24 files changed, 113 insertions, 106 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 6f9a4bc2c..9296062c1 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -4,7 +4,10 @@ on:
  push:
    branches: [ master ]
    paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
      - CONTRIBUTING.md
+      - COPYING
      - README
      - README.md
      - RELNOTES
@@ -16,7 +19,10 @@ on:
  pull_request:
    branches: [ master ]
    paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
      - CONTRIBUTING.md
+      - COPYING
      - README
      - README.md
      - RELNOTES
@@ -28,11 +34,13 @@ on:
 jobs:
  build-clang:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install dependencies
+      run: sudo apt-get install libapparmor-dev libselinux1-dev
    - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
    - name: make
      run: make
    - name: make install
@@ -40,16 +48,26 @@ jobs:
    - name: print version
      run: command -V firejail && firejail --version
  scan-build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
-    - name: install clang-tools-11
+    - name: install clang-tools-14 and dependencies
-      run: sudo apt-get install clang-tools-11
+      run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
    - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
    - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
+      run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
  cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c .
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also
+  # with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
    runs-on: ubuntu-20.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cc7893305..3203e0677 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,10 @@ on:
  push:
    branches: [ master ]
    paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
      - CONTRIBUTING.md
+      - COPYING
      - README
      - README.md
      - RELNOTES
@@ -12,7 +15,10 @@ on:
  pull_request:
    branches: [ master ]
    paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
      - CONTRIBUTING.md
+      - COPYING
      - README
      - README.md
      - RELNOTES
@@ -20,15 +26,15 @@ on:
 jobs:
  build_and_test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
    - name: update package information
      run: sudo apt-get update
    - name: install dependencies
-      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
    - name: configure
-      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+      run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
    - name: make
      run: make
    - name: make install
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d34a48aa3..4a09ad9d8 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,7 +9,10 @@ on:
  push:
    branches: [ master ]
    paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
      - CONTRIBUTING.md
+      - COPYING
      - README
      - README.md
      - RELNOTES
@@ -19,7 +22,10 @@ on:
    # The branches below must be a subset of the branches above
    branches: [ master ]
    paths-ignore:
+      - .git-blame-ignore-revs
+      - .gitignore
      - CONTRIBUTING.md
+      - COPYING
      - README
      - README.md
      - RELNOTES
@@ -47,7 +53,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+      uses: github/codeql-action/init@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +64,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+      uses: github/codeql-action/autobuild@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -72,4 +78,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+      uses: github/codeql-action/analyze@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 9138e8a57..d235aeb64 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -18,7 +18,7 @@ on:
 jobs:
  profile-checks:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
    - name: sort.py
diff --git a/.gitignore b/.gitignore
index 66daccf5d..b5d29dc19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@
 .directory
 *.man
 .vscode
+/firejail-*/
 autom4te.cache/
 config.log
 config.mk
diff --git a/config.mk.in b/config.mk.in
index e76b7ac34..e0be0e656 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -1,3 +1,5 @@
+# @configure_input@
+#
 # Configure-time variable definitions and any other common definition that can
 # be safely included by all makefiles.
 #
diff --git a/config.sh.in b/config.sh.in
index 28251b3d5..3d54ff189 100644
--- a/config.sh.in
+++ b/config.sh.in
@@ -1,2 +1,3 @@
+# @configure_input@
 NAME=@PACKAGE_NAME@
 VERSION=@PACKAGE_VERSION@
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index fbf4c3ef0..db923056a 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
+blacklist /sys/class/net
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 700a10be8..9d66c5fa4 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -16,6 +16,7 @@ include allow-python2.inc
 include allow-python3.inc
 blacklist /srv
+blacklist /sys/class/net
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/torbrowser.profile b/etc/profile-m-z/torbrowser.profile
index fc579b973..15ca5b550 100644
--- a/etc/profile-m-z/torbrowser.profile
+++ b/etc/profile-m-z/torbrowser.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 blacklist /usr/libexec
+blacklist /sys/class/net
 mkdir ${HOME}/.cache/mozilla/torbrowser
 mkdir ${HOME}/.mozilla
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 47e618ae2..6d7fa94e7 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -19,6 +19,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+whitelist /usr/share/viewnior
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4
index dcabb92a1..bd753b34d 100644
--- a/m4/ax_check_compile_flag.m4
+++ b/m4/ax_check_compile_flag.m4
@@ -29,33 +29,12 @@
 #   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 #   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 #
-#   This program is free software: you can redistribute it and/or modify it
+#   Copying and distribution of this file, with or without modification, are
-#   under the terms of the GNU General Public License as published by the
+#   permitted in any medium without royalty provided the copyright notice
-#   Free Software Foundation, either version 3 of the License, or (at your
+#   and this notice are preserved.  This file is offered as-is, without any
-#   option) any later version.
+#   warranty.
-#
-#   This program is distributed in the hope that it will be useful, but
-#   WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-#   Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License along
-#   with this program. If not, see <https://www.gnu.org/licenses/>.
-#
-#   As a special exception, the respective Autoconf Macro's copyright owner
-#   gives unlimited permission to copy, distribute and modify the configure
-#   scripts that are the output of Autoconf when processing the Macro. You
-#   need not follow the terms of the GNU General Public License when using
-#   or distributing such scripts, even though portions of the text of the
-#   Macro appear in them. The GNU General Public License (GPL) does govern
-#   all other use of the material that constitutes the Autoconf Macro.
-#
-#   This special exception to the GPL applies to versions of the Autoconf
-#   Macro released by the Autoconf Archive. When you make and distribute a
-#   modified version of the Autoconf Macro, you may extend this special
-#   exception to the GPL to apply to your modified version as well.
-#serial 5
+#serial 6
 AC_DEFUN([AX_CHECK_COMPILE_FLAG],
 [AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b744ebd45..167b6a843 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -386,7 +386,6 @@ char *guess_shell(void);
 #define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
-void set_apparmor(void);
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 2b0b3003e..6228e9740 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -27,7 +27,7 @@
 static int prog_cnt = 0;
-static char *paths[] = {
+static const char * const paths[] = {
        "/usr/local/bin",
        "/usr/bin",
        "/bin",
@@ -40,7 +40,7 @@ static char *paths[] = {
 };
 // return 1 if found, 0 if not found
-static char *check_dir_or_file(const char *name) {
+static const char *check_dir_or_file(const char *name) {
        EUID_ASSERT();
        assert(name);
        struct stat s;
@@ -160,7 +160,7 @@ static void duplicate(char *fname) {
        else {
                // Find the standard directory (by looping through paths[])
                // where the filename fname is located
-                char *path = check_dir_or_file(fname);
+                const char *path = check_dir_or_file(fname);
                if (!path)
                        return;
                if (asprintf(&full_path, "%s/%s", path, fname) == -1)
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 9523875d7..ad5ee6759 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -300,7 +300,7 @@ void fs_var_utmp(void) {
        // read current utmp
        struct utmp *u;
-        struct utmp u_boot;
+        struct utmp u_boot = {0};
        setutent();
        while ((u = getutent()) != NULL) {
                if (u->ut_type == BOOT_TIME) {
diff --git a/src/firejail/join.c b/src/firejail/join.c
index ec9c922ef..96d891a49 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -33,10 +33,6 @@
 #define PR_SET_NO_NEW_PRIVS 38
 #endif
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif
 static int apply_caps = 0;
 static uint64_t caps = 0;
 static unsigned display = 0;
@@ -137,6 +133,8 @@ static void extract_nogroups(ProcessHandle sandbox) {
        if (process_rootfs_stat(sandbox, RUN_GROUPS_CFG, &s) == 0)
                arg_nogroups = 1;
+        else if (errno != ENOENT)
+                errExit("stat");
 }
 static void extract_nonewprivs(ProcessHandle sandbox) {
@@ -144,6 +142,8 @@ static void extract_nonewprivs(ProcessHandle sandbox) {
        if (process_rootfs_stat(sandbox, RUN_NONEWPRIVS_CFG, &s) == 0)
                arg_nonewprivs = 1;
+        else if (errno != ENOENT)
+                errExit("stat");
 }
 static void extract_caps(ProcessHandle sandbox) {
@@ -481,13 +481,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                EUID_USER();
                unpin_process(sandbox);
-                // set nonewprivs
-                if (arg_nonewprivs == 1) {      // not available for uid 0
-                        int rv = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-                        if (arg_debug && rv == 0)
-                                printf("NO_NEW_PRIVS set\n");
-                }
                int cwd = 0;
                if (cfg.cwd) {
                        if (chdir(cfg.cwd) == 0)
@@ -507,16 +500,23 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        }
                }
+                // set nonewprivs
+#ifndef HAVE_FORCE_NONEWPRIVS
+                if (arg_nonewprivs == 1)        // not available for uid 0
+#endif
+                {
+                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
+                                errExit("prctl");
+                        if (arg_debug)
+                                printf("NO_NEW_PRIVS set\n");
+                }
                // drop privileges
                drop_privs(arg_nogroups);
                // kill the child in case the parent died
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
-#ifdef HAVE_APPARMOR
-                set_apparmor();
-#endif
                extract_command(argc, argv, index);
                if (cfg.command_line == NULL)
                        cfg.window_title = cfg.usershell;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 5a7254de2..55f623138 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1239,7 +1239,8 @@ int main(int argc, char **argv, char **envp) {
        if (check_arg(argc, argv, "--appimage", 1))
                arg_appimage = 1;
-        // check for force-nonewprivs in /etc/firejail/firejail.config file
+        // load configuration file /etc/firejail/firejail.config
+        // and check for force-nonewprivs
        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 507e916c8..b1b3407b4 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -50,7 +50,6 @@
 #include <sys/apparmor.h>
 #endif
-static int force_nonewprivs = 0;
 extern int just_run_the_shell;
 static int monitored_pid = 0;
@@ -128,7 +127,7 @@ static void set_caps(void) {
 }
 #ifdef HAVE_APPARMOR
-void set_apparmor(void) {
+static void set_apparmor(void) {
        EUID_ASSERT();
        if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
                if (aa_change_onexec("firejail-default")) {
@@ -486,6 +485,9 @@ static void close_file_descriptors(void) {
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
        if (no_sandbox == 0) {
+#ifdef HAVE_APPARMOR
+                set_apparmor();
+#endif
                close_file_descriptors();
                // set nice and rlimits
@@ -626,7 +628,6 @@ static void enforce_filters(void) {
        fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n");
        // enforce NO_NEW_PRIVS
        arg_nonewprivs = 1;
-        force_nonewprivs = 1;
        // disable all capabilities
        arg_caps_drop_all = 1;
@@ -829,14 +830,9 @@ int sandbox(void* sandbox_arg) {
                        exit(rv);
        }
-#ifdef HAVE_FORCE_NONEWPRIVS
-        bool always_enforce_filters = true;
-#else
-        bool always_enforce_filters = false;
-#endif
        // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
        // and drop all capabilities
-        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters))
+        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay))
                enforce_filters();
        // need ld.so.preload if tracing or seccomp with any non-default lists
@@ -1273,17 +1269,15 @@ int sandbox(void* sandbox_arg) {
        //****************************************
        // Set NO_NEW_PRIVS if desired
        //****************************************
-        if (arg_nonewprivs) {
+#ifndef HAVE_FORCE_NONEWPRIVS
-                prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+        if (arg_nonewprivs)
+#endif
-                if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) {
+        {
-                        fwarning("cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n");
+                if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
-                        if (force_nonewprivs) {
+                        fprintf(stderr, "Error: cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n");
-                                fprintf(stderr, "Error: NO_NEW_PRIVS required for this sandbox, exiting ...\n");
+                        exit(1);
-                                exit(1);
-                        }
                }
-                else if (arg_debug)
+                if (arg_debug)
                        printf("NO_NEW_PRIVS set\n");
        }
@@ -1309,10 +1303,7 @@ int sandbox(void* sandbox_arg) {
                errExit("fork");
        if (app_pid == 0) {
-#ifdef HAVE_APPARMOR
+                start_application(0, -1, set_sandbox_status);   // this function does not return
-                set_apparmor();
-#endif
-                start_application(0, -1, set_sandbox_status);
        }
        munmap(set_sandbox_status, 1);
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index bc4f7cf9c..a50b759c3 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -47,7 +47,7 @@ int is_lib_64(const char *exe) {
        if (fd < 0)
                return 0;
-        unsigned char buf[EI_NIDENT];
+        unsigned char buf[EI_NIDENT] = {0};
        ssize_t len = 0;
        while (len < EI_NIDENT) {
                ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
diff --git a/test/Makefile b/test/Makefile
index 2f3a97d73..2c376da58 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -3,7 +3,7 @@ TESTS=$(patsubst %/,%,$(wildcard */))
 .PHONY: $(TESTS)
 $(TESTS):
        cd $@ && ./$@.sh 2>&1 | tee $@.log
-        cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
+        cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log
 .PHONY: clean
 clean:
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
index b5a8c119b..2c00cfa1c 100755
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -110,23 +110,23 @@ expect {
 send -- "exit\r"
 sleep 1
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
+# test disabled, as Github CI uses systemd-resolved, which does not work
-expect {
+# properly with --dns=, so curl does not use the specified nameserver
-        timeout {puts "TESTING ERROR 6.1\n";exit}
+#send -- "firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org\r"
-        "connect"
+#expect {
-}
+#       timeout {puts "TESTING ERROR 6.1\n";exit}
-expect {
+#       "connect"
-        timeout {puts "TESTING ERROR 6.2\n";exit}
+#}
-        "208.67.222.222"
+#expect {
-}
+#       timeout {puts "TESTING ERROR 6.2\n";exit}
-expect {
+#       "208.67.222.222"
-        timeout {puts "TESTING ERROR 6.3\n";exit}
+#}
-        "53"
+#expect {
-}
+#       timeout {puts "TESTING ERROR 6.3\n";exit}
-after 100
+#       "53"
+#}
+#after 100
-send -- "rm index.html\r"
-after 100
 send -- "exit\r"
 sleep 1
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index e6698eab0..01a298fe0 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -11,6 +11,7 @@ send -- "firejail less sysutils.sh\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+        "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
        "MALLOC_CHECK"
 }
 expect {
diff --git a/test/utils/man.exp b/test/utils/man.exp
index 3a0ca46d6..f62859a8f 100755
--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -11,6 +11,7 @@ send -- "man firejail\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+        "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
        "Linux namespaces sandbox program"
 }
 after 100
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index f14001c88..beb59d337 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -68,10 +68,6 @@ expect {
        "wget:fopen /etc/wgetrc"  {puts "OK\n";}
 }
 expect {
-        timeout {puts "TESTING ERROR 8.4\n";exit}
-        "wget:fopen /etc/hosts"
-}
-expect {
        timeout {puts "TESTING ERROR 8.5\n";exit}
        "wget:connect"
 }