11 files changed, 196 insertions, 116 deletions

diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index a56e8a91b..84fe44d73 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -277,7 +277,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
         // don't copy it if we already have the file
         struct stat s;
-        if (stat(outfname, &s) == 0) {
+        if (lstat(outfname, &s) == 0) {
                 if (first)
                         first = 0;
                 else if (!arg_quiet)
@@ -286,7 +286,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
         }
 
         // extract mode and ownership
-        if (stat(infname, &s) != 0)
+        if (lstat(infname, &s) != 0)
                 goto out;
 
         uid_t uid = s.st_uid;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 19c3166fa..558fe51ed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -834,6 +834,7 @@ thunderbird-beta
 thunderbird-wayland
 tidal-hifi
 tilp
+tiny-rdm
 tor-browser
 tor-browser-ar
 tor-browser-ca
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index 8f74a1198..11e3ebc67 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -37,6 +37,16 @@
 #include "../include/common.h"
 #define MAX_BUF 4096
 
+// config files
+#define FIRECFG_CFGFILE SYSCONFDIR "/firecfg.config"
+#define FIRECFG_CONF_GLOB SYSCONFDIR "/firecfg.d/*.conf"
+
+// programs
+#define FIREJAIL_EXEC PREFIX "/bin/firejail"
+#define FIREJAIL_WELCOME_SH LIBDIR "/firejail/firejail-welcome.sh"
+#define FZENITY_EXEC        LIBDIR "/firejail/fzenity"
+#define ZENITY_EXEC "/usr/bin/zenity"
+#define SUDO_EXEC "sudo"
 
 // main.c
 extern int arg_debug;
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 4ec81c5b3..604b12633 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -20,6 +20,8 @@
 
 #include "firecfg.h"
 #include "../include/firejail_user.h"
+#include <glob.h>
+
 int arg_debug = 0;
 char *arg_bindir = "/usr/local/bin";
 int arg_guide = 0;
@@ -76,10 +78,6 @@ static void list(void) {
                 exit(1);
         }
 
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
-
         struct dirent *entry;
         while ((entry = readdir(dir)) != NULL) {
                 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
@@ -92,7 +90,7 @@ static void list(void) {
                 if (is_link(fullname)) {
                         char* fname = realpath(fullname, NULL);
                         if (fname) {
-                                if (strcmp(fname, firejail_exec) == 0)
+                                if (strcmp(fname, FIREJAIL_EXEC) == 0)
                                         printf("%s\n", fullname);
                                 free(fname);
                         }
@@ -101,7 +99,6 @@ static void list(void) {
         }
 
         closedir(dir);
-        free(firejail_exec);
 }
 
 static void clean(void) {
@@ -114,10 +111,6 @@ static void clean(void) {
                 exit(1);
         }
 
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
-
         struct dirent *entry;
         while ((entry = readdir(dir)) != NULL) {
                 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
@@ -130,7 +123,7 @@ static void clean(void) {
                 if (is_link(fullname)) {
                         char* fname = realpath(fullname, NULL);
                         if (fname) {
-                                if (strcmp(fname, firejail_exec) == 0) {
+                                if (strcmp(fname, FIREJAIL_EXEC) == 0) {
                                         char *ptr = strrchr(fullname, '/');
                                         assert(ptr);
                                         ptr++;
@@ -147,10 +140,43 @@ static void clean(void) {
         }
 
         closedir(dir);
-        free(firejail_exec);
         printf("\n");
 }
 
+#define ignorelist_maxlen 2048
+static const char *ignorelist[ignorelist_maxlen];
+static int ignorelist_len = 0;
+
+static int append_ignorelist(const char *const str) {
+        assert(str);
+        if (ignorelist_len >= ignorelist_maxlen) {
+                fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
+                        ignorelist_len, ignorelist_maxlen, str);
+                return 0;
+        }
+
+        printf("   ignoring '%s'\n", str);
+        const char *const dup = strdup(str);
+        if (!dup)
+                errExit("strdup");
+
+        ignorelist[ignorelist_len] = dup;
+        ignorelist_len++;
+
+        return 1;
+}
+
+static int in_ignorelist(const char *const str) {
+        assert(str);
+        int i;
+        for (i = 0; i < ignorelist_len; i++) {
+                if (strcmp(str, ignorelist[i]) == 0)
+                        return 1;
+        }
+
+        return 0;
+}
+
 static void set_file(const char *name, const char *firejail_exec) {
         if (which(name) == 0)
                 return;
@@ -165,35 +191,26 @@ static void set_file(const char *name, const char *firejail_exec) {
                 if (rv) {
                         fprintf(stderr, "Error: cannot create %s symbolic link\n", fname);
                         perror("symlink");
-                }
-                else
+                } else {
                         printf("   %s created\n", name);
-        }
-        else {
-          fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname);
+                }
+        } else {
+                fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname);
         }
 
         free(fname);
 }
 
-// parse /etc/firejail/firecfg.config file
-static void set_links_firecfg(void) {
-        char *cfgfile;
-        if (asprintf(&cfgfile, "%s/firecfg.config", SYSCONFDIR) == -1)
-                errExit("asprintf");
-
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
+// parse a single config file
+static void set_links_firecfg(const char *cfgfile) {
+        printf("Configuring symlinks in %s based on %s\n", arg_bindir, cfgfile);
 
-        // parse /etc/firejail/firecfg.config file
         FILE *fp = fopen(cfgfile, "r");
         if (!fp) {
                 perror("fopen");
                 fprintf(stderr, "Error: cannot open %s\n", cfgfile);
                 exit(1);
         }
-        printf("Configuring symlinks in %s based on firecfg.config\n", arg_bindir);
 
         char buf[MAX_BUF];
         int lineno = 0;
@@ -223,13 +240,43 @@ static void set_links_firecfg(void) {
                 if (*start == '\0')
                         continue;
 
+                // handle ignore command
+                if (*start == '!') {
+                        append_ignorelist(start + 1);
+                        continue;
+                }
+
                 // set link
-                set_file(start, firejail_exec);
+                if (!in_ignorelist(start))
+                        set_file(start, FIREJAIL_EXEC);
+                else
+                        printf("   %s ignored\n", start);
         }
 
         fclose(fp);
-        free(cfgfile);
-        free(firejail_exec);
+        printf("\n");
+}
+
+// parse all config files matching pattern
+static void set_links_firecfg_glob(const char *pattern) {
+        printf("Looking for config files in %s\n", pattern);
+
+        glob_t globbuf;
+        int globerr = glob(pattern, 0, NULL, &globbuf);
+        if (globerr == GLOB_NOMATCH) {
+                fprintf(stderr, "No matches for glob pattern %s\n", pattern);
+                goto out;
+        } else if (globerr != 0) {
+                fprintf(stderr, "Warning: Failed to match glob pattern %s: %s\n",
+                        pattern, strerror(errno));
+                goto out;
+        }
+
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++)
+                set_links_firecfg(globbuf.gl_pathv[i]);
+out:
+        globfree(&globbuf);
 }
 
 // parse ~/.config/firejail/ directory
@@ -246,10 +293,6 @@ static void set_links_homedir(const char *homedir) {
                 return;
         }
 
-        char *firejail_exec;
-        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
-
         // parse ~/.config/firejail/ directory
         printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir);
 
@@ -260,6 +303,7 @@ static void set_links_homedir(const char *homedir) {
                 free(dirname);
                 return;
         }
+        free(dirname);
 
         struct dirent *entry;
         while ((entry = readdir(dir))) {
@@ -280,12 +324,10 @@ static void set_links_homedir(const char *homedir) {
                 }
 
                 *ptr = '\0';
-                set_file(exec, firejail_exec);
+                set_file(exec, FIREJAIL_EXEC);
                 free(exec);
         }
         closedir(dir);
-
-        free(firejail_exec);
 }
 
 static const char *get_sudo_user(void) {
@@ -449,18 +491,20 @@ int main(int argc, char **argv) {
         }
 
         if (arg_guide) {
+                const char *zenity_exec;
+                if (arg_debug)
+                        zenity_exec = FZENITY_EXEC;
+                else
+                        zenity_exec = ZENITY_EXEC;
+
                 char *cmd;
-if (arg_debug) {
-                if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/lib/firejail/fzenity %s %s", LIBDIR, SYSCONFDIR, user) == -1)
+                if (asprintf(&cmd, "%s %s %s %s %s",
+                             SUDO_EXEC, FIREJAIL_WELCOME_SH, zenity_exec, SYSCONFDIR, user) == -1)
                         errExit("asprintf");
-}
-else {
-                if (asprintf(&cmd, "sudo %s/firejail/firejail-welcome.sh /usr/bin/zenity %s %s", LIBDIR, SYSCONFDIR, user) == -1)
-                        errExit("asprintf");
-}
+
                 int status = system(cmd);
                 if (status == -1) {
-                        fprintf(stderr, "Error: cannot run firejail-welcome.sh\n");
+                        fprintf(stderr, "Error: cannot run %s\n", FIREJAIL_WELCOME_SH);
                         exit(1);
                 }
                 free(cmd);
@@ -474,12 +518,15 @@ else {
         // clear all symlinks
         clean();
 
-        // set new symlinks based on /etc/firejail/firecfg.config
-        set_links_firecfg();
+        // set new symlinks based on .conf files
+        set_links_firecfg_glob(FIRECFG_CONF_GLOB);
+
+        // set new symlinks based on firecfg.config
+        set_links_firecfg(FIRECFG_CFGFILE);
 
         if (getuid() == 0) {
                 // add user to firejail access database - only for root
-                printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
+                printf("Adding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
                 // temporarily set the umask, access database must be world-readable
                 mode_t orig_umask = umask(022);
                 firejail_user_add(user);
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 583888e0e..b43c36c1a 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -166,8 +166,12 @@ void fslib_install_firejail(void) {
                 fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
 
         // bring in xauth libraries
+
+        char *xauth_bin = find_in_path("xauth");
         if (arg_x11_xorg)
-                fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+                fslib_mount_libs(xauth_bin, 1); // parse as user
+
+        free(xauth_bin);
 
         fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index f2ab1c188..6dc4904fc 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -154,7 +154,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
 
         // file size
         char *sz;
-        if (asprintf(&sz, "%d", (int) s.st_size) == -1)
+        if (asprintf(&sz, "%jd", (intmax_t) s.st_size) == -1)
                 errExit("asprintf");
 
         // file name
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b39693af7..5bcc3a0e5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1600,7 +1600,7 @@ int main(int argc, char **argv, char **envp) {
                         arg_trace = 1;
                 else if (strncmp(argv[i], "--trace=", 8) == 0) {
                         arg_trace = 1;
-                        arg_tracefile = argv[i] + 8;
+                        arg_tracefile = expand_macros(argv[i] + 8);
                         if (*arg_tracefile == '\0') {
                                 fprintf(stderr, "Error: invalid trace option\n");
                                 exit(1);
@@ -1610,13 +1610,6 @@ int main(int argc, char **argv, char **envp) {
                                 fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile);
                                 exit(1);
                         }
-                        // if the filename starts with ~, expand the home directory
-                        if (*arg_tracefile == '~') {
-                                char *tmp;
-                                if (asprintf(&tmp, "%s%s", cfg.homedir, arg_tracefile + 1) == -1)
-                                        errExit("asprintf");
-                                arg_tracefile = tmp;
-                        }
                 }
                 else if (strcmp(argv[i], "--tracelog") == 0) {
                         if (checkcfg(CFG_TRACELOG))
@@ -1981,20 +1974,13 @@ int main(int argc, char **argv, char **envp) {
                                 }
 
                                 // extract chroot dirname
-                                cfg.chrootdir = argv[i] + 9;
+                                cfg.chrootdir = expand_macros(argv[i] + 9);
                                 if (*cfg.chrootdir == '\0') {
                                         fprintf(stderr, "Error: invalid chroot option\n");
                                         exit(1);
                                 }
                                 invalid_filename(cfg.chrootdir, 0); // no globbing
 
-                                // if the directory starts with ~, expand the home directory
-                                if (*cfg.chrootdir == '~') {
-                                        char *tmp;
-                                        if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1)
-                                                errExit("asprintf");
-                                        cfg.chrootdir = tmp;
-                                }
                                 // check chroot directory
                                 fs_check_chroot_dir();
                         }
@@ -2776,16 +2762,7 @@ int main(int argc, char **argv, char **envp) {
                 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter = 1;
-                                arg_netfilter_file = argv[i] + 12;
-
-                                // expand tilde
-                                if (*arg_netfilter_file == '~') {
-                                        char *tmp;
-                                        if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1)
-                                                errExit("asprintf");
-                                        arg_netfilter_file = tmp;
-                                }
-
+                                arg_netfilter_file = expand_macros(argv[i] + 12);
                                 check_netfilter_file(arg_netfilter_file);
                         }
                         else
@@ -2795,16 +2772,7 @@ int main(int argc, char **argv, char **envp) {
                 else if (strncmp(argv[i], "--netfilter6=", 13) == 0) {
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter6 = 1;
-                                arg_netfilter6_file = argv[i] + 13;
-
-                                // expand tilde
-                                if (*arg_netfilter6_file == '~') {
-                                        char *tmp;
-                                        if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1)
-                                                errExit("asprintf");
-                                        arg_netfilter6_file = tmp;
-                                }
-
+                                arg_netfilter6_file = expand_macros(argv[i] + 13);
                                 check_netfilter_file(arg_netfilter6_file);
                         }
                         else
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e3554eb12..62d3c78e7 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -635,9 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
                         arg_netfilter = 1;
-                        arg_netfilter_file = strdup(ptr + 10);
-                        if (!arg_netfilter_file)
-                                errExit("strdup");
+                        arg_netfilter_file = expand_macros(ptr + 10);
                         check_netfilter_file(arg_netfilter_file);
                 }
                 else
@@ -649,9 +647,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
                         arg_netfilter6 = 1;
-                        arg_netfilter6_file = strdup(ptr + 11);
-                        if (!arg_netfilter6_file)
-                                errExit("strdup");
+                        arg_netfilter6_file = expand_macros(ptr + 11);
                         check_netfilter_file(arg_netfilter6_file);
                 }
                 else
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 2eaa9bde5..3721a2c2c 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1164,7 +1164,6 @@ void x11_start(int argc, char **argv) {
 }
 #endif
 
-
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
@@ -1175,31 +1174,38 @@ void x11_xorg(void) {
                 exit(1);
         }
 
+        char *xauth_bin = find_in_path("xauth");
+
         // check xauth utility is present in the system
-        struct stat s;
-        if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
+        if (!xauth_bin) {
+                fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                 fprintf(stderr, "   Arch: sudo pacman -S xorg-xauth\n");
                 fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-xauth\n");
                 exit(1);
         }
+
+        struct stat s;
+        if (stat(xauth_bin, &s) == -1) {
+                fprintf(stderr, "Error: %s: %s\n", xauth_bin, strerror(errno));
+                exit(1);
+        }
         if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
-                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
+                fprintf(stderr, "Error: invalid %s executable\n", xauth_bin);
                 exit(1);
         }
         if (s.st_size > 1024 * 1024) {
-                fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
+                fprintf(stderr, "Error: %s executable is too large\n", xauth_bin);
                 exit(1);
         }
-        // copy /usr/bin/xauth in the sandbox and set mode to 0711
+        // copy xauth in the sandbox and set mode to 0711
         // users are not able to trace the running xauth this way
         if (arg_debug)
-                printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
-        if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
-                fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
-                exit(1);
-        }
+                printf("Copying %s to %s\n", xauth_bin, RUN_XAUTH_FILE);
+
+        copy_file_from_user_to_root(xauth_bin, RUN_XAUTH_FILE, 0, 0, 0711);
+
+        free(xauth_bin);
 
         fmessage("Generating a new .Xauthority file\n");
         mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index aeac58c6a..830df058f 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -92,7 +92,7 @@
 8.8.4.0/24 Google DNS
 8.8.8.0/24 Google DNS
 8.20.247.20/32 Comodo DNS
-8.26.56.26/32 Comodo DNS
+8.26.56.0/24 Comodo DNS
 9.9.9.0/24 Quad9 DNS
 45.90.28.0/22 NextDNS
 45.11.45.0/24 DNS-SB
@@ -103,8 +103,7 @@
 76.76.10.0/24 ControlD DNS
 76.76.19.0/24 Alternate DNS
 76.223.122.150/32 Alternate DNS
-77.88.8.8/32 Yandex DNS
-77.88.8.1/32 Yandex DNS
+77.88.8.0/24 Yandex DNS
 80.80.80.0/24 Freenom DNS Cloud
 80.80.81.0/24 Freenom DNS Cloud
 84.200.69.80/32 DSN Watch
@@ -123,8 +122,7 @@
 205.171.3.66/32 CentyrLink DNS
 205.171.202.166/32 CentyrLink DNS
 208.67.216.0/21 OpenDNS
-216.146.35.35/32 Dyn DNS
-216.146.36.36/32 Dyn DNS
+216.146.32.0/20 Dyn DNS
 
 # whois
 45.88.202.0/24 Anonymize Inc WHOIS Privacy Service
@@ -288,6 +286,7 @@
 192.187.114.96/29 BitChute
 192.187.118.168/29 BitChute
 192.187.121.208/29 BitChute
+192.187.122.72/29 BitChute
 192.187.123.112/29 BitChute
 192.187.126.0/29 BitChute
 198.204.226.120/29 BitChute
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index a85fbc5da..e43a573de 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
-
-For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+will be created.
+.PP
+To configure the list of programs used by firecfg when creating symlinks, see
+\fBFILES\fR and \fBSYNTAX\fR.
+.PP
+For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in
+\fBman 1 firejail\fR.
 .SH DEFAULT ACTIONS
 The following actions are implemented by default by running sudo firecfg:
 
@@ -135,8 +139,53 @@ $ sudo firecfg --clean
 /usr/local/bin/vlc removed
 .br
 [...]
+.SH FILES
+.PP
+Configuration files are searched for and parsed in the following paths:
+.PP
+.RS
+1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
+.br
+2. /etc/firejail/firecfg.config
+.RE
+.PP
+The programs that are supported by default are listed in
+/etc/firejail/firecfg.config.
+It is recommended to leave it as is and put all customizations inside
+/etc/firejail/firecfg.d/.
+.PP
+Profile files are also searched in the user configuration directory:
+.PP
+.RS
+3. ~/.config/firejail/*.profile
+.RE
+.PP
+For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
+symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
+.SH SYNTAX
+Configuration file syntax:
+.PP
+A line that starts with \fB#\fR is considered a comment.
+.br
+A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating
+symlinks.
+.br
+A line that starts with anything else is considered to be the name of an
+executable and firecfg will attempt to create a symlink for it.
+.PP
+For example, to prevent firecfg from creating symlinks for "firefox" and
+"patch" while attempting to create a symlink for "myprog", the following lines
+could be added to /etc/firejail/firecfg.d/10-my.conf:
+.PP
+.RS
+!firefox
+.br
+!patch
+.br
 
-
+.br
+myprog
+.RE
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP