16 files changed, 167 insertions, 138 deletions

diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index f68edf380..ff411c807 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -5,7 +5,7 @@
 # http://bash-completion.alioth.debian.org
 #*******************************************************************
 
-__interfaces(){
+__interfaces() {
     cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
 }
 
@@ -90,11 +90,11 @@ _firejail()
             _filedir
             return 0
             ;;
-         --net)
-                comps=$(__interfaces)
+        --net)
+            comps=$(__interfaces)
             COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
             return 0
-                ;;
+            ;;
     esac
 
     $split && return 0
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 31810de9a..f279af89f 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -88,7 +88,8 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
-                setfilecon_raw(procfs_path, fcon);
+                if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+                        printf("Cannot relabel %s: %s\n", path, strerror(errno));
         }
         freecon(fcon);
  close:
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 06e6f0ccb..e5d837bbb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -58,6 +58,7 @@ int checkcfg(int val) {
                 cfg_val[CFG_XPRA_ATTACH] = 0;
                 cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
                 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
+                cfg_val[CFG_ALLOW_TRAY] = 0;
 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
@@ -122,6 +123,7 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
                         PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+                        PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
 #undef PARSE_YESNO
 
                         // netfilter
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index bcc7e6ed1..730c37aed 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -563,7 +563,7 @@ typedef struct {
 
 // mountinfo.c
 MountData *get_last_mount(void);
-int get_mount_id(const char *path);
+int get_mount_id(int fd);
 char **build_mount_array(const int mount_id, const char *path);
 
 // fs_var.c
@@ -802,6 +802,7 @@ enum {
         CFG_NAME_CHANGE,
         CFG_SECCOMP_ERROR_ACTION,
         // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
+        CFG_ALLOW_TRAY,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index dd4c2139d..3144156a3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -200,8 +200,6 @@ static void disable_file(OPERATION op, const char *filename) {
                 }
 
                 fs_tmpfs(fname, uid);
-                EUID_USER(); // fs_tmpfs returns with EUID 0
-
                 selinux_relabel_path(fname, fname);
         }
         else
@@ -282,6 +280,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
+        EUID_ASSERT();
+
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
@@ -293,7 +293,6 @@ void fs_blacklist(void) {
         if (noblacklist == NULL)
                 errExit("failed allocating memory for noblacklist entries");
 
-        EUID_USER();
         while (entry) {
                 OPERATION op = OPERATION_MAX;
                 char *ptr;
@@ -469,8 +468,6 @@ void fs_blacklist(void) {
         for (i = 0; i < noblacklist_c; i++)
                 free(noblacklist[i]);
         free(noblacklist);
-
-        EUID_ROOT();
 }
 
 //***********************************************
@@ -479,7 +476,7 @@ void fs_blacklist(void) {
 
 // mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
-        EUID_USER();
+        EUID_ASSERT();
         assert(dir);
         if (arg_debug)
                 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -504,12 +501,13 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
                 errExit("fstatvfs");
         unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
         // mount via the symbolic link in /proc/self/fd
-        EUID_ROOT();
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
+        EUID_ROOT();
         if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0)
                 errExit("mounting tmpfs");
+        EUID_USER();
         // check the last mount operation
         MountData *mdata = get_last_mount();
         if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0)
@@ -635,34 +633,30 @@ out:
 }
 
 // remount recursively; requires a resolved path
-static void fs_remount_rec(const char *dir, OPERATION op) {
+static void fs_remount_rec(const char *path, OPERATION op) {
         EUID_ASSERT();
-        assert(dir);
+        assert(op < OPERATION_MAX);
+        assert(path);
 
-        struct stat s;
-        if (stat(dir, &s) != 0)
-                return;
-        if (!S_ISDIR(s.st_mode)) {
-                // no need to search in /proc/self/mountinfo for submounts if not a directory
-                fs_remount_simple(dir, op);
+        // no need to search /proc/self/mountinfo for submounts if not a directory
+        int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0) {
+                fs_remount_simple(path, op);
                 return;
         }
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                static int mount_warning = 0;
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
-                }
-                fs_remount_simple(dir, op);
+
+        // get mount id of the directory
+        int mountid = get_mount_id(fd);
+        close(fd);
+        if (mountid < 0) {
+                // falling back to a simple remount
+                fwarning("%s %s not applied recursively\n", opstr[op], path);
+                fs_remount_simple(path, op);
                 return;
         }
+
         // build array with all mount points that need to get remounted
-        char **arr = build_mount_array(mountid, dir);
+        char **arr = build_mount_array(mountid, path);
         assert(arr);
         // remount
         char **tmp = arr;
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 8cc3ecc62..a43b18344 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -330,8 +330,10 @@ void fs_dev_disable_sound(void) {
         }
 
         // disable all jack sockets in /dev/shm
+        EUID_USER();
         glob_t globbuf;
         int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
         if (globerr)
                 return;
 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 0ed476063..590337da1 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -395,14 +395,16 @@ void fs_private(void) {
                         }
                         if (chown(homedir, u, g) < 0)
                                 errExit("chown");
-
                         fs_logger2("mkdir", homedir);
                         fs_logger2("tmpfs", homedir);
                 }
-                else
+                else {
                         // mask user home directory
                         // the directory should be owned by the current user
+                        EUID_USER();
                         fs_tmpfs(homedir, 1);
+                        EUID_ROOT();
+                }
 
                 selinux_relabel_path(homedir, homedir);
         }
@@ -564,12 +566,13 @@ void fs_private_home_list(void) {
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        // create /run/firejail/mnt/home directory
         EUID_ROOT();
+        // create /run/firejail/mnt/home directory
         mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
         selinux_relabel_path(RUN_HOME_DIR, homedir);
 
-        fs_logger_print();      // save the current log
+        // save the current log
+        fs_logger_print();
         EUID_USER();
 
         // copy the list of files in the new home directory
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 943f275de..7afebed1f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -105,6 +105,7 @@ static int whitelist_mkpath(const char* path, mode_t mode) {
 }
 
 static void whitelist_file(int dirfd, const char *relpath, const char *path) {
+        EUID_ASSERT();
         assert(relpath && path);
 
         // open mount source, using a file descriptor that refers to the
@@ -130,12 +131,9 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
         }
 
         // create mount target as root, except if inside home or run/user/$UID directory
-        int userprivs = 0;
-        if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') ||
-            (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) {
-                EUID_USER();
-                userprivs = 1;
-        }
+        if ((strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') &&
+            (strncmp(path, runuser, runuser_len) != 0 || path[runuser_len] != '/'))
+                EUID_ROOT();
 
         // create path of the mount target
         int fd2 = whitelist_mkpath(path, 0755);
@@ -146,8 +144,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
                 if (arg_debug || arg_debug_whitelists)
                         printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 close(fd);
-                if (userprivs)
-                        EUID_ROOT();
+                EUID_USER();
                 return;
         }
 
@@ -166,8 +163,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
                         }
                         close(fd);
                         close(fd2);
-                        if (userprivs)
-                                EUID_ROOT();
+                        EUID_USER();
                         return;
                 }
                 fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
@@ -184,19 +180,17 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
                 }
                 close(fd);
                 close(fd2);
-                if (userprivs)
-                        EUID_ROOT();
+                EUID_USER();
                 return;
         }
-
         close(fd2);
-        if (userprivs)
-                EUID_ROOT();
 
         if (arg_debug || arg_debug_whitelists)
                 printf("Whitelisting %s\n", path);
+        EUID_ROOT();
         if (bind_mount_by_fd(fd, fd3))
                 errExit("mount bind");
+        EUID_USER();
         // check the last mount operation
         MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
 #ifdef TEST_MOUNTINFO
@@ -219,22 +213,19 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
 }
 
 static void whitelist_symlink(const char *link, const char *target) {
+        EUID_ASSERT();
         assert(link && target);
 
         // create files as root, except if inside home or run/user/$UID directory
-        int userprivs = 0;
-        if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') ||
-            (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) {
-                EUID_USER();
-                userprivs = 1;
-        }
+        if ((strncmp(link, cfg.homedir, homedir_len) != 0 || link[homedir_len] != '/') &&
+            (strncmp(link, runuser, runuser_len) != 0 || link[runuser_len] != '/'))
+                EUID_ROOT();
 
         int fd = whitelist_mkpath(link, 0755);
         if (fd == -1) {
                 if (arg_debug || arg_debug_whitelists)
                         printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
-                if (userprivs)
-                        EUID_ROOT();
+                EUID_USER();
                 return;
         }
 
@@ -252,8 +243,7 @@ static void whitelist_symlink(const char *link, const char *target) {
                 printf("Created symbolic link %s -> %s\n", link, target);
 
         close(fd);
-        if (userprivs)
-                EUID_ROOT();
+        EUID_USER();
 }
 
 static void globbing(const char *pattern) {
@@ -330,10 +320,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                 // init tmpfs
                 if (strcmp(topdirs[i].path, "/run") == 0) {
                         // restore /run/firejail directory
-                        if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1)
-                                errExit("mkdir");
+                        EUID_ROOT();
+                        mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0);
                         if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
                                 errExit("mount bind");
+                        EUID_USER();
                         close(fd);
                         fs_logger2("whitelist", RUN_FIREJAIL_DIR);
 
@@ -351,12 +342,14 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                                         errExit("asprintf");
                                 if (strcmp(env, pamtmpdir) == 0) {
                                         // create empty user-owned /tmp/user/$UID directory
+                                        EUID_ROOT();
                                         mkdir_attr("/tmp/user", 0711, 0, 0);
                                         selinux_relabel_path("/tmp/user", "/tmp/user");
                                         fs_logger("mkdir /tmp/user");
                                         mkdir_attr(pamtmpdir, 0700, getuid(), 0);
                                         selinux_relabel_path(pamtmpdir, pamtmpdir);
                                         fs_logger2("mkdir", pamtmpdir);
+                                        EUID_USER();
                                 }
                                 free(pamtmpdir);
                         }
@@ -374,11 +367,8 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
         }
 
         // user home directory
-        if (tmpfs_home) {
-                EUID_USER();
+        if (tmpfs_home)
                 fs_private(); // checks owner if outside /home
-                EUID_ROOT();
-        }
 
         // /run/user/$UID directory
         if (tmpfs_runuser) {
@@ -402,6 +392,7 @@ static int reject_topdir(const char *dir) {
 // keep track of whitelist top level directories by adding them to an array
 // open each directory
 static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
+        EUID_ASSERT();
         assert(dir && path);
 
         // /proc and /sys are not allowed
@@ -516,6 +507,8 @@ static char *extract_topdir(const char *path) {
 }
 
 void fs_whitelist(void) {
+        EUID_ASSERT();
+
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
@@ -536,7 +529,6 @@ void fs_whitelist(void) {
                 errExit("calloc");
 
         // verify whitelist files, extract symbolic links, etc.
-        EUID_USER();
         while (entry) {
                 int nowhitelist_flag = 0;
 
@@ -630,7 +622,7 @@ void fs_whitelist(void) {
                 if (!fname) {
                         if (arg_debug || arg_debug_whitelists) {
                                 printf("Removed path: %s\n", entry->data);
-                                printf("\texpanded: %s\n", new_name);
+                                printf("\tnew_name: %s\n", new_name);
                                 printf("\trealpath: (null)\n");
                                 printf("\t%s\n", strerror(errno));
                         }
@@ -712,7 +704,6 @@ void fs_whitelist(void) {
         free(nowhitelist);
 
         // mount tmpfs on all top level directories
-        EUID_ROOT();
         tmpfs_topdirs(topdirs);
 
         // go through profile rules again, and interpret whitelist commands
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 64a94bd84..304f80eee 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -151,53 +152,71 @@ MountData *get_last_mount(void) {
         return &mdata;
 }
 
-// Extract the mount id from /proc/self/fdinfo and return it.
-int get_mount_id(const char *path) {
+// Returns mount id, or -1 if fd refers to a procfs or sysfs file
+static int get_mount_id_from_handle(int fd) {
         EUID_ASSERT();
-        assert(path);
 
-        int fd = open(path, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                return -1;
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        struct file_handle *fh = malloc(sizeof *fh);
+        if (!fh)
+                errExit("malloc");
+        fh->handle_bytes = 0;
+
+        int rv = -1;
+        int tmp;
+        if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) {
+                fprintf(stderr, "Error: unexpected result from name_to_handle_at\n");
+                exit(1);
+        }
+        if (errno == EOVERFLOW && fh->handle_bytes)
+                rv = tmp;
+
+        free(proc);
+        free(fh);
+        return rv;
+}
+
+// Returns mount id, or -1 on kernels < 3.15
+static int get_mount_id_from_fdinfo(int fd) {
+        EUID_ASSERT();
+        int rv = -1;
 
-        char *fdinfo;
-        if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
                 errExit("asprintf");
         EUID_ROOT();
-        FILE *fp = fopen(fdinfo, "re");
+        FILE *fp = fopen(proc, "re");
         EUID_USER();
-        free(fdinfo);
         if (!fp)
                 goto errexit;
 
-        // read the file
         char buf[MAX_BUF];
-        if (fgets(buf, MAX_BUF, fp) == NULL)
-                goto errexit;
-        do {
+        while (fgets(buf, MAX_BUF, fp)) {
                 if (strncmp(buf, "mnt_id:", 7) == 0) {
-                        char *ptr = buf + 7;
-                        while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-                                ptr++;
-                        }
-                        if (*ptr == '\0')
+                        if (sscanf(buf + 7, "%d", &rv) != 1)
                                 goto errexit;
-                        fclose(fp);
-                        close(fd);
-                        return atoi(ptr);
+                        break;
                 }
-        } while (fgets(buf, MAX_BUF, fp));
+        }
 
-        // fallback, kernels older than 3.15 don't expose the mount id in this place
+        free(proc);
         fclose(fp);
-        close(fd);
-        return -2;
+        return rv;
 
 errexit:
         fprintf(stderr, "Error: cannot read proc file\n");
         exit(1);
 }
 
+int get_mount_id(int fd) {
+        int rv = get_mount_id_from_fdinfo(fd);
+        if (rv < 0)
+                rv = get_mount_id_from_handle(fd);
+        return rv;
+}
+
 // Check /proc/self/mountinfo if path contains any mounts points.
 // Returns an array that can be iterated over for recursive remounting.
 char **build_mount_array(const int mount_id, const char *path) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 059100fcb..5390249ea 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -175,6 +175,10 @@ static int check_allow_drm(void) {
         return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
 }
 
+static int check_allow_tray(void) {
+        return checkcfg(CFG_ALLOW_TRAY) != 0;
+}
+
 Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NET", check_netoptions},
@@ -184,6 +188,7 @@ Cond conditionals[] = {
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
         {"BROWSER_ALLOW_DRM", check_allow_drm},
+        {"ALLOW_TRAY", check_allow_tray},
         { NULL, NULL }
 };
 
@@ -630,7 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strncmp(ptr, "netns  ", 6) == 0) {
+        else if (strncmp(ptr, "netns ", 6) == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
                         arg_netns = ptr + 6;
@@ -981,10 +986,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
@@ -1001,10 +1006,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7a1ce737b..b776a0cc5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1007,10 +1007,12 @@ int sandbox(void* sandbox_arg) {
         // apply the profile file
         //****************************
         // apply all whitelist commands ...
+        EUID_USER();
         fs_whitelist();
 
         // ... followed by blacklist commands
         fs_blacklist(); // mkdir and mkfile are processed all over again
+        EUID_ROOT();
 
         //****************************
         // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 6969e7a3d..fa59882ed 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -57,7 +58,17 @@ void selinux_relabel_path(const char *path, const char *inside_path)
 
         /* Open the file as O_PATH, to pin it while we determine and adjust the label
          * Defeat symlink races by not allowing symbolic links */
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
+
         fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+
+        if (called_as_root)
+                EUID_ROOT();
+
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
@@ -68,8 +79,16 @@ void selinux_relabel_path(const char *path, const char *inside_path)
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
-                setfilecon_raw(procfs_path, fcon);
+                if (!called_as_root)
+                        EUID_ROOT();
+
+                if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+                        printf("Cannot relabel %s: %s\n", path, strerror(errno));
+
+                if (!called_as_root)
+                        EUID_USER();
         }
+
         freecon(fcon);
  close:
         close(fd);
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 094a68c60..f0df45eb2 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -459,31 +459,21 @@ int is_dir(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        int called_as_root = 0;
-        if (geteuid() == 0)
-                called_as_root = 1;
-
-        if (called_as_root)
-                EUID_USER();
-
         // if fname doesn't end in '/', add one
         int rv;
         struct stat s;
         if (fname[strlen(fname) - 1] == '/')
-                rv = stat(fname, &s);
+                rv = stat_as_user(fname, &s);
         else {
                 char *tmp;
                 if (asprintf(&tmp, "%s/", fname) == -1) {
                         fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
                         errExit("asprintf");
                 }
-                rv = stat(tmp, &s);
+                rv = stat_as_user(tmp, &s);
                 free(tmp);
         }
 
-        if (called_as_root)
-                EUID_ROOT();
-
         if (rv == -1)
                 return 0;
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index a768829a1..a1eccaa5e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -174,7 +174,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
@@ -324,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid.
 #ifdef HAVE_OVERLAYFS
 .TP
 \fBoverlay
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/<PID>  directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .TP
 \fBoverlay-named name
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/name  directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/name directory.
 .TP
 \fBoverlay-tmpfs
-Mount  a  filesystem  overlay  on top of the current filesystem.
-All filesystem  modifications are discarded when the sandbox is closed.
+Mount a filesystem overlay on top of the current filesystem.
+All filesystem modifications are discarded when the sandbox is closed.
 #endif
 .TP
 \fBprivate
@@ -487,12 +487,12 @@ does not result in an increase of privilege.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot
-Use this command  to enable an user namespace. The namespace has only one user, the current user.
+Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
 #endif
 .TP
 \fBprotocol protocol1,protocol2,protocol3
-Enable protocol filter. The filter is based on seccomp and  checks the
+Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually.
 
 .TP
 \fBiprange address,address
-Assign  an  IP address in the provided range to the last network
-interface defined by  a  net command.  A  default  gateway  is assigned by default.
+Assign an IP address in the provided range to the last network
+interface defined by a net command.  A default gateway is assigned by default.
 .br
 
 .br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0462705c0..2883ab257 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb
 #ifdef HAVE_LTS
 This is Firejail long-term support (LTS), an enterprise focused version of the software,
 LTS is usually supported for two or three years.
-During this time  only bugs and the occasional documentation problems are fixed.
+During this time only bugs and the occasional documentation problems are fixed.
 The attack surface of the SUID executable was greatly reduced by removing some of the features.
 .br
 
@@ -109,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
 .br
 Example:
 .br
-$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -947,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
 
 .TP
 \fB\-\-ipc-namespace
-Enable  a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
+Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
 for sandboxes started as root.
 .br
 
@@ -1014,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 
 .br
-# verify  IP addresses
+# verify IP addresses
 .br
 $ sudo firejail --join-network=browser ip addr
 .br
@@ -2134,7 +2134,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-cpu=number
 Set the maximum limit, in seconds, for the amount of CPU time each
-sandboxed process  can consume. When the limit is reached, the processes are killed.
+sandboxed process can consume. When the limit is reached, the processes are killed.
 
 The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
 the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2865,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support
 connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
 contents of other clients, stealing input events, etc.
 
-The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
 and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
 Firefox and transmission-gtk seem to be working fine.
 A network namespace is not required for this option.
@@ -3256,7 +3256,7 @@ The owner of the sandbox.
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
 /etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  in adduser command:
+you can specify /usr/bin/firejail in adduser command:
 
 adduser \-\-shell /usr/bin/firejail username
 
@@ -3266,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
+1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
 Example:
 .PP
 .RS
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 76b2f7be2..c4e6e15b3 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -56,7 +56,7 @@ Print route table for each sandbox.
 Print seccomp configuration for each sandbox.
 .TP
 \fB\-\-top
-Monitor the most CPU-intensive sandboxes. This command  is similar to
+Monitor the most CPU-intensive sandboxes. This command is similar to
 the regular UNIX top command, however it applies only to sandboxes.
 .TP
 \fB\-\-tree