26 files changed, 102 insertions, 59 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9b82ab240..1c4c952f5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -93,7 +93,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38
+      uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -104,7 +104,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38
+      uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -118,4 +118,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38
+      uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4
diff --git a/.gitignore b/.gitignore
index aae7b817d..2285c3e5d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,9 +6,9 @@
 *.rpm
 *.gcda
 *.gcno
+*.gz
 *.DS_Store
 .directory
-*.man
 .vscode
 /firejail-*/
 autom4te.cache/
@@ -20,14 +20,6 @@ contrib/syntax/files/example
 contrib/syntax/files/firejail-profile.lang
 contrib/syntax/files/firejail.vim
 firejail-*.tar.xz
-firejail-login.5
-firejail-profile.5
-firejail-config.5
-firejail-users.5
-firejail.1
-firemon.1
-firecfg.1
-jailcheck.1
 src/fnettrace-dns/fnettrace-dns
 src/fnettrace-sni/fnettrace-sni
 src/fnettrace-icmp/fnettrace-icmp
@@ -61,7 +53,12 @@ seccomp.64
 seccomp.block_secondary
 seccomp.mdwx
 seccomp.mdwx.32
+seccomp.namespaces
+seccomp.namespaces.32
 aclocal.m4
 __pycache__
 *.pyc
 *.pyo
+src/fnettrace/static-ip-map
+src/man/*.1
+src/man/*.5
diff --git a/Makefile b/Makefile
index 35bd9dc44..53b57a0e1 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,6 @@ ROOT = .
 ifneq ($(HAVE_MAN),no)
 MAN_TARGET = man
-MAN_SRC = src/man
 endif
 ifneq ($(HAVE_CONTRIB_INSTALL),no)
@@ -19,11 +18,15 @@ SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfil
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni
 SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
-MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
+MYDIRS = src/lib $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 seccomp.namespaces seccomp.namespaces.32
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+MANPAGES1_IN := $(sort $(wildcard src/man/*.1.in))
+MANPAGES5_IN := $(sort $(wildcard src/man/*.5.in))
+MANPAGES1_GZ := $(MANPAGES1_IN:.in=.gz)
+MANPAGES5_GZ := $(MANPAGES5_IN:.in=.gz)
 SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
@@ -49,7 +52,7 @@ config.mk config.sh:
        @printf 'error: run ./configure to generate %s\n' "$@" >&2
        @false
-.PHONY: all_items $(ALL_ITEMS)
+.PHONY: all_items
 all_items: $(ALL_ITEMS)
 $(ALL_ITEMS): $(MYDIRS)
        $(MAKE) -C $(dir $@)
@@ -60,7 +63,7 @@ $(MYDIRS):
        $(MAKE) -C $@
 .PHONY: filters
-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
+filters: $(SECCOMP_FILTERS)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
        src/fseccomp/fseccomp default seccomp
        src/fsec-optimize/fsec-optimize seccomp
@@ -82,11 +85,15 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
        src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
-$(MANPAGES): src/man config.mk
+seccomp.namespaces: src/fseccomp/fseccomp
-        ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
+        src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts
+seccomp.namespaces.32: src/fseccomp/fseccomp
+        src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts
 .PHONY: man
-man: $(MANPAGES)
+man:
+        $(MAKE) -C src/man
 # Makes all targets in contrib/
 .PHONY: contrib
@@ -156,9 +163,10 @@ clean:
        for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                $(MAKE) -C $$dir clean; \
        done
+        $(MAKE) -C src/man clean
        $(MAKE) -C test clean
        rm -f $(SECCOMP_FILTERS)
-        rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+        rm -f firejail*.rpm
        rm -f $(SYNTAX_FILES)
        rm -f src/fnettrace/static-ip-map
        rm -f test/utils/index.html*
@@ -248,15 +256,8 @@ endif
 ifneq ($(HAVE_MAN),no)
        # man pages
        install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
-        for man in $(MANPAGES); do \
+        install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/
-                rm -f $$man.gz; \
+        install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/
-                gzip -9n $$man; \
-                case "$$man" in \
-                        *.1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \
-                        *.5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \
-                esac; \
-        done
-        rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
 endif
        # bash completion
        install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
@@ -284,10 +285,8 @@ uninstall: config.mk
        rm -f $(DESTDIR)$(bindir)/jailcheck
        rm -fr $(DESTDIR)$(libdir)/firejail
        rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
-        for man in $(MANPAGES); do \
+        rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
-                rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
+        rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
-                rm -f $(DESTDIR)$(mandir)/man1/$$man*; \
-        done
        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
@@ -312,7 +311,6 @@ install.sh \
 m4 \
 mkdeb.sh \
 mketc.sh \
-mkman.sh \
 platform \
 src
diff --git a/RELNOTES b/RELNOTES
index 718ac17a4..dfa62a7c0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.73) baseline; urgency=low
    overwritten using --hostname command
  * feature: add IPv6 support for --net.print option
  * feature: QUIC (HTTP/3) support in --nettrace
+  * feature: use seccomp filters build at install time for --restrict-namespaces
  * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
  * modif: Prevent sandbox name (--name=) and host name (--hostname=)
    from containing only digits (#5578 #5741)
@@ -29,6 +30,9 @@ firejail (0.9.73) baseline; urgency=low
  * build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859)
  * build: disable all built-in implicit make rules (#5864)
  * build: organize and standardize make vars and targets (#5866)
+  * build: fix seccomp filters and man pages always being rebuilt when running
+    make
+  * build: simplify code related to man pages (#5898)
  * ci: always update the package db before installing packages (#5742)
  * ci: fix codeql unable to download its own bundle (#5783)
  * ci: split configure/build/install commands on gitlab (#5784)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 33bcbc51b..f95ddf2fa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -433,6 +433,7 @@ blacklist ${HOME}/.config/equalx
 blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
+blacklist ${HOME}/.config/feh
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.config/flameshot
 blacklist ${HOME}/.config/flaska.net
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
index f05653719..613f74ce5 100644
--- a/etc/profile-a-l/ani-cli.profile
+++ b/etc/profile-a-l/ani-cli.profile
@@ -30,7 +30,7 @@ noprinters
 notv
 disable-mnt
-private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc
 #private-cache
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 82b3f7645..2efd10ba2 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -7,23 +7,33 @@ include feh.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/feh
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 # Add the next line to your feh.local to enable network access.
 #include feh-network.inc.profile
+apparmor
 caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -31,6 +41,8 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
+tracelog
 private-bin feh,jpegexiforient,jpegtran
 private-cache
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 5b71fe6c3..05170267b 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -93,4 +93,4 @@ dbus-user none
 # deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
-restrict-namespaces
+# restrict-namespaces
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d85b470e6..c791913ea 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code;	// always exit with first child's exit s
 extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
 extern int arg_keep_fd_all;     // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
+extern int arg_restrict_namespaces;
 typedef enum {
        DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index cddf3c903..29f805e1a 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -152,7 +152,7 @@ void fs_mount_hosts_file(void) {
        // check /etc/hosts file
        struct stat s;
        if (stat("/etc/hosts", &s) == -1)
-                goto errexit;
+                return;
        // owned by root
        if (s.st_uid != 0)
                goto errexit;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 732ca93c2..45b199db4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -165,6 +165,7 @@ int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
+int arg_restrict_namespaces = 0;
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
                                exit_err_feature("seccomp");
                }
                else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
-                        if (checkcfg(CFG_SECCOMP))
+                        if (checkcfg(CFG_SECCOMP)) {
+                                arg_restrict_namespaces = 1;
                                profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+                        }
                        else
                                exit_err_feature("seccomp");
                }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 6055ec95b..e0c11a005 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) {
                if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
                        errExit("set_perms");
                if (cfg.restrict_namespaces) {
+                        copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed
+#if 0
                        create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
                        if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
                                errExit("set_perms");
                        create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
                        if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
                                errExit("set_perms");
+#endif
                }
                create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
                if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ae881664b..07449f646 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // restrict-namespaces
        if (strcmp(ptr, "restrict-namespaces") == 0) {
-                if (checkcfg(CFG_SECCOMP))
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_restrict_namespaces = 1;
                        profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+                }
                else
                        warning_feature_disabled("seccomp");
                return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 19ac8d9ec..538f5be67 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -987,12 +987,8 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // hosts and hostname
        //****************************
-//      if (cfg.hostname)
        fs_hostname();
-//      if (cfg.hosts_file)
-//              fs_mount_hosts_file();
        //****************************
        // /etc overrides from the network namespace
        //****************************
@@ -1215,7 +1211,19 @@ int sandbox(void* sandbox_arg) {
                seccomp_load(RUN_SECCOMP_MDWX_32);
        }
-        if (cfg.restrict_namespaces) {
+        if (arg_restrict_namespaces) {
+                if (arg_seccomp_error_action != EPERM) {
+                        seccomp_filter_namespaces(true, cfg.restrict_namespaces);
+                        seccomp_filter_namespaces(false, cfg.restrict_namespaces);
+                }
+                if (arg_debug)
+                        printf("Install namespaces filter\n");
+                seccomp_load(RUN_SECCOMP_NS);   // install filter
+                seccomp_load(RUN_SECCOMP_NS_32);
+        }
+        else if (cfg.restrict_namespaces) {
                seccomp_filter_namespaces(true, cfg.restrict_namespaces);
                seccomp_filter_namespaces(false, cfg.restrict_namespaces);
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile
index 9748a3b47..68a4cbdc0 100644
--- a/src/fnettrace/Makefile
+++ b/src/fnettrace/Makefile
@@ -11,6 +11,3 @@ include $(ROOT)/src/prog.mk
 all: $(TARGET) static-ip-map
 static-ip-map: static-ip-map.txt fnettrace
        ./fnettrace --squash-map=static-ip-map.txt > static-ip-map
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index 92c55d148..2742e71c5 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -359,6 +359,7 @@
 172.105.128.0/23 Linode
 # Akamai
+2.16.0.0/13 Akamai
 23.0.0.0/12 Akamai
 23.32.0.0/11 Akamai
 23.64.0.0/14 Akamai
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 7fc0f21f3..d36851a4e 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,6 +79,8 @@
 #define PATH_SECCOMP_DEBUG_32           LIBDIR "/firejail/seccomp.debug32"              // 32bit arch debug filter built during make
 #define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"                 // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces"   // filter for restrict-namespaces
+#define PATH_SECCOMP_NAMESPACES_32      LIBDIR "/firejail/seccomp.namespaces.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 #define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"
diff --git a/src/man/Makefile b/src/man/Makefile
index 197f76192..526ed7fcb 100644
--- a/src/man/Makefile
+++ b/src/man/Makefile
@@ -2,14 +2,25 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
+MOD_DIR := $(ROOT)/src/man
+MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in))
+MANPAGES_GZ := $(MANPAGES_IN:.in=.gz)
+TARGET = $(MANPAGES_GZ)
 .PHONY: all
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
+all: $(TARGET)
-%.man: %.txt $(ROOT)/config.mk
+# foo.1: foo.1.in
-        gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
+$(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk
+        @printf 'Generating %s from %s\n' $@ $<
+        @gawk -f $(MOD_DIR)/preproc.awk -- $(MANFLAGS) <$< | \
+          $(MOD_DIR)/mkman.sh $(VERSION) >$@
-.PHONY: clean
+# foo.1.gz: foo.1
-clean:; rm -fr *.man
+$(MOD_DIR)/%.gz: $(MOD_DIR)/%
+        @printf 'Generating %s from %s\n' $@ $<
+        @rm -f $@
+        @gzip -n9 $<
-.PHONY: distclean
+.PHONY: clean
-distclean: clean
+clean:; rm -f *.1 *.5 *.gz
diff --git a/src/man/firecfg.txt b/src/man/firecfg.1.in
index 42add6a41..42add6a41 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.1.in
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.5.in
index f03fc3c37..f03fc3c37 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.5.in
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.5.in
index fa294d888..fa294d888 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.5.in
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.5.in
index 7aa151680..7aa151680 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.5.in
diff --git a/src/man/firejail.txt b/src/man/firejail.1.in
index 19fc94ebd..19fc94ebd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.1.in
diff --git a/src/man/firemon.txt b/src/man/firemon.1.in
index fb0cf1175..fb0cf1175 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.1.in
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.1.in
index e889ea91b..e889ea91b 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.1.in
diff --git a/mkman.sh b/src/man/mkman.sh
index 58a44ecda..0302e0778 100755
--- a/mkman.sh
+++ b/src/man/mkman.sh
@@ -5,8 +5,10 @@
 set -e
-sed "s/VERSION/$1/g" "$2" > "$3"
 MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
-sed -i "s/MONTH/$MONTH/g" "$3"
 YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
-sed -i "s/YEAR/$YEAR/g" "$3"
+sed \
+  -e "s/VERSION/$1/g" \
+  -e "s/MONTH/$MONTH/g" \
+  -e "s/YEAR/$YEAR/g"