30 files changed, 202 insertions, 91 deletions

diff --git a/RELNOTES b/RELNOTES
index c989b00ff..6a629476d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,11 @@
 firejail (0.9.65) baseline; urgency=low
   * deprecated --audit options, relpaced by jailcheck utility
   * deprecated follow-symlink-as-user from firejail.config
+  * new firejail.config settings: private-bin, private-etc
+  * new firejail.config settings: private-opt, private-srv
+  * new firejail.config settings: whitelist-disable-topdir
+  * new firejail.config settings: seccomp-filter-add
+  * removed kcmp syscall from seccomp default filter
   * rename --noautopulse to keep-config-pulse
   * filtering environment variables
   * zsh completion
diff --git a/etc/firejail.config b/etc/firejail.config
index f5b3d5efa..43db49422 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -113,6 +113,10 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 043fd6718..7cf04c550 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -34,6 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
+whitelist /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f7493aa82..b0e0254d4 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,8 +37,9 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
+# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 7874c882f..3ad67734d 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -56,8 +56,9 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
+# Add the next three lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 8e3e58f19..da047357a 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,8 +44,9 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 0775f60ff..3992c984a 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index a96415985..056640eec 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -29,7 +29,7 @@
 #include <errno.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 static char *devloop = NULL;    // device file
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f3ab0a6d8..1e9f4b641 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
 char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
@@ -225,6 +226,10 @@ int checkcfg(int val) {
                         else if (strncmp(ptr, "join-timeout ", 13) == 0)
                                 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+                        // add rules to default seccomp filter
+                        else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+                                config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
                         // seccomp error action
                         else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
                                 if (strcmp(ptr + 21, "kill") == 0)
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index edc31cdea..0d4baa618 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -30,7 +30,7 @@
 #endif
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 // exit if error
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index c84965074..9971d30b6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -5,7 +5,7 @@
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; eithe r version 2 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful,
@@ -508,7 +508,7 @@ void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
@@ -810,6 +810,7 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 4ae7dbfa4..806fa9249 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -34,7 +34,7 @@
 #endif
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 #define MAX_BUF 4096
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index eab952eb8..0ed476063 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -34,12 +34,13 @@
 #define O_PATH 010000000
 #endif
 
-static void skel(const char *homedir, uid_t u, gid_t g) {
-        char *fname;
+static void skel(const char *homedir) {
+        EUID_ASSERT();
 
         // zsh
         if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
@@ -50,7 +51,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                         exit(1);
                 }
                 if (access("/etc/skel/.zshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.zshrc");
                         fs_logger2("clone", fname);
                 }
@@ -64,6 +65,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
         // csh
         else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
@@ -74,7 +76,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                         exit(1);
                 }
                 if (access("/etc/skel/.cshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.cshrc");
                         fs_logger2("clone", fname);
                 }
@@ -88,6 +90,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
         // bash etc.
         else {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
@@ -98,7 +101,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                         exit(1);
                 }
                 if (access("/etc/skel/.bashrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.bashrc");
                         fs_logger2("clone", fname);
                 }
@@ -108,6 +111,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 
 static int store_xauthority(void) {
+        EUID_ASSERT();
         if (arg_x11_block)
                 return 0;
 
@@ -118,7 +122,7 @@ static int store_xauthority(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                 if (S_ISLNK(s.st_mode)) {
                         fwarning("invalid .Xauthority file\n");
                         free(src);
@@ -126,6 +130,7 @@ static int store_xauthority(void) {
                 }
 
                 // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                 FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
@@ -134,10 +139,11 @@ static int store_xauthority(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
-                fs_logger2("clone", dest);
+                copy_file_as_user(src, dest, 0600); // regular user
                 selinux_relabel_path(dest, src);
+                fs_logger2("clone", dest);
                 free(src);
                 return 1; // file copied
         }
@@ -147,6 +153,7 @@ static int store_xauthority(void) {
 }
 
 static int store_asoundrc(void) {
+        EUID_ASSERT();
         if (arg_nosound)
                 return 0;
 
@@ -157,11 +164,11 @@ static int store_asoundrc(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                 if (S_ISLNK(s.st_mode)) {
                         // make sure the real path of the file is inside the home directory
                         /* coverity[toctou] */
-                        char *rp = realpath_as_user(src);
+                        char *rp = realpath(src, NULL);
                         if (!rp) {
                                 fprintf(stderr, "Error: Cannot access %s\n", src);
                                 exit(1);
@@ -174,6 +181,7 @@ static int store_asoundrc(void) {
                 }
 
                 // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                 FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
@@ -182,10 +190,11 @@ static int store_asoundrc(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
-                selinux_relabel_path(dest, src);
+                copy_file_as_user(src, dest, 0644); // regular user
                 fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
                 free(src);
                 return 1; // file copied
         }
@@ -195,6 +204,7 @@ static int store_asoundrc(void) {
 }
 
 static void copy_xauthority(void) {
+        EUID_ASSERT();
         // copy XAUTHORITY_FILE in the new home directory
         char *src = RUN_XAUTHORITY_FILE ;
         char *dest;
@@ -207,16 +217,18 @@ static void copy_xauthority(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 static void copy_asoundrc(void) {
+        EUID_ASSERT();
         // copy ASOUNDRC_FILE in the new home directory
         char *src = RUN_ASOUNDRC_FILE ;
         char *dest;
@@ -229,13 +241,14 @@ static void copy_asoundrc(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 // private mode (--private=homedir):
@@ -248,18 +261,18 @@ void fs_private_homedir(void) {
         char *private_homedir = cfg.home_private;
         assert(homedir);
         assert(private_homedir);
+        EUID_ASSERT();
+
+        uid_t u = getuid();
+        // gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        uid_t u = getuid();
-        gid_t g = getgid();
-
         // mount bind private_homedir on top of homedir
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
         // get file descriptors for homedir and private_homedir, fails if there is any symlink
-        EUID_USER();
         int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (src == -1)
                 errExit("opening private directory");
@@ -287,6 +300,7 @@ void fs_private_homedir(void) {
         EUID_ROOT();
         if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
+        EUID_USER();
 
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
@@ -305,6 +319,7 @@ void fs_private_homedir(void) {
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
 
+        EUID_ROOT();
         if (u != 0) {
                 // mask /root
                 if (arg_debug)
@@ -323,8 +338,9 @@ void fs_private_homedir(void) {
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -339,12 +355,15 @@ void fs_private_homedir(void) {
 void fs_private(void) {
         char *homedir = cfg.homedir;
         assert(homedir);
+        EUID_ASSERT();
+
         uid_t u = getuid();
         gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
+        EUID_ROOT();
         // mask /root
         if (arg_debug)
                 printf("Mounting a new /root directory\n");
@@ -387,8 +406,9 @@ void fs_private(void) {
 
                 selinux_relabel_path(homedir, homedir);
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -530,26 +550,29 @@ static void duplicate(char *name) {
 //      set skel files,
 //      restore .Xauthority
 void fs_private_home_list(void) {
-        timetrace_start();
-
         char *homedir = cfg.homedir;
         char *private_list = cfg.home_private_keep;
         assert(homedir);
         assert(private_list);
+        EUID_ASSERT();
 
-        int xflag = store_xauthority();
-        int aflag = store_asoundrc();
+        timetrace_start();
 
         uid_t uid = getuid();
         gid_t gid = getgid();
 
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
+
         // create /run/firejail/mnt/home directory
+        EUID_ROOT();
         mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
         selinux_relabel_path(RUN_HOME_DIR, homedir);
+
         fs_logger_print();      // save the current log
+        EUID_USER();
 
         // copy the list of files in the new home directory
-        EUID_USER();
         if (arg_debug)
                 printf("Copying files in the new home:\n");
         char *dlist = strdup(cfg.home_private_keep);
@@ -587,6 +610,7 @@ void fs_private_home_list(void) {
         EUID_ROOT();
         if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                 errExit("mount bind");
+        EUID_USER();
         close(fd);
 
         // check /proc/self/mountinfo to confirm the mount is ok
@@ -595,11 +619,7 @@ void fs_private_home_list(void) {
                 errLogExit("invalid private-home mount");
         fs_logger2("tmpfs", homedir);
 
-        // mask RUN_HOME_DIR, it is writable and not noexec
-        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mounting tmpfs");
-        fs_logger2("tmpfs", RUN_HOME_DIR);
-
+        EUID_ROOT();
         if (uid != 0) {
                 // mask /root
                 if (arg_debug)
@@ -619,7 +639,12 @@ void fs_private_home_list(void) {
                 fs_logger("tmpfs /home");
         }
 
-        skel(homedir, uid, gid);
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
+
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index bbc2aa938..0195435f9 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -26,7 +26,7 @@
 #include <string.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 static void check(const char *fname) {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 370035a4d..943f275de 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -374,9 +374,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
         }
 
         // user home directory
-        if (tmpfs_home)
-                // checks owner if outside /home
-                fs_private();
+        if (tmpfs_home) {
+                EUID_USER();
+                fs_private(); // checks owner if outside /home
+                EUID_ROOT();
+        }
 
         // /run/user/$UID directory
         if (tmpfs_runuser) {
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 6ee557648..ae7e89741 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -32,7 +32,7 @@
 //#include <stdlib.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 // uid/gid cache
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b376095f1..7b32f6f07 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -45,7 +45,7 @@
 #endif
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 #ifdef __ia64__
@@ -967,7 +967,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
         char *prelist, *postlist;
 
-        if (list) {
+        if (list && list[0]) {
                 syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
                 if (postlist)
                         return 1;
@@ -2895,6 +2895,15 @@ int main(int argc, char **argv, char **envp) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
+        // customization of default seccomp filter
+        if (config_seccomp_filter_add) {
+                if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+                        profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+                if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+                        profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+        }
+
         if (arg_seccomp)
                 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5b1478918..7b21eb387 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -24,7 +24,7 @@
 #include <sys/stat.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 extern char *xephyr_screen;
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index dd6fec972..2666486fa 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -22,7 +22,7 @@
 #include <sys/resource.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 void set_rlimits(void) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e06ba3617..99abce57f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -50,7 +50,7 @@
 #endif
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 static int force_nonewprivs = 0;
@@ -840,6 +840,7 @@ int sandbox(void* sandbox_arg) {
         // private mode
         //****************************
         if (arg_private) {
+                EUID_USER();
                 if (cfg.home_private) { // --private=
                         if (cfg.chrootdir)
                                 fwarning("private=directory feature is disabled in chroot\n");
@@ -858,6 +859,7 @@ int sandbox(void* sandbox_arg) {
                 }
                 else // --private
                         fs_private();
+                EUID_ROOT();
         }
 
         if (arg_private_dev)
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 9670fe816..3d9bf9082 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
         //      - seccomp
         if (cfg.seccomp_list_drop == NULL) {
                 // default seccomp if error action is not changed
-                if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+                if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+                    && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
                         if (arg_seccomp_block_secondary)
                                 seccomp_filter_block_secondary();
                         else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
                         }
 
                         // build the seccomp filter as a regular user
-                        if (list)
+                        if (list && list[0])
                                 if (arg_allow_debuggers)
                                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
                                                       PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 68b76b8e8..55998e6c3 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -45,7 +45,7 @@
 #endif
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 #define MAX_GROUPS 1024
@@ -370,7 +370,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 }
 
 // return -1 if error, 0 if no error
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
@@ -378,8 +378,8 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                 // drop privileges
                 drop_privs(0);
 
-                // copy, set permissions and ownership
-                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                // copy, set permissions
+                int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                 if (rv)
                         fwarning("cannot copy %s\n", srcname);
 #ifdef HAVE_GCOV
@@ -1231,6 +1231,7 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
         assert(fname);
 
         EUID_USER();
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0619ff380..896aa2fd3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1290,9 +1290,11 @@ void x11_xorg(void) {
         if (envar) {
                 char *rp = realpath(envar, NULL);
                 if (rp) {
-                        if (strcmp(rp, dest) != 0)
-                                // disable_file_or_dir returns with EUID 0
+                        if (strcmp(rp, dest) != 0) {
+                                EUID_ROOT();
                                 disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
                         free(rp);
                 }
         }
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index b93d4a5a2..372cdee41 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -34,7 +34,7 @@
 //#include <linux/if_bridge.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 // print IP addresses for all interfaces
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 23d228e26..bc951aa26 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -25,7 +25,7 @@
 #include <unistd.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 #define MAXBUF 4096
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 4e809681e..79f487582 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -31,7 +31,7 @@
 #include <sys/uio.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 #define PIDS_BUFLEN 4096
diff --git a/src/firemon/top.c b/src/firemon/top.c
index 9d6f34991..d0f911e60 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -25,7 +25,7 @@
 #include <unistd.h>
 
 #ifdef HAVE_GCOV
-#include <gcov.h>
+#include "../include/gcov_wrapper.h"
 #endif
 
 static unsigned pgs_rss = 0;
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h
new file mode 100644
index 000000000..2f409309d
--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+
+#include <gcov.h>
+
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere).  Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+       __gcov_dump();
+       __gcov_reset();
+}
+#endif
+
+#endif /* GCOV_WRAPPER_H */
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index b3131ac17..d0d9ff5aa 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_fanotify_init
           "fanotify_init,"
 #endif
-#ifdef SYS_kcmp
-          "kcmp,"
-#endif
 #ifdef SYS_add_key
           "add_key,"
 #endif
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d18811316..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless allow-debuggers is specified,
+which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2189,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
-
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
+.br
 
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -2211,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
+
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list and the syscalls or syscall groups specified by the
-command.
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -2225,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2237,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2245,9 +2255,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
@@ -2260,7 +2274,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2272,8 +2286,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2317,15 +2330,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".