Merge branch 'master' into kuesji/master

115 files changed, 1775 insertions, 792 deletions

diff --git a/Makefile.in b/Makefile.in
index 6be62cb6e..17bd76464 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -31,7 +31,7 @@ SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfil
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
diff --git a/README b/README
index 522fdc34a..b8c0aef44 100644
--- a/README
+++ b/README
@@ -109,6 +109,7 @@ Amin Vakil (https://github.com/aminvakil)
         - whois profile fix
         - added profile for strawberry
         - w3m profile fix
+        - disable seccomp in wireshark profile
 Andreas Hunkeler (https://github.com/Karneades)
         - Add profile for offical Linux Teams application
 Andrey Alekseenko (https://github.com/al42and)
@@ -203,6 +204,7 @@ Bundy01 (https://github.com/Bundy01)
         - fixup geary
         - add gradio profile
         - update virtualbox.profile
+        - Quodlibet profile
 BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
@@ -435,6 +437,8 @@ hamzadis (https://github.com/hamzadis)
         - added --overlay-named=name and --overlay-path=path
 Hans-Christoph Steiner (https://github.com/eighthave)
         - added xournal profile
+Harald Kubota (https://github.com/haraldkubota)
+        - zsh completion
 hawkey116477 (https://github.com/hawkeye116477)
         - added Waterfox profile
         - updated Cyberfox profile
@@ -496,6 +500,7 @@ Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
         - fixed spotify.profile
 Jeff Squyres (https://github.com/jsquyres)
         - various manpage fixes
+        - cmdline.c: optionally quote the resulting command line
 Jericho (https://github.com/attritionorg)
         - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -520,6 +525,7 @@ Jose Riha (https://github.com/jose1711)
         - Add davfs2 secrets file to blacklist
         - Add profile for udiskie
         - fix udiskie.profile
+        - improve hints for allowing browser access to Gnome extensions connector
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
@@ -555,6 +561,7 @@ Kishore96in (https://github.com/Kishore96in)
         -  jitsi-meet-desktop profile
         - konversatin profile fix
         - added Neochat profile
+        - added whitelist-1793-workaround.inc
 KOLANICH (https://github.com/KOLANICH)
         - added symlink fixer fix_private-bin.py in contrib section
         - update fix_private-bin.py
@@ -610,6 +617,8 @@ Mattias Wadman (https://github.com/wader)
         - seccomp errno filter support
 Matthew Gyurgyik (https://github.com/pyther)
         - rpm spec and several fixes
+Matthew Cline (https://github.com/matthew-cline)
+        - steam profile and dropbox profile fixes
 matu3ba (https://github.com/matu3ba)
         - evince hardening, dbus removed
         - fix dia profile
@@ -649,12 +658,20 @@ Nick Fox (https://github.com/njfox)
         - fix wire-desktop.profile on arch
 NickMolloy (https://github.com/NickMolloy)
         - ARP address length fix
+Nico (https://github.com/dr460nf1r3)
+        - added FireDragon profile
+Nicola Davide Mannarelli (https://github.com/nidamanx)
+        - fix "Could not create AF_NETLINK socket"
+        - added nextcloud profiles
+        - Firefox, KeepassXC, Telegram fixes
 Niklas Haas (https://github.com/haasn)
         - blacklisting for keybase.io's client
 Niklas Goerke (https://github.com/Niklas974)
         - update QOwnNotes profile
 Nikos Chantziaras (https://github.com/realnc)
         - fix audio support for Discord
+nolanl (https://github.com/nolanl)
+        - added localtime to signal-desktop's profile
 nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
@@ -702,6 +719,8 @@ Petter Reinholdtsen (pere@hungry.com)
 PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
         - fix quiterss profile
         - added profile for gnome-ring
+pholodniak (https://github.com/pholodniak)
+        - profstats fixes
 pianoslum (https://github.com/pianoslum)
         - nodbus breaking evince two-page-view warning
 pirate486743186 (https://github.com/pirate486743186)
@@ -709,6 +728,17 @@ pirate486743186 (https://github.com/pirate486743186)
         - mpsyt profile
         - fix youtube-dl and mpv
         - fix gnome-mpv profile
+        - fix gunzip profile
+        - reorganizing youtube-viewers
+        - fix pluma profile
+        - whitelist /var/lib/aspell
+        - mcomix fixes
+        - fixing engrampa profile
+        - adding qcomicbook and pipe-viewer in disable-programs
+        - newsboat/newsbeuter profiles
+        - fix atril profile
+        - rtv profile
+        - reorganizing links browsers
 Pixel Fairy (https://github.com/xahare)
         - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
 PizzaDude (https://github.com/pizzadude)
@@ -745,6 +775,7 @@ Rahul Golam (https://github.com/technoLord)
 RandomVoid (https://github.com/RandomVoid)
         - fix building C# projects in Godot
         - fix Lutris profile
+        - fix running games with enabled Feral GameMode in Lutris
 Raphaël Droz (https://github.com/drzraf)
         - zoom profile fixes
 realaltffour (https://github.com/realaltffour)
@@ -786,6 +817,8 @@ rusty-snake (https://github.com/rusty-snake)
         - some typo fixes
         - added profile templates
         - added sort.py to contrib
+sak96 (https://github.com/sak96)
+        - discord profile fixes
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
@@ -814,6 +847,8 @@ sinkuu (https://github.com/sinkuu)
         - fix symlink invocation for programs placing symlinks in $PATH
 Simo Piiroinen (https://github.com/spiiroin)
         - Jolla/SailfishOS patches
+slowpeek (https://github.com/slowpeek)
+        - refine appimage example in docs
 smitsohu (https://github.com/smitsohu)
         - read-only kde4 services directory
         - enhanced mediathekview profile
@@ -939,6 +974,10 @@ Topi Miettinen (https://github.com/topimiettinen)
         - improve loading of seccomp filter and memory-deny-write-execute feature
         - private-lib feature
         - make --nodbus block also system D-Bus socket
+Ted Robertson  (https://github.com/tredondo)
+        - webstorm profile fixes
+        - added bcompare profile
+        - various documentation fixes
 user1024 (user1024@tut.by)
         - electron profile whitelisting
         - fixed Rocket.Chat profile
@@ -1003,6 +1042,9 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20)
         - apparmor profile enhancements
         - various KDE profile enhancements
         read-only kde5 services directory
+Vladislav Nepogodin (https://github.com/vnepogodin)
+        - added Librewolf profiles
+        - added Sway profile
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
 Ypnose (https://github.com/Ypnose)
diff --git a/README.md b/README.md
index c524a328d..c235759e9 100644
--- a/README.md
+++ b/README.md
@@ -126,18 +126,18 @@ $ cd firejail
 $ ./configure && make && sudo make install-strip
 `````
 On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using --apparmor
+development libraries and pkg-config are required when using `--apparmor`
 ./configure option:
 `````
 $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 `````
-For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
+For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
 
 Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
 
 ## Running the sandbox
 
-To start the sandbox, prefix your command with “firejail”:
+To start the sandbox, prefix your command with `firejail`:
 
 `````
 $ firejail firefox            # starting Mozilla Firefox
@@ -145,7 +145,7 @@ $ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
-Run "firejail --list" in a terminal to list all active sandboxes. Example:
+Run `firejail --list` in a terminal to list all active sandboxes. Example:
 `````
 $ firejail --list
 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
@@ -188,9 +188,7 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
 
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-`````
 
-`````
 ## Latest released version: 0.9.64
 
 ## Current development version: 0.9.65
@@ -334,5 +332,6 @@ avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.ph
 pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
 sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
 ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
-pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
-neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat
+pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon,
+neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr,
+tin
diff --git a/RELNOTES b/RELNOTES
index 74ef66fb9..c989b00ff 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.65) baseline; urgency=low
-  * deprecated --audit options, relpaced by jailtest
+  * deprecated --audit options, relpaced by jailcheck utility
   * deprecated follow-symlink-as-user from firejail.config
+  * rename --noautopulse to keep-config-pulse
   * filtering environment variables
   * zsh completion
   * command line: --mkdir, --mkfile
@@ -31,8 +32,9 @@ firejail (0.9.65) baseline; urgency=low
   * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
   * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
   * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
-  * cargo, LibreCAD, blobby, funnyboat
- -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
+  * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
+  * links2, xlinks2, googler, ddgr, tin
+ -- netblue30 <netblue30@yahoo.com>  Wed, 2 Jun 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
   * disabled overlayfs, pending multiple fixes (CVE-2021-26910)
diff --git a/configure b/configure
index b75848bea..9162b6c90 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.65.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.66rc1.
 #
 # Report bugs to <netblue30@protonmail.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.65'
-PACKAGE_STRING='firejail 0.9.65'
+PACKAGE_VERSION='0.9.66rc1'
+PACKAGE_STRING='firejail 0.9.66rc1'
 PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -1299,7 +1299,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.65 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.66rc1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1361,7 +1361,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.65:";;
+     short | recursive ) echo "Configuration of firejail 0.9.66rc1:";;
    esac
   cat <<\_ACEOF
 
@@ -1481,7 +1481,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.65
+firejail configure 0.9.66rc1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1783,7 +1783,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.65, which was
+It was created by firejail $as_me 0.9.66rc1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4910,7 +4910,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.65, which was
+This file was extended by firejail $as_me 0.9.66rc1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4964,7 +4964,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.65
+firejail config.status 0.9.66rc1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -5560,47 +5560,49 @@ $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
 
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
-
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   whitelisting: $HAVE_WHITELIST
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
 
 if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+        cat <<\EOF
+
 
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/configure.ac b/configure.ac
index 4af69766d..f37db5926 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com)
+AC_INIT([firejail],[0.9.66rc1],[netblue30@protonmail.com],[],[https://firejail.wordpress.com])
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])
@@ -304,53 +304,56 @@ if test "$prefix" = /usr; then
 fi
 
 AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
-AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
+AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile)
-
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
-
+src/jailcheck/Makefile])
+AC_OUTPUT
+
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   whitelisting: $HAVE_WHITELIST
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
 
 if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+        cat <<\EOF
+
 
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
index 9205d9b3e..f89f97ac4 100755
--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -70,6 +70,19 @@ def get_args(profile_path):
     return profile
 
 
+def absolute_include(word):
+    home = os.environ['HOME']
+    path = home + '/.config/firejail/'
+
+    option, filename = word.split('=')
+    absolute_filename = path + filename
+
+    if not os.path.isfile(absolute_filename):
+        absolute_filename = '${CFG}/' + filename
+
+    return option + '=' + absolute_filename
+
+
 def arg_converter(arg_list, style):
     """
     Convert between firejail command-line arguments (--example=something) and
@@ -94,9 +107,12 @@ def arg_converter(arg_list, style):
     if style == 'to_profile':
         new_args = [word[2:] for word in new_args]
 
-    # Remove invalid '--include' args if converting to command-line form
     elif style == 'to_commandline':
-        new_args = [word for word in new_args if 'include' not in word]
+        new_args = [
+            absolute_include(word) if word.startswith('--include')
+            else word
+            for word in new_args
+        ]
 
     return new_args
 
@@ -148,8 +164,12 @@ def run_firejail(program, all_args):
 
 
 def main():
-    profile_path = sys.argv[1]
-    program = sys.argv[2]
+    try:
+        profile_path = sys.argv[1]
+        program = sys.argv[2]
+    except IndexError:
+        print('USAGE: jail_prober.py <PROFILE-PATH> <PROGRAM>')
+        sys.exit()
     # Quick error check and extract arguments
     check_params(profile_path)
     profile = get_args(profile_path)
diff --git a/contrib/vim/ftdetect/firejail.vim b/contrib/vim/ftdetect/firejail.vim
index a8ba5cd75..2edc741da 100644
--- a/contrib/vim/ftdetect/firejail.vim
+++ b/contrib/vim/ftdetect/firejail.vim
@@ -1,6 +1,6 @@
-autocmd BufNewFile,BufRead /etc/firejail/*.profile      set filetype=firejail
-autocmd BufNewFile,BufRead /etc/firejail/*.local        set filetype=firejail
-autocmd BufNewFile,BufRead /etc/firejail/*.inc          set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.profile set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.local   set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     set filetype=firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.profile      setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.local        setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.inc          setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.local   setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     setfiletype firejail
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 8775ae71d..d07690ee2 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -20,19 +20,20 @@ syn match fjCapabilityList /,/ nextgroup=fjCapability contained
 syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
 syn match fjProtocolList /,/ nextgroup=fjProtocol contained
 
-" Syscalls grabbed from: src/include/syscall.h
-" Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' '
-syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
+" Syscalls grabbed from: src/include/syscall*.h
+" Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' '
+syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
 " Syscall groups grabbed from: src/fseccomp/syscall.c
-" Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|'
-syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained
+" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|'
+syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
 syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
 " Errnos grabbed from: src/fseccomp/errno.c
-" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/fseccomp/errno.c | sort -u | tr $'\n' '|'
+" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|'
 syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
 syn match fjSyscallList /,/ nextgroup=fjSyscall contained
 
 syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
 
 syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
 syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
@@ -40,6 +41,7 @@ syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
 syn keyword fjAll all contained
 syn keyword fjNone none contained
 syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
 
 " Variable names grabbed from: src/firejail/macros.c
 " Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|'
@@ -47,27 +49,30 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
 syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
-syn match fjCommand /\vseccomp(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
 syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
 syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
 syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
 syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
 syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
 syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
 " Commands that can't be inside a ?CONDITIONAL: statement
 syn match fjCommandNoCond /include / skipwhite contained
 syn match fjCommandNoCond /quiet$/ contained
 
 " Conditionals grabbed from: src/firejail/profile.c
 " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NODBUS) ?:/ nextgroup=fjCommand skipwhite contained
+syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
 
 " A line is either a command, a conditional or a comment
 syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
@@ -88,6 +93,8 @@ hi def link fjRmenvVar Type
 hi def link fjAll Type
 hi def link fjNone Type
 hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
 
 
 let b:current_syntax = "firejail"
diff --git a/etc/firejail.config b/etc/firejail.config
index c671efef9..f5b3d5efa 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -35,11 +35,6 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
-# Set the limit for file copy in several --private-* options. The size is set
-# in megabytes. By default we allow up to 500MB.
-# Note: the files are copied in RAM.
-# file-copy-limit 500
-
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
@@ -77,18 +72,35 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
+
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
 
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 518587957..0e575e5eb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -39,6 +39,8 @@ blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -589,6 +591,7 @@ blacklist ${HOME}/.kodi
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
+blacklist ${HOME}/.links2
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
@@ -809,6 +812,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
 blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
@@ -829,6 +833,14 @@ blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
@@ -866,6 +878,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 454a15ab2..4009853d3 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
new file mode 100644
index 000000000..0b5cf0df0
--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile
new file mode 100644
index 000000000..97b97fe5f
--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 54abdb234..01566314f 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -31,6 +31,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 721a6c082..854fe5cb9 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.cache/tracker
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/bijiben
 whitelist /usr/share/tracker
 whitelist /usr/share/tracker3
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index f02161b9b..1c539cc93 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -17,6 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 0283a6934..8803a4d9d 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -6,6 +6,8 @@ include chromium-browser-privacy.local
 noblacklist ${HOME}/.cache/ungoogled-chromium
 noblacklist ${HOME}/.config/ungoogled-chromium
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
diff --git a/etc/profile-a-l/ddgr.profile b/etc/profile-a-l/ddgr.profile
new file mode 100644
index 000000000..b1d41ddf7
--- /dev/null
+++ b/etc/profile-a-l/ddgr.profile
@@ -0,0 +1,13 @@
+# Firejail profile for ddgr
+# Description: Search DuckDuckGo from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ddgr.local
+# Persistent global definitions
+include globals.local
+
+private-bin ddgr
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 8120725d2..5a29eb24b 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -1,6 +1,7 @@
 # Firejail profile for elinks
 # Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include elinks.local
 # Persistent global definitions
@@ -8,37 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+mkdir ${HOME}/.elinks
+whitelist ${HOME}/.elinks
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+private-bin elinks
 
-include whitelist-runuser-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin elinks
-private-cache
-private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
-private-tmp
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 8e8047b00..fe7913e77 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index d44d419c1..fdff1e4b5 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.etr
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index adcb29063..a9e39b15c 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -13,6 +13,8 @@ include globals.local
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 0b8a8cd6c..4e651ed61 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -13,6 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist /usr/libexec/file-roller
 whitelist /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index b22a78458..7874c882f 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -17,6 +17,8 @@ include globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa56d2b2d..b4ad81046 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
+whitelist /usr/libexec/frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index f2da60c87..3a8c055f2 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -7,6 +7,7 @@ include gapplication.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 7ec8ba810..f894a42ca 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -31,6 +31,7 @@ whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index cf2ac2f75..23aab343f 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -18,6 +18,8 @@ noblacklist ${HOME}/.local/share/maps-places.json
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 763d67b92..fee5f88b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -13,6 +13,8 @@ noblacklist ${HOME}/*.kdbx
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
new file mode 100644
index 000000000..2d0bce52b
--- /dev/null
+++ b/etc/profile-a-l/googler-common.profile
@@ -0,0 +1,62 @@
+# Firejail profile for googler clones
+# Description: common profile for googler clones
+# This file is overwritten after every install/update
+# Persistent local customizations
+include googler-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.w3m
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.w3m
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin env,python3*,sh,w3m
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler.profile b/etc/profile-a-l/googler.profile
new file mode 100644
index 000000000..9d67006f6
--- /dev/null
+++ b/etc/profile-a-l/googler.profile
@@ -0,0 +1,13 @@
+# Firejail profile for googler
+# Description: Search Google from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include googler.local
+# Persistent global definitions
+include globals.local
+
+private-bin googler
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile
index 6e97c6b78..584d88f85 100644
--- a/etc/profile-a-l/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
@@ -7,5 +7,7 @@ include gunzip.local
 # added by included profile
 #include globals.local
 
+include allow-bin-sh.inc
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index f72af0b4a..b887de147 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/hexchat
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -48,7 +51,7 @@ tracelog
 
 disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
-private-bin hexchat,python*
+private-bin hexchat,python*,sh
 private-dev
 #private-lib - python problems
 private-tmp
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index c352a5d89..f71dcf82b 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -22,6 +22,8 @@ noblacklist ${HOME}/.config/vivaldi
 noblacklist ${HOME}/.local/share/torbrowser
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b72632bf4..b7091f1fc 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # noexec ${HOME} breaks plugins
 ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index e4440eac0..b1a24888c 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -14,6 +14,8 @@ noblacklist ${HOME}/.config/libreoffice
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
new file mode 100644
index 000000000..cd885b1d4
--- /dev/null
+++ b/etc/profile-a-l/links-common.profile
@@ -0,0 +1,63 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include links-common.local
+
+# common profile for links browsers
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
+# used as associated programs can be added in your links-common.local.
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# Add 'ignore machine-id' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+machine-id
+netfilter
+# Add 'ignore no3d' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# Add 'ignore nosound' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# Add  'private-bin PROGRAM1,PROGRAM2' to your links-common.local  if you want to use user-configured programs.
+private-bin sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Add the next line to your links-common.local to allow external media players.
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index a1eeda14a..8ce39cc7f 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -9,58 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.links
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# used as associated programs can be added in your links.local.
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
-whitelist ${DOWNLOADS}
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-machine-id
-netfilter
-# Add 'ignore no3d' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-# Add 'ignore nosound' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 
-disable-mnt
-# Add  'private-bin PROGRAM1,PROGRAM2' to your links.local  if you want to use user-configured programs.
-private-bin links,sh
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Add the next line to your links.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
-private-tmp
+private-bin links
 
-memory-deny-write-execute
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
new file mode 100644
index 000000000..5f91dfcd2
--- /dev/null
+++ b/etc/profile-a-l/links2.profile
@@ -0,0 +1,18 @@
+# Firejail profile for links2
+# Description: Text WWW browser with a graphic version
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links2
+
+mkdir ${HOME}/.links2
+whitelist ${HOME}/.links2
+
+private-bin links2
+
+# Redirect
+include links-common.profile
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 087c02964..bd56a8221 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -25,6 +25,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
new file mode 100644
index 000000000..fcd1e24e5
--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,74 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 972838729..f07b9166a 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
 whitelist /usr/share/megaglest
+whitelist /usr/share/games/megaglest    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 1225cc107..2a8bb3acf 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -29,6 +29,8 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+blacklist /usr/libexec
+
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 2536d0b38..1028e374a 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -31,7 +31,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 310f36ea1..af5c214f7 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -35,6 +35,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 035a7e625..e3ceb3bd4 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -14,6 +14,8 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 3889d87d2..f1fdfcbad 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.pingus
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
new file mode 100644
index 000000000..0e52d7fc4
--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
new file mode 100644
index 000000000..cd84ce05e
--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+#              symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index aac3e721f..b1989e474 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
 whitelist /usr/share/scorched3d
+whitelist /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 131dcbb68..7799ab7ed 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -6,6 +6,9 @@ include seahorse-adventures.local
 # Persistent global definitions
 include globals.local
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -20,6 +23,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,7 +46,7 @@ tracelog
 
 disable-mnt
 private
-private-bin python*,seahorse-adventures
+private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
 private-etc machine-id
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 9ad772cd5..51f6c8b00 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -18,12 +18,14 @@ ignore dbus-system none
 
 noblacklist ${HOME}/.config/Slack
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
-private-bin locale,slack
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index dd456f085..cfd7a63ea 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
 whitelist /usr/share/supertux2
+whitelist /usr/share/games/supertux2    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 6a0ed46e0..4eb8f921c 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.config/supertuxkart
 noblacklist ${HOME}/.cache/supertuxkart
 noblacklist ${HOME}/.local/share/supertuxkart
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -26,6 +28,7 @@ whitelist ${HOME}/.config/supertuxkart
 whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
+whitelist /usr/share/games/supertuxkart # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index e0c5aee9e..7463b761f 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,7 +2,7 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include tekegram-desktop.local
+include telegram-desktop.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..e0ed3090a
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index d0bcbe79f..3cd496412 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -6,6 +6,9 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
 
+# tuxguitar fails to launch
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
@@ -41,6 +44,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# noexec ${HOME} - tuxguitar may fail to launch
-noexec /tmp
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 131213ed2..69b2c6c59 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -17,18 +17,32 @@ noblacklist ${HOME}/.w3m
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.w3m
+whitelist /usr/share/w3m
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.w3m
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
@@ -45,8 +59,14 @@ seccomp
 shell none
 tracelog
 
-# private-bin w3m
+disable-mnt
+private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 3a93d2ec7..76935212f 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
 
+whitelist /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 7987af280..d5e25cfe7 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -8,7 +8,6 @@ include xlinks.local
 #include globals.local
 
 noblacklist /tmp/.X11-unix
-noblacklist ${HOME}/.links
 
 include whitelist-common.inc
 
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
new file mode 100644
index 000000000..1ae6a60ca
--- /dev/null
+++ b/etc/profile-m-z/xlinks2
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks2
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks2
+private-etc fonts
+
+# Redirect
+include links2.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 93054bfed..dee154409 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/doc
 whitelist /usr/share/groff
 whitelist /usr/share/help
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index a39729685..d0e68c980 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -17,12 +17,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
 whitelist /usr/share/doc
 whitelist /usr/share/zathura
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index fcc7fe949..18e4e8bce 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -59,14 +59,6 @@ include globals.local
 ##ignore noexec ${HOME}
 ##ignore noexec /tmp
 
-##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
-# Disable Wayland
-#blacklist ${RUNUSER}/wayland-*
-# Disable RUNUSER (cli only; supersedes Disable Wayland)
-#blacklist ${RUNUSER}
-
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
 # (keep list sorted) and then disable blacklisting below.
@@ -109,6 +101,17 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
 
+##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only; supersedes Disable Wayland)
+#blacklist ${RUNUSER}
+# Remove the next blacklist if you system has no /usr/libexec dir,
+# otherwise try to add it.
+#blacklist /usr/libexec
+
 # disable-*.inc includes
 # remove disable-write-mnt.inc if you set disable-mnt
 #include disable-common.inc
@@ -189,7 +192,7 @@ include globals.local
 #  GUI: fonts,pango,X11
 #  GTK: dconf,gconf,gtk-2.0,gtk-3.0
 #  KDE: kde4rc,kde5rc
-#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
+#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 #    Extra: gai.conf,proxychains.conf
 #  Qt: Trolltech.conf
 ##private-lib LIBS
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index acdc8d561..86cd6006e 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -45,8 +45,8 @@ rm -rf %{buildroot}
 %{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man1/jailcheck.1.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
-%{_mandir}/man5/jailcheck.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 572e9f601..31810de9a 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -19,11 +19,15 @@
  */
 
 #include "../include/common.h"
-#include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
 #if HAVE_SELINUX
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -55,7 +59,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
         assert(path);
         assert(inside_path);
 #if HAVE_SELINUX
-        char procfs_path[64];
+        char procfs_path[64];
         char *fcon = NULL;
         int fd;
         struct stat st;
@@ -69,20 +73,23 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
         if (!label_hnd)
                 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 
+        if (!label_hnd)
+                errExit("selabel_open");
+
         /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
                 goto close;
 
-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
                 sprintf(procfs_path, "/proc/self/fd/%i", fd);
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
                 setfilecon_raw(procfs_path, fcon);
-        }
+        }
         freecon(fcon);
  close:
         close(fd);
@@ -340,7 +347,7 @@ static char *check(const char *src) {
 
 errexit:
         free(rsrc);
-        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
+        fprintf(stderr, "Error fcopy: invalid ownership for file %s\n", src);
         exit(1);
 }
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f0e3a887f..e58fe39ec 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,6 +38,8 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alpine
+alpinef
 amarok
 amule
 amuled
@@ -167,6 +169,7 @@ cvlc
 cyberfox
 darktable
 dconf-editor
+ddgr
 ddgtk
 deadbeef
 deluge
@@ -350,6 +353,7 @@ google-chrome-unstable
 google-earth
 google-earth-pro
 google-play-music-desktop-player
+googler
 gpa
 gpicview
 gpredict
@@ -452,6 +456,7 @@ liferea
 lightsoff
 lincity-ng
 links
+links2
 linphone
 lmms
 lobase
@@ -491,6 +496,7 @@ mathematica
 matrix-mirage
 mattermost-desktop
 mcabber
+mcomix
 mediainfo
 mediathekview
 megaglest
@@ -651,6 +657,7 @@ pybitmessage
 # pycharm-professional
 # pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
+qcomicbook
 qemu-launcher
 qgis
 qlipper
@@ -871,6 +878,7 @@ xfce4-notes
 xfce4-screenshooter
 xiphos
 xlinks
+xlinks2
 xmms
 xmr-stak
 xonotic
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 6b9fed765..a96415985 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -28,8 +28,13 @@
 #include <linux/loop.h>
 #include <errno.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 static char *devloop = NULL;    // device file
 static long unsigned size = 0;  // offset into appimage file
+#define MAXBUF 4096
 
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
@@ -38,6 +43,36 @@ static void err_loop(void) {
 }
 #endif
 
+// return 1 if found
+int appimage_find_profile(const char *archive) {
+        assert(archive);
+        assert(strlen(archive));
+
+        // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config
+        FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config");
+                exit(1);
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (*buf == '#')
+                        continue;
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                if (strcasestr(archive, buf)) {
+                        fclose(fp);
+                        return profile_find_firejail(buf, 1);
+                }
+        }
+
+        fclose(fp);
+        return 0;
+
+}
+
+
 void appimage_set(const char *appimage) {
         assert(appimage);
         assert(devloop == NULL);        // don't call this twice!
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index cb087d395..f3ab0a6d8 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -110,10 +110,14 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
                         PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
                         PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+                        PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
                         PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+                        PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
                         PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
-                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+                        PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+                        PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
                         PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
@@ -130,8 +134,7 @@ int checkcfg(int val) {
                                         *end = '\0';
 
                                 // is the file present?
-                                struct stat s;
-                                if (stat(fname, &s) == -1) {
+                                if (access(fname, F_OK) == -1) {
                                         fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
                                         exit(1);
                                 }
@@ -294,7 +297,7 @@ errout:
 
 void print_compiletime_support(void) {
         printf("Compile time support:\n");
-        printf("\t- Always force nonewprivs support is %s\n",
+        printf("\t- always force nonewprivs support is %s\n",
 #ifdef HAVE_FORCE_NONEWPRIVS
                 "enabled"
 #else
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 757ffb1f7..edc31cdea 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -29,6 +29,9 @@
 #define O_PATH 010000000
 #endif
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
 
 // exit if error
 void fs_check_chroot_dir(void) {
@@ -163,12 +166,8 @@ void fs_chroot(const char *rootdir) {
         int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd("/dev", fd))
                 errExit("mounting /dev");
-        free(proc);
         close(fd);
 
 #ifdef HAVE_X11
@@ -192,11 +191,8 @@ void fs_chroot(const char *rootdir) {
                 fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                 if (fd == -1)
                         errExit("open");
-                if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                        errExit("asprintf");
-                if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (bind_mount_path_to_fd("/tmp/.X11-unix", fd))
                         errExit("mounting /tmp/.X11-unix");
-                free(proc);
                 close(fd);
         }
 #endif // HAVE_X11
@@ -225,19 +221,11 @@ void fs_chroot(const char *rootdir) {
                         fprintf(stderr, "Error: cannot open %s\n", pulse);
                         exit(1);
                 }
-                free(pulse);
-
-                char *proc_src, *proc_dst;
-                if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                        errExit("asprintf");
-                if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                        errExit("asprintf");
-                if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                free(proc_src);
-                free(proc_dst);
+                if (bind_mount_by_fd(src, dst))
+                        errExit("mounting pulseaudio");
                 close(src);
                 close(dst);
+                free(pulse);
 
                 // update /etc/machine-id in chroot
                 update_file(parentfd, "etc/machine-id");
@@ -256,11 +244,8 @@ void fs_chroot(const char *rootdir) {
         fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         // create /run/firejail/mnt directory in chroot
@@ -271,11 +256,8 @@ void fs_chroot(const char *rootdir) {
         fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_MNT_DIR, fd))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         // update chroot resolv.conf
@@ -289,11 +271,8 @@ void fs_chroot(const char *rootdir) {
         if (mkdir(oroot, 0755) == -1)
                 errExit("mkdir");
         // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
-        if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1)
-                errExit("asprintf");
-        if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(parentfd, oroot))
                 errExit("mounting rootdir oroot");
-        free(proc);
         close(parentfd);
         // chroot into the new directory
         if (arg_debug)
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index f902c4e1c..2fa68a55d 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -26,7 +26,7 @@
 #include <assert.h>
 #include <errno.h>
 
-static int cmdline_length(int argc, char **argv, int index) {
+static int cmdline_length(int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -46,10 +46,11 @@ static int cmdline_length(int argc, char **argv, int index) {
                                         len += 3;
                                 in_quotes = false;
                         } else {
-                                if (!in_quotes)
+                                if (!in_quotes && want_extra_quotes)
                                         len++;
                                 len++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 if (in_quotes) {
@@ -64,7 +65,7 @@ static int cmdline_length(int argc, char **argv, int index) {
         return len;
 }
 
-static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
+static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -103,14 +104,15 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
                         // anything other
                         else
                         {
-                                if (!in_quotes) {
+                                if (!in_quotes && want_extra_quotes) {
                                         // open quotes
                                         ptr1[0] = '\'';
                                         ptr1++;
                                 }
                                 ptr1[0] = argv[i + index][j];
                                 ptr1++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 // close quotes
@@ -134,12 +136,12 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
         assert((unsigned) len == strlen(command_line));
 }
 
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
-        int len = cmdline_length(argc, argv, index);
+        int len = cmdline_length(argc, argv, index, want_extra_quotes);
         if (len > ARG_MAX) {
                 errno = E2BIG;
                 errExit("cmdline_length");
@@ -152,7 +154,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         if (!*window_title)
                         errExit("malloc");
 
-        quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        quote_cmdline(*command_line, *window_title, len, argc, argv, index, want_extra_quotes);
 
         if (arg_debug)
                 printf("Building quoted command line: %s\n", *command_line);
@@ -161,17 +163,17 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         assert(*window_title);
 }
 
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
         char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun";
 
-        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
-        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
-        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/AppRun
-        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
+        int len1 = cmdline_length(argc, argv, index, want_extra_quotes);  // length of argv w/o changes
+        int len2 = cmdline_length(1, &argv[index], 0, want_extra_quotes); // apptest.AppImage
+        int len3 = cmdline_length(1, &apprun_path, 0, want_extra_quotes); // /run/firejail/appimage/AppRun
+        int len4 = (len1 - len2 + len3) + 1;                              // apptest.AppImage is replaced by /path/to/AppRun
 
         if (len4 > ARG_MAX) {
                 errno = E2BIG;
@@ -187,7 +189,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
                         errExit("malloc");
 
         // run default quote_cmdline
-        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index, want_extra_quotes);
 
         assert(command_line_tmp);
         assert(*window_title);
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index b8aa2c974..9a4cb2e6b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -258,12 +258,8 @@ static char *find_user_socket_by_format(char *format) {
         if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1)
                 errExit("asprintf");
         struct stat s;
-        if (stat(dbus_user_socket, &s) == -1) {
-                if (errno == ENOENT)
-                        goto fail;
-                return NULL;
-                errExit("stat");
-        }
+        if (lstat(dbus_user_socket, &s) == -1)
+                goto fail;
         if (!S_ISSOCK(s.st_mode))
                 goto fail;
         return dbus_user_socket;
@@ -426,12 +422,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) {
                 errno = ENOTSOCK;
                 errExit("mounting DBus proxy socket");
         }
-        char *proxy_fd_path;
-        if (asprintf(&proxy_fd_path, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proxy_path, socket_path, NULL, MS_BIND | MS_REC, NULL) == -1)
+        if (bind_mount_fd_to_path(fd, socket_path))
                 errExit("mount bind");
-        free(proxy_fd_path);
         close(fd);
 }
 
@@ -478,7 +470,7 @@ void dbus_apply_policy(void) {
         create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
 
         if (arg_dbus_user != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600);
 
                 if (arg_dbus_user == DBUS_POLICY_FILTER) {
                         assert(dbus_user_proxy_socket != NULL);
@@ -517,7 +509,7 @@ void dbus_apply_policy(void) {
         }
 
         if (arg_dbus_system != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600);
 
                 if (arg_dbus_system == DBUS_POLICY_FILTER) {
                         assert(dbus_system_proxy_socket != NULL);
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 5bcdcad37..ec482e2ea 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -153,19 +153,13 @@ void dhcp_start(void) {
         if (!any_dhcp())
                 return;
 
-        char *dhclient_path = RUN_MNT_DIR "/dhclient";;
+        char *dhclient_path = RUN_MNT_DIR "/dhclient";
         struct stat s;
         if (stat(dhclient_path, &s) == -1) {
-                dhclient_path = "/usr/sbin/dhclient";
-                if (stat(dhclient_path, &s) == -1) {
-                        fprintf(stderr, "Error: dhclient was not found.\n");
-                        exit(1);
-                }
+                fprintf(stderr, "Error: %s was not found.\n", dhclient_path);
+                exit(1);
         }
 
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
-        dhclient_path = RUN_MNT_DIR "/dhclient";
-
         EUID_ROOT();
         if (mkdir(RUN_DHCLIENT_DIR, 0700))
                 errExit("mkdir");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 756a5d095..c84965074 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -5,7 +5,7 @@
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * the Free Software Foundation; eithe r version 2 of the License, or
  * (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful,
@@ -45,6 +45,15 @@
                 assert(s.st_gid == gid);\
                 assert((s.st_mode & 07777) == (mode));\
         } while (0)
+#define ASSERT_PERMS_AS_USER(file, uid, gid, mode) \
+        do { \
+                assert(file);\
+                struct stat s;\
+                if (stat_as_user(file, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
         do { \
                 struct stat s;\
@@ -504,6 +513,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
 void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
+char *realpath_as_user(const char *fname);
+int stat_as_user(const char *fname, struct stat *s);
+int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
 char *line_remove_spaces(const char *buf);
 char *split_comma(char *str);
@@ -527,11 +539,15 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safer_openat(int dirfd, const char *path, int flags);
+int remount_by_fd(int dst, unsigned long mountflags);
+int bind_mount_by_fd(int src, int dst);
+int bind_mount_path_to_fd(const char *srcname, int dst);
+int bind_mount_fd_to_path(int src, const char *destname);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
 pid_t require_pid(const char *name);
-void check_homedir(void);
+void check_homedir(const char *dir);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
@@ -763,8 +779,14 @@ enum {
         CFG_WHITELIST,
         CFG_XEPHYR_WINDOW_TITLE,
         CFG_OVERLAYFS,
-        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_BIN,
         CFG_PRIVATE_BIN_NO_LOCAL,
+        CFG_PRIVATE_CACHE,
+        CFG_PRIVATE_ETC,
+        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_LIB,
+        CFG_PRIVATE_OPT,
+        CFG_PRIVATE_SRV,
         CFG_FIREJAIL_PROMPT,
         CFG_DISABLE_MNT,
         CFG_JOIN,
@@ -772,10 +794,8 @@ enum {
         CFG_XPRA_ATTACH,
         CFG_BROWSER_DISABLE_U2F,
         CFG_BROWSER_ALLOW_DRM,
-        CFG_PRIVATE_LIB,
         CFG_APPARMOR,
         CFG_DBUS,
-        CFG_PRIVATE_CACHE,
         CFG_CGROUP,
         CFG_NAME_CHANGE,
         CFG_SECCOMP_ERROR_ACTION,
@@ -796,6 +816,7 @@ int checkcfg(int val);
 void print_compiletime_support(void);
 
 // appimage.c
+int appimage_find_profile(const char *archive);
 void appimage_set(const char *appimage_path);
 void appimage_mount(void);
 void appimage_clear(void);
@@ -804,8 +825,8 @@ void appimage_clear(void);
 long unsigned int appimage2_size(int fd);
 
 // cmdline.c
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
 
 // sbox.c
 // programs
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 09de11de9..4ae7dbfa4 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -33,6 +33,10 @@
 #define O_PATH 010000000
 #endif
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
@@ -54,16 +58,10 @@ static char *opstr[] = {
         [MOUNT_RDWR_NOCHECK] = "read-write",
 };
 
-typedef enum {
-        UNSUCCESSFUL,
-        SUCCESSFUL
-} LAST_DISABLE_OPERATION;
-LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL;
-
 static void disable_file(OPERATION op, const char *filename) {
         assert(filename);
         assert(op <OPERATION_MAX);
-        last_disable = UNSUCCESSFUL;
+        EUID_ASSERT();
 
         // Resolve all symlinks
         char* fname = realpath(filename, NULL);
@@ -71,20 +69,24 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
         if (fname == NULL && errno == EACCES) {
-                if (arg_debug)
-                        printf("Debug: no access to file %s, forcing mount\n", filename);
                 // realpath and stat functions will fail on FUSE filesystems
                 // they don't seem to like a uid of 0
                 // force mounting
-                int rv = mount(RUN_RO_DIR, filename, "none", MS_BIND, "mode=400,gid=0");
-                if (rv == 0)
-                        last_disable = SUCCESSFUL;
-                else {
-                        rv = mount(RUN_RO_FILE, filename, "none", MS_BIND, "mode=400,gid=0");
-                        if (rv == 0)
-                                last_disable = SUCCESSFUL;
+                int fd = open(filename, O_PATH|O_CLOEXEC);
+                if (fd < 0) {
+                        if (arg_debug)
+                                printf("Warning (blacklisting): cannot open %s: %s\n", filename, strerror(errno));
+                        return;
                 }
-                if (last_disable == SUCCESSFUL) {
+
+                EUID_ROOT();
+                int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
+                if (err != 0)
+                        err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
+                EUID_USER();
+                close(fd);
+
+                if (err == 0) {
                         if (arg_debug)
                                 printf("Disable %s\n", filename);
                         if (op == BLACKLIST_FILE)
@@ -92,21 +94,18 @@ static void disable_file(OPERATION op, const char *filename) {
                         else
                                 fs_logger2("blacklist-nolog", filename);
                 }
-                else {
-                        if (arg_debug)
-                                printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename);
-                }
+                else if (arg_debug)
+                        printf("Warning (blacklisting): cannot mount on %s\n", filename);
 
                 return;
         }
 
         // if the file is not present, do nothing
+        assert(fname);
         struct stat s;
-        if (fname == NULL)
-                return;
-        if (stat(fname, &s) == -1) {
+        if (stat(fname, &s) < 0) {
                 if (arg_debug)
-                        fwarning("%s does not exist, skipping...\n", fname);
+                        printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno));
                 free(fname);
                 return;
         }
@@ -115,8 +114,10 @@ static void disable_file(OPERATION op, const char *filename) {
         // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
         // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
         //     and expects Firefox to open in the same sandbox
-        if (strcmp(BINDIR "/firejail", fname) == 0)
+        if (strcmp(BINDIR "/firejail", fname) == 0) {
+                free(fname);
                 return;
+        }
 
         // modify the file
         if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
@@ -141,15 +142,25 @@ static void disable_file(OPERATION op, const char *filename) {
                                         printf(" - no logging\n");
                         }
 
+                        int fd = open(fname, O_PATH|O_CLOEXEC);
+                        if (fd < 0) {
+                                if (arg_debug)
+                                        printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
+                                free(fname);
+                                return;
+                        }
+                        EUID_ROOT();
                         if (S_ISDIR(s.st_mode)) {
-                                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
                                         errExit("disable file");
                         }
                         else {
-                                if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
                                         errExit("disable file");
                         }
-                        last_disable = SUCCESSFUL;
+                        EUID_USER();
+                        close(fd);
+
                         if (op == BLACKLIST_FILE)
                                 fs_logger2("blacklist", fname);
                         else
@@ -158,23 +169,30 @@ static void disable_file(OPERATION op, const char *filename) {
         }
         else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
                 fs_remount_rec(fname, op);
-                // todo: last_disable = SUCCESSFUL;
         }
         else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
-                        if (getuid()) {
-                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-                                    fname[strlen(cfg.homedir)] != '/') {
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-                                        exit(1);
-                                }
+                if (!S_ISDIR(s.st_mode)) {
+                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                        free(fname);
+                        return;
+                }
+
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                free(fname);
+                                return;
                         }
-                        fs_tmpfs(fname, getuid());
-                        selinux_relabel_path(fname, fname);
-                        last_disable = SUCCESSFUL;
                 }
-                else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+                fs_tmpfs(fname, uid);
+                EUID_USER(); // fs_tmpfs returns with EUID 0
+
+                selinux_relabel_path(fname, fname);
         }
         else
                 assert(0);
@@ -191,6 +209,7 @@ static int *nbcheck = NULL;
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
         assert(pattern);
+        EUID_ASSERT();
 
 #ifdef TEST_NO_BLACKLIST_MATCHING
         if (nbcheck_start == 0) {
@@ -264,6 +283,7 @@ void fs_blacklist(void) {
         if (noblacklist == NULL)
                 errExit("failed allocating memory for noblacklist entries");
 
+        EUID_USER();
         while (entry) {
                 OPERATION op = OPERATION_MAX;
                 char *ptr;
@@ -294,11 +314,13 @@ void fs_blacklist(void) {
                         if (arg_debug)
                                 printf("Mount-bind %s on top of %s\n", dname1, dname2);
                         // preserve dname2 mode and ownership
+                        // EUID_ROOT(); - option not accessible to non-root users
                         if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
                                 errExit("mount bind");
                         /* coverity[toctou] */
                         if (set_perms(dname2,  s.st_uid, s.st_gid,s.st_mode))
                                 errExit("set_perms");
+                        // EUID_USER();
 
                         entry = entry->next;
                         continue;
@@ -376,16 +398,12 @@ void fs_blacklist(void) {
                         op = MOUNT_TMPFS;
                 }
                 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
-                        EUID_USER();
                         fs_mkdir(entry->data + 6);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
                 else if (strncmp(entry->data, "mkfile ", 7) == 0) {
-                        EUID_USER();
                         fs_mkfile(entry->data + 7);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
@@ -441,6 +459,8 @@ void fs_blacklist(void) {
         for (i = 0; i < noblacklist_c; i++)
                 free(noblacklist[i]);
         free(noblacklist);
+
+        EUID_ROOT();
 }
 
 //***********************************************
@@ -449,6 +469,7 @@ void fs_blacklist(void) {
 
 // mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
+        EUID_USER();
         assert(dir);
         if (arg_debug)
                 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -473,6 +494,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
                 errExit("fstatvfs");
         unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
         // mount via the symbolic link in /proc/self/fd
+        EUID_ROOT();
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
@@ -490,38 +512,42 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 
 // remount path, preserving other mount flags; requires a resolved path
 static void fs_remount_simple(const char *path, OPERATION op) {
+        EUID_ASSERT();
         assert(path);
 
         // open path without following symbolic links
-        int fd1 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd1 == -1)
+        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0)
                 goto out;
-        struct stat s1;
-        if (fstat(fd1, &s1) == -1) {
+
+        struct stat s;
+        if (fstat(fd, &s) < 0) {
                 // fstat can fail with EACCES if path is a FUSE mount,
                 // mounted without 'allow_root' or 'allow_other'
                 if (errno != EACCES)
                         errExit("fstat");
-                close(fd1);
+                close(fd);
                 goto out;
         }
         // get mount flags
         struct statvfs buf;
-        if (fstatvfs(fd1, &buf) == -1)
-                errExit("fstatvfs");
+        if (fstatvfs(fd, &buf) < 0) {
+                close(fd);
+                goto out;
+        }
         unsigned long flags = buf.f_flag;
 
         // read-write option
         if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
                 // nothing to do if there is no read-only flag
                 if ((flags & MS_RDONLY) == 0) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 // allow only user owned directories, except the user is root
-                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s1.st_uid != getuid()) {
+                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) {
                         fwarning("you are not allowed to change %s to read-write\n", path);
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags &= ~MS_RDONLY;
@@ -530,7 +556,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
         else if (op == MOUNT_NOEXEC) {
                 // nothing to do if path is mounted noexec already
                 if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
@@ -539,7 +565,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
         else if (op == MOUNT_READONLY) {
                 // nothing to do if path is mounted read-only already
                 if ((flags & MS_RDONLY) == MS_RDONLY) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags |= MS_RDONLY;
@@ -549,29 +575,37 @@ static void fs_remount_simple(const char *path, OPERATION op) {
 
         if (arg_debug)
                 printf("Mounting %s %s\n", opstr[op], path);
+
+        // make path a mount point:
         // mount --bind path path
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd1) == -1)
-                errExit("asprintf");
-        if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount");
-        free(proc);
+        EUID_ROOT();
+        int err = bind_mount_by_fd(fd, fd);
+        EUID_USER();
+        if (err) {
+                close(fd);
+                goto out;
+        }
 
-        // mount --bind -o remount,ro path
-        // need to open path again without following symbolic links
+        // remount the mount point
+        // need to open path again
         int fd2 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd2 == -1)
-                errExit("open");
+        close(fd); // earliest timepoint to close fd
+        if (fd2 < 0)
+                goto out;
+
+        // device and inode number should be the same
         struct stat s2;
-        if (fstat(fd2, &s2) == -1)
+        if (fstat(fd2, &s2) < 0)
                 errExit("fstat");
-        // device and inode number should be the same
-        if (s1.st_dev != s2.st_dev || s1.st_ino != s2.st_ino)
+        if (s.st_dev != s2.st_dev || s.st_ino != s2.st_ino)
                 errLogExit("invalid %s mount", opstr[op]);
-        if (asprintf(&proc, "/proc/self/fd/%d", fd2) == -1)
-                errExit("asprintf");
-        if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                errExit("mount");
+
+        EUID_ROOT();
+        err = remount_by_fd(fd2, flags);
+        EUID_USER();
+        close(fd2);
+        if (err)
+                goto out;
 
         // run a sanity check on /proc/self/mountinfo and confirm that target of the last
         // mount operation was path; if there are other mount points contained inside path,
@@ -582,10 +616,8 @@ static void fs_remount_simple(const char *path, OPERATION op) {
            (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
            && strcmp(path, "/") != 0) // support read-only=/
                 errLogExit("invalid %s mount", opstr[op]);
+
         fs_logger2(opstr[op], path);
-        free(proc);
-        close(fd1);
-        close(fd2);
         return;
 
 out:
@@ -594,7 +626,9 @@ out:
 
 // remount recursively; requires a resolved path
 static void fs_remount_rec(const char *dir, OPERATION op) {
+        EUID_ASSERT();
         assert(dir);
+
         struct stat s;
         if (stat(dir, &s) != 0)
                 return;
@@ -632,6 +666,14 @@ static void fs_remount_rec(const char *dir, OPERATION op) {
 // resolve a path and remount it
 void fs_remount(const char *path, OPERATION op, int rec) {
         assert(path);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
         char *rpath = realpath(path, NULL);
         if (rpath) {
                 if (rec)
@@ -640,10 +682,14 @@ void fs_remount(const char *path, OPERATION op, int rec) {
                         fs_remount_simple(rpath, op);
                 free(rpath);
         }
+
+        if (called_as_root)
+                EUID_ROOT();
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
 void fs_mnt(const int enforce) {
+        EUID_USER();
         if (enforce) {
                 // disable-mnt set in firejail.config
                 // overriding with noblacklist is not possible in this case
@@ -653,13 +699,12 @@ void fs_mnt(const int enforce) {
                 disable_file(BLACKLIST_FILE, "/run/media");
         }
         else {
-                EUID_USER();
                 profile_add("blacklist /mnt");
                 profile_add("blacklist /media");
                 profile_add("blacklist /run/mount");
                 profile_add("blacklist /run/media");
-                EUID_ROOT();
         }
+        EUID_ROOT();
 }
 
 
@@ -674,7 +719,6 @@ void fs_proc_sys_dev_boot(void) {
                 errExit("mounting /proc/sys");
         fs_logger("read-only /proc/sys");
 
-
         /* Mount a version of /sys that describes the network namespace */
         if (arg_debug)
                 printf("Remounting /sys directory\n");
@@ -689,13 +733,13 @@ void fs_proc_sys_dev_boot(void) {
         else
                 fs_logger("remount /sys");
 
+        EUID_USER();
+
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
         { // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-                EUID_USER();
                 profile_add("blacklist /sys/fs");
                 profile_add("blacklist /sys/module");
-                EUID_ROOT();
         }
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
@@ -739,12 +783,8 @@ void fs_proc_sys_dev_boot(void) {
         // disable /dev/port
         disable_file(BLACKLIST_FILE, "/dev/port");
 
-
-
         // disable various ipc sockets in /run/user
         if (!arg_writable_run_user) {
-                struct stat s;
-
                 char *fname;
                 if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
                         errExit("asprintf");
@@ -755,8 +795,7 @@ void fs_proc_sys_dev_boot(void) {
                                 errExit("asprintf");
                         if (create_empty_dir_as_user(fnamegpg, 0700))
                                 fs_logger2("create", fnamegpg);
-                        if (stat(fnamegpg, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamegpg);
+                        disable_file(BLACKLIST_FILE, fnamegpg);
                         free(fnamegpg);
 
                         // disable /run/user/{uid}/systemd
@@ -765,8 +804,7 @@ void fs_proc_sys_dev_boot(void) {
                                 errExit("asprintf");
                         if (create_empty_dir_as_user(fnamesysd, 0755))
                                 fs_logger2("create", fnamesysd);
-                        if (stat(fnamesysd, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamesysd);
+                        disable_file(BLACKLIST_FILE, fnamesysd);
                         free(fnamesysd);
                 }
                 free(fname);
@@ -777,35 +815,30 @@ void fs_proc_sys_dev_boot(void) {
                 disable_file(BLACKLIST_FILE, "/dev/kmsg");
                 disable_file(BLACKLIST_FILE, "/proc/kmsg");
         }
+
+        EUID_ROOT();
 }
 
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
-        struct stat s;
-
+        EUID_USER();
         char *fname;
         if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (stat(fname, &s) == 0)
-                disable_file(BLACKLIST_FILE, fname);
+        disable_file(BLACKLIST_FILE, fname);
         free(fname);
 
         // disable run time information
-        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
-        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
-        if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
-        if (stat(RUN_FIREJAIL_PROFILE_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
-        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        EUID_ROOT();
 }
 
 
 // build a basic read-only filesystem
-// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
         uid_t uid = getuid();
 
@@ -815,6 +848,7 @@ void fs_basic_fs(void) {
         if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mounting /proc");
 
+        EUID_USER();
         if (arg_debug)
                 printf("Basic read-only filesystem:\n");
         if (!arg_writable_etc) {
@@ -834,6 +868,7 @@ void fs_basic_fs(void) {
         fs_remount("/lib64", MOUNT_READONLY, 1);
         fs_remount("/lib32", MOUNT_READONLY, 1);
         fs_remount("/libx32", MOUNT_READONLY, 1);
+        EUID_ROOT();
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
@@ -862,6 +897,7 @@ void fs_basic_fs(void) {
 #ifdef HAVE_OVERLAYFS
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
         assert(subdirname);
+        EUID_ASSERT();
         struct stat s;
         char *dirname;
 
@@ -1221,6 +1257,7 @@ void fs_overlayfs(void) {
 
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
+        EUID_ASSERT();
         if (arg_debug)
                 printf("Generate private-tmp whitelist commands\n");
 
@@ -1241,8 +1278,8 @@ void fs_private_tmp(void) {
 
         // whitelist x11 directory
         profile_add("whitelist /tmp/.X11-unix");
-        // read-only x11 directory
-        profile_add("read-only /tmp/.X11-unix");
+        // read-only x11 directory
+        profile_add("read-only /tmp/.X11-unix");
 
         // whitelist any pulse* file in /tmp directory
         // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 8c2870a4d..8cc3ecc62 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -187,8 +187,10 @@ static void mount_dev_shm(void) {
 static void process_dev_shm(void) {
         // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
         // looking for jack socket
+        EUID_USER();
         glob_t globbuf;
         int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
         if (globerr && !arg_keep_dev_shm) {
                 empty_dev_shm();
                 return;
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4bcefa443..eab952eb8 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -42,15 +42,14 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // copy skel files
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.zshrc", &s) == 0) {
+                if (access("/etc/skel/.zshrc", R_OK) == 0) {
                         copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
                         fs_logger("clone /etc/skel/.zshrc");
                         fs_logger2("clone", fname);
@@ -67,16 +66,14 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // copy skel files
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
-
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.cshrc", &s) == 0) {
+                if (access("/etc/skel/.cshrc", R_OK) == 0) {
                         copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
                         fs_logger("clone /etc/skel/.cshrc");
                         fs_logger2("clone", fname);
@@ -93,15 +90,14 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // copy skel files
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.bashrc", &s) == 0) {
+                if (access("/etc/skel/.bashrc", R_OK) == 0) {
                         copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
                         fs_logger("clone /etc/skel/.bashrc");
                         fs_logger2("clone", fname);
@@ -122,8 +118,8 @@ static int store_xauthority(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat_as_user(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         fwarning("invalid .Xauthority file\n");
                         free(src);
                         return 0;
@@ -161,11 +157,11 @@ static int store_asoundrc(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat_as_user(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         // make sure the real path of the file is inside the home directory
                         /* coverity[toctou] */
-                        char* rp = realpath(src, NULL);
+                        char *rp = realpath_as_user(src);
                         if (!rp) {
                                 fprintf(stderr, "Error: Cannot access %s\n", src);
                                 exit(1);
@@ -234,6 +230,7 @@ static void copy_asoundrc(void) {
         }
 
         copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        selinux_relabel_path(dest, src);
         fs_logger2("clone", dest);
         free(dest);
 
@@ -262,6 +259,7 @@ void fs_private_homedir(void) {
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
         // get file descriptors for homedir and private_homedir, fails if there is any symlink
+        EUID_USER();
         int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (src == -1)
                 errExit("opening private directory");
@@ -286,17 +284,10 @@ void fs_private_homedir(void) {
                 exit(1);
         }
         // mount via the links in /proc/self/fd
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
-        free(proc_src);
-        free(proc_dst);
-        close(src);
-        close(dst);
+
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         size_t len = strlen(homedir);
@@ -304,6 +295,8 @@ void fs_private_homedir(void) {
            (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
                 errLogExit("invalid private mount");
 
+        close(src);
+        close(dst);
         fs_logger3("mount-bind", private_homedir, homedir);
         fs_logger2("whitelist", homedir);
 // preserve mode and ownership
@@ -438,6 +431,7 @@ void fs_check_private_cwd(const char *dir) {
 // --private-home
 //***********************************************************************************
 static char *check_dir_or_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
 
         // basic checks
@@ -498,6 +492,7 @@ errexit:
 }
 
 static void duplicate(char *name) {
+        EUID_ASSERT();
         char *fname = check_dir_or_file(name);
 
         if (arg_debug)
@@ -553,10 +548,10 @@ void fs_private_home_list(void) {
         selinux_relabel_path(RUN_HOME_DIR, homedir);
         fs_logger_print();      // save the current log
 
+        // copy the list of files in the new home directory
+        EUID_USER();
         if (arg_debug)
                 printf("Copying files in the new home:\n");
-
-        // copy the list of files in the new home directory
         char *dlist = strdup(cfg.home_private_keep);
         if (!dlist)
                 errExit("strdup");
@@ -589,13 +584,11 @@ void fs_private_home_list(void) {
                 exit(1);
         }
         // mount using the file descriptor
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        EUID_ROOT();
+        if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                 errExit("mount bind");
-        free(proc);
         close(fd);
+
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 5df356d04..9d7a17cf3 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -178,8 +178,7 @@ void fslib_mount(const char *full_path) {
 
         if (*full_path == '\0' ||
             !valid_full_path(full_path) ||
-            access(full_path, F_OK) != 0 ||
-            stat(full_path, &s) != 0 ||
+            stat_as_user(full_path, &s) != 0 ||
             s.st_uid != 0)
                 return;
 
@@ -203,7 +202,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
         }
 
         if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root");
+                printf("    fslib_mount_libs %s\n", full_path);
         // create an empty RUN_LIB_FILE and allow the user to write to it
         unlink(RUN_LIB_FILE);                     // in case is there
         create_empty_file_as_root(RUN_LIB_FILE, 0644);
@@ -212,7 +211,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
 
         // run fldd to extract the list of files
         if (arg_debug || arg_debug_private_lib)
-                printf("    running fldd %s\n", full_path);
+                printf("    running fldd %s as %s\n", full_path, user ? "user" : "root");
         unsigned mask;
         if (user)
                 mask = SBOX_USER;
@@ -246,7 +245,7 @@ static void load_library(const char *fname) {
 
         // existing file owned by root
         struct stat s;
-        if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) {
+        if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) {
                 // load directories, regular 64 bit libraries, and 64 bit executables
                 if (S_ISDIR(s.st_mode))
                         fslib_mount(fname);
@@ -286,19 +285,21 @@ static void install_list_entry(const char *lib) {
 #define DO_GLOBBING
 #ifdef DO_GLOBBING
                 // globbing
+                EUID_USER();
                 glob_t globbuf;
                 int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
                 if (globerr) {
                         fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname);
                         exit(1);
                 }
+                EUID_ROOT();
                 size_t j;
                 for (j = 0; j < globbuf.gl_pathc; j++) {
                         assert(globbuf.gl_pathv[j]);
 //printf("glob %s\n", globbuf.gl_pathv[j]);
                         // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway
 
-                        // foobar/* includes foobar/. and foobar/..
+                        // foobar/* expands to foobar/. and foobar/..
                         const char *base = gnu_basename(globbuf.gl_pathv[j]);
                         if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
                                 continue;
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 8cfeea582..bbc2aa938 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,9 @@
 #include <sys/wait.h>
 #include <string.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
 
 static void check(const char *fname) {
         // manufacture /run/user directory
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 1fc38361e..475a391ec 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -71,12 +71,8 @@ void fs_tracefile(void) {
         // mount using the symbolic link in /proc/self/fd
         if (arg_debug)
                 printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, RUN_TRACE_FILE))
                 errExit("mount bind " RUN_TRACE_FILE);
-        free(proc);
         close(fd);
         // now that RUN_TRACE_FILE is user-writable, mount it noexec
         fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0);
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index bae3d6df0..20e262d80 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -323,4 +323,8 @@ void fs_var_utmp(void) {
         if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mount bind utmp");
         fs_logger2("create", UTMP_FILE);
+
+        // blacklist RUN_UTMP_FILE
+        if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount bind");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 77bb5e5bb..370035a4d 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -195,15 +195,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
 
         if (arg_debug || arg_debug_whitelists)
                 printf("Whitelisting %s\n", path);
-
-        // in order to make this mount resilient against symlink attacks, use
-        // magic links in /proc/self/fd instead of mounting the paths directly
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", fd3) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND | MS_REC, NULL) < 0)
+        if (bind_mount_by_fd(fd, fd3))
                 errExit("mount bind");
         // check the last mount operation
         MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
@@ -221,8 +213,6 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
         //  - there should be more than one '/' char in dest string
         if (mptr->dir == strrchr(mptr->dir, '/'))
                 errLogExit("invalid whitelist mount");
-        free(proc_src);
-        free(proc_dst);
         close(fd);
         close(fd3);
         fs_logger2("whitelist", path);
@@ -267,6 +257,7 @@ static void whitelist_symlink(const char *link, const char *target) {
 }
 
 static void globbing(const char *pattern) {
+        EUID_ASSERT();
         assert(pattern);
 
         // globbing
@@ -304,7 +295,6 @@ static void globbing(const char *pattern) {
 }
 
 // mount tmpfs on all top level directories
-// home directories *inside* /run/user/$UID are not fully supported
 static void tmpfs_topdirs(const TopDir *topdirs) {
         int tmpfs_home = 0;
         int tmpfs_runuser = 0;
@@ -335,18 +325,15 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 
                 // mount tmpfs
                 fs_tmpfs(topdirs[i].path, 0);
+                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
 
                 // init tmpfs
                 if (strcmp(topdirs[i].path, "/run") == 0) {
                         // restore /run/firejail directory
                         if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1)
                                 errExit("mkdir");
-                        char *proc;
-                        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                                errExit("asprintf");
-                        if (mount(proc, RUN_FIREJAIL_DIR, NULL, MS_BIND | MS_REC, NULL) < 0)
+                        if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
                                 errExit("mount bind");
-                        free(proc);
                         close(fd);
                         fs_logger2("whitelist", RUN_FIREJAIL_DIR);
 
@@ -384,8 +371,6 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                         const char *rel = cfg.homedir + topdir_len + 1;
                         whitelist_file(topdirs[i].fd, rel, cfg.homedir);
                 }
-
-                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
         }
 
         // user home directory
@@ -423,6 +408,13 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
             strcmp(dir, "/sys") == 0)
                 whitelist_error(path);
 
+        // whitelisting home directory is disabled if --private option is present
+        if (arg_private && strcmp(dir, cfg.homedir) == 0) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path);
+                return NULL;
+        }
+
         // do nothing if directory doesn't exist
         struct stat s;
         if (lstat(dir, &s) != 0) {
@@ -460,9 +452,9 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
                 errExit("strdup");
 
         // open the directory, don't follow symbolic links
-        rv->fd = safer_openat(-1, rv->path, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
+        rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
         if (rv->fd == -1) {
-                fprintf(stderr, "Error: cannot open %s\n", rv->path);
+                fprintf(stderr, "Error: cannot open %s\n", dir);
                 exit(1);
         }
 
@@ -743,10 +735,11 @@ void fs_whitelist(void) {
                         }
 
                         // create the link if any
-                        if (link)
+                        if (link) {
                                 whitelist_symlink(link, file);
+                                free(link);
+                        }
 
-                        free(link);
                         free(file);
                         free(entry->wparam);
                         entry->wparam = NULL;
diff --git a/src/firejail/join.c b/src/firejail/join.c
index bab4b830f..394bbb528 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -147,7 +147,7 @@ static void extract_command(int argc, char **argv, int index) {
         }
 
         // build command
-        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
+        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true);
 }
 
 static void extract_nogroups(pid_t pid) {
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 796c42290..6ee557648 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -31,6 +31,10 @@
 //#include <stdio.h>
 //#include <stdlib.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 // uid/gid cache
 static uid_t c_uid = 0;
 static char *c_uid_name = NULL;
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index bcac1feb4..cd29d8f85 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -149,6 +149,7 @@ static char *resolve_xdg(const char *var) {
 
 // returns mallocated memory
 static char *resolve_hardcoded(char *entries[]) {
+        EUID_ASSERT();
         char *fname;
         struct stat s;
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4afd1d6b6..b376095f1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -44,6 +44,10 @@
 #define O_PATH 010000000
 #endif
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 #ifdef __ia64__
 /* clone(2) has a different interface on ia64, as it needs to know
    the size of the stack */
@@ -259,8 +263,8 @@ static void init_cfg(int argc, char **argv) {
                 fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
                 exit(1);
         }
+        check_homedir(pw->pw_dir);
         cfg.homedir = clean_pathname(pw->pw_dir);
-        check_homedir();
 
         // initialize random number generator
         sandbox_pid = getpid();
@@ -862,12 +866,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 char *guess_shell(void) {
         const char *shell;
         char *retval;
-        struct stat s;
 
         shell = env_get("SHELL");
         if (shell) {
                 invalid_filename(shell, 0); // no globbing
-                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
+                if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
                     strcmp(shell, PATH_FIREJAIL) != 0)
                         goto found;
         }
@@ -878,12 +881,15 @@ char *guess_shell(void) {
         int i = 0;
         while (shells[i] != NULL) {
                 // access call checks as real UID/GID, not as effective UID/GID
-                if (stat(shells[i], &s) == 0 && access(shells[i], X_OK) == 0) {
+                if (access(shells[i], X_OK) == 0) {
                         shell = shells[i];
-                        break;
+                        goto found;
                 }
                 i++;
         }
+
+        return NULL;
+
  found:
         retval = strdup(shell);
         if (!retval)
@@ -1256,8 +1262,10 @@ int main(int argc, char **argv, char **envp) {
         for (i = 1; i < argc; i++) {
                 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
-                if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
+                if (strcmp(argv[i], "--debug") == 0) {
                         arg_debug = 1;
+                        arg_quiet = 0;
+                }
                 else if (strcmp(argv[i], "--debug-blacklists") == 0)
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1265,8 +1273,8 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--debug-private-lib") == 0)
                         arg_debug_private_lib = 1;
                 else if (strcmp(argv[i], "--quiet") == 0) {
-                        arg_quiet = 1;
-                        arg_debug = 0;
+                        if (!arg_debug)
+                                arg_quiet = 1;
                 }
                 else if (strcmp(argv[i], "--allow-debuggers") == 0) {
                         // already handled
@@ -1910,8 +1918,6 @@ int main(int argc, char **argv, char **envp) {
                 }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
-                        // disable whitelisting in home directory
-                        profile_add("whitelist ~/*");
                 }
                 else if (strncmp(argv[i], "--private=", 10) == 0) {
                         if (cfg.home_private_keep) {
@@ -1933,8 +1939,6 @@ int main(int argc, char **argv, char **envp) {
                                 cfg.home_private = NULL;
                         }
                         arg_private = 1;
-                        // disable whitelisting in home directory
-                        profile_add("whitelist ~/*");
                 }
 #ifdef HAVE_PRIVATE_HOME
                 else if (strncmp(argv[i], "--private-home=", 15) == 0) {
@@ -1967,61 +1971,77 @@ int main(int argc, char **argv, char **envp) {
                         arg_keep_dev_shm = 1;
                 }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-                        if (arg_writable_etc) {
-                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                                exit(1);
-                        }
+                        if (checkcfg(CFG_PRIVATE_ETC)) {
+                                if (arg_writable_etc) {
+                                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                        exit(1);
+                                }
 
-                        // extract private etc list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-etc option\n");
-                                exit(1);
+                                // extract private etc list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-etc option\n");
+                                        exit(1);
+                                }
+                                if (cfg.etc_private_keep) {
+                                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.etc_private_keep = argv[i] + 14;
+                                arg_private_etc = 1;
                         }
-                        if (cfg.etc_private_keep) {
-                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.etc_private_keep = argv[i] + 14;
-                        arg_private_etc = 1;
+                        else
+                                exit_err_feature("private-etc");
                 }
                 else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
-                        // extract private opt list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-opt option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_OPT)) {
+                                // extract private opt list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-opt option\n");
+                                        exit(1);
+                                }
+                                if (cfg.opt_private_keep) {
+                                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.opt_private_keep = argv[i] + 14;
+                                arg_private_opt = 1;
                         }
-                        if (cfg.opt_private_keep) {
-                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.opt_private_keep = argv[i] + 14;
-                        arg_private_opt = 1;
+                        else
+                                exit_err_feature("private-opt");
                 }
                 else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
-                        // extract private srv list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-srv option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_SRV)) {
+                                // extract private srv list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-srv option\n");
+                                        exit(1);
+                                }
+                                if (cfg.srv_private_keep) {
+                                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.srv_private_keep = argv[i] + 14;
+                                arg_private_srv = 1;
                         }
-                        if (cfg.srv_private_keep) {
-                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.srv_private_keep = argv[i] + 14;
-                        arg_private_srv = 1;
+                        else
+                                exit_err_feature("private-srv");
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-                        // extract private bin list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-bin option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_BIN)) {
+                                // extract private bin list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-bin option\n");
+                                        exit(1);
+                                }
+                                if (cfg.bin_private_keep) {
+                                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.bin_private_keep = argv[i] + 14;
+                                arg_private_bin = 1;
                         }
-                        if (cfg.bin_private_keep) {
-                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.bin_private_keep = argv[i] + 14;
-                        arg_private_bin = 1;
+                        else
+                                exit_err_feature("private-bin");
                 }
                 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                         if (checkcfg(CFG_PRIVATE_LIB)) {
@@ -2809,6 +2829,11 @@ int main(int argc, char **argv, char **envp) {
         // build the sandbox command
         if (prog_index == -1 && cfg.shell) {
                 assert(cfg.command_line == NULL); // runs cfg.shell
+                if (arg_appimage) {
+                        fprintf(stderr, "Error: no appimage archive specified\n");
+                        exit(1);
+                }
+
                 cfg.window_title = cfg.shell;
                 cfg.command_name = cfg.shell;
         }
@@ -2816,10 +2841,11 @@ int main(int argc, char **argv, char **envp) {
                 if (arg_debug)
                         printf("Configuring appimage environment\n");
                 appimage_set(cfg.command_name);
-                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
         else {
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                // Only add extra quotes if we were not launched by sshd.
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, !parent_sshd);
         }
 /*      else {
                 fprintf(stderr, "Error: command must be specified when --shell=none used.\n");
@@ -2833,7 +2859,13 @@ int main(int argc, char **argv, char **envp) {
 
         // load the profile
         if (!arg_noprofile && !custom_profile) {
-                custom_profile = profile_find_firejail(cfg.command_name, 1);
+                if (arg_appimage) {
+                        custom_profile = appimage_find_profile(cfg.command_name);
+                        // disable shell=* for appimages
+                        arg_shell_none = 0;
+                }
+                else
+                        custom_profile = profile_find_firejail(cfg.command_name, 1);
         }
 
         // use default.profile as the default
@@ -2847,7 +2879,7 @@ int main(int argc, char **argv, char **envp) {
                 custom_profile = profile_find_firejail(profile_name, 1);
 
                 if (!custom_profile) {
-                        fprintf(stderr, "Error: no default.profile installed\n");
+                        fprintf(stderr, "Error: no %s installed\n", profile_name);
                         exit(1);
                 }
 
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index a700729d3..64a94bd84 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -22,7 +22,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 #define MAX_BUF 4096
@@ -153,6 +153,7 @@ MountData *get_last_mount(void) {
 
 // Extract the mount id from /proc/self/fdinfo and return it.
 int get_mount_id(const char *path) {
+        EUID_ASSERT();
         assert(path);
 
         int fd = open(path, O_PATH|O_CLOEXEC);
@@ -162,7 +163,9 @@ int get_mount_id(const char *path) {
         char *fdinfo;
         if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
                 errExit("asprintf");
+        EUID_ROOT();
         FILE *fp = fopen(fdinfo, "re");
+        EUID_USER();
         free(fdinfo);
         if (!fp)
                 goto errexit;
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 0e153c47b..665bef73d 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,7 +204,7 @@ void run_no_sandbox(int argc, char **argv) {
                 // force --shell=none in order to not break firecfg symbolic links
                 arg_shell_none = 1;
 
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
 
         fwarning("an existing sandbox was detected. "
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index b800fa944..d58a9d272 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -136,7 +136,7 @@ int program_in_path(const char *program) {
                         // ('x' permission means something different for directories).
                         // exec follows symlinks, so use stat, not lstat.
                         struct stat st;
-                        if (stat(scratch, &st)) {
+                        if (stat_as_user(scratch, &st)) {
                                 perror(scratch);
                                 exit(1);
                         }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ea8773a51..5b1478918 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -22,6 +22,11 @@
 #include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
+
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 extern char *xephyr_screen;
 
 #define MAX_READ 8192                             // line buffer for profile files
@@ -1275,56 +1280,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
-                if (arg_writable_etc) {
-                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                        exit(1);
-                }
-                if (cfg.etc_private_keep) {
-                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.etc_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_ETC)) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        if (cfg.etc_private_keep) {
+                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.etc_private_keep = ptr + 12;
+                        }
+                        arg_private_etc = 1;
                 }
-                arg_private_etc = 1;
-
+                else
+                        warning_feature_disabled("private-etc");
                 return 0;
         }
 
         // private /opt list of files and directories
         if (strncmp(ptr, "private-opt ", 12) == 0) {
-                if (cfg.opt_private_keep) {
-                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.opt_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_OPT)) {
+                        if (cfg.opt_private_keep) {
+                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.opt_private_keep = ptr + 12;
+                        }
+                        arg_private_opt = 1;
                 }
-                arg_private_opt = 1;
-
+                else
+                        warning_feature_disabled("private-opt");
                 return 0;
         }
 
         // private /srv list of files and directories
         if (strncmp(ptr, "private-srv ", 12) == 0) {
-                if (cfg.srv_private_keep) {
-                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.srv_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_SRV)) {
+                        if (cfg.srv_private_keep) {
+                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.srv_private_keep = ptr + 12;
+                        }
+                        arg_private_srv = 1;
                 }
-                arg_private_srv = 1;
-
+                else
+                        warning_feature_disabled("private-srv");
                 return 0;
         }
 
         // private /bin list of files
         if (strncmp(ptr, "private-bin ", 12) == 0) {
-                if (cfg.bin_private_keep) {
-                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.bin_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_BIN)) {
+                        if (cfg.bin_private_keep) {
+                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.bin_private_keep = ptr + 12;
+                        }
+                        arg_private_bin = 1;
                 }
-                arg_private_bin = 1;
+                else
+                        warning_feature_disabled("private-bin");
                 return 0;
         }
 
@@ -1740,7 +1758,7 @@ void profile_read(const char *fname) {
                 if (strcmp(ptr, "quiet") == 0) {
                         if (is_in_ignore_list(ptr))
                                 arg_quiet = 0;
-                        else
+                        else if (!arg_debug)
                                 arg_quiet = 1;
                         free(ptr);
                         continue;
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 1b01a71c6..f8d4c2f3c 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -75,31 +75,34 @@ void pulseaudio_disable(void) {
         closedir(dir);
 }
 
-static void pulseaudio_fallback(const char *path) {
-        assert(path);
-
-        fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
-        env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV);
-}
-
 // disable shm in pulseaudio (issue #69)
 void pulseaudio_init(void) {
-        struct stat s;
-
         // do we have pulseaudio in the system?
-        if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) {
+        if (access(PULSE_CLIENT_SYSCONF, R_OK)) {
                 if (arg_debug)
-                        printf("%s not found\n", PULSE_CLIENT_SYSCONF);
+                        printf("Cannot read %s\n", PULSE_CLIENT_SYSCONF);
                 return;
         }
 
+        // create ~/.config/pulse directory if not present
+        char *homeusercfg = NULL;
+        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
+        free(homeusercfg);
+        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
         // create the new user pulseaudio directory
+        // that will be mounted over ~/.config/pulse
         if (mkdir(RUN_PULSE_DIR, 0700) == -1)
                 errExit("mkdir");
-        selinux_relabel_path(RUN_PULSE_DIR, RUN_PULSE_DIR);
-        // mount it nosuid, noexec, nodev
+        selinux_relabel_path(RUN_PULSE_DIR, homeusercfg);
         fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0);
-
         // create the new client.conf file
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
@@ -116,37 +119,14 @@ void pulseaudio_init(void) {
         if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
                 errExit("set_perms");
 
-        // create ~/.config/pulse directory if not present
-        char *homeusercfg = NULL;
-        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
-
-        free(homeusercfg);
-        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
-
         // if ~/.config/pulse exists and there are no symbolic links, mount the new directory
         // else set environment variable
+        EUID_USER();
         int fd = safer_openat(-1, homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        EUID_ROOT();
         if (fd == -1) {
-                pulseaudio_fallback(pulsecfg);
-                goto out;
-        }
-        // confirm the actual mount destination is owned by the user
-        if (fstat(fd, &s) == -1) { // FUSE
-                if (errno != EACCES)
-                        errExit("fstat");
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
-                goto out;
-        }
-        if (s.st_uid != getuid()) {
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
+                fwarning("not mounting tmpfs on %s\n", homeusercfg);
+                env_store_name_val("PULSE_CLIENTCONFIG", pulsecfg, SETENV);
                 goto out;
         }
         // preserve a read-only mount
@@ -158,17 +138,13 @@ void pulseaudio_init(void) {
         // mount via the link in /proc/self/fd
         if (arg_debug)
                 printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_PULSE_DIR, fd))
                 errExit("mount pulseaudio");
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid pulseaudio mount");
         fs_logger2("tmpfs", homeusercfg);
-        free(proc);
         close(fd);
 
         char *p;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 53e395b89..6f17231a4 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -104,12 +104,8 @@ static void sanitize_home(void) {
         selinux_relabel_path(cfg.homedir, cfg.homedir);
 
         // bring back real user home directory
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, cfg.homedir))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         if (!arg_private)
@@ -154,12 +150,8 @@ static void sanitize_run(void) {
         selinux_relabel_path(runuser, runuser);
 
         // bring back real run/user/$UID directory
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, runuser))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         fs_logger2("whitelist", runuser);
@@ -246,6 +238,11 @@ static void sanitize_passwd(void) {
         // mount-bind tne new password file
         if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_PASSWD_FILE
+        if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/passwd");
 
         return;
@@ -376,6 +373,11 @@ static void sanitize_group(void) {
         // mount-bind tne new group file
         if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_GROUP_FILE
+        if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/group");
 
         return;
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index 78f00bc63..dd6fec972 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -21,6 +21,10 @@
 #include <sys/time.h>
 #include <sys/resource.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 void set_rlimits(void) {
         EUID_ASSERT();
         // resource limits
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a6bcec02c..e06ba3617 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -49,6 +49,9 @@
 #include <sys/apparmor.h>
 #endif
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
 
 static int force_nonewprivs = 0;
 
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 4a8dd1bf7..37111324a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -265,7 +265,6 @@ int sbox_run(unsigned filtermask, int num, ...) {
 }
 
 int sbox_run_v(unsigned filtermask, char * const arg[]) {
-        EUID_ROOT();
         assert(arg);
 
         if (arg_debug) {
@@ -285,6 +284,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
+                EUID_ROOT();
                 sbox_do_exec_v(filtermask, arg);
         }
 
@@ -293,7 +293,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
                 errExit("waitpid");
         }
         if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
-                fprintf(stderr, "Error: failed to run %s\n", arg[0]);
+                fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
                 exit(1);
         }
 
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 06189d7f6..6969e7a3d 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -19,10 +19,13 @@
 */
 #if HAVE_SELINUX
 #include "firejail.h"
-
 #include <sys/types.h>
 #include <sys/stat.h>
+
 #include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
 #include <selinux/context.h>
 #include <selinux/label.h>
@@ -52,8 +55,9 @@ void selinux_relabel_path(const char *path, const char *inside_path)
         if (!label_hnd)
                 errExit("selabel_open");
 
-        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label
+         * Defeat symlink races by not allowing symbolic links */
+        fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index fbfe1765b..d1be6eed4 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -36,8 +36,10 @@ void shut(pid_t pid) {
                 }
                 free(comm);
         }
-        else
-                errExit("/proc/PID/comm");
+        else {
+                fprintf(stderr, "Error: cannot find process %d\n", pid);
+                exit(1);
+        }
 
         // check privileges for non-root users
         uid_t uid = getuid();
diff --git a/src/firejail/util.c b/src/firejail/util.c
index e2a4a1d90..68b76b8e8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -44,6 +44,10 @@
 #include <linux/openat2.h>
 #endif
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
 #define EMPTY_STRING ("")
@@ -435,11 +439,11 @@ void touch_file_as_user(const char *fname, mode_t mode) {
                 // drop privileges
                 drop_privs(0);
 
-                FILE *fp = fopen(fname, "wx");
-                if (fp) {
-                        fprintf(fp, "\n");
-                        SET_PERMS_STREAM(fp, -1, -1, mode);
-                        fclose(fp);
+                int fd = open(fname, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (fd > -1) {
+                        int err = fchmod(fd, mode);
+                        (void) err;
+                        close(fd);
                 }
                 else
                         fwarning("cannot create %s\n", fname);
@@ -458,6 +462,13 @@ int is_dir(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
         // if fname doesn't end in '/', add one
         int rv;
         struct stat s;
@@ -473,6 +484,9 @@ int is_dir(const char *fname) {
                 free(tmp);
         }
 
+        if (called_as_root)
+                EUID_ROOT();
+
         if (rv == -1)
                 return 0;
 
@@ -488,18 +502,83 @@ int is_link(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        char *dup = strdup(fname);
-        if (!dup)
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        // remove trailing '/' if any
+        char *tmp = strdup(fname);
+        if (!tmp)
                 errExit("strdup");
-        trim_trailing_slash_or_dot(dup);
+        trim_trailing_slash_or_dot(tmp);
 
         char c;
-        ssize_t rv = readlink(dup, &c, 1);
+        ssize_t rv = readlink(tmp, &c, 1);
+        free(tmp);
+
+        if (called_as_root)
+                EUID_ROOT();
 
-        free(dup);
         return (rv != -1);
 }
 
+char *realpath_as_user(const char *fname) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        char *rv = realpath(fname, NULL);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int stat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = stat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int lstat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = lstat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
 // remove all slashes and single dots from the end of a path
 // for example /foo/bar///././. -> /foo/bar
 void trim_trailing_slash_or_dot(char *path) {
@@ -688,9 +767,11 @@ int find_child(pid_t parent, pid_t *child) {
                                 if (parent == atoi(ptr)) {
                                         // we don't want /usr/bin/xdg-dbus-proxy!
                                         char *cmdline = pid_proc_cmdline(pid);
-                                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
-                                                *child = pid;
-                                        free(cmdline);
+                                        if (cmdline) {
+                                                if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
+                                                        *child = pid;
+                                                free(cmdline);
+                                        }
                                 }
                                 break;            // stop reading the file
                         }
@@ -930,35 +1011,37 @@ static int remove_callback(const char *fpath, const struct stat *sb, int typefla
 
 int remove_overlay_directory(void) {
         EUID_ASSERT();
-        struct stat s;
         sleep(1);
 
         char *path;
         if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
                 errExit("asprintf");
 
-        if (lstat(path, &s) == 0) {
-                // deal with obvious problems such as symlinks and root ownership
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", path);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", path);
-                        exit(1);
-                }
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", path);
-                        exit(1);
-                }
-
+        if (access(path, F_OK) == 0) {
                 pid_t child = fork();
                 if (child < 0)
                         errExit("fork");
                 if (child == 0) {
-                        // open ~/.firejail, fails if there is any symlink
-                        int fd = safer_openat(-1, path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                        if (fd == -1)
-                                errExit("safer_openat");
+                        // open ~/.firejail
+                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+                        if (fd == -1) {
+                                fprintf(stderr, "Error: cannot open %s\n", path);
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (fstat(fd, &s) == -1)
+                                errExit("fstat");
+                        if (!S_ISDIR(s.st_mode)) {
+                                if (S_ISLNK(s.st_mode))
+                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
+                                else
+                                        fprintf(stderr, "Error: %s is not a directory\n", path);
+                                exit(1);
+                        }
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+                                exit(1);
+                        }
                         // chdir to ~/.firejail
                         if (fchdir(fd) == -1)
                                 errExit("fchdir");
@@ -981,7 +1064,7 @@ int remove_overlay_directory(void) {
                 // wait for the child to finish
                 waitpid(child, NULL, 0);
                 // check if ~/.firejail was deleted
-                if (stat(path, &s) == 0)
+                if (access(path, F_OK) == 0)
                         return 1;
         }
         return 0;
@@ -1014,9 +1097,8 @@ void flush_stdin(void) {
 int create_empty_dir_as_user(const char *dir, mode_t mode) {
         assert(dir);
         mode &= 07777;
-        struct stat s;
 
-        if (stat(dir, &s)) {
+        if (access(dir, F_OK) != 0) {
                 if (arg_debug)
                         printf("Creating empty %s directory\n", dir);
                 pid_t child = fork();
@@ -1027,8 +1109,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                         drop_privs(0);
 
                         if (mkdir(dir, mode) == 0) {
-                                if (chmod(dir, mode) == -1)
-                                        {;} // do nothing
+                                int err = chmod(dir, mode);
+                                (void) err;
                         }
                         else if (arg_debug)
                                 printf("Directory %s not created: %s\n", dir, strerror(errno));
@@ -1038,7 +1120,7 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                         _exit(0);
                 }
                 waitpid(child, NULL, 0);
-                if (stat(dir, &s) == 0)
+                if (access(dir, F_OK) == 0)
                         return 1;
         }
         return 0;
@@ -1149,20 +1231,34 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
+        assert(fname);
+
+        EUID_USER();
+        int fd = open(fname, O_PATH|O_CLOEXEC);
+        EUID_ROOT();
+        if (fd < 0)
+                return;
+
         struct stat s;
-        if (stat(fname, &s) != -1) {
-                if (arg_debug)
-                        printf("blacklist %s\n", fname);
-                if (is_dir(fname)) {
-                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable directory");
-                }
-                else {
-                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable file");
-                }
-                fs_logger2("blacklist", fname);
+        if (fstat(fd, &s) < 0) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                return;
         }
+
+        if (arg_debug)
+                printf("blacklist %s\n", fname);
+        if (S_ISDIR(s.st_mode)) {
+                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
+                        errExit("disable directory");
+        }
+        else {
+                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
+                        errExit("disable file");
+        }
+        close(fd);
+        fs_logger2("blacklist", fname);
 }
 
 void disable_file_path(const char *path, const char *file) {
@@ -1249,6 +1345,60 @@ int safer_openat(int dirfd, const char *path, int flags) {
         return fd;
 }
 
+int remount_by_fd(int dst, unsigned long mountflags) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(NULL, proc, NULL, mountflags|MS_BIND|MS_REMOUNT, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_by_fd(int src, int dst) {
+        char *proc_src, *proc_dst;
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) < 0 ||
+            asprintf(&proc_dst, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc_src);
+        free(proc_dst);
+        return rv;
+}
+
+int bind_mount_fd_to_path(int src, const char *destname) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", src) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc, destname, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_path_to_fd(const char *srcname, int dst) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(srcname, proc, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
 int has_handler(pid_t pid, int signal) {
         if (signal > 0 && signal <= SIGRTMAX) {
                 char *fname;
@@ -1358,14 +1508,14 @@ static int has_link(const char *dir) {
         return 0;
 }
 
-void check_homedir(void) {
-        assert(cfg.homedir);
-        if (cfg.homedir[0] != '/') {
+void check_homedir(const char *dir) {
+        assert(dir);
+        if (dir[0] != '/') {
                 fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
                 exit(1);
         }
         // symlinks are rejected in many places
-        if (has_link(cfg.homedir)) {
+        if (has_link(dir)) {
                 fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
                         "Please provide resolved path in password database (/etc/passwd).\n\n");
         }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 257d376a1..0619ff380 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -204,7 +204,6 @@ static int random_display_number(void) {
 void x11_start_xvfb(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
@@ -348,7 +347,7 @@ void x11_start_xvfb(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -427,7 +426,6 @@ static char *extract_setting(int argc, char **argv, const char *argument) {
 void x11_start_xephyr(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
@@ -586,7 +584,7 @@ void x11_start_xephyr(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -701,7 +699,6 @@ static char * get_title_arg_str() {
 static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t client = 0;
         pid_t server = 0;
 
@@ -818,7 +815,7 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         }
 
@@ -1207,14 +1204,13 @@ void x11_xorg(void) {
         fmessage("Generating a new .Xauthority file\n");
         mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
         // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
+        EUID_USER();
         char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX";
         int fd = mkstemp(tmpfname);
         if (fd == -1) {
                 fprintf(stderr, "Error: cannot create .Xauthority file\n");
                 exit(1);
         }
-        if (fchown(fd, getuid(), getgid()) == -1)
-                errExit("chown");
         close(fd);
 
         // run xauth
@@ -1224,16 +1220,14 @@ void x11_xorg(void) {
         else
                 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname,
                         "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
-        // remove xauth copy
-        unlink(RUN_XAUTH_FILE);
 
         // ensure there is already a file ~/.Xauthority, so that bind-mount below will work.
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (lstat(dest, &s) == -1) {
+        if (access(dest, F_OK) == -1) {
                 touch_file_as_user(dest, 0600);
-                if (stat(dest, &s) == -1) {
+                if (access(dest, F_OK) == -1) {
                         fprintf(stderr, "Error: cannot create %s\n", dest);
                         exit(1);
                 }
@@ -1276,21 +1270,16 @@ void x11_xorg(void) {
         // mount via the link in /proc/self/fd
         if (arg_debug)
                 printf("Mounting %s on %s\n", tmpfname, dest);
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) {
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst)) {
                 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                 exit(1);
         }
+        EUID_USER();
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid .Xauthority mount");
-        free(proc_src);
-        free(proc_dst);
         close(src);
         close(dst);
 
@@ -1302,6 +1291,7 @@ void x11_xorg(void) {
                 char *rp = realpath(envar, NULL);
                 if (rp) {
                         if (strcmp(rp, dest) != 0)
+                                // disable_file_or_dir returns with EUID 0
                                 disable_file_or_dir(rp);
                         free(rp);
                 }
@@ -1311,9 +1301,13 @@ void x11_xorg(void) {
         free(dest);
 
         // mask RUN_XAUTHORITY_SEC_DIR
+        EUID_ROOT();
         if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                 errExit("mounting tmpfs");
         fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR);
+
+        // cleanup
+        unlink(RUN_XAUTH_FILE);
 #endif
 }
 
@@ -1327,7 +1321,7 @@ void fs_x11(void) {
         struct stat s1, s2;
         if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0)
                 return;
-        if ((s1.st_mode & S_ISVTX) == 0) {
+        if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
                 fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n");
                 return;
         }
@@ -1335,68 +1329,46 @@ void fs_x11(void) {
                 fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n");
                 return;
         }
+
+        // the mount source is under control of the user, so be careful and
+        // mount without following symbolic links, using a file descriptor
         char *x11file;
         if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
                 errExit("asprintf");
-        struct stat x11stat;
-        if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) {
+        int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src < 0) {
+                free(x11file);
+                return;
+        }
+        struct stat s3;
+        if (fstat(src, &s3) < 0)
+                errExit("fstat");
+        if (!S_ISSOCK(s3.st_mode)) {
+                close(src);
                 free(x11file);
                 return;
         }
 
         if (arg_debug || arg_debug_whitelists)
                 fprintf(stderr, "Masking all X11 sockets except %s\n", x11file);
-
-        // Move the real /tmp/.X11-unix to a scratch location
-        // so we can still access x11file after we mount a
-        // tmpfs over /tmp/.X11-unix.
-        if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1)
-                errExit("mkdir");
-        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
-                errExit("mount bind");
-
         // This directory must be mode 1777
         if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
                 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
                 "mode=1777,uid=0,gid=0") < 0)
                 errExit("mounting tmpfs on /tmp/.X11-unix");
+        selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix");
         fs_logger("tmpfs /tmp/.X11-unix");
 
         // create an empty root-owned file which will have the desired socket bind-mounted over it
-        int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
-        if (fd < 0)
-                errExit(x11file);
-        close(fd);
+        int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (dst < 0)
+                errExit("open");
 
-        // the mount source is under control of the user, so be careful and
-        // mount without following symbolic links, using a file descriptor
-        char *wx11file;
-        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-                errExit("asprintf");
-        fd = safer_openat(-1, wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd == -1)
-                errExit("opening X11 socket");
-        // confirm once more we are mounting a socket
-        if (fstat(fd, &x11stat) == -1)
-                errExit("fstat");
-        if (!S_ISSOCK(x11stat.st_mode)) {
-                errno = ENOTSOCK;
-                errExit("mounting X11 socket");
-        }
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
+        close(src);
+        close(dst);
         fs_logger2("whitelist", x11file);
-        close(fd);
-        free(proc);
-
-        // block access to RUN_WHITELIST_X11_DIR
-        if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
-                errExit("mount");
-        fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-        free(wx11file);
         free(x11file);
 #endif
 }
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index e04b6f431..b93d4a5a2 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -33,6 +33,10 @@
 //#include <net/route.h>
 //#include <linux/if_bridge.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 // print IP addresses for all interfaces
 static void net_ifprint(void) {
         uint32_t ip;
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 850959eb3..23d228e26 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -24,6 +24,10 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 #define MAXBUF 4096
 
 // ip -s link: device stats
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 8085d2d29..4e809681e 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -30,6 +30,10 @@
 #include <fcntl.h>
 #include <sys/uio.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
 
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a25e3c0d8..9d6f34991 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -24,6 +24,10 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
+#ifdef HAVE_GCOV
+#include <gcov.h>
+#endif
+
 static unsigned pgs_rss = 0;
 static unsigned pgs_shared = 0;
 static unsigned clocktick = 0;
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index a172dd511..3db750da3 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,12 +79,8 @@
 #define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 
-
 #define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"
 #define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
-
-#define RUN_WHITELIST_X11_DIR           RUN_MNT_DIR "/orig-x11"
-
 #define RUN_XAUTHORITY_FILE             RUN_MNT_DIR "/.Xauthority"              // private options
 #define RUN_XAUTH_FILE                  RUN_MNT_DIR "/xauth"                    // x11=xorg
 #define RUN_XAUTHORITY_SEC_DIR          RUN_MNT_DIR "/.sec.Xauthority"          // x11=xorg
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
index c18d64a82..3c2f46495 100644
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -36,7 +36,7 @@ void access_setup(const char *directory) {
         assert(user_home_dir);
 
         if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of test directories exceded\n");
+                fprintf(stderr, "Error: maximum number of test directories exceeded\n");
                 exit(1);
         }
 
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index 32be1c978..be3104da3 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -53,6 +53,8 @@ void apparmor_test(pid_t pid);
 // seccomp.c
 void seccomp_test(pid_t pid);
 
+// network.c
+void network_test(void);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 4d642bf96..812ac5808 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -157,6 +157,7 @@ int main(int argc, char **argv) {
                         seccomp_test(pid);
                         fflush(0);
 
+                        // filesystem tests
                         pid_t child = fork();
                         if (child == -1)
                                 errExit("fork");
@@ -185,6 +186,28 @@ int main(int argc, char **argv) {
                         }
                         int status;
                         wait(&status);
+
+                        // network test
+                        child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "net");
+                                if (rv == 0)
+                                        network_test();
+                                else {
+                                        printf("   Error: I cannot join the process network stack\n");
+                                        exit(1);
+                                }
+
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        wait(&status);
                 }
         }
 
diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c
new file mode 100644
index 000000000..636344e77
--- /dev/null
+++ b/src/jailcheck/network.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <linux/if_link.h>
+#include <linux/sockios.h>
+#include <sys/ioctl.h>
+
+
+void network_test(void) {
+        // I am root running in a network namespace
+        struct ifaddrs *ifaddr, *ifa;
+        int found = 0;
+
+        // walk through the linked list
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (strcmp(ifa->ifa_name, "lo") == 0)
+                        continue;
+                found = 1;
+                break;
+        }
+
+        freeifaddrs(ifaddr);
+
+        if (found)
+                printf("   Networking: enabled\n");
+        else
+                printf("   Networking: disabled\n");
+}
+
+
+
diff --git a/src/jailcheck/sysfiles.c b/src/jailcheck/sysfiles.c
index caeb580af..9a0d6350e 100644
--- a/src/jailcheck/sysfiles.c
+++ b/src/jailcheck/sysfiles.c
@@ -34,7 +34,7 @@ void sysfiles_setup(const char *file) {
         assert(file);
 
         if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of system test files exceded\n");
+                fprintf(stderr, "Error: maximum number of system test files exceeded\n");
                 exit(1);
         }
 
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index cd60d74e4..c5dde85b0 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -50,7 +50,7 @@ int is_lib_64(const char *exe) {
         unsigned char buf[EI_NIDENT];
         ssize_t len = 0;
         while (len < EI_NIDENT) {
-                ssize_t sz = read(fd, buf, EI_NIDENT);
+                ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
                 if (sz <= 0)
                         goto doexit;
                 len += sz;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 12e841af5..db58e0910 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
@@ -428,8 +428,9 @@ Blacklist violations logged to syslog.
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c72a1dbd8..d18811316 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2568,14 +2568,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
@@ -2725,8 +2724,9 @@ $ firejail \-\-net=br0 --veth-name=if0
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index c80e305cc..483f47fb9 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 
 .SH OPTIONS
@@ -56,6 +58,8 @@ $ sudo jailcheck
 .br
    Warning: I can run programs in /home/netblue
 .br
+   Networking: disabled
+.br
 
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
 .br
    Warning: I can read ~/.ssh
 .br
+   Networking: enabled
+.br
 
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
    Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+   Networking: enabled
+.br
 
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
 .br
                  /run/user/1000,
 .br
+   Networking: enabled
+.br
 
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
 .br
    Warning: I can run programs in /home/netblue
 .br
+   Networking: enabled
+.br
 
 
 .SH LICENSE
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index 8dd08aa72..78b6efb76 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -41,7 +41,7 @@ after 500
 send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Error"
+        "Warning: you are not allowed to mount a tmpfs"
 }
 after 500