27 files changed, 326 insertions, 213 deletions

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f23488e20..e58fe39ec 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,6 +38,8 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alpine
+alpinef
 amarok
 amule
 amuled
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index a96415985..2266fa499 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -21,6 +21,7 @@
 // sudo mount -o loop krita-3.0-x86_64.appimage mnt
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -28,10 +29,6 @@
 #include <linux/loop.h>
 #include <errno.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static char *devloop = NULL;    // device file
 static long unsigned size = 0;  // offset into appimage file
 #define MAXBUF 4096
@@ -144,9 +141,8 @@ void appimage_set(const char *appimage) {
 
         if (cfg.cwd)
                 env_store_name_val("OWD", cfg.cwd, SETENV);
-#ifdef HAVE_GCOV
+
         __gcov_flush();
-#endif
 #else
         fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
         exit(1);
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f3ab0a6d8..1e9f4b641 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
 char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
@@ -225,6 +226,10 @@ int checkcfg(int val) {
                         else if (strncmp(ptr, "join-timeout ", 13) == 0)
                                 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+                        // add rules to default seccomp filter
+                        else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+                                config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
                         // seccomp error action
                         else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
                                 if (strcmp(ptr + 21, "kill") == 0)
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index edc31cdea..37ec22117 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -20,6 +20,7 @@
 
 #ifdef HAVE_CHROOT
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/sendfile.h>
 #include <errno.h>
@@ -29,10 +30,6 @@
 #define O_PATH 010000000
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 // exit if error
 void fs_check_chroot_dir(void) {
         EUID_ASSERT();
@@ -263,9 +260,8 @@ void fs_chroot(const char *rootdir) {
         // update chroot resolv.conf
         update_file(parentfd, "etc/resolv.conf");
 
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         // create /run/firejail/mnt/oroot
         char *oroot = RUN_OVERLAY_ROOT;
         if (mkdir(oroot, 0755) == -1)
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index bfa28fcba..9a4cb2e6b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -470,7 +470,7 @@ void dbus_apply_policy(void) {
         create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
 
         if (arg_dbus_user != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600);
 
                 if (arg_dbus_user == DBUS_POLICY_FILTER) {
                         assert(dbus_user_proxy_socket != NULL);
@@ -509,7 +509,7 @@ void dbus_apply_policy(void) {
         }
 
         if (arg_dbus_system != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600);
 
                 if (arg_dbus_system == DBUS_POLICY_FILTER) {
                         assert(dbus_system_proxy_socket != NULL);
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 47dd39ac0..ec482e2ea 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -160,9 +160,6 @@ void dhcp_start(void) {
                 exit(1);
         }
 
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
-        dhclient_path = RUN_MNT_DIR "/dhclient";
-
         EUID_ROOT();
         if (mkdir(RUN_DHCLIENT_DIR, 0700))
                 errExit("mkdir");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 622be4d97..9971d30b6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -5,7 +5,7 @@
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; eithe r version 2 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful,
@@ -498,6 +498,7 @@ int macro_id(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
+long long unsigned parse_arg_size(char *str);
 void drop_privs(int nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
@@ -507,7 +508,7 @@ void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
@@ -809,6 +810,7 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 6a49f1465..0e26eb505 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/statvfs.h>
@@ -33,10 +34,6 @@
 #define O_PATH 010000000
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
@@ -171,21 +168,28 @@ static void disable_file(OPERATION op, const char *filename) {
                 fs_remount_rec(fname, op);
         }
         else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
-                        if (getuid()) {
-                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-                                    fname[strlen(cfg.homedir)] != '/') {
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-                                        exit(1);
-                                }
+                if (!S_ISDIR(s.st_mode)) {
+                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                        free(fname);
+                        return;
+                }
+
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                free(fname);
+                                return;
                         }
-                        // fs_tmpfs returns with EUID 0
-                        fs_tmpfs(fname, getuid());
-                        selinux_relabel_path(fname, fname);
-                        EUID_USER();
                 }
-                else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+                fs_tmpfs(fname, uid);
+                EUID_USER(); // fs_tmpfs returns with EUID 0
+
+                selinux_relabel_path(fname, fname);
         }
         else
                 assert(0);
@@ -1206,9 +1210,8 @@ void fs_overlayfs(void) {
         fs_logger("whitelist /tmp");
 
         // chroot in the new filesystem
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         if (chroot(oroot) == -1)
                 errExit("chroot");
 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index eab952eb8..0ed476063 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -34,12 +34,13 @@
 #define O_PATH 010000000
 #endif
 
-static void skel(const char *homedir, uid_t u, gid_t g) {
-        char *fname;
+static void skel(const char *homedir) {
+        EUID_ASSERT();
 
         // zsh
         if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
@@ -50,7 +51,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                         exit(1);
                 }
                 if (access("/etc/skel/.zshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.zshrc");
                         fs_logger2("clone", fname);
                 }
@@ -64,6 +65,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
         // csh
         else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
@@ -74,7 +76,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                         exit(1);
                 }
                 if (access("/etc/skel/.cshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.cshrc");
                         fs_logger2("clone", fname);
                 }
@@ -88,6 +90,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
         // bash etc.
         else {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
                 // don't copy it if we already have the file
@@ -98,7 +101,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                         exit(1);
                 }
                 if (access("/etc/skel/.bashrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.bashrc");
                         fs_logger2("clone", fname);
                 }
@@ -108,6 +111,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 
 static int store_xauthority(void) {
+        EUID_ASSERT();
         if (arg_x11_block)
                 return 0;
 
@@ -118,7 +122,7 @@ static int store_xauthority(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                 if (S_ISLNK(s.st_mode)) {
                         fwarning("invalid .Xauthority file\n");
                         free(src);
@@ -126,6 +130,7 @@ static int store_xauthority(void) {
                 }
 
                 // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                 FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
@@ -134,10 +139,11 @@ static int store_xauthority(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
-                fs_logger2("clone", dest);
+                copy_file_as_user(src, dest, 0600); // regular user
                 selinux_relabel_path(dest, src);
+                fs_logger2("clone", dest);
                 free(src);
                 return 1; // file copied
         }
@@ -147,6 +153,7 @@ static int store_xauthority(void) {
 }
 
 static int store_asoundrc(void) {
+        EUID_ASSERT();
         if (arg_nosound)
                 return 0;
 
@@ -157,11 +164,11 @@ static int store_asoundrc(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                 if (S_ISLNK(s.st_mode)) {
                         // make sure the real path of the file is inside the home directory
                         /* coverity[toctou] */
-                        char *rp = realpath_as_user(src);
+                        char *rp = realpath(src, NULL);
                         if (!rp) {
                                 fprintf(stderr, "Error: Cannot access %s\n", src);
                                 exit(1);
@@ -174,6 +181,7 @@ static int store_asoundrc(void) {
                 }
 
                 // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                 FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
@@ -182,10 +190,11 @@ static int store_asoundrc(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
-                selinux_relabel_path(dest, src);
+                copy_file_as_user(src, dest, 0644); // regular user
                 fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
                 free(src);
                 return 1; // file copied
         }
@@ -195,6 +204,7 @@ static int store_asoundrc(void) {
 }
 
 static void copy_xauthority(void) {
+        EUID_ASSERT();
         // copy XAUTHORITY_FILE in the new home directory
         char *src = RUN_XAUTHORITY_FILE ;
         char *dest;
@@ -207,16 +217,18 @@ static void copy_xauthority(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 static void copy_asoundrc(void) {
+        EUID_ASSERT();
         // copy ASOUNDRC_FILE in the new home directory
         char *src = RUN_ASOUNDRC_FILE ;
         char *dest;
@@ -229,13 +241,14 @@ static void copy_asoundrc(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 // private mode (--private=homedir):
@@ -248,18 +261,18 @@ void fs_private_homedir(void) {
         char *private_homedir = cfg.home_private;
         assert(homedir);
         assert(private_homedir);
+        EUID_ASSERT();
+
+        uid_t u = getuid();
+        // gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        uid_t u = getuid();
-        gid_t g = getgid();
-
         // mount bind private_homedir on top of homedir
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
         // get file descriptors for homedir and private_homedir, fails if there is any symlink
-        EUID_USER();
         int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (src == -1)
                 errExit("opening private directory");
@@ -287,6 +300,7 @@ void fs_private_homedir(void) {
         EUID_ROOT();
         if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
+        EUID_USER();
 
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
@@ -305,6 +319,7 @@ void fs_private_homedir(void) {
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
 
+        EUID_ROOT();
         if (u != 0) {
                 // mask /root
                 if (arg_debug)
@@ -323,8 +338,9 @@ void fs_private_homedir(void) {
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -339,12 +355,15 @@ void fs_private_homedir(void) {
 void fs_private(void) {
         char *homedir = cfg.homedir;
         assert(homedir);
+        EUID_ASSERT();
+
         uid_t u = getuid();
         gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
+        EUID_ROOT();
         // mask /root
         if (arg_debug)
                 printf("Mounting a new /root directory\n");
@@ -387,8 +406,9 @@ void fs_private(void) {
 
                 selinux_relabel_path(homedir, homedir);
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -530,26 +550,29 @@ static void duplicate(char *name) {
 //      set skel files,
 //      restore .Xauthority
 void fs_private_home_list(void) {
-        timetrace_start();
-
         char *homedir = cfg.homedir;
         char *private_list = cfg.home_private_keep;
         assert(homedir);
         assert(private_list);
+        EUID_ASSERT();
 
-        int xflag = store_xauthority();
-        int aflag = store_asoundrc();
+        timetrace_start();
 
         uid_t uid = getuid();
         gid_t gid = getgid();
 
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
+
         // create /run/firejail/mnt/home directory
+        EUID_ROOT();
         mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
         selinux_relabel_path(RUN_HOME_DIR, homedir);
+
         fs_logger_print();      // save the current log
+        EUID_USER();
 
         // copy the list of files in the new home directory
-        EUID_USER();
         if (arg_debug)
                 printf("Copying files in the new home:\n");
         char *dlist = strdup(cfg.home_private_keep);
@@ -587,6 +610,7 @@ void fs_private_home_list(void) {
         EUID_ROOT();
         if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                 errExit("mount bind");
+        EUID_USER();
         close(fd);
 
         // check /proc/self/mountinfo to confirm the mount is ok
@@ -595,11 +619,7 @@ void fs_private_home_list(void) {
                 errLogExit("invalid private-home mount");
         fs_logger2("tmpfs", homedir);
 
-        // mask RUN_HOME_DIR, it is writable and not noexec
-        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mounting tmpfs");
-        fs_logger2("tmpfs", RUN_HOME_DIR);
-
+        EUID_ROOT();
         if (uid != 0) {
                 // mask /root
                 if (arg_debug)
@@ -619,7 +639,12 @@ void fs_private_home_list(void) {
                 fs_logger("tmpfs /home");
         }
 
-        skel(homedir, uid, gid);
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
+
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index bbc2aa938..4983db0a0 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -25,10 +26,6 @@
 #include <sys/wait.h>
 #include <string.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static void check(const char *fname) {
         // manufacture /run/user directory
         char *runuser;
@@ -98,9 +95,9 @@ void fs_mkdir(const char *name) {
 
                 // create directory
                 mkdir_recursive(expanded);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 370035a4d..943f275de 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -374,9 +374,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
         }
 
         // user home directory
-        if (tmpfs_home)
-                // checks owner if outside /home
-                fs_private();
+        if (tmpfs_home) {
+                EUID_USER();
+                fs_private(); // checks owner if outside /home
+                EUID_ROOT();
+        }
 
         // /run/user/$UID directory
         if (tmpfs_runuser) {
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 6ee557648..70985ba9e 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
@@ -31,10 +32,6 @@
 //#include <stdio.h>
 //#include <stdlib.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 // uid/gid cache
 static uid_t c_uid = 0;
 static char *c_uid_name = NULL;
@@ -353,9 +350,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         ls(fname1);
                 else
                         cat(fname1);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
@@ -387,9 +383,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
@@ -419,9 +415,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 02366a08c..7a0d52837 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/syscall.h"
 #include "../include/seccomp.h"
 #define _GNU_SOURCE
@@ -44,10 +45,6 @@
 #define O_PATH 010000000
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #ifdef __ia64__
 /* clone(2) has a different interface on ia64, as it needs to know
    the size of the stack */
@@ -967,7 +964,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
         char *prelist, *postlist;
 
-        if (list) {
+        if (list && list[0]) {
                 syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
                 if (postlist)
                         return 1;
@@ -1496,8 +1493,11 @@ int main(int argc, char **argv, char **envp) {
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-                        check_unsigned(argv[i] + 15, "Error: invalid rlimit");
-                        sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1506,8 +1506,11 @@ int main(int argc, char **argv, char **envp) {
                         arg_rlimit_sigpending = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
-                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
-                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        cfg.rlimit_as = parse_arg_size(argv[i] + 12);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_as = 1;
                 }
                 else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
@@ -2889,6 +2892,15 @@ int main(int argc, char **argv, char **envp) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
+        // customization of default seccomp filter
+        if (config_seccomp_filter_add) {
+                if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+                        profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+                if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+                        profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+        }
+
         if (arg_seccomp)
                 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
 
@@ -3024,9 +3036,9 @@ int main(int argc, char **argv, char **envp) {
                         network_main(child);
                         if (arg_debug)
                                 printf("Host network configured\n");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 807a77bd7..e52bdc6e3 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -18,15 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 extern char *xephyr_screen;
 
 #define MAX_READ 8192                             // line buffer for profile files
@@ -1510,8 +1507,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-                        check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
-                        sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(ptr + 13);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1520,8 +1520,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         arg_rlimit_sigpending = 1;
                 }
                 else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
-                        check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: ");
-                        sscanf(ptr + 10, "%llu", &cfg.rlimit_as);
+                        cfg.rlimit_as = parse_arg_size(ptr + 10);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_as = 1;
                 }
                 else {
@@ -1799,9 +1802,8 @@ void profile_read(const char *fname) {
 //              else {
 //                      free(ptr);
 //              }
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         fclose(fp);
 }
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index dd6fec972..f177f4b89 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -18,13 +18,10 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/time.h>
 #include <sys/resource.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 void set_rlimits(void) {
         EUID_ASSERT();
         // resource limits
@@ -37,9 +34,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
                 rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_CPU, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -54,9 +51,10 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
-#ifdef HAVE_GCOV        // gcov-instrumented programs might crash at this point
+
+                // gcov-instrumented programs might crash at this point
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -71,9 +69,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NPROC, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -88,9 +86,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
                 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_FSIZE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -105,9 +103,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
                 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -122,9 +120,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_as;
                 rl.rlim_max = (rlim_t) cfg.rlimit_as;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_AS, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e06ba3617..fd359c39e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
 #include <sys/mount.h>
@@ -49,10 +50,6 @@
 #include <sys/apparmor.h>
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static int force_nonewprivs = 0;
 
 static int monitored_pid = 0;
@@ -507,9 +504,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                         exit(1);
                 }
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -563,9 +559,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                 if (!arg_command && !arg_quiet)
                         print_time();
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -840,6 +835,7 @@ int sandbox(void* sandbox_arg) {
         // private mode
         //****************************
         if (arg_private) {
+                EUID_USER();
                 if (cfg.home_private) { // --private=
                         if (cfg.chrootdir)
                                 fwarning("private=directory feature is disabled in chroot\n");
@@ -858,6 +854,7 @@ int sandbox(void* sandbox_arg) {
                 }
                 else // --private
                         fs_private();
+                EUID_ROOT();
         }
 
         if (arg_private_dev)
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 9670fe816..3d9bf9082 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
         //      - seccomp
         if (cfg.seccomp_list_drop == NULL) {
                 // default seccomp if error action is not changed
-                if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+                if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+                    && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
                         if (arg_seccomp_block_secondary)
                                 seccomp_filter_block_secondary();
                         else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
                         }
 
                         // build the seccomp filter as a regular user
-                        if (list)
+                        if (list && list[0])
                                 if (arg_allow_debuggers)
                                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
                                                       PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 47c367aad..de31ebdd6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -19,6 +19,7 @@
  */
 #define _XOPEN_SOURCE 500
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <ftw.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -31,6 +32,9 @@
 #include <sys/wait.h>
 #include <limits.h>
 
+#include <string.h>
+#include <ctype.h>
+
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -41,15 +45,49 @@
 #include <linux/openat2.h>
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
 #define EMPTY_STRING ("")
 
 
+long long unsigned parse_arg_size(char *str) {
+        long long unsigned result = 0;
+        int len = strlen(str);
+        sscanf(str, "%llu", &result);
+
+        char suffix = *(str + len - 1);
+        if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) {
+                len -= 1;
+        }
+
+        /* checks for is value valid positive number */
+        for (int i = 0; i < len; i++) {
+                if (!isdigit(*(str+i))) {
+                        return 0;
+                }
+        }
+
+        if (isdigit(suffix))
+                return result;
+
+        switch (suffix) {
+        case 'k':
+                result *= 1024;
+                break;
+        case 'm':
+                result *= 1024 * 1024;
+                break;
+        case 'g':
+                result *= 1024 * 1024 * 1024;
+                break;
+        default:
+                result = 0;
+                break;
+        }
+
+        return result;
+}
+
 // send the error to /var/log/auth.log and exit after a small delay
 void errLogExit(char* fmt, ...) {
         va_list args;
@@ -329,7 +367,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 }
 
 // return -1 if error, 0 if no error
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
@@ -337,13 +375,13 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                 // drop privileges
                 drop_privs(0);
 
-                // copy, set permissions and ownership
-                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                // copy, set permissions
+                int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                 if (rv)
                         fwarning("cannot copy %s\n", srcname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -375,9 +413,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
                         close(src);
                 }
                 close(dst);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -406,9 +444,9 @@ void touch_file_as_user(const char *fname, mode_t mode) {
                 }
                 else
                         fwarning("cannot create %s\n", fname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -1015,9 +1053,9 @@ int remove_overlay_directory(void) {
                         // remove ~/.firejail
                         if (rmdir(path) == -1)
                                 errExit("rmdir");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
                 // wait for the child to finish
@@ -1073,9 +1111,9 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                         }
                         else if (arg_debug)
                                 printf("Directory %s not created: %s\n", dir, strerror(errno));
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
                 waitpid(child, NULL, 0);
@@ -1190,6 +1228,7 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
         assert(fname);
 
         EUID_USER();
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0619ff380..896aa2fd3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1290,9 +1290,11 @@ void x11_xorg(void) {
         if (envar) {
                 char *rp = realpath(envar, NULL);
                 if (rp) {
-                        if (strcmp(rp, dest) != 0)
-                                // disable_file_or_dir returns with EUID 0
+                        if (strcmp(rp, dest) != 0) {
+                                EUID_ROOT();
                                 disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
                         free(rp);
                 }
         }
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index b93d4a5a2..780e3d706 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <netdb.h>
@@ -33,10 +34,6 @@
 //#include <net/route.h>
 //#include <linux/if_bridge.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 // print IP addresses for all interfaces
 static void net_ifprint(void) {
         uint32_t ip;
@@ -149,9 +146,9 @@ static void print_sandbox(pid_t pid) {
                 if (rv)
                         return;
                 net_ifprint();
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
 
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 23d228e26..9d8e5d7f5 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -18,16 +18,13 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define MAXBUF 4096
 
 // ip -s link: device stats
@@ -246,8 +243,7 @@ void netstats(void) {
                                 print_proc(i, itv, col);
                         }
                 }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 4e809681e..716a9cba4 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/socket.h>
 #include <linux/connector.h>
 #include <linux/netlink.h>
@@ -30,10 +31,6 @@
 #include <fcntl.h>
 #include <sys/uio.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
 
@@ -234,9 +231,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
         tv.tv_usec = 0;
 
         while (1) {
-#ifdef HAVE_GCOV
                 __gcov_flush();
-#endif
 
 #define BUFFSIZE 4096
                 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
diff --git a/src/firemon/top.c b/src/firemon/top.c
index 9d6f34991..2217cc7de 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -18,16 +18,13 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static unsigned pgs_rss = 0;
 static unsigned pgs_shared = 0;
 static unsigned clocktick = 0;
@@ -330,8 +327,7 @@ void top(void) {
                         }
                 }
                 head_print(col, row);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h
new file mode 100644
index 000000000..4aafb8e18
--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+
+#ifdef HAS_GCOV
+#include <gcov.h>
+
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere).  Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+       __gcov_dump();
+       __gcov_reset();
+}
+#endif
+#else
+#define __gcov_dump() ((void)0)
+#define __gcov_reset() ((void)0)
+#define __gcov_flush() ((void)0)
+#endif /* HAS_GCOV */
+
+#endif /* GCOV_WRAPPER_H */
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index b3131ac17..d0d9ff5aa 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_fanotify_init
           "fanotify_init,"
 #endif
-#ifdef SYS_kcmp
-          "kcmp,"
-#endif
 #ifdef SYS_add_key
           "add_key,"
 #endif
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6f3bef7f2..db58e0910 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3212a88e4..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -2176,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless allow-debuggers is specified,
+which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2187,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
-
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
+.br
 
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -2209,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
+
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list and the syscalls or syscall groups specified by the
-command.
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -2223,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2235,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2243,9 +2255,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
@@ -2258,7 +2274,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2270,8 +2286,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2315,15 +2330,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
@@ -2566,14 +2581,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.