Merge branch 'master' into fix-profile-builder

46 files changed, 312 insertions, 146 deletions

diff --git a/etc/Viber.profile b/etc/Viber.profile
index ecc500769..925e130de 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -28,12 +28,10 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
-
-env QTWEBENGINE_DISABLE_SANDBOX=1
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 904c784c6..ffc613f1e 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 # protocol unix,inet,inet6,netlink
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 466eff22d..34933f283 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/ar.profile b/etc/ar.profile
new file mode 100644
index 000000000..6b1fb830c
--- /dev/null
+++ b/etc/ar.profile
@@ -0,0 +1,43 @@
+# Firejail profile for ar
+# Description: Create, modify, and extract from archives
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ar.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname ar
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin ar
+private-cache
+private-dev
+
+memory-deny-write-execute
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index f46987cc7..6f7638fa3 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
 
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5bc91dc74..8dc3847a0 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 4f1b05c88..0de3bc480 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/brackets.profile b/etc/brackets.profile
index b7d560bbc..13a3bef79 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -27,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 
 private-cache
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 147b0de4b..4d92157d0 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 
 private-dev
 private-tmp
diff --git a/etc/code.profile b/etc/code.profile
index 7ac4e1619..6f8a25211 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -18,7 +18,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
-net none
 netfilter
 nodvd
 nogroups
diff --git a/etc/falkon.profile b/etc/falkon.profile
index ddcda6228..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 6ad4a9bc2..02d6199a0 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index cbeb82465..30ca56094 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -58,6 +58,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow
 writable-var
 
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 6ef02ad47..3e1e0a2ce 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -29,7 +29,9 @@ machine-id
 net none
 no3d
 nodvd
-nodbus
+# Breaks 'Lock database when session is locked or lid is closed' (#2899),
+# you can safely uncomment it or add to keepassxc.local if you don't need this feature.
+#nodbus
 nogroups
 nonewprivs
 noroot
@@ -46,8 +48,5 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
-# 2.2.4 crashes on database open
-# memory-deny-write-execute
-
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
index db8f7880c..8b7b12882 100644
--- a/etc/kiwix-desktop.profile
+++ b/etc/kiwix-desktop.profile
@@ -39,7 +39,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 0b602c79a..198b05a11 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -51,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 
 private-dev
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0b5ebf705..6c5963793 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 
 #private-bin bash,mpd
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 11464e6cf..acb2ce176 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 80a10efce..88ed0cd81 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
+seccomp !mbind
 protocol unix,inet,inet6,netlink
 shell none
 tracelog
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index abbd76aff..863f57ba4 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -22,7 +22,8 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-nodbus
+# needs D-Bus when started from a file manager
+#nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 3f3270dd6..7aa71c848 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -21,7 +21,5 @@ mkdir ${HOME}/.config/qupzilla
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
 
-# private-tmp - interferes with the opening of downloaded files
-
 # Redirect
 include falkon.profile
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index a7ba18292..95c189458 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
index e6af4c2cb..4372fabe1 100644
--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,8 +7,7 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-ignore seccomp
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 # Redirect
 include riot-web.profile
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index b9a0fd149..fe29a6731 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -20,10 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.config/dconf
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.ssh
-whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.ssh
 whitelist /tmp/ssh-*
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 04696a918..f810a37ec 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -22,16 +22,12 @@ whitelist ${HOME}/.config/Signal
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 disable-mnt
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 64441483d..a0c9e8303 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
 
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index c10be717b..6f9bfd201 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 
 # private-bin kbuildsycoca4,kdeinit4,skanlite
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 8a45f2465..341c25a95 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -16,16 +16,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
 disable-mnt
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 5703f932a..aa6902854 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 disable-mnt
 private-dev
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 1c2a2cd10..a8b5d109e 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/tar.profile b/etc/tar.profile
index cace89965..3fba96eee 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -40,7 +40,7 @@ tracelog
 x11 none
 
 # support compressed archives
-private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
+private-bin bash,bzip2,compress,firejail,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index b34d15731..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0d67e222f..10b5ee2ae 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -138,6 +138,7 @@ include globals.local
 #  - packet almost never
 #protocol unix,inet,inet6,netlink,packet
 #seccomp
+##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #shell none
 #tracelog
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index bc45d9f9d..ea3b5a6b0 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,73 +1,107 @@
-Hints for writing seccomp.drop lines
-====================================
+Hints to write own seccomp filters
+==================================
+
+
+The different seccomp commands
+------------------------------
+
+Always have a look at 'man 1 firejail'.
+
+ - seccomp
+    Blocks all syscalls in the default-group.
+     - The default-group is @default-nodebuggers, unless allow-debuggers is
+       specified, then @default is used.
+     - Listed syscalls and groups are also blocked.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.block-secondary
+    Allows only native syscalls, all syscalls for other architectures are blocked.
+ - seccomp.drop
+    Blocks all listed syscalls.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.keep
+    Allows only listed syscalls.
+     To write your own seccomp.keep line, see:
+     - https://firejail.wordpress.com/documentation-2/seccomp-guide/
+     - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh
 
 Definition of groups
 --------------------
 
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
+@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
-@module=delete_module,finit_module,init_module
-@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
-@reboot=kexec_file_load,kexec_load,reboot
-@swap=swapoff,swapon
-
-@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
-
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
-@resources=mbind,migrate_pages,move_pages,set_mempolicy
-
-@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
-
-@default-nodebuggers=@default,personality,process_vm_readv,ptrace
-
+@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execve,prctl
+@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@keyring=add_key,keyctl,request_key
+@memlock=mlock,mlock2,mlockall,munlock,munlockall
+@module=delete_module,finit_module,init_module
+@mount=chroot,mount,pivot_root,umount,umount2
+@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
+@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot
+@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
+@setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32
+@signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend
+@swap=swapon,swapoff
+@sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs
+@system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice
+@timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times
 
 Inheritance of groups
 ---------------------
 
-+---------+----------------+---------------+
-| @clock  | @cpu-emulation | @default-keep |
-| @module | @debug         |               |
-| @raw-io | @obsolete      |               |
-| @reboot | @resources     |               |
-| @swap   |                |               |
-+---------+----------------+---------------+
-     :              :
-+-------------+     :
-| @privileged |     :
-+-------------+     :
-     :              :
-+----------+        :
-| @default |........:
-+----------+
-    :
-+----------------------+
-| @default-nodebuggers |
-+----------------------+
-
-common used seccomp.drop lines
-------------------------------
-
-@default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-
-@default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-
-Building a seccomp.drop line if seccomp breaks a programm
----------------------------------------------------------
++---------------+
+| @default-keep |
+| @mount        |
++---------------+
+
++----------------+  +---------+  +--------+  +--------------+
+| @cpu-emulation |  | @clock  |  | @chown |  | @aio         |
+| @debug         |  | @module |  +--------+  | @basic-io    |
+| @obsolete      |  | @raw-io |     :  :     | @file-system |
++----------------+  | @reboot |     :  :     | @io-event    |
+   :                | @swap   |     :  :     | @ipc         |
+   :                +---------+     :  :     | @keyring     |
+   :                  :  :          :  :     | @memlock     |
+   :    ..............:  :          :  :     | @network-io  |
+   :    :                :  ........:  :     | @process     |
+   :    :                :  :          :     | @resources   |
++----------+    +-------------+        :     | @setuid      |
+| @default |    | @privileged |        :     | @signal      |
++----------+    +-------------+        :     | @sync        |
+   :    :                              :     | @timer       |
+   :    :...........................   :     +--------------+
+   :                               :   :        :
++----------------------+        +-----------------+
+| @default-nodebuggers |        | @system-service |
++----------------------+        +-----------------+
+
+
+What to do if seccomp breaks a program
+--------------------------------------
 
 ```
 $ journalctl --grep=syscall --follow
 <...> audit[…]: SECCOMP <...> syscall=161 <...>
 $ firejail --debug-syscalls | grep 161
-161     - chroot
+161 - chroot
 ```
+Profile: `seccomp -> seccomp !chroot`
 
-TODO: write a short explanation
-TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
-
-see also
---------
+Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
+program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
+Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
+will see something like `NUMBER  - NAME`, because you now know the name of the
+syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
 
- - contrib/syscalls.sh
- - https://firejail.wordpress.com/documentation-2/seccomp-guide/
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 8485c0c4c..1183cd2f7 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9c1b7b92c..717c82379 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,10 +20,6 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
 
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 3f507a361..a08cc66b3 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -28,11 +28,10 @@ int arg_quiet = 0;
 int arg_debug = 0;
 static int arg_follow_link = 0;
 
-static int copy_limit = 500 * 1024 *1024; // 500 MB
-#define COPY_LIMIT (
+static unsigned long long copy_limit = 500 * 1024 * 1024; // 500 MB
+static unsigned long long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 
 static char *outpath = NULL;
 static char *inpath = NULL;
@@ -187,7 +186,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
         // recalculate size
         if ((s.st_size + size_cnt) > copy_limit) {
-                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
+                fprintf(stderr, "Error fcopy: size limit of %lluMB reached\n", (copy_limit / 1024) / 1024);
                 size_limit_reached = 1;
                 free(outfname);
                 return 0;
@@ -392,9 +391,9 @@ int main(int argc, char **argv) {
         // extract copy limit size from env variable, if any
         char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
         if (cl) {
-                copy_limit = atoi(cl) * 1024 * 1024;
+                copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
                 if (arg_debug)
-                        printf("file copy limit %d bytes\n", copy_limit);
+                        printf("file copy limit %llu bytes\n", copy_limit);
         }
 
         // copy files
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 6b2a92ad5..502449839 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -36,6 +36,7 @@ amule
 android-studio
 anydesk
 apktool
+ar
 arch-audit
 archaudit-report
 ardour4
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 5d83786bb..1683d3140 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = {
 #endif
         },
         { .name = "@default", .list =
+          "@clock,"
           "@cpu-emulation,"
           "@debug,"
+          "@module,"
           "@obsolete,"
-          "@privileged,"
-          "@resources,"
+          "@raw-io,"
+          "@reboot,"
+          "@swap,"
 #ifdef SYS_open_by_handle_at
           "open_by_handle_at,"
 #endif
@@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_request_key
           "request_key,"
 #endif
+#ifdef SYS_mbind
+          "mbind,"
+#endif
+#ifdef SYS_migrate_pages
+          "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+          "move_pages,"
+#endif
 #ifdef SYS_keyctl
           "keyctl,"
 #endif
@@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
           "remap_file_pages,"
 #endif
+#ifdef SYS_set_mempolicy
+          "set_mempolicy"
+#endif
 #ifdef SYS_vmsplice
           "vmsplice,"
 #endif
@@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
           "userfaultfd,"
 #endif
+#ifdef SYS_acct
+          "acct,"
+#endif
+#ifdef SYS_bpf
+          "bpf,"
+#endif
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_nfsservctl
+          "nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+          "setdomainname,"
+#endif
+#ifdef SYS_sethostname
+          "sethostname,"
+#endif
+#ifdef SYS_umount2
+          "umount2,"
+#endif
+#ifdef SYS_vhangup
+          "vhangup"
+#endif
 //#ifdef SYS_mincore    // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
 //        "mincore"
 //#endif
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index b3f040e8f..0c21b9b70 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -52,10 +52,7 @@ static orig_access_t orig_access = NULL;
 //
 // library constructor/destructor
 //
-// Replacing printf with fprintf to /dev/tty in order to fix #561
-// If you really want to turn it off, comment the following line, but its a
-// really bad idea.
-#define PRINTF_DEVTTY
+// Using fprintf to /dev/tty instead of printf in order to fix #561
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
@@ -75,12 +72,8 @@ void init(void) {
                 // if exists, log to trace file
                 logfile = RUN_TRACE_FILE;
                 if (orig_access(logfile, F_OK))
-#ifdef PRINTF_DEVTTY
                         // else log to associated tty
                         logfile = "/dev/tty";
-#else
-                        logfile = "/proc/self/fd/2";
-#endif
         }
         
         // logfile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 9f9d8e6ec..38bc0edc4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1762,25 +1762,22 @@ Example:
 $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
-create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
-io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
-name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
-query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
-security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
-vm86, vm86old, vmsplice and vserver.
+Enable seccomp filter and blacklist the syscalls in the default list,
+which is  @default-nodebuggers unless allow-debuggers is specified,
+then it is @default.
 
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @clock, @cpu-emulation, @debug,
-@default, @default-nodebuggers, @default-keep, @module, @obsolete,
-@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
-system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386.
+system call groups are defined: @aio, @basic-io, @chown, @clock,
+@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
+@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
+@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
+@resources, @setuid, @swap, @sync, @system-service and @timer.
+More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+
+In addition, a system call can be specified by its number instead of
+name with prefix $, so for example $165 would be equal to mount on i386.
+Exceptions can be allowed with prefix !.
 
 .br
 System architecture is strictly imposed only if flag
@@ -1798,8 +1795,10 @@ Example:
 .br
 $ firejail \-\-seccomp
 .TP
-\fB\-\-seccomp=syscall,@group
-Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
+\fB\-\-seccomp=syscall,@group,!syscall2
+Enable seccomp filter, whitelist "syscall2", but blacklist the default
+list and the syscalls or syscall groups specified by the
+command.
 .br
 
 .br
@@ -1899,10 +1898,10 @@ rm: cannot remove `testfile': Operation not permitted
 
 
 .TP
-\fB\-\-seccomp.keep=syscall,syscall,syscall
-Enable seccomp filter, and whitelist the syscalls specified by the
-command. The system calls needed by Firejail (group @default-keep:
-prctl, execve) are handled with the preload library.
+\fB\-\-seccomp.keep=syscall,@group,!syscall2
+Enable seccomp filter, blacklist all syscall not listed and "syscall2".
+The system calls needed by Firejail (group @default-keep: prctl, execve)
+are handled with the preload library.
 .br
 
 .br
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index b8c7ee850..4c6a778b2 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -95,7 +95,7 @@ send -- "firejail --shutdown=appimage-test\r"
 
 set spawn_id $appimage_id
 expect {
-        timeout {puts "TESTING ERROR 15\n";exit}
+        timeout {puts "shutdown\n";exit}
         "AppImage unmounted"
 }
 
diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp
new file mode 100755
index 000000000..574bd5a97
--- /dev/null
+++ b/test/appimage/appimage-trace.exp
@@ -0,0 +1,68 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set appimage_id $spawn_id
+
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "leafpad:socket"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "leafpad:connect"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "X11-unix/X0"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Parent is shutting down, bye"
+}
+expect {
+        timeout {puts "shutdown\n"}
+        "AppImage unmounted"
+}
+sleep 1
+
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "leafpad:socket"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "leafpad:connect"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "X11-unix/X0"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "Parent is shutting down, bye"
+}
+expect {
+        timeout {puts "shutdown\n"}
+        "AppImage unmounted"
+}
+sleep 1
+
+
+after 100
+
+puts "\nall done\n"
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 07f7d0d17..4522afa9b 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -83,7 +83,7 @@ send -- "firejail --shutdown=appimage-test\r"
 
 set spawn_id $appimage_id
 expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
+        timeout {puts "shutdown\n"}
         "AppImage unmounted"
 }
 
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index 7d3ba36c2..50466958d 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -82,7 +82,7 @@ spawn $env(SHELL)
 send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
+        timeout {puts "shutdown\n"}
         "AppImage unmounted"
 }
 
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index bcd82750e..39c288199 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -17,3 +17,6 @@ echo "TESTING: AppImage file name (test/appimage/filename.exp)";
 
 echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
 ./appimage-args.exp
+
+echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)"
+./appimage-args.exp