33 files changed, 234 insertions, 356 deletions
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 9ca3c5a3e..94e8b9194 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -11,6 +11,7 @@ Cryptocat
 Cyberfox
 Discord
 DiscordCanary
+DiscordPTB
 Documents
 FossaMail
 Fritzing
@@ -24,6 +25,7 @@ Natron
 PCSX2
 PPSSPPQt
 PPSSPPSDL
+Postman
 QMediathekView
 QOwnNotes
 Screenshot
@@ -44,6 +46,7 @@ amarok
 amule
 amuled
 android-studio
+ani-cli
 anydesk
 apktool
 apostrophe
@@ -196,6 +199,7 @@ dino
 dino-im
 discord
 discord-canary
+discord-ptb
 display
 display-im6.q16
 dnox
@@ -418,6 +422,7 @@ ipcalc
 ipcalc-ng
 iridium
 iridium-browser
+jami
 jd-gui
 jdownloader
 jerry
@@ -483,6 +488,7 @@ linphone
 linuxqq
 lmms
 lobase
+lobster
 localc
 lodraw
 loffice
@@ -533,6 +539,7 @@ meteo-qt
 microsoft-edge
 microsoft-edge-beta
 microsoft-edge-dev
+microsoft-edge-stable
 midori
 min
 mindless
@@ -677,6 +684,8 @@ pluma
 plv
 pngquant
 polari
+porn-cli
+postman
 ppsspp
 pragha
 presentations18
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index f93891af2..a4f727c0a 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -33,12 +33,10 @@ static char *devloop = NULL;	// device file
 static long unsigned size = 0;  // offset into appimage file
 #define MAXBUF 4096
-#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
+static void err_loop(char *msg) {
-static void err_loop(void) {
+        fprintf(stderr, "%s\n", msg);
-        fprintf(stderr, "Error: cannot configure loopback device\n");
        exit(1);
 }
-#endif
 // return 1 if found
 int appimage_find_profile(const char *archive) {
@@ -75,7 +73,6 @@ void appimage_set(const char *appimage) {
        assert(devloop == NULL);        // don't call this twice!
        EUID_ASSERT();
-#ifdef LOOP_CTL_GET_FREE
        // open appimage file
        invalid_filename(appimage, 0); // no globbing
        int ffd = open(appimage, O_RDONLY|O_CLOEXEC);
@@ -99,29 +96,46 @@ void appimage_set(const char *appimage) {
        // find or allocate a free loop device to use
        EUID_ROOT();
-        int cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC);
+        int cfd; // loop control fd
-        if (cfd == -1)
+        if ((cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC)) == -1) {
-                err_loop();
+                sleep(1); // sleep 1 second and try again
-        int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
+                if ((cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC)) == -1)
-        if (devnr == -1)
+                        err_loop("cannot open /dev/loop-control");
-                err_loop();
+        }
+        int devnr; // loop device number
+        if ((devnr = ioctl(cfd, LOOP_CTL_GET_FREE)) == -1) {
+                sleep(1); // sleep 1 second and try again
+                if ((devnr = ioctl(cfd, LOOP_CTL_GET_FREE)) == -1)
+                        err_loop("cannot get a free loop device number");
+        }
        close(cfd);
        if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
                errExit("asprintf");
+        int lfd; // loopback fd
+        if ((lfd = open(devloop, O_RDONLY|O_CLOEXEC)) == -1) {
+                sleep (1); // sleep 1 second and try again
+                if ((lfd = open(devloop, O_RDONLY|O_CLOEXEC)) == -1)
+                        err_loop("cannot open loop device");
+        }
        // associate loop device with appimage
-        int lfd = open(devloop, O_RDONLY|O_CLOEXEC);
+        if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) {
-        if (lfd == -1)
+                sleep(1); // sleep 1 second and try again
-                err_loop();
+                if (ioctl(lfd, LOOP_SET_FD, ffd) == -1)
-        if (ioctl(lfd, LOOP_SET_FD, ffd) == -1)
+                        err_loop("cannot associate loop device with appimage file");
-                err_loop();
+        }
        if (size) {
                struct loop_info64 info;
                memset(&info, 0, sizeof(struct loop_info64));
                info.lo_offset = size;
-                if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
+                if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1) {
-                        err_loop();
+                        sleep(1); // sleep 1 second and try again
+                        if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
+                                err_loop("cannot set loop status");
+                }
        }
        close(lfd);
        close(ffd);
@@ -143,10 +157,6 @@ void appimage_set(const char *appimage) {
                env_store_name_val("OWD", cfg.cwd, SETENV);
        __gcov_flush();
-#else
-        fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
-        exit(1);
-#endif
 }
 // mount appimage into sandbox file system
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index bfb522d38..d4288b29e 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -299,7 +299,7 @@ static uint32_t arp_random(const char *dev, Bridge *br) {
        return 0;
 }
-// go sequentially trough all IP addresses and assign the first one not in use
+// go sequentially through all IP addresses and assign the first one not in use
 static uint32_t arp_sequential(const char *dev, Bridge *br) {
        assert(dev);
        assert(br);
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 56f983854..a39e8c667 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -409,6 +409,14 @@ void print_compiletime_support(void) {
 #endif
                );
+        printf("\t- private-lib support is %s\n",
+#ifdef HAVE_PRIVATE_LIB
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
        printf("\t- private-cache and tmpfs as user %s\n",
 #ifdef HAVE_USERTMPFS
                "enabled"
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5295393f0..2cde75463 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -525,7 +525,6 @@ int macro_id(const char *name);
 // util.c
-int invalid_name(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
@@ -581,6 +580,13 @@ int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
 pid_t require_pid(const char *name);
+int ascii_isalnum(unsigned char c);
+int ascii_isalpha(unsigned char c);
+int ascii_isdigit(unsigned char c);
+int ascii_islower(unsigned char c);
+int ascii_isupper(unsigned char c);
+int ascii_isxdigit(unsigned char c);
+int invalid_name(const char *name);
 void check_homedir(const char *dir);
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
@@ -606,7 +612,6 @@ void fs_var_run(void);
 void fs_var_lock(void);
 void fs_var_tmp(void);
 void fs_var_utmp(void);
-void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 51a58013d..9ca73eb35 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -177,7 +177,6 @@ static void mount_dev_shm(void) {
        int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
        if (rv == -1) {
                fwarning("cannot mount the old /dev/shm in private-dev\n");
-                dbg_test_dir(RUN_DEV_DIR "/shm");
                empty_dev_shm();
                return;
        }
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 3b7369ea8..dc4e5c228 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -111,6 +111,11 @@ char *fs_etc_build(char *str) {
 }
 void fs_resolvconf(void) {
+        if (arg_nonetwork) {
+                if (arg_debug)
+                        printf("arg_nonetwork found (--net=none). Skip creating /etc/resolv.conf file\n");
+                return;
+        }
        if (arg_debug)
                printf("Creating a new /etc/resolv.conf file\n");
        FILE *fp = fopen(RUN_RESOLVCONF_FILE, "wxe");
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 624e74fe4..fd2441832 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -185,20 +185,10 @@ static int store_asoundrc(void) {
                errExit("asprintf");
        struct stat s;
-        if (lstat(src, &s) == 0) {
+        if (stat(src, &s) == 0) {
-                if (S_ISLNK(s.st_mode)) {
+                if (s.st_uid != getuid()) {
-                        // make sure the real path of the file is inside the home directory
+                        fwarning(".asoundrc is not owned by the current user, skipping...\n");
-                        /* coverity[toctou] */
+                        return 0;
-                        char *rp = realpath(src, NULL);
-                        if (!rp) {
-                                fprintf(stderr, "Error: Cannot access %s\n", src);
-                                exit(1);
-                        }
-                        if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/') {
-                                fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n");
-                                exit(1);
-                        }
-                        free(rp);
                }
                // create an empty file as root, and change ownership to user
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index e349941fa..ba7a291ee 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -32,35 +32,6 @@ extern void fslib_install_stdc(void);
 extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
-static int lib_cnt = 0;
-static int dir_cnt = 0;
-static const char *masked_lib_dirs[] = {
-        "/usr/lib64",
-        "/lib64",
-        "/usr/lib",
-        "/lib",
-        "/usr/local/lib64",
-        "/usr/local/lib",
-        NULL,
-};
-// return 1 if the file is in masked_lib_dirs[]
-static int valid_full_path(const char *full_path) {
-        if (strstr(full_path, ".."))
-                return 0;
-        int i = 0;
-        while (masked_lib_dirs[i]) {
-                size_t len = strlen(masked_lib_dirs[i]);
-                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
-                    full_path[len] == '/')
-                        return 1;
-                i++;
-        }
-        return 0;
-}
 // return 1 if symlink to firejail executable
 int is_firejail_link(const char *fname) {
        EUID_ASSERT();
@@ -116,6 +87,36 @@ char *find_in_path(const char *program) {
        return NULL;
 }
+#ifdef HAVE_PRIVATE_LIB
+static int lib_cnt = 0;
+static int dir_cnt = 0;
+static const char *masked_lib_dirs[] = {
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        NULL,
+};
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+        int i = 0;
+        while (masked_lib_dirs[i]) {
+                size_t len = strlen(masked_lib_dirs[i]);
+                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
+                    full_path[len] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
 static char *build_dest_dir(const char *full_path) {
        assert(full_path);
        if (strstr(full_path, "/x86_64-linux-gnu/"))
@@ -465,3 +466,4 @@ void fs_private_lib(void) {
        // mount lib filesystem
        mount_directories();
 }
+#endif
+\ No newline at end of file
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 540c3286f..583888e0e 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -36,6 +36,7 @@ typedef struct liblist_t {
        int len;
 } LibList;
+#ifdef HAVE_PRIVATE_LIB
 static LibList libc_list[] = {
        { "libselinux.so.", 0 },
        { "libpcre2-8.so.", 0 },
@@ -356,3 +357,4 @@ void fslib_install_system(void) {
                ptr++;
        }
 }
+#endif
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 690780a0e..4787df21e 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -230,21 +230,6 @@ void fs_var_cache(void) {
        }
 }
-void dbg_test_dir(const char *dir) {
-        if (arg_debug) {
-                if (is_dir(dir))
-                        printf("%s is a directory\n", dir);
-                if (is_link(dir)) {
-                        char *lnk = realpath(dir, NULL);
-                        if (lnk) {
-                                printf("%s is a symbolic link to %s\n", dir, lnk);
-                                free(lnk);
-                        }
-                }
-        }
-}
 void fs_var_lock(void) {
        if (is_dir("/var/lock")) {
@@ -254,10 +239,8 @@ void fs_var_lock(void) {
                        errExit("mounting /lock");
                fs_logger("tmpfs /var/lock");
        }
-        else {
+        else
                fwarning("/var/lock not mounted\n");
-                dbg_test_dir("/var/lock");
-        }
 }
 void fs_var_tmp(void) {
@@ -271,10 +254,8 @@ void fs_var_tmp(void) {
                        fs_logger("tmpfs /var/tmp");
                }
        }
-        else {
+        else
                fwarning("/var/tmp not mounted\n");
-                dbg_test_dir("/var/tmp");
-        }
 }
 void fs_var_utmp(void) {
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index ea85fabfd..f2ab1c188 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -140,7 +140,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
                }
        }
-        // print grup name, 8 chars maximum
+        // print group name, 8 chars maximum
        len = strlen(groupname);
        if (len > 8) {
                groupname[8] = '\0';
@@ -381,7 +381,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                        errExit("ftruncate");
                if (copy_file_by_fd(src, dest) != 0)
-                        fwarning("an error occured during copying\n");
+                        fwarning("an error occurred during copying\n");
                close(src);
                close(dest);
        }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0e5363cb0..7e23cdc63 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1355,8 +1355,10 @@ int main(int argc, char **argv, char **envp) {
                        arg_debug_blacklists = 1;
                else if (strcmp(argv[i], "--debug-whitelists") == 0)
                        arg_debug_whitelists = 1;
+#ifdef HAVE_PRIVATE_LIB
                else if (strcmp(argv[i], "--debug-private-lib") == 0)
                        arg_debug_private_lib = 1;
+#endif
                else if (strcmp(argv[i], "--quiet") == 0) {
                        if (!arg_debug)
                                arg_quiet = 1;
@@ -1575,7 +1577,7 @@ int main(int argc, char **argv, char **envp) {
                                exit(1);
                        }
                        invalid_filename(arg_tracefile, 0); // no globbing
-                        if (strstr(arg_tracefile, "..")) {
+                        if (strstr(arg_tracefile, "..") || has_cntrl_chars(arg_tracefile)) {
                                fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile);
                                exit(1);
                        }
@@ -2137,6 +2139,7 @@ int main(int argc, char **argv, char **envp) {
                        else
                                exit_err_feature("private-bin");
                }
+#ifdef HAVE_PRIVATE_LIB
                else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                        if (checkcfg(CFG_PRIVATE_LIB)) {
                                // extract private lib list (if any)
@@ -2152,6 +2155,7 @@ int main(int argc, char **argv, char **envp) {
                        else
                                exit_err_feature("private-lib");
                }
+#endif
                else if (strcmp(argv[i], "--private-tmp") == 0) {
                        arg_private_tmp = 1;
                }
@@ -2186,18 +2190,31 @@ int main(int argc, char **argv, char **envp) {
                                fprintf(stderr, "Error: please provide a name for sandbox\n");
                                return 1;
                        }
-                        if (invalid_name(cfg.name)) {
+                        if (invalid_name(cfg.name) || has_cntrl_chars(cfg.name)) {
                                fprintf(stderr, "Error: invalid sandbox name\n");
                                return 1;
                        }
                }
                else if (strncmp(argv[i], "--hostname=", 11) == 0) {
                        cfg.hostname = argv[i] + 11;
-                        if (strlen(cfg.hostname) == 0) {
+                        size_t len = strlen(cfg.hostname);
-                                fprintf(stderr, "Error: please provide a hostname for sandbox\n");
+                        if (len == 0 || len > 253) {
+                                fprintf(stderr, "Error: please provide a valid hostname for sandbox, with maximum length of 253 ASCII characters\n");
                                return 1;
                        }
-                        if (invalid_name(cfg.hostname)) {
+                        int invalid = invalid_name(cfg.hostname);
+                        char* hostname = cfg.hostname;
+                        while (*hostname && !invalid) {
+                                invalid = invalid || !(
+                                                (*hostname >= 'a' && *hostname <= 'z') ||
+                                                (*hostname >= 'A' && *hostname <= 'Z') ||
+                                                (*hostname >= '0' && *hostname <= '9') ||
+                                                (*hostname == '-' || *hostname == '.'));
+                                hostname++;
+                        }
+                        invalid = invalid || cfg.hostname[0] == '-'; // must not start with -
+                        invalid = invalid || cfg.hostname[len - 1] == '-'; // must not end with -
+                        if (invalid) {
                                fprintf(stderr, "Error: invalid hostname\n");
                                return 1;
                        }
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index b4deda562..32fdd6218 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -248,5 +248,5 @@ void netfilter_print(pid_t pid, int ipv6) {
                exit(1);
        }
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-nvL");
 }
diff --git a/src/firejail/network.c b/src/firejail/network.c
index c1adf87cc..3da51e195 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -89,31 +89,7 @@ int net_get_mtu(const char *ifname) {
        return mtu;
 }
-void net_set_mtu(const char *ifname, int mtu) {
+// return -1 if the interface was not found; if the interface was found return 0 and fill in IP address and mask
-        if (strlen(ifname) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
-                exit(1);
-        }
-        if (arg_debug)
-                printf("set interface %s MTU %d.\n", ifname, mtu);
-        int s;
-        struct ifreq ifr;
-        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
-                errExit("socket");
-        memset(&ifr, 0, sizeof(ifr));
-        ifr.ifr_addr.sa_family = AF_INET;
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
-        ifr.ifr_mtu = mtu;
-        if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
-                fwarning("cannot set mtu for interface %s\n", ifname);
-        close(s);
-}
-// return -1 if the interface was not found; if the interface was found retrn 0 and fill in IP address and mask
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu) {
        assert(bridge);
        assert(ip);
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 57679901f..687aaba9c 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -66,8 +66,8 @@ void check_output(int argc, char **argv) {
        }
        // do not accept directories, links, and files with ".."
-        if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
+        if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile) || has_cntrl_chars(outfile)) {
-                fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
+                fprintf(stderr, "Error: invalid output file. Links, directories, files with \"..\" and control characters in filenames are not allowed.\n");
                exit(1);
        }
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index b95c9a96b..c5c66549d 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -234,7 +234,7 @@ static void sanitize_passwd(void) {
        SET_PERMS_STREAM(fpout, 0, 0, 0644);
        fclose(fpout);
-        // mount-bind tne new password file
+        // mount-bind the new password file
        if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
@@ -369,7 +369,7 @@ static void sanitize_group(void) {
        SET_PERMS_STREAM(fpout, 0, 0, 0644);
        fclose(fpout);
-        // mount-bind tne new group file
+        // mount-bind the new group file
        if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 648fc2248..19ac8d9ec 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -949,6 +949,7 @@ int sandbox(void* sandbox_arg) {
                }
        }
+#ifdef HAVE_PRIVATE_LIB
        // private-lib is disabled for appimages
        if (arg_private_lib && !arg_appimage) {
                if (cfg.chrootdir)
@@ -959,6 +960,7 @@ int sandbox(void* sandbox_arg) {
                        fs_private_lib();
                }
        }
+#endif
 #ifdef HAVE_USERTMPFS
        if (arg_private_cache) {
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 11ea5b036..ce43b4832 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -26,6 +26,7 @@
 #include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
+#include "../include/gcov_wrapper.h"
 #include <fcntl.h>
 #ifndef O_PATH
@@ -238,6 +239,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
                        fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]);
                        exit(1);
                }
+                __gcov_dump();
                fexecve(fd, arg, new_environment);
        } else {
                assert(0);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2e10fb959..b6b60d85c 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -81,7 +81,9 @@ static char *usage_str =
        "    --debug-blacklists - debug blacklisting.\n"
        "    --debug-caps - print all recognized capabilities.\n"
        "    --debug-errnos - print all recognized error numbers.\n"
+#ifdef HAVE_PRIVATE_LIB
        "    --debug-private-lib - debug for --private-lib option.\n"
+#endif
        "    --debug-protocols - print all recognized protocols.\n"
        "    --debug-syscalls - print all recognized system calls.\n"
        "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
@@ -200,14 +202,17 @@ static char *usage_str =
        "    --private=directory - use directory as user home.\n"
        "    --private-cache - temporary ~/.cache directory.\n"
        "    --private-home=file,directory - build a new user home in a temporary\n"
-        "\tfilesystem, and copy the files and directories in the list in\n"
+        "\tfilesystem, and copy the files and directories in the list in the\n"
-        "\tthe new home.\n"
+        "\tnew home.\n"
        "    --private-bin=file,file - build a new /bin in a temporary filesystem,\n"
        "\tand copy the programs in the list.\n"
        "    --private-dev - create a new /dev directory with a small number of\n"
        "\tcommon device files.\n"
        "    --private-etc=file,directory - build a new /etc in a temporary\n"
        "\tfilesystem, and copy the files and directories in the list.\n"
+#ifdef HAVE_PRIVATE_LIB
+        "    --private-lib - create a private /lib directory\n"
+#endif
        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
        "    --private-cwd - do not inherit working directory inside jail.\n"
        "    --private-cwd=directory - set working directory inside jail.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index bafcd69ec..b2a0c85f1 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1323,7 +1323,7 @@ void close_all(int *keep_list, size_t sz) {
                if (fd == dirfd(dir))
                        continue; // just postponed
-                // dont't close file descriptors in keep list
+                // don't close file descriptors in keep list
                int keep = 0;
                if (keep_list) {
                        size_t i;
@@ -1448,15 +1448,42 @@ static int has_link(const char *dir) {
        return 0;
 }
+int ascii_isalnum(unsigned char c) {
+        return (ascii_isalpha(c) || ascii_isdigit(c));
+}
+int ascii_isalpha(unsigned char c) {
+        return (ascii_islower(c) || ascii_isupper(c));
+}
+int ascii_isdigit(unsigned char c) {
+        return (c >= '0' && c <= '9');
+}
+int ascii_islower(unsigned char c) {
+        return (c >= 'a' && c <= 'z');
+}
+int ascii_isupper(unsigned char c) {
+        return (c >= 'A' && c <= 'Z');
+}
+int ascii_isxdigit(unsigned char c) {
+        int ret = (ascii_isdigit(c) ||
+                  (c >= 'a' && c <= 'f') ||
+                  (c >= 'A' && c <= 'F'));
+        return ret;
+}
 // allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected
 int invalid_name(const char *name) {
        const char *c = name;
        int only_numbers = 1;
        while (*c) {
-                if (!isalnum(*c))
+                if (!ascii_isalnum(*c))
                        return 1;
-                if (!isdigit(*c))
+                if (!ascii_isdigit(*c))
                        only_numbers = 0;
                ++c;
        }
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 01167e555..d82f387ff 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -30,7 +30,6 @@ int arg_debug = 0;
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
-static int arg_interface = 0;
 static int arg_seccomp = 0;
 static int arg_caps = 0;
 static int arg_cpu = 0;
@@ -178,13 +177,6 @@ int main(int argc, char **argv) {
                        arg_seccomp = 1;
                else if (strcmp(argv[i], "--caps") == 0)
                        arg_caps = 1;
-                else if (strcmp(argv[i], "--interface") == 0) {
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: you need to be root to run this command\n");
-                                exit(1);
-                        }
-                        arg_interface = 1;
-                }
 #ifdef HAVE_NETWORK
                else if (strcmp(argv[i], "--route") == 0)
                        arg_route = 1;
@@ -261,13 +253,12 @@ int main(int argc, char **argv) {
        // if --name requested without other options, print all data
        if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
-            !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+            !arg_x11  && !arg_route && !arg_arp) {
                arg_tree = 1;
                arg_cpu = 1;
                arg_seccomp = 1;
                arg_caps = 1;
                arg_x11 = 1;
-                arg_interface = 1;
                arg_route = 1;
                arg_arp = 1;
                arg_apparmor = 1;
@@ -295,10 +286,6 @@ int main(int argc, char **argv) {
                x11((pid_t) pid, print_procs);
                print_procs = 0;
        }
-        if (arg_interface && getuid() == 0) {
-                interface((pid_t) pid, print_procs);
-                print_procs = 0;
-        }
        if (arg_route) {
                route((pid_t) pid, print_procs);
                print_procs = 0;
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index dae071e89..8b6e75fc3 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -57,9 +57,6 @@ void top(void) __attribute__((noreturn));
 // list.c
 void list(void);
-// interface.c
-void interface(pid_t pid, int print_procs);
 // arp.c
 void arp(pid_t pid, int print_procs);
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
deleted file mode 100644
index a8e78133b..000000000
--- a/src/firemon/interface.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (C) 2014-2023 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firemon.h"
-#include "../include/gcov_wrapper.h"
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <ifaddrs.h>
-#include <net/if.h>
-#include <linux/connector.h>
-#include <linux/netlink.h>
-#include <linux/if_link.h>
-#include <linux/sockios.h>
-#include <sys/ioctl.h>
-//#include <net/route.h>
-//#include <linux/if_bridge.h>
-// print IP addresses for all interfaces
-static void net_ifprint(void) {
-        uint32_t ip;
-        uint32_t mask;
-        struct ifaddrs *ifaddr, *ifa;
-        int fd;
-        if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-                fprintf(stderr, "Error: cannot open AF_INET socket\n");
-                exit(1);
-        }
-        if (getifaddrs(&ifaddr) == -1)
-                errExit("getifaddrs");
-        // walk through the linked list
-        printf("  Link status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-                if (ifa->ifa_addr->sa_family == AF_PACKET) {
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) {
-                                if (ifa->ifa_data != NULL) {
-                                        struct rtnl_link_stats *stats = ifa->ifa_data;
-                                        // extract mac address
-                                        struct ifreq ifr;
-                                        memset(&ifr, 0, sizeof(ifr));
-                                        strncpy(ifr.ifr_name,  ifa->ifa_name, IFNAMSIZ - 1);
-                                        int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
-                                        if (rv == 0)
-                                                printf("     %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n",
-                                                        ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data));
-                                        else
-                                                printf("     %s UP\n", ifa->ifa_name);
-                                        printf("          tx/rx: %u/%u packets,  %u/%u bytes\n",
-                                                stats->tx_packets, stats->rx_packets,
-                                                stats->tx_bytes, stats->rx_bytes);
-                                }
-                        }
-                        else
-                                printf("     %s DOWN\n", ifa->ifa_name);
-                }
-        }
-        // walk through the linked list
-        printf("  IPv4 status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-                if (ifa->ifa_addr->sa_family == AF_INET) {
-                        struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
-                        mask = ntohl(si->sin_addr.s_addr);
-                        si = (struct sockaddr_in *) ifa->ifa_addr;
-                        ip = ntohl(si->sin_addr.s_addr);
-                        char *status;
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                status = "UP";
-                        else
-                                status = "DOWN";
-                        printf("     %s %s, %d.%d.%d.%d/%u\n",
-                                ifa->ifa_name, status, PRINT_IP(ip), mask2bits(mask));
-                }
-        }
-        // walk through the linked list
-        printf("  IPv6 status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-                if (ifa->ifa_addr->sa_family == AF_INET6) {
-                        char host[NI_MAXHOST];
-                        int s = getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in6),
-                                host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
-                        if (s == 0) {
-                                char *ptr;
-                                if ((ptr = strchr(host, '%')) != NULL)
-                                        *ptr = '\0';
-                                char *status;
-                                if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                        status = "UP";
-                                else
-                                        status = "DOWN";
-                                printf("     %s %s, %s\n", ifa->ifa_name, status, host);
-                        }
-                }
-        }
-        freeifaddrs(ifaddr);
-        close(fd);
-}
-static void print_sandbox(pid_t pid) {
-        pid_t child = fork();
-        if (child == -1)
-                return;
-        if (child == 0) {
-                int rv = join_namespace(pid, "net");
-                if (rv)
-                        return;
-                net_ifprint();
-                __gcov_flush();
-                _exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-}
-void interface(pid_t pid, int print_procs) {
-        pid_read(pid); // a pid of 0 will include all processes
-        // print processes
-        int i;
-        for (i = 0; i < max_pids; i++) {
-                if (pids[i].level == 1) {
-                        if (print_procs || pid == 0)
-                                pid_print_list(i, arg_wrap);
-                        int child = find_child(i);
-                        if (child != -1) {
-                                print_sandbox(child);
-                        }
-                }
-        }
-        printf("\n");
-}
diff --git a/src/fldd/main.c b/src/fldd/main.c
index 4b645b1b3..63398ce2e 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -20,6 +20,7 @@
 #include "../include/common.h"
 #include "../include/ldd_utils.h"
+#ifdef HAVE_PRIVATE_LIB
 #include <fcntl.h>
 #include <sys/mman.h>
@@ -357,3 +358,9 @@ printf("\n");
                close(fd);
        return 0;
 }
+#else
+int main(void) {
+        printf("Sorry, private lib is disabled in this build\n");
+        return 0;
+}
+#endif
+\ No newline at end of file
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
index ca7c744ed..50e1beaa0 100644
--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -213,6 +213,23 @@ void net_ifprint(int scan) {
                        fmessage("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
                                ifa->ifa_name, macstr, ipstr, maskstr, status);
+                        // print ipv6 address
+                        if (!scan) {
+                                struct ifaddrs *ptr = ifa->ifa_next;
+                                while (ptr) {
+                                        if (ptr->ifa_addr->sa_family == AF_INET6 && strcmp(ifa->ifa_name, ptr->ifa_name) == 0) {
+                                                struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ptr->ifa_addr;
+                                                struct in6_addr *in_addr = &s6->sin6_addr;
+                                                char buf[64];
+                                                if(inet_ntop(ptr->ifa_addr->sa_family, in_addr, buf, sizeof(buf))) {
+                                                        fmessage("%-35.35s %s\n", " ", buf);
+                                                        break;
+                                                }
+                                        }
+                                        ptr = ptr->ifa_next;
+                                }
+                        }
                        // network scanning
                        if (!scan)                              // scanning disabled
                                continue;
diff --git a/src/fnet/main.c b/src/fnet/main.c
index 96c4f1478..fc36ae977 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -87,7 +87,7 @@ printf("\n");
        else if (argc == 7 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "veth") == 0) {
                // create veth pair and move one end in the the namespace
                net_create_veth(argv[3], argv[4], atoi(argv[6]));
-                // connect the ohter veth end to the bridge ...
+                // connect the other veth end to the bridge ...
                net_bridge_add_interface(argv[5], argv[3]);
                // ... and bring it  up
                net_if_up(argv[3]);
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 57a5a6d67..0b46daf65 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -23,33 +23,33 @@ int arg_quiet = 0;
 int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 static void usage(void) {
-        printf("Usage:\n");
+        printf("Usage:\n"
-        printf("\tfseccomp debug-syscalls\n");
+                "\tfseccomp debug-syscalls\n"
-        printf("\tfseccomp debug-syscalls32\n");
+                "\tfseccomp debug-syscalls32\n"
-        printf("\tfseccomp debug-errnos\n");
+                "\tfseccomp debug-errnos\n"
-        printf("\tfseccomp debug-protocols\n");
+                "\tfseccomp debug-protocols\n"
-        printf("\tfseccomp protocol build list file\n");
+                "\tfseccomp protocol build list file\n"
-        printf("\tfseccomp secondary 64 file\n");
+                "\tfseccomp secondary 64 file\n"
-        printf("\tfseccomp secondary 32 file\n");
+                "\tfseccomp secondary 32 file\n"
-        printf("\tfseccomp secondary block file\n");
+                "\tfseccomp secondary block file\n"
-        printf("\tfseccomp default file\n");
+                "\tfseccomp default file\n"
-        printf("\tfseccomp default file allow-debuggers\n");
+                "\tfseccomp default file allow-debuggers\n"
-        printf("\tfseccomp default32 file\n");
+                "\tfseccomp default32 file\n"
-        printf("\tfseccomp default32 file allow-debuggers\n");
+                "\tfseccomp default32 file allow-debuggers\n"
-        printf("\tfseccomp drop file1 file2 list\n");
+                "\tfseccomp drop file1 file2 list\n"
-        printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
+                "\tfseccomp drop file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp drop32 file1 file2 list\n");
+                "\tfseccomp drop32 file1 file2 list\n"
-        printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n");
+                "\tfseccomp drop32 file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp default drop file1 file2 list\n");
+                "\tfseccomp default drop file1 file2 list\n"
-        printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
+                "\tfseccomp default drop file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp default32 drop file1 file2 list\n");
+                "\tfseccomp default32 drop file1 file2 list\n"
-        printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n");
+                "\tfseccomp default32 drop file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp keep file1 file2 list\n");
+                "\tfseccomp keep file1 file2 list\n"
-        printf("\tfseccomp keep32 file1 file2 list\n");
+                "\tfseccomp keep32 file1 file2 list\n"
-        printf("\tfseccomp memory-deny-write-execute file\n");
+                "\tfseccomp memory-deny-write-execute file\n"
-        printf("\tfseccomp memory-deny-write-execute.32 file\n");
+                "\tfseccomp memory-deny-write-execute.32 file\n"
-        printf("\tfseccomp restrict-namespaces file list\n");
+                "\tfseccomp restrict-namespaces file list\n"
-        printf("\tfseccomp restrict-namespaces.32 file list\n");
+                "\tfseccomp restrict-namespaces.32 file list\n");
 }
 int main(int argc, char **argv) {
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index dc6361422..a924f26cf 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -19,7 +19,7 @@
 */
 //
-// Firejail access database inplementation
+// Firejail access database implementation
 //
 // The database is a simple list of users allowed to run firejail SUID executable
 // It is usually stored in /etc/firejail/firejail.users
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index 39a548887..80e3b92d7 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -23,6 +23,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
+#ifdef HAVE_PRIVATE_LIB
 // todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c
 const char * const default_lib_paths[] = {
        "/usr/lib/x86_64-linux-gnu",    // Debian & friends
@@ -63,3 +64,4 @@ doexit:
        close(fd);
        return retval;
 }
+#endif
+\ No newline at end of file
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3fa07d1ee..fa294d888 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,12 +407,14 @@ the current user's home directory.
 All modifications are discarded when the sandbox is
 closed.
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
 The files and directories in the list must be expressed as relative to
 the /lib directory.
 This feature is still under development, see \fBman 1 firejail\fR for some examples.
+#endif
 .TP
 \fBprivate-opt file,directory
 Build a new /opt in a temporary
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6068c9ff4..586ef9852 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -684,9 +684,11 @@ Print all recognized error numbers in the current Firejail software build and ex
 Example:
 .br
 $ firejail \-\-debug-errnos
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-debug-private-lib
 Debug messages for --private-lib option.
+#endif
 .TP
 \fB\-\-debug-protocols
 Print all recognized protocols in the current Firejail software build and exit.
@@ -2179,6 +2181,7 @@ Example:
 .br
 $ firejail \-\-private-home=.mozilla firefox
 #endif
+#ifdef HAVE_PRIVATE_LIB
 .TP
 \fB\-\-private-lib=file,directory
 This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
@@ -2234,6 +2237,7 @@ $
 .br
 Note: Support for this command is controlled in firejail.config with the
 \fBprivate-lib\fR option.
+#endif
 .TP
 \fB\-\-private-opt=file,directory
 Build a new /opt in a temporary
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 9d0785a4a..fb0cf1175 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -30,9 +30,6 @@ Print debug messages
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
-\fB\-\-interface
-Print network interface information for each sandbox.
-.TP
 \fB\-\-list
 List all sandboxes.
 .TP