 
                 fclose(fp);
         }
+
+        free(fname);
 }
 
 static void write_bandwidth_file(pid_t pid) {
@@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) {
                         ptr = ptr->next;
                 }
                 fclose(fp);
+                free(fname);
         }
         else
                 goto errout;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index cdad5e220..abef85515 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) {
 
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        { // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-                profile_add("blacklist /sys/fs");
+
+        // Soft-block some paths in /sys/ (can be undone in profiles).
+        profile_add("blacklist /sys/fs");
+
+        // Hardware acceleration with the nvidia proprietary driver may fail
+        // without access to these paths (see #6372).
+        if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+                profile_add("whitelist /sys/module/nvidia*");
+                profile_add("read-only /sys/module/nvidia*");
+        }
+        else {
                 profile_add("blacklist /sys/module");
         }
+
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
         disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index fa88bbe12..e8e486f12 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -52,7 +52,8 @@ typedef struct {
 
 static DevEntry dev[] = {
         {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND},    // sound device
-        {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D},               // 3d device
+        {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D},               // 3d devices
+        {"/dev/kfd", RUN_DEV_DIR "/kfd", DEV_3D},
         {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D},
         {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D},
         {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D},
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 7c3f3835b..9d9832c15 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -67,8 +67,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
@@ -91,8 +93,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
@@ -115,8 +119,10 @@ static void skel(const char *homedir) {
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
-                if (access(fname, F_OK) == 0)
+                if (access(fname, F_OK) == 0) {
+                        free(fname);
                         return;
+                }
                 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 40bbe6d02..0759a205d 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -42,6 +42,7 @@ static void ids_init(void) {
         if (dup(fd) != STDOUT_FILENO)
                 errExit("dup");
         close(fd);
+        free(fname);
 
         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
 }
@@ -63,6 +64,7 @@ static void ids_check(void) {
         if (dup(fd) != STDIN_FILENO)
                 errExit("dup");
         close(fd);
+        free(fname);
 
         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
 }
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index cb078b580..4bd0ba459 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {
         // mode and ownership
         SET_PERMS_STREAM(fp, 0, 0, 0644);
         fclose(fp);
+        free(fname);
 }
 
 
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {
         // mode and ownership
         SET_PERMS_STREAM(fp, 0, 0, 0644);
         fclose(fp);
+        free(fname);
 }
 
 void set_profile_run_file(pid_t pid, const char *fname) {
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 323133f8d..5d7c244b1 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {
                 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
                 exit(1);
         }
+        free(name);
 
         // join the namespace
         EUID_ROOT();
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 39dc38ec9..e70174b1e 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) {
         struct stat s;
         if (stat(name, &s) == -1) {
                 // the sandbox doesn't have a --net= option, don't print
+                free(name);
                 if (cmd)
                         free(cmd);
                 return;
         }
+        free(name);
 
         // pid
         char pidstr[11];
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
index 50c51839b..5fbcb5a15 100644
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -80,10 +80,13 @@ void access_setup(const char *directory) {
         FILE *fp = fopen(test_file, "w");
         if (!fp) {
                 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                free(test_file);
+                free(path);
                 return;
         }
         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
         fclose(fp);
+        free(path);
         int rv = chown(test_file, user_uid, user_gid);
         if (rv)
                 errExit("chown");
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 37234c648..e5657135d 100644
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -55,6 +55,7 @@ void noexec_setup(void) {
                         execfile_len = s.st_size;
                         close(fd);
                 }
+                free(self);
         }
 }
 
@@ -110,4 +111,5 @@ void noexec_test(const char *path) {
         wait(&status);
         int rv = unlink(fname);
         (void) rv;
+        free(fname);
 }
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c
index d4bfd1923..348efc784 100644
--- a/src/jailcheck/virtual.c
+++ b/src/jailcheck/virtual.c
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {
         FILE *fp = fopen(test_file, "w");
         if (!fp) {
                 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                free(test_file);
                 return;
         }
         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
diff --git a/src/man/Makefile b/src/man/Makefile
index 1c1fd49a5..767920e2b 100644
--- a/src/man/Makefile
+++ b/src/man/Makefile
@@ -2,6 +2,10 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+GAWK ?= gawk
+GZIP ?= gzip
+RM ?= rm -f
+
 MOD_DIR := $(ROOT)/src/man
 MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in))
 MANPAGES_GZ := $(MANPAGES_IN:.in=.gz)
@@ -19,8 +23,8 @@ $(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk
 # foo.1.gz: foo.1
 $(MOD_DIR)/%.gz: $(MOD_DIR)/%
         @printf 'Generating %s from %s\n' $@ $<
-        @rm -f $@
-        @gzip -n9 $<
+        @$(RM) $@
+        @$(GZIP) -n9 $<
 
 .PHONY: clean
-clean:; rm -f *.1 *.5 *.gz
+clean:; $(RM) *.1 *.5 *.gz
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 87bd6fcc2..fa2329d67 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -95,7 +95,12 @@ $ firejail [OPTIONS]                # starting the program specified in $SHELL,
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
 # sudo firejail [OPTIONS] /etc/init.d/nginx start
-
+.PP
+When an option is specified multiple times (whether in a profile, on the
+command line, or both) or conflicts with a related option, the
+precedence/behavior is option-specific and usually documented in the
+\fBOPTIONS\fR section below. Note that an option specified in a profile can
+generally be disabled on the command line using \fB--ignore\fR.
 .SH OPTIONS
 .TP
 \fB\-\-
@@ -1729,6 +1734,16 @@ See --keep-config-pulse.
 Disable blacklist for this directory or file.
 .br
 
+Note that blacklist entries containing ${PATH} can not currently be partially
+disabled for individual expanded paths. Only the whole unexpanded path
+including ${PATH} can be disabled, which then applies to all expansions.
+This limitation does not apply to expansions of other variables or wildcards.
+For details, see
+.UR https://github.com/netblue30/firejail/issues/6360
+#6360
+.UE
+.br
+
 .br
 Example:
 .br
@@ -1744,6 +1759,14 @@ $ exit
 .br
 $ firejail --noblacklist=/bin/nc
 .br
+bash: /bin/nc: Permission denied
+.br
+$ exit
+.br
+
+.br
+$ firejail --noblacklist='${PATH}/nc'
+.br
 $ nc dict.org 2628
 .br
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
diff --git a/src/profstats/main.c b/src/profstats/main.c
index ad27bfe79..10eee3c4b 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -344,7 +344,7 @@ int main(int argc, char **argv) {
                 if (cnt_seccomp > (seccomp + 1))
                         cnt_seccomp = seccomp + 1;
                 if (cnt_restrict_namespaces > (restrict_namespaces + 1))
-                        cnt_seccomp = restrict_namespaces + 1;
+                        cnt_restrict_namespaces = restrict_namespaces + 1;
                 if (cnt_dbus_user_none > (dbususernone + 1))
                         cnt_dbus_user_none = dbususernone + 1;
                 if (cnt_dbus_user_filter > (dbususerfilter + 1))
diff --git a/src/prog.mk b/src/prog.mk
index a639e87fc..3e89a6ba8 100644
--- a/src/prog.mk
+++ b/src/prog.mk
@@ -5,6 +5,9 @@
 # The includer should probably define PROG and TARGET and may also want to
 # define EXTRA_OBJS and extend CLEANFILES.
 
+CC ?= cc
+RM ?= rm -f
+
 HDRS :=
 SRCS := $(sort $(wildcard $(MOD_DIR)/*.c))
 OBJS := $(SRCS:.c=.o)
@@ -25,4 +28,4 @@ $(PROG): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk
         $(CC) $(PROG_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) $(LIBS)
 
 .PHONY: clean
-clean:; rm -fr $(PROG) $(CLEANFILES)
+clean:; $(RM) -r $(PROG) $(CLEANFILES)
diff --git a/src/so.mk b/src/so.mk
index ac76ffc30..63a0da7ce 100644
--- a/src/so.mk
+++ b/src/so.mk
@@ -5,6 +5,9 @@
 # The includer should probably define SO and TARGET and may also want to define
 # EXTRA_OBJS and extend CLEANFILES.
 
+CC ?= cc
+RM ?= rm -f
+
 HDRS :=
 SRCS := $(sort $(wildcard $(MOD_DIR)/*.c))
 OBJS := $(SRCS:.c=.o)
@@ -25,4 +28,4 @@ $(SO): $(OBJS) $(EXTRA_OBJS) $(ROOT)/config.mk
         $(CC) $(SO_LDFLAGS) -shared $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_OBJS) -ldl
 
 .PHONY: clean
-clean:; rm -fr $(SO) $(CLEANFILES)
+clean:; $(RM) -r $(SO) $(CLEANFILES)
diff --git a/src/zsh_completion/Makefile b/src/zsh_completion/Makefile
index e964d39ec..cbc476a73 100644
--- a/src/zsh_completion/Makefile
+++ b/src/zsh_completion/Makefile
@@ -2,14 +2,17 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+GAWK ?= gawk
+RM ?= rm -f
+
 .PHONY: all
 all: _firejail
 
 _firejail: _firejail.in $(ROOT)/config.mk
         $(GAWK) -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
         sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
-        rm $@.tmp
+        $(RM) $@.tmp
 
 .PHONY: clean
 clean:
-        rm -fr _firejail
+        $(RM) -r _firejail
diff --git a/test/Makefile b/test/Makefile
index 52fada86c..89855d082 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -2,6 +2,8 @@
 ROOT = ..
 -include $(ROOT)/config.mk
 
+RM ?= rm -f
+
 TESTS=$(patsubst %/,%,$(wildcard */))
 
 .PHONY: $(TESTS)
@@ -11,14 +13,14 @@ $(TESTS):
 
 .PHONY: clean
 clean:
-        for test in $(TESTS); do rm -f "$$test/$$test.log"; done
-        rm -fr environment/-testdir
-        rm -f environment/index.html*
-        rm -f environment/logfile*
-        rm -f environment/wget-log*
-        rm -f sysutils/firejail_t*
-        rm -f utils/firejail-test-file*
-        rm -f utils/index.html*
-        rm -f utils/lstesting
-        rm -f utils/wget-log
+        for test in $(TESTS); do $(RM) "$$test/$$test.log"; done
+        $(RM) -r environment/-testdir
+        $(RM) environment/index.html*
+        $(RM) environment/logfile*
+        $(RM) environment/wget-log*
+        $(RM) sysutils/firejail_t*
+        $(RM) utils/firejail-test-file*
+        $(RM) utils/index.html*
+        $(RM) utils/lstesting
+        $(RM) utils/wget-log
         cd compile && (./compile.sh --clean || true)