52 files changed, 285 insertions, 160 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index c812e4572..dd0dc4da0 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -60,17 +60,20 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
-      run: sudo apt-get update
+      run: sudo apt-get update -qy
     - name: install dependencies
-      run: sudo apt-get install libapparmor-dev libselinux1-dev
+      run: >
+        sudo apt-get install -qy
+        libapparmor-dev libselinux1-dev
     - name: print env
       run: ./ci/printenv.sh
     - name: configure
       run: >
         CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
         --enable-selinux
+        || (cat config.log; exit 1)
     - name: make
       run: make
     - name: make install
@@ -87,19 +90,22 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
-      run: sudo apt-get update
+      run: sudo apt-get update -qy
     - name: install clang-tools-14 and dependencies
-      run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
+      run: >
+        sudo apt-get install -qy
+        clang-tools-14 libapparmor-dev libselinux1-dev
     - name: print env
       run: ./ci/printenv.sh
     - name: configure
       run: >
         CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
         --enable-selinux
+        || (cat config.log; exit 1)
     - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
+      run: scan-build-14 --status-bugs make
   cppcheck:
     runs-on: ubuntu-22.04
     steps:
@@ -110,11 +116,11 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
-      run: sudo apt-get update
+      run: sudo apt-get update -qy
     - name: install cppcheck
-      run: sudo apt-get install cppcheck
+      run: sudo apt-get install -qy cppcheck
     - run: cppcheck --version
     - name: cppcheck
       run: >
@@ -132,11 +138,11 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
-      run: sudo apt-get update
+      run: sudo apt-get update -qy
     - name: install cppcheck
-      run: sudo apt-get install cppcheck
+      run: sudo apt-get install -qy cppcheck
     - run: cppcheck --version
     - name: cppcheck
       run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
@@ -150,11 +156,11 @@ jobs:
         allowed-endpoints: >
           azure.archive.ubuntu.com:80
           github.com:443
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
-      run: sudo apt-get update
+      run: sudo apt-get update -qy
     - name: install dependencies
-      run: sudo apt-get install codespell
+      run: sudo apt-get install -qy codespell
     - run: codespell --version
     - name: codespell
       run: make codespell
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e896ba8e0..afa8d1305 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -61,12 +61,12 @@ jobs:
           www.debian.org:443
           www.debian.org:80
           yahoo.com:1025
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
-      run: sudo apt-get update
+      run: sudo apt-get update -qy
     - name: install dependencies
       run: >
-        sudo apt-get install
+        sudo apt-get install -qy
         gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
         bridge-utils
     - name: print env
@@ -75,6 +75,7 @@ jobs:
       run: >
         CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
         --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
     - name: make
       run: make
     - name: make install
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8c17646a3..eec359f40 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -86,14 +86,14 @@ jobs:
           uploads.github.com:443
 
     - name: Checkout repository
-      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
 
     - name: print env
       run: ./ci/printenv.sh
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4
+      uses: github/codeql-action/init@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -104,7 +104,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@83f0fe6c4988d98a455712a27f0255212bba9bd4
+      uses: github/codeql-action/autobuild@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -118,4 +118,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4
+      uses: github/codeql-action/analyze@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 8500481cd..8418a390b 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -31,7 +31,7 @@ jobs:
         allowed-endpoints: >
           github.com:443
 
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: print env
       run: ./ci/printenv.sh
     - run: python3 --version
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 38d121c49..cb88c0263 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,28 +8,32 @@
 
 build_ubuntu_package:
     image: ubuntu:rolling
+    variables:
+        DEBIAN_FRONTEND: noninteractive
     script:
-        - apt-get update -qq
+        - apt-get update -qy
         - >
-            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq
-            build-essential lintian libapparmor-dev pkg-config python3 gawk
+            apt-get install --no-install-recommends -qy
+            build-essential fakeroot lintian libapparmor-dev pkg-config gawk
+            | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
         - ./ci/printenv.sh
-        - ./configure
+        - ./configure || (cat config.log; exit 1)
         - make deb
         - dpkg -i firejail*.deb
         - command -V firejail && firejail --version
-        # - python3 --version
-        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_debian_package:
     image: debian:buster
+    variables:
+        DEBIAN_FRONTEND: noninteractive
     script:
-        - apt-get update -qq
+        - apt-get update -qy
         - >
-            apt-get install -y -qq
-            build-essential lintian libapparmor-dev pkg-config gawk
+            apt-get install --no-install-recommends -qy
+            build-essential fakeroot lintian libapparmor-dev pkg-config gawk
+            | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
         - ./ci/printenv.sh
-        - ./configure
+        - ./configure || (cat config.log; exit 1)
         - make deb
         - dpkg -i firejail*.deb
         - command -V firejail && firejail --version
@@ -40,7 +44,7 @@ build_redhat_package:
         - dnf update -y
         - dnf install -y rpm-build gcc make
         - ./ci/printenv.sh
-        - ./configure --prefix=/usr
+        - ./configure --prefix=/usr || (cat config.log; exit 1)
         - make rpms
         - rpm -i firejail*.rpm
         - command -V firejail && firejail --version
@@ -51,36 +55,35 @@ build_fedora_package:
         - dnf update -y
         - dnf install -y rpm-build gcc make
         - ./ci/printenv.sh
-        - ./configure --prefix=/usr
+        - ./configure --prefix=/usr || (cat config.log; exit 1)
         - make rpms
         - rpm -i firejail*.rpm
         - command -V firejail && firejail --version
-        # - python3 --version
-        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_src_package:
     image: alpine:latest
     script:
         - apk update
         - apk upgrade
-        - apk add build-base linux-headers python3 gawk
+        - apk add build-base linux-headers gawk
         - ./ci/printenv.sh
-        - ./configure --prefix=/usr
+        - ./configure --prefix=/usr || (cat config.log; exit 1)
         - make
         - make install-strip
         - command -V firejail && firejail --version
-        # - python3 --version
-        # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_no_apparmor:
     image: ubuntu:latest
+    variables:
+        DEBIAN_FRONTEND: noninteractive
     script:
-        - apt-get update -qq
+        - apt-get update -qy
         - >
-            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq
-            build-essential lintian pkg-config gawk
+            apt-get install --no-install-recommends -qy
+            build-essential fakeroot lintian pkg-config gawk
+            | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
         - ./ci/printenv.sh
-        - ./configure
+        - ./configure || (cat config.log; exit 1)
         - make dist
         - ./mkdeb.sh --disable-apparmor
         - dpkg -i firejail*.deb
@@ -92,6 +95,7 @@ debian_ci:
     variables:
         DEBFULLNAME: "$GITLAB_USER_NAME"
         DEBEMAIL: "$GITLAB_USER_EMAIL"
+        DEBIAN_FRONTEND: noninteractive
     before_script:
         - git checkout -B ci_build "$CI_COMMIT_SHA"
         - gitlab-ci-enable-sid
@@ -101,7 +105,7 @@ debian_ci:
             deb-src http://deb.debian.org/debian sid main
             deb-src http://deb.debian.org/debian experimental main
             EOF
-        - apt-get update
+        - apt-get update -qy
         - git config user.name "$DEBFULLNAME"
         - git config user.email "$DEBEMAIL"
         - |
@@ -122,7 +126,7 @@ debian_ci:
         - git commit -m 'add debian/'
         - export CI_COMMIT_SHA="$(git rev-parse HEAD)"
     script:
-        - apt-get --no-install-recommends install -y -qq gawk
+        - apt-get install --no-install-recommends -qy gawk
         - ./ci/printenv.sh
         - gitlab-ci-git-buildpackage
         - gitlab-ci-lintian
diff --git a/Makefile b/Makefile
index 749457b1b..4607926b4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = .
 -include config.mk
 
@@ -358,7 +361,7 @@ cppcheck: clean
 
 .PHONY: scan-build
 scan-build: clean
-        NO_EXTRA_CFLAGS="yes" scan-build make
+        scan-build make
 
 .PHONY: codespell
 codespell: clean
@@ -380,36 +383,45 @@ $(TEST_TARGETS):
 
 
 # extract some data about the testing setup: kernel, network connectivity, user
+.PHONY: lab-setup
 lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc
 
+.PHONY: test
 test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-seccomp-extra
         echo "TEST COMPLETE"
 
+.PHONY: test-noprofiles
 test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
         echo "TEST COMPLETE"
 
 # not included in "make dist" and "make test"
+.PHONY: test-appimage
 test-appimage:
         $(MAKE) -C test $(subst test-,,$@)
 
 # using sudo; not included in "make dist" and "make test"
+.PHONY: test-chroot
 test-chroot:
         $(MAKE) -C test $(subst test-,,$@)
 
 # using sudo; not included in "make dist" and "make test"
+.PHONY: test-network
 test-network:
         $(MAKE) -C test $(subst test-,,$@)
 
 # using sudo; not included in "make dist" and "make test"
+.PHONY: test-apparmor
 test-apparmor:
         $(MAKE) -C test $(subst test-,,$@)
 
 # using sudo; not included in "make dist" and "make test"
+.PHONY: test-firecfg
 test-firecfg:
         $(MAKE) -C test $(subst test-,,$@)
 
 
 # old gihub test; the new test is driven directly from .github/workflows/build.yml
+.PHONY: test-github
 test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
         echo "TEST COMPLETE"
 
@@ -419,6 +431,7 @@ test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-uti
 # with them you will need to restart your computer.
 ##########################################
 # private-lib is disabled by default in /etc/firejail/firejail.config
+.PHONY: test-private-lib
 test-private-lib:
         $(MAKE) -C test $(subst test-,,$@)
 
diff --git a/RELNOTES b/RELNOTES
index 9922dbdb4..bf56218f6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,21 +7,24 @@ firejail (0.9.73) baseline; urgency=low
   * feature: add IPv6 support for --net.print option
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
-    from containing only digits (#5578)
+    from containing only digits (#5578 #5741)
   * modif: Escape control characters of the command line (#5613)
-  * modif: Allow only letters and digits for sandbox name (--name=) and
-    host name (--hostname=)
+  * modif: Allow mostly only ASCII letters and digits for sandbox name
+    (--name=) and host name (--hostname=) (#5708 #5856)
   * modif: remove firemon --interface option (duplicating --net.print option)
+  * modif: make private-lib a configure-time option, disabled by default (see
+    --enable-private-lib) (#5727 #5732)
   * modif: Improve --version/--help & print version on startup (#5829)
   * bugfix: qutebrowser: links will not open in the existing instance (#5601
     #5618)
   * bugfix: fix --hostname and --hosts-file commands
   * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
   * build: auto-generate syntax files (#5627)
-  * build: mark most phony targets as such (#5637)
+  * build: mark all phony targets as such (#5637)
   * build: mkdeb.sh: pass all arguments to ./configure (#5654)
   * build: deb: enable apparmor by default & remove deb-apparmor (#5668)
   * build: Fix whitespace and add .editorconfig (#5674)
+  * build: enable compiler warnings by default (#5842)
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
@@ -29,6 +32,8 @@ firejail (0.9.73) baseline; urgency=low
   * ci: formatting and misc improvements (#5802)
   * ci: run for every branch instead of just master (#5815)
   * ci: upgrade debian:stretch to debian:buster (#5818)
+  * ci: standardize apt-get update/install & misc improvements (#5857)
+  * contrib/vim: match profile files more broadly (#5850)
   * test: split individual test groups in github workflows
   * test: add chroot, appimage and network tests in github workflows
   * docs: remove apparmor options in --help when building without apparmor
diff --git a/config.mk.in b/config.mk.in
index 6b6cf1b99..dea3d8a52 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -61,9 +61,5 @@ LDFLAGS=@LDFLAGS@
 # Project variables
 LIBS=@LIBS@
 
-ifdef NO_EXTRA_CFLAGS
-else
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@
-endif
-
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/configure b/configure
index ceb09bd31..068274fea 100755
--- a/configure
+++ b/configure
@@ -2925,44 +2925,6 @@ else
   :
 fi
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5
-$as_echo_n "checking whether C compiler accepts -mretpoline... " >&6; }
-if ${ax_cv_check_cflags___mretpoline+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-
-  ax_check_save_flags=$CFLAGS
-  CFLAGS="$CFLAGS  -mretpoline"
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  ax_cv_check_cflags___mretpoline=yes
-else
-  ax_cv_check_cflags___mretpoline=no
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-  CFLAGS=$ax_check_save_flags
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
-$as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
-if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
-
-        HAVE_SPECTRE="yes"
-        EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
-
-else
-  :
-fi
-
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5
 $as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; }
 if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then :
diff --git a/configure.ac b/configure.ac
index 30b031801..93de61b95 100644
--- a/configure.ac
+++ b/configure.ac
@@ -25,10 +25,6 @@ AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
         HAVE_SPECTRE="yes"
         EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
 ])
-AX_CHECK_COMPILE_FLAG([-mretpoline], [
-        HAVE_SPECTRE="yes"
-        EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
-])
 AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [
         HAVE_SPECTRE="yes"
         EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
diff --git a/contrib/vim/ftdetect/firejail.vim b/contrib/vim/ftdetect/firejail.vim
index 2edc741da..6180048f7 100644
--- a/contrib/vim/ftdetect/firejail.vim
+++ b/contrib/vim/ftdetect/firejail.vim
@@ -1,6 +1,12 @@
-autocmd BufNewFile,BufRead /etc/firejail/*.profile      setfiletype firejail
-autocmd BufNewFile,BufRead /etc/firejail/*.local        setfiletype firejail
+" Default paths
 autocmd BufNewFile,BufRead /etc/firejail/*.inc          setfiletype firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.local   setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.local        setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.profile      setfiletype firejail
 autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.local   setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail
+
+" Arbitrary paths
+autocmd BufNewFile,BufRead */firejail/*.inc             set filetype=firejail
+autocmd BufNewFile,BufRead */firejail/*.local           set filetype=firejail
+autocmd BufNewFile,BufRead */firejail/*.profile         set filetype=firejail
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 77e16a56b..4dbf3c194 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+apparmor /usr/bin/fdns
 caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
 # netfilter /etc/firejail/webserver.net
@@ -47,4 +48,3 @@ private-etc @tls-ca,fdns
 private-tmp
 
 memory-deny-write-execute
-restrict-namespaces
diff --git a/etc/profile-m-z/vmplayer.profile b/etc/profile-m-z/vmplayer.profile
new file mode 100644
index 000000000..4b386fed7
--- /dev/null
+++ b/etc/profile-m-z/vmplayer.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-player
+# Description: VMWare Workstation Player, used for running virtual machines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmplayer.local
+
+# Redirect
+include vmware.profile
diff --git a/etc/profile-m-z/vmware-player.profile b/etc/profile-m-z/vmware-player.profile
index 582a0f693..8be9acc92 100644
--- a/etc/profile-m-z/vmware-player.profile
+++ b/etc/profile-m-z/vmware-player.profile
@@ -1,5 +1,5 @@
 # Firejail profile for vmware-player
-# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# Description: VMWare Workstation Player, used for running virtual machines
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vmware-player.local
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index c2fd14811..e924d2119 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -1,5 +1,5 @@
 # Firejail profile for vmware-view
-# Description: VMware Horizon Client
+# Description: VMware Horizon Client, used as a remote desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vmware-view.local
diff --git a/etc/profile-m-z/vmware-workstation.profile b/etc/profile-m-z/vmware-workstation.profile
index 6290b57f4..5311cd123 100644
--- a/etc/profile-m-z/vmware-workstation.profile
+++ b/etc/profile-m-z/vmware-workstation.profile
@@ -1,5 +1,5 @@
 # Firejail profile for vmware-workstation
-# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# Description: VMWare Workstation Player, used for running virtual machines
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vmware-workstation.local
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 7619ef47b..ed4a47a83 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -1,5 +1,5 @@
 # Firejail profile for vmware
-# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# Description: VMWare Workstation Player, used for running virtual machines
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vmware.local
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.vmware
 noblacklist /usr/lib/vmware
 
 include disable-common.inc
-include disable-devel.inc
+#include disable-devel.inc # gcc is used to compile kernel modules
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/src/bash_completion/Makefile b/src/bash_completion/Makefile
index e787a7b92..6d5c45532 100644
--- a/src/bash_completion/Makefile
+++ b/src/bash_completion/Makefile
@@ -1,9 +1,12 @@
-.PHONY: all
-all: firejail.bash_completion
+.SUFFIXES:
+MAKEFLAGS += -r
 
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+.PHONY: all
+all: firejail.bash_completion
+
 firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk
         gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
         sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile
index 10c28cd76..7c542c4a9 100644
--- a/src/etc-cleanup/Makefile
+++ b/src/etc-cleanup/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fbuilder/Makefile b/src/fbuilder/Makefile
index ad73e8960..803ea18a3 100644
--- a/src/fbuilder/Makefile
+++ b/src/fbuilder/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fcopy/Makefile b/src/fcopy/Makefile
index 27054627c..29ea719a3 100644
--- a/src/fcopy/Makefile
+++ b/src/fcopy/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fids/Makefile b/src/fids/Makefile
index 44ea396d7..1aaac5c75 100644
--- a/src/fids/Makefile
+++ b/src/fids/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/firecfg/Makefile b/src/firecfg/Makefile
index 05cc088f4..c9489e3a4 100644
--- a/src/firecfg/Makefile
+++ b/src/firecfg/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 1e996ef72..fdda5c2c7 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -895,9 +895,10 @@ vivaldi-beta
 vivaldi-snapshot
 vivaldi-stable
 vlc
-vmware
-vmware-player
-vmware-workstation
+#vmplayer - unable to install kernel modules (see #5861)
+#vmware - unable to install kernel modules (see #5861)
+#vmware-player - unable to install kernel modules (see #5861)
+#vmware-workstation - unable to install kernel modules (see #5861)
 vscodium
 vulturesclaw
 vultureseye
diff --git a/src/firejail/Makefile b/src/firejail/Makefile
index 47edc5ac6..064373588 100644
--- a/src/firejail/Makefile
+++ b/src/firejail/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1835d8de2..070eb47f3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2187,34 +2187,21 @@ int main(int argc, char **argv, char **envp) {
                 else if (strncmp(argv[i], "--name=", 7) == 0) {
                         cfg.name = argv[i] + 7;
                         if (strlen(cfg.name) == 0) {
-                                fprintf(stderr, "Error: please provide a name for sandbox\n");
+                                fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
                                 return 1;
                         }
-                        if (invalid_name(cfg.name) || has_cntrl_chars(cfg.name)) {
+                        if (invalid_name(cfg.name)) {
                                 fprintf(stderr, "Error: invalid sandbox name\n");
                                 return 1;
                         }
                 }
                 else if (strncmp(argv[i], "--hostname=", 11) == 0) {
                         cfg.hostname = argv[i] + 11;
-                        size_t len = strlen(cfg.hostname);
-                        if (len == 0 || len > 253) {
-                                fprintf(stderr, "Error: please provide a valid hostname for sandbox, with maximum length of 253 ASCII characters\n");
+                        if (strlen(cfg.hostname) == 0) {
+                                fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
                                 return 1;
                         }
-                        int invalid = invalid_name(cfg.hostname);
-                        char* hostname = cfg.hostname;
-                        while (*hostname && !invalid) {
-                                invalid = invalid || !(
-                                                (*hostname >= 'a' && *hostname <= 'z') ||
-                                                (*hostname >= 'A' && *hostname <= 'Z') ||
-                                                (*hostname >= '0' && *hostname <= '9') ||
-                                                (*hostname == '-' || *hostname == '.'));
-                                hostname++;
-                        }
-                        invalid = invalid || cfg.hostname[0] == '-'; // must not start with -
-                        invalid = invalid || cfg.hostname[len - 1] == '-'; // must not end with -
-                        if (invalid) {
+                        if (invalid_name(cfg.hostname)) {
                                 fprintf(stderr, "Error: invalid hostname\n");
                                 return 1;
                         }
@@ -2847,7 +2834,11 @@ int main(int argc, char **argv, char **envp) {
                         // set sandbox name and start normally
                         cfg.name = argv[i] + 16;
                         if (strlen(cfg.name) == 0) {
-                                fprintf(stderr, "Error: please provide a name for sandbox\n");
+                                fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
+                                return 1;
+                        }
+                        if (invalid_name(cfg.name)) {
+                                fprintf(stderr, "Error: invalid sandbox name\n");
                                 return 1;
                         }
                 }
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 22ee9dc3c..9c5e3ee58 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -120,7 +120,7 @@ int check_kernel_procs(void) {
 
                 // read file
                 char buf[100];
-                if (fgets(buf, 10, fp) == NULL) {
+                if (fgets(buf, 100, fp) == NULL) {
                         fwarning("cannot read %s\n", fname);
                         fclose(fp);
                         free(fname);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 202bcf4da..ae881664b 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,22 +326,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         // sandbox name
         else if (strncmp(ptr, "name ", 5) == 0) {
-                int only_numbers = 1;
                 cfg.name = ptr + 5;
                 if (strlen(cfg.name) == 0) {
-                        fprintf(stderr, "Error: invalid sandbox name\n");
+                        fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
                         exit(1);
                 }
-                const char *c = cfg.name;
-                while (*c) {
-                        if (!isdigit(*c)) {
-                                only_numbers = 0;
-                                break;
-                        }
-                        ++c;
-                }
-                if (only_numbers) {
-                        fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+                if (invalid_name(cfg.name)) {
+                        fprintf(stderr, "Error: invalid sandbox name\n");
                         exit(1);
                 }
                 return 0;
@@ -1165,6 +1156,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         // hostname
         if (strncmp(ptr, "hostname ", 9) == 0) {
                 cfg.hostname = ptr + 9;
+                if (strlen(cfg.hostname) == 0) {
+                        fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
+                        exit(1);
+                }
+                if (invalid_name(cfg.hostname)) {
+                        fprintf(stderr, "Error: invalid hostname\n");
+                        exit(1);
+                }
                 return 0;
         }
 
@@ -1647,6 +1646,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         // set sandbox name and start normally
                         cfg.name = ptr + 14;
                         if (strlen(cfg.name) == 0) {
+                                fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
+                                exit(1);
+                        }
+                        if (invalid_name(cfg.name)) {
                                 fprintf(stderr, "Error: invalid sandbox name\n");
                                 exit(1);
                         }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index a0af3d4bf..555486916 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1476,23 +1476,46 @@ int ascii_isxdigit(unsigned char c) {
         return ret;
 }
 
-// allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected
+// Note: Keep this in sync with NAME VALIDATION in src/man/firejail.txt.
+//
+// Allow only ASCII letters, digits and a few special characters; names with
+// only numbers are rejected; spaces and control characters are rejected.
 int invalid_name(const char *name) {
         const char *c = name;
-
         int only_numbers = 1;
+
+        if (strlen(name) > 253)
+                return 1;
+
+        // must start with alnum
+        if (!ascii_isalnum(*c))
+                return 1;
+        if (!ascii_isdigit(*c))
+                only_numbers = 0;
+        ++c;
+
         while (*c) {
-                if (!ascii_isalnum(*c))
-                        return 1;
-                if (!ascii_isdigit(*c))
+                switch (*c) {
+                case '-':
+                case '.':
+                case '_':
                         only_numbers = 0;
+                        break;
+                default:
+                        if (!ascii_isalnum(*c))
+                                return 1;
+                        if (!ascii_isdigit(*c))
+                                only_numbers = 0;
+                }
                 ++c;
         }
-        if (only_numbers)
+
+        // must end with alnum
+        --c;
+        if (!ascii_isalnum(*c))
                 return 1;
 
-        // restrict name to 64 chars max
-        if (strlen(name) > 64)
+        if (only_numbers)
                 return 1;
 
         return 0;
diff --git a/src/firemon/Makefile b/src/firemon/Makefile
index 433e4267d..514eb98eb 100644
--- a/src/firemon/Makefile
+++ b/src/firemon/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fldd/Makefile b/src/fldd/Makefile
index 0c127af55..35ce019a7 100644
--- a/src/fldd/Makefile
+++ b/src/fldd/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fnet/Makefile b/src/fnet/Makefile
index 91de109fa..a40d69b11 100644
--- a/src/fnet/Makefile
+++ b/src/fnet/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fnetfilter/Makefile b/src/fnetfilter/Makefile
index 506d287ab..fbae2e027 100644
--- a/src/fnetfilter/Makefile
+++ b/src/fnetfilter/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fnettrace-dns/Makefile b/src/fnettrace-dns/Makefile
index 36542f567..3c825467c 100644
--- a/src/fnettrace-dns/Makefile
+++ b/src/fnettrace-dns/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fnettrace-icmp/Makefile b/src/fnettrace-icmp/Makefile
index 12ae42e9a..9e94fa144 100644
--- a/src/fnettrace-icmp/Makefile
+++ b/src/fnettrace-icmp/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fnettrace-sni/Makefile b/src/fnettrace-sni/Makefile
index 8d9a437d5..21dfde3d3 100644
--- a/src/fnettrace-sni/Makefile
+++ b/src/fnettrace-sni/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile
index 952036ad3..a952a84a4 100644
--- a/src/fnettrace/Makefile
+++ b/src/fnettrace/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fsec-optimize/Makefile b/src/fsec-optimize/Makefile
index ce65f4719..40511bdaa 100644
--- a/src/fsec-optimize/Makefile
+++ b/src/fsec-optimize/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fsec-print/Makefile b/src/fsec-print/Makefile
index cbe061d45..6f09e9161 100644
--- a/src/fsec-print/Makefile
+++ b/src/fsec-print/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fseccomp/Makefile b/src/fseccomp/Makefile
index 1b8d0bb48..bd5c92113 100644
--- a/src/fseccomp/Makefile
+++ b/src/fseccomp/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/ftee/Makefile b/src/ftee/Makefile
index 2f26ab900..8b4e7fdf4 100644
--- a/src/ftee/Makefile
+++ b/src/ftee/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/fzenity/Makefile b/src/fzenity/Makefile
index aeb862d9b..6b93886f5 100644
--- a/src/fzenity/Makefile
+++ b/src/fzenity/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/jailcheck/Makefile b/src/jailcheck/Makefile
index e3b84fbf3..029fd422b 100644
--- a/src/jailcheck/Makefile
+++ b/src/jailcheck/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/lib/Makefile b/src/lib/Makefile
index f5b92e389..e359bba08 100644
--- a/src/lib/Makefile
+++ b/src/lib/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/libpostexecseccomp/Makefile b/src/libpostexecseccomp/Makefile
index 62e167b73..874de098e 100644
--- a/src/libpostexecseccomp/Makefile
+++ b/src/libpostexecseccomp/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/libtrace/Makefile b/src/libtrace/Makefile
index d45b3e2f6..d261828ea 100644
--- a/src/libtrace/Makefile
+++ b/src/libtrace/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/libtracelog/Makefile b/src/libtracelog/Makefile
index bfc5adddc..5e14a5dbe 100644
--- a/src/libtracelog/Makefile
+++ b/src/libtracelog/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/man/Makefile b/src/man/Makefile
index 283822d1f..ce55ffd34 100644
--- a/src/man/Makefile
+++ b/src/man/Makefile
@@ -1,9 +1,12 @@
-.PHONY: all
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
+.SUFFIXES:
+MAKEFLAGS += -r
 
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+.PHONY: all
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
+
 %.man: %.txt $(ROOT)/config.mk
         gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 586ef9852..19fc94ebd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -876,6 +876,8 @@ Print options end exit.
 \fB\-\-hostname=name
 Set sandbox hostname.
 .br
+For valid names, see the \fBNAME VALIDATION\fR section.
+.br
 
 .br
 Example:
@@ -1180,7 +1182,9 @@ Switching to pid 1932, the first child process inside the sandbox
 .TP
 \fB\-\-join-or-start=name
 Join the sandbox identified by name or start a new one.
-Same as "firejail --join=name" if sandbox with specified name exists, otherwise same as "firejail --name=name ..."
+Same as "firejail --join=name" if sandbox with specified name exists, otherwise
+same as "firejail --name=name ...".
+See \fB\-\-name\fR for details.
 .br
 Note that in contrary to other join options there is respective profile option.
 
@@ -1340,8 +1344,13 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
 this name to identify a sandbox.
-The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
+The name cannot contain only digits, as that is treated as a PID in the other
+options, such as in \-\-join.
+.br
+For valid names, see the \fBNAME VALIDATION\fR section.
+.br
 
+.br
 In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
 new name as "name-PID", where PID is the process ID of the sandbox. This functionality
 can be disabled at run time in /etc/firejail/firejail.config file, by setting "name-change" flag to "no".
@@ -3296,6 +3305,17 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 #endif
+.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.
+.SH NAME VALIDATION
+For simplicity, the same name validation is used for multiple options.
+Rules:
+.PP
+The name must be 1-253 characters long.
+The name can only contain ASCII letters, digits and the special characters
+"-._" (that is, the name cannot contain spaces or control characters).
+The name cannot contain only digits.
+The first and last characters must be an ASCII letter or digit and the name
+may contain special characters in the middle.
 #ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP
diff --git a/src/profstats/Makefile b/src/profstats/Makefile
index 47b39e76c..936b575e1 100644
--- a/src/profstats/Makefile
+++ b/src/profstats/Makefile
@@ -1,3 +1,6 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
 ROOT = ../..
 -include $(ROOT)/config.mk
 
diff --git a/src/zsh_completion/Makefile b/src/zsh_completion/Makefile
index d7bc1038a..fab53ca0a 100644
--- a/src/zsh_completion/Makefile
+++ b/src/zsh_completion/Makefile
@@ -1,9 +1,12 @@
-.PHONY: all
-all: _firejail
+.SUFFIXES:
+MAKEFLAGS += -r
 
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+.PHONY: all
+all: _firejail
+
 _firejail: _firejail.in $(ROOT)/config.mk
         gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
         sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
diff --git a/test/Makefile b/test/Makefile
index 2c376da58..02a628928 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -1,3 +1,9 @@
+.SUFFIXES:
+MAKEFLAGS += -r
+
+ROOT = ..
+-include $(ROOT)/config.mk
+
 TESTS=$(patsubst %/,%,$(wildcard */))
 
 .PHONY: $(TESTS)