jailtest

16 files changed, 398 insertions, 162 deletions

diff --git a/README.md b/README.md
index bf067012b..ab9e91791 100644
--- a/README.md
+++ b/README.md
@@ -226,7 +226,11 @@ DESCRIPTION
               jailtest creates test files in the directories specified by  the
               user and tries to read them from inside the sandbox.
 
-       The program is running as root exclusively under sudo.
+       4. AppArmor test
+
+       5. Seccomp test
+
+       The program is started as root using sudo.
 
 OPTIONS
        --debug
@@ -239,7 +243,8 @@ OPTIONS
               Print program version and exit.
 
        [directory]
-              One or more directories in user home to test for read access.
+              One  or  more  directories in user home to test for read access.
+              ~/.ssh and ~/.gnupg are tested by default.
 
 OUTPUT
        For each sandbox detected we print the following line:
@@ -250,17 +255,28 @@ OUTPUT
        rectories and various warnings.
 
 EXAMPLE
-       $ sudo jailtest ~/.ssh ~/.gnupg
-       1429:netblue::/usr/bin/firejail /opt/firefox/firefox
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc,
-       5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net
-          Virtual dirs: /var/tmp, /dev,
+       $ sudo jailtest
+       2014:netblue::firejail /usr/bin/gimp
+          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+          Warning: I can run programs in /home/netblue
+
+       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
           Warning: I can read ~/.ssh
-       5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10
+
+       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
+       pimage
           Virtual dirs: /tmp, /var/tmp, /dev,
+
+       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+                        /run/user/1000,
+
+       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+          Warning: AppArmor not enabled
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+                        /usr/share, /run/user/1000,
           Warning: I can run programs in /home/netblue
-       6394:netblue:libreoffice:/usr/bin/firejail libreoffice
-          Virtual dirs: /tmp, /var/tmp, /dev,
 
 LICENSE
        This program is free software; you can redistribute it and/or modify it
@@ -271,8 +287,8 @@ LICENSE
        Homepage: https://firejail.wordpress.com
 
 SEE ALSO
-       firejail(1),  firecfg(1),  firejail-profile(5), firejail-login(5) fire‐
-       jail-users(5)
+       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
+       gin(5), firejail-users(5),
 
 0.9.65                             Feb 2021                        JAILTEST(1)
 `````
@@ -287,28 +303,28 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 
 Stats:
-    profiles                    1064
-    include local profile       1064   (include profile-name.local)
-    include globals             1064   (include globals.local)
-    blacklist ~/.ssh            959   (include disable-common.inc)
-    seccomp                     975
-    capabilities                1063
-    noexec                      944   (include disable-exec.inc)
-    memory-deny-write-execute   229
-    apparmor                    605
-    private-bin                 564
-    private-dev                 932
-    private-etc                 462
-    private-tmp                 823
-    whitelist home directory    502
-    whitelist var               744   (include whitelist-var-common.inc)
-    whitelist run/user          461   (include whitelist-runuser-common.inc
+    profiles                    1077
+    include local profile       1077   (include profile-name.local)
+    include globals             1077   (include globals.local)
+    blacklist ~/.ssh            971   (include disable-common.inc)
+    seccomp                     988
+    capabilities                1076
+    noexec                      960   (include disable-exec.inc)
+    memory-deny-write-execute   231
+    apparmor                    621
+    private-bin                 571
+    private-dev                 949
+    private-etc                 470
+    private-tmp                 835
+    whitelist home directory    508
+    whitelist var               758   (include whitelist-var-common.inc)
+    whitelist run/user          539   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         451   (include whitelist-usr-share-common.inc
-    net none                    345
-    dbus-user none              564
-    dbus-user filter            85
-    dbus-system none            696
+    whitelist usr/share         526   (include whitelist-usr-share-common.inc
+    net none                    354
+    dbus-user none              573
+    dbus-user filter            86
+    dbus-system none            706
     dbus-system filter          7
 ```
 
diff --git a/src/jailtest/access.c b/src/jailtest/access.c
index e68227bd2..4e737dc7a 100644
--- a/src/jailtest/access.c
+++ b/src/jailtest/access.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <dirent.h>
 #include <sys/wait.h>
diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c
new file mode 100644
index 000000000..43ab8fad0
--- /dev/null
+++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+void apparmor_test(pid_t pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv == -1 || mode == NULL)
+                printf("   Warning: AppArmor not enabled\n");
+}
+
+
+#else
+void apparmor_test(uid_t pid) {
+        (void) pid;
+        return;
+}
+#endif
+
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
index 678f94bef..10174cc9a 100644
--- a/src/jailtest/jailtest.h
+++ b/src/jailtest/jailtest.h
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #ifndef JAILTEST_H
 #define JAILTEST_H
 
@@ -8,6 +27,7 @@ extern uid_t user_uid;
 extern gid_t user_gid;
 extern char *user_name;
 extern char *user_home_dir;
+extern char *user_run_dir;
 
 // access.c
 void access_setup(const char *directory);
@@ -23,10 +43,16 @@ void virtual_setup(const char *directory);
 void virtual_destroy(void);
 void virtual_test(void);
 
+// apparmor.c
+void apparmor_test(pid_t pid);
+
+// seccomp.c
+void seccomp_test(pid_t pid);
+
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
-int find_child(pid_t parent, pid_t *child);
+int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
 #endif
\ No newline at end of file
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
index 78f162706..850277bc5 100644
--- a/src/jailtest/main.c
+++ b/src/jailtest/main.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include "../include/firejail_user.h"
 #include "../include/pid.h"
@@ -7,6 +26,7 @@ uid_t user_uid = 0;
 gid_t user_gid = 0;
 char *user_name = NULL;
 char *user_home_dir = NULL;
+char *user_run_dir = NULL;
 int arg_debug = 0;
 
 static char *usage_str =
@@ -73,9 +93,13 @@ int main(int argc, char **argv) {
                 fprintf(stderr, "Error: root user not supported\n");
                 exit(1);
         }
+        if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+                errExit("asprintf");
 
         // test setup
         atexit(cleanup);
+        access_setup("~/.ssh");
+        access_setup("~/.gnupg");
         if (findex > 0) {
                 for (i = findex; i < argc; i++)
                         access_setup(argv[i]);
@@ -88,6 +112,10 @@ int main(int argc, char **argv) {
         virtual_setup("/dev");
         virtual_setup("/etc");
         virtual_setup("/bin");
+        virtual_setup("/usr/share");
+        virtual_setup(user_run_dir);
+
+
 
         // print processes
         pid_read(0);
@@ -98,8 +126,12 @@ int main(int argc, char **argv) {
                                 continue;
 
                         // in case the pid is that of a firejail process, use the pid of the first child process
-                        uid_t pid = switch_to_child(i);
+                        uid_t pid = find_child(i);
+                        printf("\n");
                         pid_print_list(i, 0); //  no wrapping
+                        apparmor_test(pid);
+                        seccomp_test(pid);
+                        fflush(0);
 
                         pid_t child = fork();
                         if (child == -1)
@@ -111,6 +143,7 @@ int main(int argc, char **argv) {
                                         noexec_test(user_home_dir);
                                         noexec_test("/tmp");
                                         noexec_test("/var/tmp");
+                                        noexec_test(user_run_dir);
                                         access_test();
                                 }
                                 else {
diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c
index d2f85514a..4347b7eef 100644
--- a/src/jailtest/noexec.c
+++ b/src/jailtest/noexec.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <sys/wait.h>
 #include <sys/stat.h>
diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c
new file mode 100644
index 000000000..2cecb4b4d
--- /dev/null
+++ b/src/jailtest/seccomp.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#define MAXBUF 4096
+
+void seccomp_test(pid_t pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(file, "r");
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:", 8) == 0) {
+                        int val = -1;
+                        int rv = sscanf(buf + 8, "\t%d", &val);
+                        if (rv != 1 || val == 0)
+                                printf("   Warning: seccomp not enabled\n");
+                        break;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c
index b24783355..41c21b753 100644
--- a/src/jailtest/utils.c
+++ b/src/jailtest/utils.c
@@ -1,4 +1,24 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
+#include "../include/pid.h"
 #include <errno.h>
 #include <pwd.h>
 #include <dirent.h>
@@ -38,87 +58,45 @@ errexit:
         exit(1);
 }
 
-int find_child(pid_t parent, pid_t *child) {
-        *child = 0;                               // use it to flag a found child
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+        int i;
+        int first_child = -1;
 
-        DIR *dir;
-        if (!(dir = opendir("/proc"))) {
-                // sleep 2 seconds and try again
-                sleep(2);
-                if (!(dir = opendir("/proc"))) {
-                        fprintf(stderr, "Error: cannot open /proc directory\n");
-                        exit(1);
-                }
-        }
-
-        struct dirent *entry;
-        char *end;
-        while (*child == 0 && (entry = readdir(dir))) {
-                pid_t pid = strtol(entry->d_name, &end, 10);
-                if (end == entry->d_name || *end)
-                        continue;
-                if (pid == parent)
-                        continue;
-
-                // open stat file
-                char *file;
-                if (asprintf(&file, "/proc/%u/status", pid) == -1) {
-                        perror("asprintf");
-                        exit(1);
-                }
-                FILE *fp = fopen(file, "r");
-                if (!fp) {
-                        free(file);
-                        continue;
-                }
-
-                // look for firejail executable name
-                char buf[BUFLEN];
-                while (fgets(buf, BUFLEN - 1, fp)) {
-                        if (strncmp(buf, "PPid:", 5) == 0) {
-                                char *ptr = buf + 5;
-                                while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-                                        ptr++;
-                                }
-                                if (*ptr == '\0') {
-                                        fprintf(stderr, "Error: cannot read /proc file\n");
-                                        exit(1);
-                                }
-                                if (parent == atoi(ptr)) {
-                                        // we don't want /usr/bin/xdg-dbus-proxy!
-                                        char *cmdline = pid_proc_cmdline(pid);
-                                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
-                                                *child = pid;
-                                        free(cmdline);
-                                }
-                                break;            // stop reading the file
+        // find the first child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 2 && pids[i].parent == id) {
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+                        char *cmdline = pid_proc_cmdline(i);
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+                                free(cmdline);
+                                continue;
                         }
+                        free(cmdline);
+                        first_child = i;
+                        break;
                 }
-                fclose(fp);
-                free(file);
         }
-        closedir(dir);
-        return (*child)? 0:1;                     // 0 = found, 1 = not found
-}
 
-pid_t switch_to_child(pid_t pid) {
-        pid_t rv = pid;
-        errno = 0;
-        char *comm = pid_proc_comm(pid);
-        if (!comm) {
-                if (errno == ENOENT)
-                        fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
-                else
-                        fprintf(stderr, "Error: cannot read /proc file\n");
-                exit(1);
-        }
+        if (first_child == -1)
+                return -1;
 
-        if (strcmp(comm, "firejail") == 0) {
-                if (find_child(pid, &rv) == 1) {
-                        fprintf(stderr, "Error: no valid sandbox\n");
-                        exit(1);
-                }
+        // find the second-level child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 3 && pids[i].parent == first_child)
+                        return i;
         }
-        free(comm);
-        return rv;
+
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
 }
+
diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c
index 48296fdb1..fcdcf9720 100644
--- a/src/jailtest/virtual.c
+++ b/src/jailtest/virtual.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <dirent.h>
 #include <sys/wait.h>
@@ -64,7 +83,8 @@ void virtual_test(void) {
         assert(user_uid);
         int i;
 
-        printf("   Virtual dirs: "); fflush(0);
+        int cnt = 0;
+        cnt += printf("   Virtual dirs: "); fflush(0);
 
         for (i = 0; i < files_cnt; i++) {
                 assert(files[i]);
@@ -85,15 +105,21 @@ void virtual_test(void) {
                         FILE *fp = fopen(files[i], "r");
                         if (fp)
                                 fclose(fp);
-                        else
-                                printf("%s, ", dirs[i]);
+                        else {
+                                if (cnt == 0)
+                                        cnt += printf("\n                 ");
+                                cnt += printf("%s, ", dirs[i]);
+                                if (cnt > 60)
+                                        cnt = 0;
+                        }
                         fflush(0);
-                        exit(0);
+                        exit(cnt);
                 }
 
                 // wait for the child to finish
                 int status;
                 wait(&status);
+                cnt = WEXITSTATUS(status);
         }
         printf("\n");
 }
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 2c02aee47..dbb9397c6 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 430e86cc8..ce27729b7 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5e77b5f70..c7dc4c434 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index 6fa09e05e..c5a9c1848 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR jailtest (1)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e85a02ee8..9e89d4e79 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -3332,11 +3332,13 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
 .UR https://github.com/netblue30/firejail
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index cea6c0265..64f15a1f0 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/jailtest.txt b/src/man/jailtest.txt
index bc1999163..1b64097ea 100644
--- a/src/man/jailtest.txt
+++ b/src/man/jailtest.txt
@@ -19,9 +19,12 @@ and tries to run them form inside the sandbox, thus testing if the directory is
 \fB3. Read access test
 jailtest creates test files in the directories specified by the user and tries to read
 them from inside the sandbox.
-
 .TP
-The program is running as root exclusively under sudo.
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+The program is started as root using sudo.
 
 .SH OPTIONS
 .TP
@@ -35,7 +38,7 @@ Print options end exit.
 Print program version and exit.
 .TP
 \fB[directory]
-One or more directories in user home to test for read access.
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
 
 .SH OUTPUT
 For each sandbox detected we print the following line:
@@ -46,37 +49,58 @@ It is followed by relevant sandbox information, such as the virtual directories
 
 .SH EXAMPLE
 
+$ sudo jailtest
 .br
-$ sudo jailtest ~/.ssh ~/.gnupg
+2014:netblue::firejail /usr/bin/gimp
 .br
-1429:netblue::/usr/bin/firejail /opt/firefox/firefox
+   Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
 .br
-   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc,
+   Warning: I can run programs in /home/netblue
+.br
+
 .br
-5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
 .br
-   Virtual dirs: /var/tmp, /dev,
+   Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
 .br
    Warning: I can read ~/.ssh
 .br
-5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10
+
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
    Virtual dirs: /tmp, /var/tmp, /dev,
 .br
-   Warning: I can run programs in /home/netblue
+
 .br
-6394:netblue:libreoffice:/usr/bin/firejail libreoffice
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
 .br
-   Virtual dirs: /tmp, /var/tmp, /dev,
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
 .br
+                 /run/user/1000,
+.br
+
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+   Warning: AppArmor not enabled
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+                 /usr/share, /run/user/1000,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+
 
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),