From 4b6892092a77b61a0de485966a7561ec61c72928 Mon Sep 17 00:00:00 2001
From: layderv <20249311+layderv@users.noreply.github.com>
Date: Mon, 9 Jan 2023 18:03:03 -0500
Subject: [PATCH 01/18] Prevent sandbox name from containing only digits

Names should not contain only numbers, as they are used in other commands as PIDs.
---
 src/firejail/main.c | 13 +++++++++++++
 src/firejail/profile.c | 13 +++++++++++++
 src/man/firejail.txt | 1 +
 3 files changed, 27 insertions(+)

diff --git a/src/firejail/main.c b/src/firejail/main.c
index 18e9ae651..36b4d2477 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2161,11 +2161,24 @@ int main(int argc, char **argv, char **envp) {
 // hostname, etc
 //*************************************
 else if (strncmp(argv[i], "--name=", 7) == 0) {
+ int only_numbers = 1;
 cfg.name = argv[i] + 7;
 if (strlen(cfg.name) == 0) {
 fprintf(stderr, "Error: please provide a name for sandbox\n");
 return 1;
 }
+ const char *c = cfg.name;
+ while (*c) {
+ if (!isdigit(*c)) {
+ only_numbers = 0;
+ break;
+ }
+ ++c;
+ }
+ if (only_numbers) {
+ fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+ return 1;
+ }
 }
 else if (strncmp(argv[i], "--hostname=", 11) == 0) {
 cfg.hostname = argv[i] + 11;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index acf206da6..c1419aada 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,11 +326,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 // sandbox name
 else if (strncmp(ptr, "name ", 5) == 0) {
+ int only_numbers = 1;
 cfg.name = ptr + 5;
 if (strlen(cfg.name) == 0) {
 fprintf(stderr, "Error: invalid sandbox name\n");
 exit(1);
 }
+ const char *c = cfg.name;
+ while (*c) {
+ if (!isdigit(*c)) {
+ only_numbers = 0;
+ break;
+ }
+ ++c;
+ }
+ if (only_numbers) {
+ fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+ exit(1);
+ }
 return 0;
 }
 else if (strcmp(ptr, "ipc-namespace") == 0) {
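Review bot: `isdigit(*c)` in the loop added under `--name=` is fed a plain `char`; where `char` is signed, any byte above 0x7F becomes a negative value, which is outside what isdigit() accepts (unsigned char values or EOF), and this string comes straight from argv. The usual fix is `if (!isdigit((unsigned char)*c)) {`, or the whole loop can be replaced by `if (strspn(cfg.name, "0123456789") == strlen(cfg.name))`, which needs no <ctype.h> at all. The profile.c hunk on this same line duplicates the loop for the `name ` profile command and has the identical issue, so a small shared helper would keep the two checks in step. Neither hunk shows whether <ctype.h> is already included in its file. main() and profile_check_line() both continue outside their hunks.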
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 39c81312c..29f15a74f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1330,6 +1330,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492 \fB\-\-name=name Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use this name to identify a sandbox. +The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join. In case the name supplied by the user is already in use by another sandbox, Firejail will assign a new name as "name-PID", where PID is the process ID of the sandbox. This functionality From cb65de5054c205e26131868725d33ce5aca4024a Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Tue, 24 Jan 2023 13:54:54 -0300 Subject: [PATCH 02/18] ci: sort items on paths-ignore lists See commit 9bf5e453c ("ci: sort items on paths-ignore lists", 2022-07-12) / PR #5481. --- .github/workflows/build-extra.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index c1c240922..f777174d7 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -5,9 +5,9 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'etc/**' - 'contrib/gtksourceview-5/**' - 'contrib/vim/**' + - 'etc/**' - 'src/man/*.txt' - .git-blame-ignore-revs - .github/dependabot.yml @@ -27,9 +27,9 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'etc/**' - 'contrib/gtksourceview-5/**' - 'contrib/vim/**' + - 'etc/**' - 'src/man/*.txt' - .git-blame-ignore-revs - .github/dependabot.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b86d432f9..115919477 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -10,9 +10,9 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'etc/**' - 'contrib/gtksourceview-5/**' - 'contrib/vim/**' + - 'etc/**' - 'src/man/*.txt' - .git-blame-ignore-revs - .github/dependabot.yml @@ -32,9 +32,9 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'etc/**' - 'contrib/gtksourceview-5/**' - 'contrib/vim/**' + - 'etc/**' - 'src/man/*.txt' - .git-blame-ignore-revs - .github/dependabot.yml From 403115565351a5a4277d45b96b1c37a347f1d0b4 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 26 Jan 2023 16:22:03 -0300 Subject: [PATCH 03/18] build: run commands silently on config targets And also add an "error: " prefix, to make the output clearer. Before: $ rm -f config.mk; make config.mk printf 'run ./configure to generate %s\n' "config.mk" >&2 run ./configure to generate config.mk false make: *** No rule to make target 'config.mk'. Stop. After: $ rm -f config.mk; make config.mk error: run ./configure to generate config.mk make: *** No rule to make target 'config.mk'. Stop. This amends commit e21637ca8 ("makefiles: add generated files as dependencies", 2022-06-23) / PR #5219. --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 119bf6b4b..a412aa767 100644 --- a/Makefile +++ b/Makefile @@ -25,8 +25,8 @@ ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) all: all_items mydirs $(MAN_TARGET) filters config.mk config.sh: - printf 'run ./configure to generate %s\n' "$@" >&2 - false + @printf 'error: run ./configure to generate %s\n' "$@" >&2 + @false .PHONY: all_items $(ALL_ITEMS) all_items: $(ALL_ITEMS) From fab675241bde7946c2eebab4cff0145b8a8ccdac Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Wed, 25 Jan 2023 13:09:38 -0300 Subject: [PATCH 04/18] build: move man page targets to after seccomp filters The seccomp filters are used by firejail itself at runtime (and are installed to `$(libdir)`), while the man pages are used by an external program (and installing them is optional; see `HAVE_MAN`), so reorder them. Misc: The seccomp filter targets were apparently added on commit 64431c712 ("seccomp work 1", 2016-11-20). --- Makefile | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index a412aa767..4809b4b7b 100644 --- a/Makefile +++ b/Makefile @@ -17,12 +17,12 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion -MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 +MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) .PHONY: all -all: all_items mydirs $(MAN_TARGET) filters +all: all_items mydirs filters $(MAN_TARGET) config.mk config.sh: @printf 'error: run ./configure to generate %s\n' "$@" >&2 @@ -38,11 +38,6 @@ mydirs: $(MYDIRS) $(MYDIRS): $(MAKE) -C $@ -$(MANPAGES): src/man config.mk - ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ - -man: $(MANPAGES) - filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize src/fseccomp/fseccomp default seccomp 
@@ -65,14 +60,19 @@ seccomp.mdwx: src/fseccomp/fseccomp seccomp.mdwx.32: src/fseccomp/fseccomp src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 +$(MANPAGES): src/man config.mk + ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ + +man: $(MANPAGES) + .PHONY: clean clean: for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ $(MAKE) -C $$dir clean; \ done $(MAKE) -C test clean - rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f $(SECCOMP_FILTERS) + rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f test/utils/index.html* rm -f test/utils/wget-log rm -f test/utils/firejail-test-file* From 33d538bbe551580d771a30417f3c103394ee9a4b Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 27 Jan 2023 19:38:54 -0300 Subject: [PATCH 05/18] mutt.profile: add ~/.mutthistory From the manual of mutt 2.2.9: > 3.125. history_file > > Type: path > Default: "~/.mutthistory" > > The file in which Mutt will save its history. --- etc/inc/disable-common.inc | 1 + etc/profile-m-z/mutt.profile | 2 ++ 2 files changed, 3 insertions(+) diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 44e45d416..81aac0b53 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc @@ -25,6 +25,7 @@ blacklist-nolog ${HOME}/.local/share/nvim blacklist-nolog ${HOME}/.local/state/nvim blacklist-nolog ${HOME}/.macromedia blacklist-nolog ${HOME}/.mupdf.history +blacklist-nolog ${HOME}/.mutthistory blacklist-nolog ${HOME}/.python-history blacklist-nolog ${HOME}/.python_history blacklist-nolog ${HOME}/.pythonhist diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 52d30669f..a26a25573 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile @@ -23,6 +23,7 @@ noblacklist ${HOME}/.mail noblacklist ${HOME}/.mailcap noblacklist ${HOME}/.msmtprc noblacklist ${HOME}/.mutt +noblacklist ${HOME}/.mutthistory noblacklist ${HOME}/.muttrc noblacklist ${HOME}/.nanorc noblacklist ${HOME}/.signature 
@@ -89,6 +90,7 @@ whitelist ${HOME}/.mail whitelist ${HOME}/.mailcap whitelist ${HOME}/.msmtprc whitelist ${HOME}/.mutt +whitelist ${HOME}/.mutthistory whitelist ${HOME}/.muttrc whitelist ${HOME}/.nanorc whitelist ${HOME}/.signature From 3d82b71a48c8e5013c4aeed3cd00c7979060c298 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 27 Jan 2023 18:35:15 -0300 Subject: [PATCH 06/18] mutt.profile: stop creating editor/browser paths To reduce the amount of spam created in the user home directory. It's unlikely that these paths are going to be both: * Created only after mutt is first opened through firejail and * Created from within mutt Also, no other profile does that: $ git grep -El '(mkdir|mkfile) \$\{HOME\}/\.(emacs|nano|vim)' -- etc etc/profile-m-z/mutt.profile So just whitelist them if they already exist. Added on commit a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for neomutt", 2020-12-28) / PR #3849. --- etc/profile-m-z/mutt.profile | 9 --------- 1 file changed, 9 deletions(-) diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index a26a25573..7e1849079 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile @@ -55,26 +55,17 @@ mkdir ${HOME}/.Mail mkdir ${HOME}/.bogofilter mkdir ${HOME}/.cache/mutt mkdir ${HOME}/.config/mutt -mkdir ${HOME}/.config/nano -mkdir ${HOME}/.elinks -mkdir ${HOME}/.emacs.d mkdir ${HOME}/.gnupg mkdir ${HOME}/.mail mkdir ${HOME}/.mutt -mkdir ${HOME}/.vim -mkdir ${HOME}/.w3m mkdir ${HOME}/Mail mkdir ${HOME}/mail mkdir ${HOME}/postponed mkdir ${HOME}/sent -mkfile ${HOME}/.emacs mkfile ${HOME}/.mailcap mkfile ${HOME}/.msmtprc mkfile ${HOME}/.muttrc -mkfile ${HOME}/.nanorc mkfile ${HOME}/.signature -mkfile ${HOME}/.viminfo -mkfile ${HOME}/.vimrc whitelist ${DOCUMENTS} whitelist ${DOWNLOADS} whitelist ${HOME}/.Mail From 4a3e0d8789edd0cfd26c66f5ba85138e7fea06e7 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Fri, 27 Jan 2023 19:45:03 -0300 Subject: [PATCH 07/18] mutt.profile: stop creating config files for other programs Let either the respective program or the user create the file. * ~/.bogofilter: Used by the bogofilter program * ~/.msmtprc: Used by the msmtp program Added on commit a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for neomutt", 2020-12-28) / PR #3849. --- etc/profile-m-z/mutt.profile | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 7e1849079..bce56743a 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile @@ -52,7 +52,6 @@ include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.Mail -mkdir ${HOME}/.bogofilter mkdir ${HOME}/.cache/mutt mkdir ${HOME}/.config/mutt mkdir ${HOME}/.gnupg @@ -63,7 +62,6 @@ mkdir ${HOME}/mail mkdir ${HOME}/postponed mkdir ${HOME}/sent mkfile ${HOME}/.mailcap -mkfile ${HOME}/.msmtprc mkfile ${HOME}/.muttrc mkfile ${HOME}/.signature whitelist ${DOCUMENTS} From 88ba851893362dacdbde6ff9527675b07affff27 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 23 Jan 2023 23:03:57 -0300 Subject: [PATCH 08/18] build: move syntax files to contrib/syntax/files Having all of syntax files in the same directory makes it easier to reference all of them at once on a makefile (such as with `contrib/syntax/files/*.in`). Also, this makes the path to the gtksourceview language-spec shorter. Current path/new path: * contrib/gtksourceview-5/language-specs/firejail-profile.lang * contrib/syntax/files/firejail-profile.lang Currently, adding a rule to the root Makefile to generate the language-spec in the same directory as an input file would take at least 95 characters (with only a single dependency): contrib/gtksourceview-5/language-specs/%.lang: contrib/gtksourceview-5/language-specs/%.lang.in With this commit, the above shortened to 59 characters: contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in Which should make it more readable. Relates to #2679 #5502. --- .github/workflows/build-extra.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- Makefile | 6 +++--- .../language-specs => syntax/files}/firejail-profile.lang | 0 contrib/{vim/syntax => syntax/files}/firejail.vim | 0 5 files changed, 7 insertions(+), 7 deletions(-) rename contrib/{gtksourceview-5/language-specs => syntax/files}/firejail-profile.lang (100%) rename contrib/{vim/syntax => syntax/files}/firejail.vim (100%) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index f777174d7..a7b7c8a3e 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -5,7 +5,7 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'contrib/gtksourceview-5/**' + - 'contrib/syntax/**' - 'contrib/vim/**' - 'etc/**' - 'src/man/*.txt' @@ -27,7 +27,7 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'contrib/gtksourceview-5/**' + - 'contrib/syntax/**' - 'contrib/vim/**' - 'etc/**' - 'src/man/*.txt' 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 115919477..eb9c28345 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -10,7 +10,7 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'contrib/gtksourceview-5/**' + - 'contrib/syntax/**' - 'contrib/vim/**' - 'etc/**' - 'src/man/*.txt' @@ -32,7 +32,7 @@ on: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - - 'contrib/gtksourceview-5/**' + - 'contrib/syntax/**' - 'contrib/vim/**' - 'etc/**' - 'src/man/*.txt' diff --git a/Makefile b/Makefile index 4809b4b7b..45bdf1d57 100644 --- a/Makefile +++ b/Makefile @@ -124,10 +124,10 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes) install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect - install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax - # gtksourceview-5 language-specs + install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax + # gtksourceview language-specs install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs - install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs + install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs endif # documents install -m 0755 -d $(DESTDIR)$(docdir) diff --git a/contrib/gtksourceview-5/language-specs/firejail-profile.lang b/contrib/syntax/files/firejail-profile.lang similarity index 100% rename from contrib/gtksourceview-5/language-specs/firejail-profile.lang rename to contrib/syntax/files/firejail-profile.lang 
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/syntax/files/firejail.vim similarity index 100% rename from contrib/vim/syntax/firejail.vim rename to contrib/syntax/files/firejail.vim From c7c4f57d13b0e5720ee672a1761663d739d0bffa Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Wed, 25 Jan 2023 01:37:40 -0300 Subject: [PATCH 09/18] build: auto-generate syntax lists Changes: * Use the commands from contrib/vim/syntax/firejail.vim to create makefile targets to generate syntax lists in contrib/syntax/lists * Add contrib/syntax/files/example.in as an example of how to generate syntax files * Generate and add the syntax lists, to make it easier to spot if they are properly updated when a new command is added or if their recipes also need changes * Add "syntax" and "contrib" makefile targets Note: The generation commands are executed mostly silently to avoid generating too much noise when also making other targets. Note2: In some generation commands, a `$$` escape is used to pass `$` to the shell, to avoid being interpreted by make as the start of a macro. Note3: `@make_input@` is used in example.in to make it clear that the file is generated (and that it is generated by make rather than configure), similarly to how `@configure_input@` is used in configure input files. See also apparmor.vim: $ head -n 2 /usr/share/vim/vimfiles/syntax/apparmor.vim " generated from apparmor.vim.in by create-apparmor.vim.py " do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead Environment: apparmor 3.1.2-1 on Artix Linux. Relates to #2679 #5502 #5577 #5612. 
--- .gitignore | 1 + Makefile | 70 +++ contrib/syntax/files/example.in | 16 + .../syntax/lists/profile_commands_arg0.list | 50 ++ .../syntax/lists/profile_commands_arg1.list | 76 +++ .../syntax/lists/profile_conditionals.list | 9 + contrib/syntax/lists/profile_macros.list | 10 + contrib/syntax/lists/syscall_groups.list | 29 ++ contrib/syntax/lists/syscalls.list | 454 ++++++++++++++++++ contrib/syntax/lists/system_errnos.list | 135 ++++++ 10 files changed, 850 insertions(+) create mode 100644 contrib/syntax/files/example.in create mode 100644 contrib/syntax/lists/profile_commands_arg0.list create mode 100644 contrib/syntax/lists/profile_commands_arg1.list create mode 100644 contrib/syntax/lists/profile_conditionals.list create mode 100644 contrib/syntax/lists/profile_macros.list create mode 100644 contrib/syntax/lists/syscall_groups.list create mode 100644 contrib/syntax/lists/syscalls.list create mode 100644 contrib/syntax/lists/system_errnos.list diff --git a/.gitignore b/.gitignore index 7333b1c8d..a6af8f67a 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ config.log config.mk config.sh config.status +contrib/syntax/files/example firejail-*.tar.xz firejail-login.5 firejail-profile.5 diff --git a/Makefile b/Makefile index 45bdf1d57..df06aed87 100644 --- a/Makefile +++ b/Makefile 
@@ -19,6 +19,22 @@ MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so s COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 + +SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h)) + +# Lists of keywords used in profiles; used for generating syntax files. +SYNTAX_LISTS = \ + contrib/syntax/lists/profile_commands_arg0.list \ + contrib/syntax/lists/profile_commands_arg1.list \ + contrib/syntax/lists/profile_conditionals.list \ + contrib/syntax/lists/profile_macros.list \ + contrib/syntax/lists/syscall_groups.list \ + contrib/syntax/lists/syscalls.list \ + contrib/syntax/lists/system_errnos.list + +SYNTAX_FILES_IN := $(sort $(wildcard contrib/syntax/files/*.in)) +SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=) + ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) .PHONY: all 
@@ -65,6 +81,59 @@ $(MANPAGES): src/man config.mk man: $(MANPAGES) +# Makes all targets in contrib/ +.PHONY: contrib +contrib: syntax + +.PHONY: syntax +syntax: $(SYNTAX_FILES) + +# TODO: include/rlimit are false positives +contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c + @sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \ + grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | sort -u >$@ + +# TODO: private-lib is special-cased in the code and doesn't match the regex +contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c + @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \ + sort -u >$@ + +contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c + @awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \ + /\t*\{"[^"]+".*/ \ + { if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \ + /^\t\{ NULL, NULL \}$$/ {process=0;}' \ + $< | sort -u >$@ + +contrib/syntax/lists/profile_macros.list: src/firejail/macros.c + @sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | sort -u >$@ + +contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c + @sed -En 's/.*"@([^",]+).*/\1/p' $< | sort -u >$@ + +contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS) + @sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \ + sort -u >$@ + +contrib/syntax/lists/system_errnos.list: src/lib/errno.c + @sed -En 's/.*"(E[^"]+).*/\1/p' $< | sort -u >$@ + +pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; } +space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; } +edit_syntax_file = sed \ + -e "s/@make_input@/$$(basename $@). Generated from $$(basename $<) by make./" \ + -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) $@ + .PHONY: clean clean: for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ 
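Review bot: In `edit_syntax_file` the list contents are spliced into the replacement side of a double-quoted sed `s/…/…/` expression (`-e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) …`), where `/` would end the expression, `&` re-inserts the match and a backslash is an escape. The `profile_commands_arg0.list` rule deliberately produces `seccomp\.block-secondary` via `sed 's/\./\\./'`, so it is worth confirming that this backslash survives into the generated file rather than being consumed as an escape; using another delimiter (`s|…|…|`) and escaping `&` and `\` in the list output before substitution would make the rule robust to future entries. The definition of `edit_syntax_file` is cut off in this view after the first `-e`, so the remaining substitutions could not be checked. The list targets depend only on the C sources, so a change to an extraction regex in the Makefile will not regenerate a committed list until the corresponding source changes; adding `Makefile` to their prerequisites would close that gap.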
@@ -73,6 +142,7 @@ clean: $(MAKE) -C test clean rm -f $(SECCOMP_FILTERS) rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm + rm -f $(SYNTAX_FILES) rm -f test/utils/index.html* rm -f test/utils/wget-log rm -f test/utils/firejail-test-file* diff --git a/contrib/syntax/files/example.in b/contrib/syntax/files/example.in new file mode 100644 index 000000000..74bcdc079 --- /dev/null +++ b/contrib/syntax/files/example.in @@ -0,0 +1,16 @@ +# @make_input@ +# Example file to check the values of input variables. + +FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@ + +FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@ + +FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@ + +FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@ + +FJ_SYSCALLS = @FJ_SYSCALLS@ + +FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@ + +FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@ diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list new file mode 100644 index 000000000..a402671a6 --- /dev/null +++ b/contrib/syntax/lists/profile_commands_arg0.list @@ -0,0 +1,50 @@ +allow-debuggers +allusers +apparmor +apparmor-replace +apparmor-stack +caps +deterministic-exit-code +deterministic-shutdown +disable-mnt +ipc-namespace +keep-config-pulse +keep-dev-shm +keep-var-tmp +machine-id +memory-deny-write-execute +netfilter +netlock +no3d +noautopulse +nodbus +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +overlay +overlay-tmpfs +private +private-cache +private-cwd +private-dev +private-etc +private-lib +private-tmp +quiet +restrict-namespaces +seccomp +seccomp\.block-secondary +tab +tracelog +writable-etc +writable-run-user +writable-var +writable-var-log +x11 diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list new file mode 100644 index 000000000..c703f2257 --- /dev/null +++ b/contrib/syntax/lists/profile_commands_arg1.list 
@@ -0,0 +1,76 @@ +apparmor +bind +blacklist +blacklist-nolog +caps.drop +caps.keep +cpu +dbus-system.broadcast +dbus-system.call +dbus-system.own +dbus-system.see +dbus-system.talk +dbus-user.broadcast +dbus-user.call +dbus-user.own +dbus-user.see +dbus-user.talk +defaultgw +dns +env +hostname +hosts-file +ignore +include +ip +ip6 +iprange +join-or-start +keep-fd +mac +mkdir +mkfile +mtu +name +net +netfilter +netfilter6 +netmask +netns +nice +noblacklist +noexec +nowhitelist +overlay-named +private +private-bin +private-cwd +private-etc +private-home +private-lib +private-opt +private-srv +protocol +read-only +read-write +restrict-namespaces +rlimit-as +rlimit-cpu +rlimit-fsize +rlimit-nofile +rlimit-nproc +rlimit-sigpending +rmenv +seccomp +seccomp-error-action +seccomp.32 +seccomp.32.drop +seccomp.32.keep +seccomp.drop +seccomp.keep +timeout +tmpfs +veth-name +whitelist +whitelist-ro +xephyr-screen diff --git a/contrib/syntax/lists/profile_conditionals.list b/contrib/syntax/lists/profile_conditionals.list new file mode 100644 index 000000000..2cae76c96 --- /dev/null +++ b/contrib/syntax/lists/profile_conditionals.list @@ -0,0 +1,9 @@ +ALLOW_TRAY +BROWSER_ALLOW_DRM +BROWSER_DISABLE_U2F +HAS_APPIMAGE +HAS_NET +HAS_NODBUS +HAS_NOSOUND +HAS_PRIVATE +HAS_X11 diff --git a/contrib/syntax/lists/profile_macros.list b/contrib/syntax/lists/profile_macros.list new file mode 100644 index 000000000..4ba780f11 --- /dev/null +++ b/contrib/syntax/lists/profile_macros.list @@ -0,0 +1,10 @@ +CFG +DESKTOP +DOCUMENTS +DOWNLOADS +HOME +MUSIC +PATH +PICTURES +RUNUSER +VIDEOS diff --git a/contrib/syntax/lists/syscall_groups.list b/contrib/syntax/lists/syscall_groups.list new file mode 100644 index 000000000..fb42ae5f7 --- /dev/null +++ b/contrib/syntax/lists/syscall_groups.list 
@@ -0,0 +1,29 @@ +aio +basic-io +chown +clock +cpu-emulation +debug +default +default-keep +default-nodebuggers +file-system +io-event +ipc +keyring +memlock +module +mount +network-io +obsolete +privileged +process +raw-io +reboot +resources +setuid +signal +swap +sync +system-service +timer diff --git a/contrib/syntax/lists/syscalls.list b/contrib/syntax/lists/syscalls.list new file mode 100644 index 000000000..abb740b24 --- /dev/null +++ b/contrib/syntax/lists/syscalls.list 
@@ -0,0 +1,454 @@ +_llseek +_newselect +_sysctl +accept +accept4 +access +acct +add_key +adjtimex +afs_syscall +alarm +arch_prctl +arm_fadvise64_64 +arm_sync_file_range +bdflush +bind +bpf +break +brk +capget +capset +chdir +chmod +chown +chown32 +chroot +clock_adjtime +clock_adjtime64 +clock_getres +clock_getres_time64 +clock_gettime +clock_gettime64 +clock_nanosleep +clock_nanosleep_time64 +clock_settime +clock_settime64 +clone +clone3 +close +close_range +connect +copy_file_range +creat +create_module +delete_module +dup +dup2 +dup3 +epoll_create +epoll_create1 +epoll_ctl +epoll_ctl_old +epoll_pwait +epoll_pwait2 +epoll_wait +epoll_wait_old +eventfd +eventfd2 +execve +execveat +exit +exit_group +faccessat +faccessat2 +fadvise64 +fadvise64_64 +fallocate +fanotify_init +fanotify_mark +fchdir +fchmod +fchmodat +fchown +fchown32 +fchownat +fcntl +fcntl64 +fdatasync +fgetxattr +finit_module +flistxattr +flock +fork +fremovexattr +fsconfig +fsetxattr +fsmount +fsopen +fspick +fstat +fstat64 +fstatat64 +fstatfs +fstatfs64 +fsync +ftime +ftruncate +ftruncate64 +futex +futex_time64 +futex_waitv +futimesat +get_kernel_syms +get_mempolicy +get_robust_list +get_thread_area +getcpu +getcwd +getdents +getdents64 +getegid +getegid32 +geteuid +geteuid32 +getgid +getgid32 +getgroups +getgroups32 +getitimer +getpeername +getpgid +getpgrp +getpid +getpmsg +getppid +getpriority +getrandom +getresgid +getresgid32 +getresuid +getresuid32 +getrlimit +getrusage +getsid +getsockname +getsockopt +gettid +gettimeofday +getuid +getuid32 +getxattr +gtty +idle +init_module +inotify_add_watch +inotify_init +inotify_init1 +inotify_rm_watch +io_cancel +io_destroy +io_getevents +io_pgetevents +io_pgetevents_time64 +io_setup +io_submit +io_uring_enter +io_uring_register +io_uring_setup +ioctl +ioperm +iopl +ioprio_get +ioprio_set +ipc +kcmp +kexec_file_load +kexec_load +keyctl +kill +landlock_add_rule +landlock_create_ruleset +landlock_restrict_self +lchown +lchown32 +lgetxattr +link +linkat 
+listen +listxattr +llistxattr +lock +lookup_dcookie +lremovexattr +lseek +lsetxattr +lstat +lstat64 +madvise +mbind +membarrier +memfd_create +migrate_pages +mincore +mkdir +mkdirat +mknod +mknodat +mlock +mlock2 +mlockall +mmap +mmap2 +modify_ldt +mount +mount_setattr +move_mount +move_pages +mprotect +mpx +mq_getsetattr +mq_notify +mq_open +mq_timedreceive +mq_timedreceive_time64 +mq_timedsend +mq_timedsend_time64 +mq_unlink +mremap +msgctl +msgget +msgrcv +msgsnd +msync +munlock +munlockall +munmap +name_to_handle_at +nanosleep +newfstatat +nfsservctl +nice +oldfstat +oldlstat +oldolduname +oldstat +olduname +open +open_by_handle_at +open_tree +openat +openat2 +pause +pciconfig_iobase +pciconfig_read +pciconfig_write +perf_event_open +personality +pidfd_getfd +pidfd_open +pidfd_send_signal +pipe +pipe2 +pivot_root +pkey_alloc +pkey_free +pkey_mprotect +poll +ppoll +ppoll_time64 +prctl +pread64 +preadv +preadv2 +prlimit64 +process_madvise +process_mrelease +process_vm_readv +process_vm_writev +prof +profil +pselect6 +pselect6_time64 +ptrace +putpmsg +pwrite64 +pwritev +pwritev2 +query_module +quotactl +quotactl_fd +read +readahead +readdir +readlink +readlinkat +readv +reboot +recv +recvfrom +recvmmsg +recvmmsg_time64 +recvmsg +remap_file_pages +removexattr +rename +renameat +renameat2 +request_key +restart_syscall +rmdir +rseq +rt_sigaction +rt_sigpending +rt_sigprocmask +rt_sigqueueinfo +rt_sigreturn +rt_sigsuspend +rt_sigtimedwait +rt_sigtimedwait_time64 +rt_tgsigqueueinfo +sched_get_priority_max +sched_get_priority_min +sched_getaffinity +sched_getattr +sched_getparam +sched_getscheduler +sched_rr_get_interval +sched_rr_get_interval_time64 +sched_setaffinity +sched_setattr +sched_setparam +sched_setscheduler +sched_yield +seccomp +security +select +semctl +semget +semop +semtimedop +semtimedop_time64 +send +sendfile +sendfile64 +sendmmsg +sendmsg +sendto +set_mempolicy +set_robust_list +set_thread_area +set_tid_address +setdomainname +setfsgid +setfsgid32 
+setfsuid +setfsuid32 +setgid +setgid32 +setgroups +setgroups32 +sethostname +setitimer +setns +setpgid +setpriority +setregid +setregid32 +setresgid +setresgid32 +setresuid +setresuid32 +setreuid +setreuid32 +setrlimit +setsid +setsockopt +settimeofday +setuid +setuid32 +setxattr +sgetmask +shmat +shmctl +shmdt +shmget +shutdown +sigaction +sigaltstack +signal +signalfd +signalfd4 +sigpending +sigprocmask +sigreturn +sigsuspend +socket +socketcall +socketpair +splice +ssetmask +stat +stat64 +statfs +statfs64 +statx +stime +stty +swapoff +swapon +symlink +symlinkat +sync +sync_file_range +syncfs +sysfs +sysinfo +syslog +tee +tgkill +time +timer_create +timer_delete +timer_getoverrun +timer_gettime +timer_gettime64 +timer_settime +timer_settime64 +timerfd_create +timerfd_gettime +timerfd_gettime64 +timerfd_settime +timerfd_settime64 +times +tkill +truncate +truncate64 +tuxcall +ugetrlimit +ulimit +umask +umount +umount2 +uname +unlink +unlinkat +unshare +uselib +userfaultfd +ustat +utime +utimensat +utimensat_time64 +utimes +vfork +vhangup +vm86 +vm86old +vmsplice +vserver +wait4 +waitid +waitpid +write +writev diff --git a/contrib/syntax/lists/system_errnos.list b/contrib/syntax/lists/system_errnos.list new file mode 100644 index 000000000..f0f816943 --- /dev/null +++ b/contrib/syntax/lists/system_errnos.list 
@@ -0,0 +1,135 @@ +E2BIG +EACCES +EADDRINUSE +EADDRNOTAVAIL +EADV +EAFNOSUPPORT +EAGAIN +EALREADY +EBADE +EBADF +EBADFD +EBADMSG +EBADR +EBADRQC +EBADSLT +EBFONT +EBUSY +ECANCELED +ECHILD +ECHRNG +ECOMM +ECONNABORTED +ECONNREFUSED +ECONNRESET +EDEADLK +EDEADLOCK +EDESTADDRREQ +EDOM +EDOTDOT +EDQUOT +EEXIST +EFAULT +EFBIG +EHOSTDOWN +EHOSTUNREACH +EHWPOISON +EIDRM +EILSEQ +EINPROGRESS +EINTR +EINVAL +EIO +EISCONN +EISDIR +EISNAM +EKEYEXPIRED +EKEYREJECTED +EKEYREVOKED +EL2HLT +EL2NSYNC +EL3HLT +EL3RST +ELIBACC +ELIBBAD +ELIBEXEC +ELIBMAX +ELIBSCN +ELNRNG +ELOOP +EMEDIUMTYPE +EMFILE +EMLINK +EMSGSIZE +EMULTIHOP +ENAMETOOLONG +ENAVAIL +ENETDOWN +ENETRESET +ENETUNREACH +ENFILE +ENOANO +ENOATTR +ENOBUFS +ENOCSI +ENODATA +ENODEV +ENOENT +ENOEXEC +ENOKEY +ENOLCK +ENOLINK +ENOMEDIUM +ENOMEM +ENOMSG +ENONET +ENOPKG +ENOPROTOOPT +ENOSPC +ENOSR +ENOSTR +ENOSYS +ENOTBLK +ENOTCONN +ENOTDIR +ENOTEMPTY +ENOTNAM +ENOTRECOVERABLE +ENOTSOCK +ENOTSUP +ENOTTY +ENOTUNIQ +ENXIO +EOPNOTSUPP +EOVERFLOW +EOWNERDEAD +EPERM +EPFNOSUPPORT +EPIPE +EPROTO +EPROTONOSUPPORT +EPROTOTYPE +ERANGE +EREMCHG +EREMOTE +EREMOTEIO +ERESTART +ERFKILL +EROFS +ESHUTDOWN +ESOCKTNOSUPPORT +ESPIPE +ESRCH +ESRMNT +ESTALE +ESTRPIPE +ETIME +ETIMEDOUT +ETOOMANYREFS +ETXTBSY +EUCLEAN +EUNATCH +EUSERS +EWOULDBLOCK +EXDEV +EXFULL From aad1351ab111372232cbdd249a12a194b9884f7b Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 23 Jan 2023 17:35:51 -0300 Subject: [PATCH 10/18] build: auto-generate syntax files Changes: * Generate firejail.vim from firejail.vim.in * Generate firejail-profile.lang from firejail-profile.lang.in * Update the manual syntax file steps on the new command checklist on CONTRIBUTING.md to use `make syntax` instead Relates to #2679 #5502 #5577 #5612. --- .gitignore | 2 + CONTRIBUTING.md | 3 +- Makefile | 10 ++ ...-profile.lang => firejail-profile.lang.in} | 7 +- contrib/syntax/files/firejail.vim | 104 ------------------ contrib/syntax/files/firejail.vim.in | 99 +++++++++++++++++ 6 files changed, 116 insertions(+), 109 deletions(-) rename contrib/syntax/files/{firejail-profile.lang => firejail-profile.lang.in} (59%) delete mode 100644 contrib/syntax/files/firejail.vim create mode 100644 contrib/syntax/files/firejail.vim.in diff --git a/.gitignore b/.gitignore index a6af8f67a..db3b16893 100644 --- a/.gitignore +++ b/.gitignore @@ -17,6 +17,8 @@ config.mk config.sh config.status contrib/syntax/files/example +contrib/syntax/files/firejail-profile.lang +contrib/syntax/files/firejail.vim firejail-*.tar.xz firejail-login.5 firejail-profile.5 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9a5f19b54..9463ba465 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -38,8 +38,7 @@ If you add a new command, here's the checklist: - [ ] Update manpages: firejail(1) and firejail-profile(5) - [ ] Update shell completions - - [ ] Update vim syntax files - - [ ] Update gtksourceview language specs + - [ ] Update syntax files (run `make syntax`) - [ ] Update --help # Editing the wiki diff --git a/Makefile b/Makefile index df06aed87..aa55c376e 100644 --- a/Makefile +++ b/Makefile 
@@ -134,6 +134,16 @@ contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS) @printf 'Generating %s from %s\n' $@ $< @$(edit_syntax_file) $< >$@ +# gtksourceview language-specs +contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS) + @printf 'Generating %s from %s\n' $@ $< + @$(edit_syntax_file) $< >$@ + +# vim syntax files +contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS) + @printf 'Generating %s from %s\n' $@ $< + @$(edit_syntax_file) $< >$@ + .PHONY: clean clean: for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ diff --git a/contrib/syntax/files/firejail-profile.lang b/contrib/syntax/files/firejail-profile.lang.in similarity index 59% rename from contrib/syntax/files/firejail-profile.lang rename to contrib/syntax/files/firejail-profile.lang.in index 61c37f98f..acd5c86ce 100644 --- a/contrib/syntax/files/firejail-profile.lang +++ b/contrib/syntax/files/firejail-profile.lang.in @@ -1,4 +1,5 @@ +