14 files changed, 80 insertions, 22 deletions

diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index ab6eaf1dd..089dff663 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -138,6 +138,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "#noinput\t# disable input devices\n");
                 fprintf(fp, "nonewprivs\n");
                 fprintf(fp, "noroot\n");
+                fprintf(fp, "#notpm\t# disable TPM devices\n");
                 fprintf(fp, "#notv\t# disable DVB TV devices\n");
                 fprintf(fp, "#nou2f\t# disable U2F devices\n");
                 fprintf(fp, "#novideo\t# disable video capture devices\n");
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8d0a30521..08170bee6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -97,10 +97,11 @@ basilisk
 bcompare
 beaker
 bibletime
-bijiben
+#bijiben # webkit2gtk-4.x requires bwrap (see #3647)
 bitcoin-qt
 bitlbee
 bitwarden
+bitwarden-desktop
 bleachbit
 blender
 blender-2.8
@@ -227,6 +228,7 @@ dragon
 drawio
 drill
 dropbox
+dtui
 easystroke
 ebook-convert
 ebook-edit
@@ -824,7 +826,7 @@ soffice
 sol
 sound-juicer
 soundconverter
-spectacle
+#spectacle # may be broken on wayland (see #5127)
 spectral
 spotify
 sqlitebrowser
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 736af018d..8683e0f77 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -368,6 +368,7 @@ extern int arg_noprofile;	// use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
 extern int arg_notv;    // --notv
 extern int arg_nodvd;   // --nodvd
+extern int arg_notpm;   // --notpm
 extern int arg_nou2f;   // --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
@@ -646,6 +647,7 @@ void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
 void fs_dev_disable_tv(void);
 void fs_dev_disable_dvd(void);
+void fs_dev_disable_tpm(void);
 void fs_dev_disable_u2f(void);
 void fs_dev_disable_input(void);
 
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index e8e486f12..34a26464a 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -39,6 +39,7 @@ typedef enum {
         DEV_VIDEO,
         DEV_TV,
         DEV_DVD,
+        DEV_TPM,
         DEV_U2F,
         DEV_INPUT
 } DEV_TYPE;
@@ -79,6 +80,12 @@ static DevEntry dev[] = {
         {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
         {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device
         {"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players
+        {"/dev/tpm0", RUN_DEV_DIR "/tpm0", DEV_TPM}, // TPM (Trusted Platform Module) devices
+        {"/dev/tpm1", RUN_DEV_DIR "/tpm1", DEV_TPM},
+        {"/dev/tpm2", RUN_DEV_DIR "/tpm2", DEV_TPM},
+        {"/dev/tpm3", RUN_DEV_DIR "/tpm3", DEV_TPM},
+        {"/dev/tpm4", RUN_DEV_DIR "/tpm4", DEV_TPM},
+        {"/dev/tpm5", RUN_DEV_DIR "/tpm5", DEV_TPM},
         {"/dev/hidraw0", RUN_DEV_DIR "/hidraw0", DEV_U2F},
         {"/dev/hidraw1", RUN_DEV_DIR "/hidraw1", DEV_U2F},
         {"/dev/hidraw2", RUN_DEV_DIR "/hidraw2", DEV_U2F},
@@ -105,6 +112,7 @@ static void deventry_mount(void) {
                             (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
                             (dev[i].type == DEV_TV && arg_notv == 0) ||
                             (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
+                            (dev[i].type == DEV_TPM && arg_notpm == 0) ||
                             (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
                             (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
 
@@ -384,6 +392,15 @@ void fs_dev_disable_dvd(void) {
         }
 }
 
+void fs_dev_disable_tpm(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].type == DEV_TPM)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
+
 void fs_dev_disable_u2f(void) {
         int i = 0;
         while (dev[i].dev_fname != NULL) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index acbb4bf38..27ae68eb0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -155,6 +155,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int arg_notv = 0;       // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_notpm = 0; // --notpm
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
@@ -2209,6 +2210,8 @@ int main(int argc, char **argv, char **envp) {
                         arg_notv = 1;
                 else if (strcmp(argv[i], "--nodvd") == 0)
                         arg_nodvd = 1;
+                else if (strcmp(argv[i], "--notpm") == 0)
+                        arg_notpm = 1;
                 else if (strcmp(argv[i], "--nou2f") == 0)
                         arg_nou2f = 1;
                 else if (strcmp(argv[i], "--noinput") == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4c6830250..1bb008f5f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -618,6 +618,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 1;
         }
+        else if (strcmp(ptr, "notpm") == 0) {
+                arg_notpm = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "nou2f") == 0) {
                 arg_nou2f = 1;
                 return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9e2b10d9c..57c90d489 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1101,6 +1101,9 @@ int sandbox(void* sandbox_arg) {
         if (arg_nodvd)
                 fs_dev_disable_dvd();
 
+        if (arg_notpm)
+                fs_dev_disable_tpm();
+
         if (arg_nou2f)
                 fs_dev_disable_u2f();
 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 248b35853..01a7330fd 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -189,8 +189,8 @@ static const char *const usage_str =
         "    --noroot - install a user namespace with only the current user.\n"
 #endif
         "    --nosound - disable sound system.\n"
-        "    --noautopulse - disable automatic ~/.config/pulse init.\n"
         "    --novideo - disable video devices.\n"
+        "    --notpm - disable TPM devices.\n"
         "    --nou2f - disable U2F devices.\n"
         "    --nowhitelist=filename - disable whitelist for file or directory.\n"
         "    --oom=value - configure OutOfMemory killer for the sandbox\n"
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 430730374..1a6f23919 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -396,6 +396,8 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
                                         sprintf(lineptr, " sid ");
                                         break;
 
+// Note: PROC_EVENT_COREDUMP only exists since Linux 3.10 (see #6414).
+#ifdef PROC_EVENT_COREDUMP
                                 case PROC_EVENT_COREDUMP:
                                         pid = proc_ev->event_data.coredump.process_tgid;
 #ifdef DEBUG_PRCTL
@@ -403,6 +405,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 #endif
                                         sprintf(lineptr, " coredump ");
                                         break;
+#endif /* PROC_EVENT_COREDUMP */
 
                                 case PROC_EVENT_COMM:
                                         pid = proc_ev->event_data.comm.process_tgid;
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index cd2bf79bf..16a2485bf 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,13 +3,9 @@
 # Copyright (C) 2014-2024 Firejail Authors
 # License GPL v2
 
-TCFILE=""
-if [ -x "/usr/sbin/tc" ]; then
-        TCFILE="/usr/sbin/tc"
-elif [ -x "/sbin/tc" ]; then
-        TCFILE="/sbin/tc";
-else
-        echo "Error: traffic control utility (tc) not found";
+TCFILE="$(PATH=/usr/sbin:/sbin:/run/current-system/sw/bin command -v tc)"
+if [ -z "$TCFILE" ]; then
+        echo "Error: traffic control utility (tc) not found"
         exit 1
 fi
 
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index 8c039eb46..89784a984 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -382,9 +382,11 @@ Set working directory inside jail to the home directory, and failing that, the r
 Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,
-random, snd, urandom, video, log, shm and usb devices are available.
-Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions.
+Create a new /dev directory.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options no3d, nodvd, nosound, notpm, notv, nou2f and novideo for
+additional restrictions.
 
 .TP
 \fBprivate-etc file,directory
@@ -817,6 +819,9 @@ Disable input devices.
 \fBnosound
 Disable sound system.
 .TP
+\fBnotpm
+Disable Trusted Platform Module (TPM) devices.
+.TP
 \fBnotv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .TP
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index fa2329d67..4edb0902e 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -207,7 +207,7 @@ $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
 .br
 $ firejail \-\-blacklist=~/.mozilla
 .br
-$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
+$ firejail \-\-blacklist="/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
@@ -1919,6 +1919,16 @@ Example:
 $ firejail \-\-nosound firefox
 
 .TP
+\fB\-\-notpm
+Disable Trusted Platform Module (TPM) devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-notpm
+
+.TP
 \fB\-\-notv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .br
@@ -2108,7 +2118,7 @@ File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 Example:
 .br
-$ firejail \-\-private-bin=bash,sed,ls,cat
+$ firejail \-\-private-bin=bash,cat,ls,sed
 .br
 Parent pid 20841, child pid 20842
 .br
@@ -2172,8 +2182,11 @@ $ pwd
 
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available.
-Use the options --no3d, --nodvd, --nosound, --notv, --nou2f and --novideo for additional restrictions.
+Create a new /dev directory.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options \-\-no3d, \-\-nodvd, \-\-nosound, \-\-notpm, \-\-notv,
+\-\-nou2f and \-\-novideo for additional restrictions.
 .br
 
 .br
@@ -2191,7 +2204,7 @@ cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0
 .br
 $
 .TP
-\fB\-\-private-etc, \-\-private-etc=file,directory,@group
+\fB\-\-private-etc, \-\-private-etc=@group,file,directory
 The files installed by \-\-private-etc are copies of the original system files from /etc directory.
 By default, the command brings in a skeleton of files and directories used by most console tools:
 
@@ -3130,7 +3143,9 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix \-\-whitelist=/dev/null
 .br
-$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+$ firejail \-\-whitelist="/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=/home/username/My\\ Virtual\\ Machines
 .br
 $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
diff --git a/src/man/mkman.sh b/src/man/mkman.sh
index 00c4ffe72..d854b6537 100755
--- a/src/man/mkman.sh
+++ b/src/man/mkman.sh
@@ -5,8 +5,15 @@
 
 set -e
 
-MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
-YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+test -z "$SOURCE_DATE_EPOCH" && SOURCE_DATE_EPOCH="$(date +%s)"
+
+format='+%b %Y'
+date="$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
+        LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "$format" 2>/dev/null ||
+        LC_ALL=C date -u "$format")"
+
+MONTH="$(printf '%s\n' "$date" | cut -f 1 -d ' ')"
+YEAR="$(printf '%s\n' "$date" | cut -f 2 -d ' ')"
 
 sed \
   -e "s/VERSION/$1/g" \
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 15e9a5111..ecfe2ffdf 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -124,7 +124,6 @@ _firejail_args=(
     # many would enjoy getting a list from -20..20
     '--nice=-[set nice value]: :(1 10 15 20)'
     '--no3d[disable 3D hardware acceleration]'
-    '--noautopulse[disable automatic ~/.config/pulse init]'
     '--noblacklist=-[disable blacklist for file or directory]: :_files'
     '--nodbus[disable D-Bus access]'
     '--nodvd[disable DVD and audio CD devices]'
@@ -134,6 +133,7 @@ _firejail_args=(
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
     '--noprinters[disable printers]'
     '--nosound[disable sound system]'
+    '--notpm[disable TPM devices]'
     '--nou2f[disable U2F devices]'
     '--novideo[disable video devices]'
     '--private[temporary home directory]'