Merge pull request #2 from netblue30/master

merge upstream

559 files changed, 3684 insertions, 1326 deletions

diff --git a/.gitignore b/.gitignore
index 89bf3c4fa..1b2c7fc7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 *.gcda
 *.gcno
 Makefile
+autom4te.cache/
 config.log
 config.status
 firejail-login.5
diff --git a/Makefile.in b/Makefile.in
index 8251f9882..7ed27c89d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 
@@ -79,9 +79,10 @@ realinstall:
         install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
         install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
@@ -91,6 +92,10 @@ realinstall:
         install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
         # documents
         install -m 0755 -d $(DESTDIR)/$(DOCDIR)
         install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@@ -136,7 +141,6 @@ install-strip: all
         strip src/firecfg/firecfg
         strip src/libtrace/libtrace.so
         strip src/libtracelog/libtracelog.so
-        strip src/libconnect/libconnect.so
         strip src/ftee/ftee
         strip src/faudit/faudit
         strip src/fnet/fnet
@@ -158,7 +162,7 @@ uninstall:
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
         
-DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
+DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
 
 dist:
diff --git a/README b/README
index 751480868..71e329792 100644
--- a/README
+++ b/README
@@ -15,6 +15,17 @@ Documentation and support: https://firejail.wordpress.com/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
 
+Compile and install
+
+$ git clone https://github.com/netblue30/firejail.git
+$ cd firejail
+$ ./configure && make && sudo make install-strip
+
+On Debian/Ubuntu you will need to install git and a compiler:
+
+$ sudo apt-get install build-essential
+
+
 Firejail Authors:
 
 netblue30 (netblue30@yahoo.com)
@@ -83,6 +94,11 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added xed and pluma profiles
         - added Cryptocat profile
         - added wireshark profile
+        - uudeview profile fix
+        - fixed palemoon and qbittorrent profiles
+        - compile/install scripts for --git-install/--git-uninstall commands
+        - tighten keepassx
+        - added Thunar profile
 valoq (https://github.com/valoq)
         - lots of profile fixes
         - added support for /srv in --whitelist feature
@@ -97,6 +113,37 @@ valoq (https://github.com/valoq)
         - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
         - added wget profile
         - disable gnupg and systemd directories under /run/user
+        - added iridium browser profile
+Zack Weinberg (https://github.com/zackw)
+        - removed libconnect
+        - fixed memory corruption in noblacklist processing
+        - rework DISPLAY environment parsing
+        - rework masking X11 sockets in /tmp/.X11-unix directory
+        - rework xpra and xephyr detection
+        - rework abstract X11 socket detection
+        - rework X11 display number assignment
+        - rework X11 xorg processing
+        - rework fcopy, --follow-link support in fcopy
+        - follow link support in --private-bin
+        - wait_for_other function rewrite
+Austin S. Hemmelgarn (https://github.com/Ferroin)
+        - unbound profile update
+Igor Bukanov (https://github.com/ibukanov)
+        - found/fiixed privilege escalation in --hosts-file option
+Cat (https://github.com/ecat3)
+        - prevent tmux connecting to an existing session
+Zack Weinberg (https://github.com/zackw)
+        - sdded support for joining a persistent, named network namespace
+GSI (https://github.com/GSI)
+        - added Uzbl browser profile
+Mike Frysinger (vapier@gentoo.org)
+        - Gentoo compile patch
+Jericho (https://github.com/attritionorg)
+        - spelling
+Pixel Fairy (https://github.com/xahare)
+        - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
+pshpsh (https://github.com/pshpsh)
+        - added FossaMail profile
 eventyrer (https://github.com/eventyrer)
         - update gnome-mplayer.profile
 thewisenerd (https://github.com/thewisenerd)
@@ -104,10 +151,13 @@ thewisenerd (https://github.com/thewisenerd)
         - use $SHELL variable if the shell is not specified
 SYN-cook (https://github.com/SYN-cook)
         - keepass/keepassx browser fixes
+        - disable-common.inc fixes
+        - blacklist GNOME keyring and Konqueror
+        - fixed Keepass(x) profiles
 thewisenerd (https://github.com/thewisenerd)
         - appimage: pass commandline arguments
 KOLANICH (https://github.com/KOLANICH)
-        - added symlink fixer
+        - added symlink fixer fix_private-bin.py in contrib section
 Jesse Smith (https://github.com/slicer69)
         - added QupZilla profile
 Lari Rauno (https://github.com/tuutti)
@@ -213,6 +263,10 @@ KellerFuchs (https://github.com/KellerFuchs)
         - nonewpriv support, extended profiles for this feature
         - make `restricted-network` prevent use of netfilter
         - disable-common.inc additions
+        - make mutt and msmtp's rc files read-only
+        - added support for .local profile files in /etc/firejail
+        - fixed Cryptocat profile
+        - make ~/.local read-only
 ValdikSS (https://github.com/ValdikSS)
         - Psi+, Corebird, Konversation profiles
         - various profile fixes
@@ -292,6 +346,7 @@ Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
+        - evolution profile fix
 pirate486743186 (https://github.com/pirate486743186)
         - KMail profile
 Kaan Genç (https://github.com/SeriousBug)
@@ -355,4 +410,4 @@ pstn (https://github.com/pstn)
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
         - src/lib/libnetlink.c extracted from iproute2 software package
         
-Copyright (C) 2014-2016 Firejail Authors
+Copyright (C) 2014-2017 Firejail Authors
diff --git a/README.md b/README.md
index 9057a9a88..687877c73 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,10 @@ $ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
+
+[![About Firejail](video.png)](http://www.youtube.com/watch?v=Yk1HVPOeoTc)
+
+
 Project webpage: https://firejail.wordpress.com/
 
 Download and Installation: https://firejail.wordpress.com/download-2/
@@ -35,6 +39,17 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 `````
 
 `````
+## Compile and install
+`````
+$ git clone https://github.com/netblue30/firejail.git
+$ cd firejail
+$ ./configure && make && sudo make install-strip
+`````
+On Debian/Ubuntu you will need to install git and a compiler:
+`````
+$ sudo apt-get install git build-essential
+`````
+
 ## User submitted profile repositories
 
 If you keep your Firejail profiles in a public repository, please give us a link:
@@ -51,7 +66,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 `````
 
 `````
-## AppImage type 2 support
+## AppImage
+
+Added AppImage type 2 support, and support for passing command line arguments to appimages.
 `````
 
 `````
@@ -75,9 +92,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
               Example:
               # firejail --private-srv=www /etc/init.d/apache2 start
 
-       --machine-id
-              Preserve  id  number  in  /etc/machine-id file. By default a new
-              random id is generated inside the sandbox.
+      --machine-id
+              Spoof id number in /etc/machine-id file - a  new  random  id  is
+              generated inside the sandbox.
 
               Example:
               $ firejail --machine-id
@@ -89,7 +106,46 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
               Example:
               $   firejail    --allow-private-blacklist   --private=~/priv-dir
               --blacklist=~/.mozilla
+
+      --hosts-file=file
+              Use file as /etc/hosts.
+
+              Example:
+              $ firejail --hosts-file=~/myhosts firefox
              
+      --writable-var-log
+              Use the real /var/log directory, not  a  clone.  By  default,  a
+              tmpfs  is  mounted  on top of /var/log directory, and a skeleton
+              filesystem is created based on the original /var/log.
+
+              Example:
+              $ sudo firejail --writable-var-log
+              
+       --git-install
+              Download, compile and install mainline git version  of  Firejail
+              from  the  official  repository  on  GitHub.   The  software  is
+              installed in /usr/local/bin, and takes precedence over the (old)
+              version installed in /usr/bin. If for any reason the new version
+              doesn't work, the user can uninstall  it  using  --git-uninstall
+              command and revert to the old version.
+
+              Prerequisites: git and compile support are required for this com‐
+              mand to work. On Debian/Ubuntu systems this support is installed
+              using "sudo apt-get install build-essential git".
+
+              Example:
+
+              $ firejail --git-install
+
+       --git-uninstall
+              Remove    the   Firejail   version   previously   installed   in
+              /usr/local/bin using --git-install command.
+
+              Example:
+
+              $ firejail --git-uninstall
+
+
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
@@ -98,5 +154,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-
 goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
 simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
 xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
-PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla
-
+PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser,
+Kino, Thunar
diff --git a/RELNOTES b/RELNOTES
index 2d57b1a88..54078875b 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,31 +1,47 @@
 firejail (0.9.45) baseline; urgency=low
   * development version, work in progress
-  * security: overwrite /etc/resolv.conf found by Martin Carpenter
-  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
-  * security: invalid environment exploit found by Martin Carpenter
+  * Gentoo compile patch
+  * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
+  * security: disabled --allow-debuggers when running on kernel
+    versions prior to 4.8; a kernel bug in ptrace system call
+    allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
+    (CVE-2017-5206)
+  * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
+  * security: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
   * security: split most of networking code in a separate executable
   * security: split seccomp filter code configuration in a separate executable
   * security: split file copying in private option in a separate executable
+  * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
+  * security: ~/.pki directory whitelisted and later blacklisted. This affects 
+    most browsers, and disables the custom certificates installed by the user.
   * feature: disable gnupg and systemd directories under /run/user
-  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
-  * feature: AppImage type 2 support
   * feature: test coverage (gcov) support
+  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
   * feature: private /opt directory (--private-opt, profile support)
   * feature: private /srv directory (--private-srv, profile support)
-  * feature: spoof machine-id
+  * feature: spoof machine-id (--machine-id, profile support)
+  * feature: allow blacklists under --private (--allow-private-blacklist, profile support)
+  * feature: user-defined /etc/hosts file (--hosts-file, profile support)
+  * feature: support for the real /var/log directory (--writable-var-log, profile support)
   * feature: config support for firejail prompt in terminals
+  * feature: AppImage type 2 support
   * feature: pass command line arguments to appimages
-  * feature: --allow-private-blacklist option
+  * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
+  * feature: added a number o Python scripts for handling sandboxes
+  * feature: allow local customization using .local files under /etc/firejail
+  * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
   * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
-  * new profies: Xonotic, wireshark, keepassx2, QupZilla
+  * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
+  * new profiles: Uzbl browser, iridium browser, Thunar
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
 
 firejail (0.9.44) baseline; urgency=low
-  * CVE-2016-7545 submitted by Aleksey Manevich
+  * CVE-2016-9016 submitted by Aleksey Manevich
   * modifs: removed man firejail-config
   * modifs: --private-tmp whitelists /tmp/.X11-unix directory
   * modifs: Nvidia drivers added to --private-dev
@@ -142,11 +158,12 @@ firejail (0.9.38) baseline; urgency=low
   * added KMail, Seamonkey, Telegram, Mathematica, uGet,
   *   and mupen64plus profiles
   * --chroot in user mode allowed only if seccomp support is available
-  *   in current Linux kernel
+  *   in current Linux kernel (CVE-2016-10123)
   * deprecated --private-home feature
   * the first protocol list installed takes precedence
-  * --tmpfs option allowed only running as root
+  * --tmpfs option allowed only running as root (CVE-2016-10117)
   * added --private-tmp option
+  * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 2 Feb 2016 10:00:00 -0500
 
diff --git a/configure b/configure
index 9efba1b1d..4ff257b66 100755
--- a/configure
+++ b/configure
@@ -625,6 +625,7 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 HAVE_SECCOMP_H
+HAVE_GIT_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
@@ -711,6 +712,7 @@ enable_whitelist
 enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
+enable_git_install
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1349,6 +1351,7 @@ Optional Features:
   --enable-busybox-workaround
                           enable busybox workaround
   --enable-gcov           Gcov instrumentation
+  --enable-git-install    enable git install feature
 
 Some influential environment variables:
   CC          C compiler command
@@ -3100,6 +3103,7 @@ if test "x$enable_apparmor" = "xyes"; then :
 fi
 
 
+
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -3711,6 +3715,18 @@ if test "x$enable_gcov" = "xyes"; then :
 fi
 
 
+HAVE_GIT_INSTALL=""
+# Check whether --enable-git-install was given.
+if test "${enable_git_install+set}" = set; then :
+  enableval=$enable_git_install;
+fi
+
+if test "x$enable_git_install" = "xyes"; then :
+
+        HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
+
+
+fi
 
 # checking pthread library
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
@@ -3777,7 +3793,7 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4497,7 +4513,6 @@ do
     "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
     "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
     "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
-    "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;;
     "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
@@ -4971,6 +4986,7 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   git install support: $HAVE_GIT_INSTALL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
diff --git a/configure.ac b/configure.ac
index f3076f2f8..c04bfed89 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,6 +17,7 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
         AC_SUBST(HAVE_APPARMOR)
 ])
 
+
 AS_IF([test "x$enable_apparmor" = "xyes"], [
         AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR(
         [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )])
@@ -146,6 +147,13 @@ AS_IF([test "x$enable_gcov" = "xyes"], [
 ])
 
 
+HAVE_GIT_INSTALL=""
+AC_ARG_ENABLE([git-install],
+    AS_HELP_STRING([--enable-git-install], [enable git install feature]))
+AS_IF([test "x$enable_git_install" = "xyes"], [
+        HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
+        AC_SUBST(HAVE_GIT_INSTALL)
+])
 
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -160,7 +168,7 @@ fi
 
 AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile)
+src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile)
 
 echo
 echo "Configuration options:"
@@ -179,6 +187,7 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   git install support: $HAVE_GIT_INSTALL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
new file mode 100755
index 000000000..270c758a2
--- /dev/null
+++ b/contrib/fix_private-bin.py
@@ -0,0 +1,157 @@
+#!/usr/bin/python3
+
+__author__ = "KOLANICH"
+__copyright__ = """This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>"""
+__license__ = "Unlicense"
+
+import sys, os, glob, re
+
+privRx=re.compile("^(?:#\s*)?private-bin")
+
+def fixSymlinkedBins(files, replMap):
+        """
+        Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap
+        replMap is a dict where key is the marker filename and value is the filename to add
+        """
+        
+        rxs=dict()
+        for (old,new) in replMap.items():
+                rxs[old]=re.compile("\\b"+old+"\\b")
+                rxs[new]=re.compile("\\b"+new+"\\b")
+        #print(rxs)
+        
+        for filename in files:
+                lines=None
+                with open(filename,"r") as file:
+                        lines=file.readlines()
+                
+                shouldUpdate=False
+                for (i,line) in enumerate(lines):
+                        if privRx.search(line):
+                                for (old,new) in replMap.items():
+                                        if rxs[old].search(line) and not rxs[new].search(line):
+                                                lines[i]=rxs[old].sub(old+","+new, line)
+                                                shouldUpdate=True
+                                                print(lines[i])
+                
+                if shouldUpdate:
+                        with open(filename,"w") as file:
+                                file.writelines(lines)
+                        pass
+
+def createSetOfBinaries(files):
+        """
+        Creates a set of binaries mentioned in private-bin directives of files.
+        """
+        s=set()
+        for filename in files:
+                lines=None
+                with open(filename,"r") as file:
+                        for line in file:
+                                if privRx.search(line):
+                                        bins=line.split(",")
+                                        bins[0]=bins[0].split(" ")[-1]
+                                        bins = [n.strip() for n in bins]
+                                        s=s|set(bins)
+        return s
+
+def createSymlinkTable(binDirs, binariesSet):
+        """
+        creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary.
+        binDirs are folders to look into for binaries symlinks
+        binariesSet is a set of binaries to be checked if they are actually a symlinks
+        """
+        m=dict()
+        toProcess=binariesSet
+        while len(toProcess)!=0:
+                additional=set()
+                for sh in toProcess:
+                        for bD in binDirs:
+                                p=bD+os.path.sep+sh
+                                if os.path.exists(p):
+                                        if os.path.islink(p):
+                                                m[sh]=os.readlink(p)
+                                                additional.add(m[sh].split(" ")[0])
+                                        else:
+                                                pass
+                                        break
+                toProcess=additional
+        return m
+
+def doTheFixes(profilesPath, binDirs):
+        """
+        Fixes private-bin in .profiles for firejail. The pipeline is as follows:
+        discover files -> discover mentioned binaries ->
+        discover the ones which are symlinks ->
+        make a look-up table for fix ->
+        filter the ones can be fixed (we cannot fix the ones which are not in directories for binaries) ->
+        apply fix
+        """
+        files=glob.glob(profilesPath+os.path.sep+"*.profile")
+        bins=createSetOfBinaries(files)
+        #print("The binaries used are:")
+        #print(bins)
+        stbl=createSymlinkTable(binDirs,bins)
+        print("The replacement table is:")
+        print(stbl)
+        stbl={a[0]:a[1] for a in stbl.items() if a[0].find(os.path.sep) < 0 and a[1].find(os.path.sep)<0}
+        print("Filtered replacement table is:")
+        print(stbl)
+        fixSymlinkedBins(files,stbl)
+
+def printHelp():
+        print("python3 "+os.path.basename(__file__)+" <dir with .profile files>\nThe default dir is "+defaultProfilesPath+"\n"+doTheFixes.__doc__)
+
+def main():
+        """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
+        print(repr(sys.argv))
+        defaultProfilesPath="../etc"
+        if len(sys.argv)>2 or (len(sys.argv)==2 and (sys.argv[1] == '-h' or sys.argv[1] == '--help') ):
+                printHelp()
+                exit(1)
+        
+        profilesPath=None
+        if len(sys.argv)==2:
+                if os.path.isdir(sys.argv[1]):
+                        profilesPath=os.path.abspath(sys.argv[1])
+                else:
+                        if os.path.exists(sys.argv[1]):
+                                print(sys.argv[1]+" is not a dir")
+                        else:
+                                print(sys.argv[1]+" does not exist")
+                        printHelp()
+                        exit(1)
+        else:
+                print("Using default profiles dir: " + defaultProfilesPath)
+                profilesPath=defaultProfilesPath
+
+        binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"]
+        print("Binaries dirs are:")
+        print(binDirs)
+        doTheFixes(profilesPath, binDirs)
+
+if __name__ == "__main__":
+        main()
diff --git a/contrib/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py
deleted file mode 100644
index 705e46e46..000000000
--- a/contrib/fix_private-bin_for_symlinked_sh.py
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/python3
-
-import sys, os, glob, re
-
-privRx=re.compile("^(?:#\s*)?private-bin")
-
-def fixSymlinkedBins(files, replMap):
-        rxs=dict()
-        for (old,new) in replMap.items():
-                rxs[old]=re.compile("\\b"+old+"\\b")
-                rxs[new]=re.compile("\\b"+new+"\\b")
-        print(rxs)
-        
-        for filename in files:
-                lines=None
-                with open(filename,"r") as file:
-                        lines=file.readlines()
-                
-                shouldUpdate=False
-                for (i,line) in enumerate(lines):
-                        if privRx.search(line):
-                                for (old,new) in replMap.items():
-                                        if rxs[old].search(line) and not rxs[new].search(line):
-                                                lines[i]=rxs[old].sub(old+","+new, line)
-                                                shouldUpdate=True
-                                                print(lines[i])
-                
-                if shouldUpdate:
-                        with open(filename,"w") as file:
-                                file.writelines(lines)
-                                pass
-
-def createListOfBinaries(files):
-        s=set()
-        for filename in files:
-                lines=None
-                with open(filename,"r") as file:
-                        for line in file:
-                                if privRx.search(line):
-                                        bins=line.split(",")
-                                        bins[0]=bins[0].split(" ")[-1]
-                                        bins = [n.strip() for n in bins]
-                                        s=s|set(bins)
-        return s
-
-def createSymlinkTable(binDirs, binariesSet):
-        m=dict()
-        for sh in binariesSet:
-                for bD in binDirs:
-                        p=bD+os.path.sep+sh
-                        if os.path.exists(p):
-                                if os.path.islink(p):
-                                        m[sh]=os.readlink(p)
-                                else:
-                                        pass
-                                break
-        return m
-
-
-sh="sh"
-binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"]
-profilesPath="."
-files=glob.glob(profilesPath+os.path.sep+"*.profile")
-
-bins=createListOfBinaries(files)
-stbl=createSymlinkTable(binDirs,bins)
-print(stbl)
-fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0})
diff --git a/contrib/fjclip.py b/contrib/fjclip.py
new file mode 100755
index 000000000..cd12cd289
--- /dev/null
+++ b/contrib/fjclip.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+
+import re
+import sys
+import subprocess
+import fjdisplay
+
+usage = """fjclip.py src dest. src or dest can be named firejails or - for stdin or stdout.
+firemon --x11 to see available running x11 firejails. firejail names can be shortened
+to least ambiguous. for example 'work-libreoffice' can be shortened to 'work' if no
+other firejails name starts with 'work'.
+warning: browsers are dangerous. clipboards from browsers are dangerous.  see
+https://github.com/dxa4481/Pastejacking 
+fjclip.py strips whitespace from both
+ends, but does nothing else to protect you.  use a simple gui text editor like
+gedit if you want to see what your pasting.""" 
+
+if len(sys.argv) != 3 or sys.argv == '-h' or sys.argv == '--help':
+    print(usage)
+    exit(1)
+
+if sys.argv[1] == '-':
+    clipin_raw = sys.stdin.read()
+else:
+    display = fjdisplay.getdisplay(sys.argv[1])
+    clipin_raw = subprocess.check_output(['xsel','-b','--display',display])
+
+clipin = clipin_raw.strip()
+
+if sys.argv[2] == '-':
+    print(clipin)
+else:
+    display = fjdisplay.getdisplay(sys.argv[2])
+    clipout = subprocess.Popen(['xsel','-b','-i','--display',display],stdin=subprocess.PIPE)
+    clipout.communicate(clipin)
\ No newline at end of file
diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py
new file mode 100755
index 000000000..0e0ef01ec
--- /dev/null
+++ b/contrib/fjdisplay.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+import re
+import sys
+import subprocess
+
+usage = """fjdisplay.py name-of-firejail
+returns the display in the form of ':NNN'
+"""
+
+def getfirejails():
+    output = subprocess.check_output(['firemon','--x11'])
+    firejails = {}
+    name = ''
+    for line in output.split('\n'):
+        namematch = re.search('--name=(\w+\S*)',line)
+        if namematch:
+          name = namematch.group(1)
+        displaymatch = re.search('DISPLAY (:\d+)',line) 
+        if displaymatch:
+          firejails[name] = displaymatch.group(1)
+    return firejails
+
+def getdisplay(name):
+    firejails = getfirejails()
+    fjlist = '\n'.join(firejails.keys())
+    namere = re.compile('^'+name+'.*', re.MULTILINE)
+    matchingjails = namere.findall(fjlist)
+    if len(matchingjails) == 1:
+        return firejails[matchingjails[0]]
+    if len(matchingjails) == 0:
+        raise NameError("firejail {} does not exist".format(name))
+    else:
+        raise NameError("ambiguous firejail name")
+
+if __name__ == '__main__':
+    if '-h' in sys.argv or '--help' in sys.argv or len(sys.argv) > 2:
+        print(usage)
+        exit()
+    if len(sys.argv) == 1:
+        print(getfirejails())
+    if len(sys.argv) == 2:
+        print (getdisplay(sys.argv[1]))
\ No newline at end of file
diff --git a/contrib/fjresize.py b/contrib/fjresize.py
new file mode 100755
index 000000000..52b289159
--- /dev/null
+++ b/contrib/fjresize.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+import sys
+import fjdisplay
+import subprocess
+
+usage = """usage: fjresize.py firejail-name displaysize
+resize firejail xephyr windows.
+fjdisplay.py with no other arguments will list running named firejails with displays.
+fjresize.py with only a firejail name will list valid resolutions.
+names can be shortend as long its unambiguous.
+note: you may need to move the xephyr window for the resize to take effect
+example:
+    fjresize.py browser 1280x800
+"""
+
+
+if len(sys.argv) == 2:
+    out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1])])
+    print(out)
+elif len(sys.argv) == 3: 
+    out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1]),'--output','default','--mode',sys.argv[2]])
+    print(out)
+else:
+    print(usage)
\ No newline at end of file
diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh
new file mode 100755
index 000000000..c2adffaf8
--- /dev/null
+++ b/contrib/update_deb.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. For 
+#                       Debian-based distros only (Ubuntu, Mint, etc).
+set -e 
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --prefix=/usr
+make deb
+sudo dpkg -i firejail*.deb
+echo "Firejail was updated!"
+cd ..
+rm -rf firejail
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 1e7c06879..84addc229 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/0ad.local
+
 # Firejail profile for 0ad.
 noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad
diff --git a/etc/7z.profile b/etc/7z.profile
index 319126540..102de44ee 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/7z.local
+
 # 7zip crompression tool profile
 quiet
 ignore noroot
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
index 3db34c03c..da7f93791 100644
--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,8 @@
-# Firejail profile for 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Cryptocat.local
+
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
index 1f74606ce..bd2765bc7 100644
--- a/etc/Cyberfox.profile
+++ b/etc/Cyberfox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Cyberfox.local
+
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 
 include /etc/firejail/cyberfox.profile
diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile
new file mode 100644
index 000000000..e0ba131ed
--- /dev/null
+++ b/etc/FossaMail.profile
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/FossaMail.local
+
+# Firejail profile for FossaMail
+include /etc/firejail/fossamail.profile
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index e719f070f..2fe19c570 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Mathematica.local
+
 # Mathematica profile
 noblacklist ${HOME}/.Mathematica
 noblacklist ${HOME}/.Wolfram Research
diff --git a/etc/Telegram.profile b/etc/Telegram.profile
index 2e0f97821..6ccda7929 100644
--- a/etc/Telegram.profile
+++ b/etc/Telegram.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Telegram.local
+
 # Telegram IRC profile
 include /etc/firejail/telegram.profile
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
new file mode 100644
index 000000000..5a27177e0
--- /dev/null
+++ b/etc/Thunar.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Thunar.local
+
+# Firejail profile for thunar
+noblacklist ~/.config/Thunar
+noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile
index ff0a4b6ef..5e011b1fc 100644
--- a/etc/VirtualBox.profile
+++ b/etc/VirtualBox.profile
@@ -1 +1,5 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/VirtualBox.local
+
 include /etc/firejail/virtualbox.profile
diff --git a/etc/Wire.profile b/etc/Wire.profile
index bd9645c7f..0895353d1 100644
--- a/etc/Wire.profile
+++ b/etc/Wire.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Wire.local
+
 # wire messenger profile
 
 include /etc/firejail/wire.profile
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index f25bbd94d..bdd56e42f 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/abrowser.local
+
 # Firejail profile for Abrowser
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 8d5b35d47..c2a400fe4 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/amarok.local
+
 # amarok profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/ark.profile b/etc/ark.profile
index 61b4c6f60..20a2d10e0 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ark.local
+
 # ark profile
 noblacklist ~/.config/arkrc
 
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
index fa0b316bb..4c50687aa 100644
--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atom-beta.local
+
 # Firejail profile for Atom Beta.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
diff --git a/etc/atom.profile b/etc/atom.profile
index 61930d5c1..fc0e1b69c 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atom.local
+
 # Firejail profile for Atom.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
diff --git a/etc/atool.profile b/etc/atool.profile
index 578a88fc7..37a2e09e4 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atool.local
+
 # atool profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/atril.profile b/etc/atril.profile
index fbcca0c1b..1125f4f3c 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atril.local
+
 # Atril profile
 noblacklist ~/.config/atril
 noblacklist ~/.local/share
diff --git a/etc/audacious.profile b/etc/audacious.profile
index e5275213c..63ba9af9c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -1,4 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/audacious.local
+
 # Audacious media player profile
+noblacklist ~/.config/audacious
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 827fa4301..4394416ff 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/audacity.local
+
 # Audacity profile
 noblacklist ~/.audacity-data
 
diff --git a/etc/aweather.profile b/etc/aweather.profile
index fa8654f1e..b6ed0de51 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/aweather.local
+
 # Firejail profile for aweather.
 noblacklist ~/.config/aweather
 include /etc/firejail/disable-common.inc
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 87d2e843a..b056a54e3 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bitlbee.local
+
 # BitlBee instant messaging profile
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 0a71db9f0..b406b9985 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bleachbit.local
+
 # bleachbit profile
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-programs.inc
diff --git a/etc/bless.profile b/etc/bless.profile
index 752edadf7..b8325de39 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bless.local
+
 #
 #Profile for bless
 #
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 66de6fa50..6d84b0ca5 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/brasero.local
+
 # brasero profile
 noblacklist ~/.config/brasero
 
diff --git a/etc/brave.profile b/etc/brave.profile
index 21ea7f908..d7678d5d5 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/brave.local
+
 # Profile for Brave browser
 noblacklist ~/.config/brave
 include /etc/firejail/disable-common.inc
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 139dec8ec..8d7585fb9 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cherrytree.local
+
 # cherrytree note taking application
 noblacklist /usr/bin/python2*
 noblacklist /usr/lib/python3*
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile
index d989b736b..e7dd5afe3 100644
--- a/etc/chromium-browser.profile
+++ b/etc/chromium-browser.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/chromium-browser.local
+
 # Chromium browser profile
 include /etc/firejail/chromium.profile
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7610d9b26..531f9156c 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/chromium.local
+
 # Chromium browser profile
 noblacklist ~/.config/chromium
 noblacklist ~/.cache/chromium
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 8921bb25e..3bffb9b0a 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/claws-mail.local
+
 # claws-mail profile
 noblacklist ~/.claws-mail
 noblacklist ~/.signature
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 5ce085358..f92413a36 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/clementine.local
+
 # Clementine media player profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 2e2a6940c..50bfbf7c8 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cmus.local
+
 # cmus profile
 noblacklist ${HOME}/.config/cmus
 
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index e82eeec4c..b87aa835d 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/conkeror.local
+
 # Firejail profile for Conkeror web browser profile
 noblacklist ${HOME}/.conkeror.mozdev.org
 include /etc/firejail/disable-common.inc
diff --git a/etc/corebird.profile b/etc/corebird.profile
index 6fb8219e8..a6514af5a 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/corebird.local
+
 # Firejail corebird profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/cpio.profile b/etc/cpio.profile
index cf89acdac..d4b0e6d2d 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cpio.local
+
 # cpio profile
 # /sbin and /usr/sbin are visible inside the sandbox
 # /boot is not visible and /var is heavily modified 
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile
index 0d392b272..ea5c5c69b 100644
--- a/etc/cryptocat.profile
+++ b/etc/cryptocat.profile
@@ -1 +1,5 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cryptocat.local
+
 include /etc/Cryptocat.profile
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index f722915f0..3dffe187c 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cyberfox.local
+
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 04abd0a92..603d6345c 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/deadbeef.local
+
 # DeaDBeeF media player profile
 noblacklist ${HOME}/.config/deadbeef
 
diff --git a/etc/default.profile b/etc/default.profile
index 603321316..66b04896f 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/default.local
+
 ################################
 # Generic GUI application profile
 ################################
diff --git a/etc/deluge.profile b/etc/deluge.profile
index c6ddec3ec..7b4a49db5 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/deluge.local
+
 # deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 108787920..f8a3e5252 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dillo.local
+
 # Firejail profile for Dillo web browser
 noblacklist ~/.dillo
 include /etc/firejail/disable-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 22f54604a..79732b197 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-common.local
+
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
@@ -72,12 +76,9 @@ blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
-# General startup files
+# Startup files
 read-only ${HOME}/.xinitrc
 read-only ${HOME}/.xserverrc
-read-only ${HOME}/.profile
-
-# Shell startup files
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
@@ -96,12 +97,21 @@ read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.profile
+read-only ${HOME}/.forward
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.project
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
@@ -118,8 +128,16 @@ read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
-# The user ~/bin directory can override commands such as ls
+# Make directories commonly found in $PATH read-only
 read-only ${HOME}/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+
+# Make the contents of ~/.local read-only,
+#  except the commonly-used ~/.local/share
+read-only  ${HOME}/.local
+read-write ${HOME}/.local/share
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -197,6 +215,8 @@ blacklist /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 2ac367f37..24c739b5b 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-devel.local
+
 # development tools
 
 # GCC
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 8f8aa1c2c..c4112d4d5 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-passwdmgr.local
+
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 69f0a2e1b..c59285e85 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-programs.local
+
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.Atom
@@ -66,12 +70,14 @@ blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/audacious
 blacklist ${HOME}/.config/autostart
 blacklist ${HOME}/.config/autostart/dropbox.desktop
 blacklist ${HOME}/.config/aweather
@@ -145,6 +151,7 @@ blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
 blacklist ${HOME}/.config/xfburn
+blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
@@ -278,3 +285,5 @@ blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist ${HOME}/wallet.dat
 blacklist /tmp/ssh-*
+blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.kino-history
diff --git a/etc/display.profile b/etc/display.profile
index ec041bff7..83fbc965a 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/display.local
+
 # display (ImageMagick tool) image viewer profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 926b8bfcc..c69707181 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dnscrypt-proxy.local
+
 # security profile for dnscrypt-proxy
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 3bd43f144..0af4a3f62 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dnsmasq.local
+
 # dnsmasq profile
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index 09a86f811..2b7919083 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dolphin.local
+
 # dolphin profile
 
 # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index 45fbb712a..3ef6931fc 100644
--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dosbox.local
+
 # Firejail profile for dosbox
 noblacklist ~/.dosbox
 
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 09cb73802..b6228fd41 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dragon.local
+
 # dragon player profile
 noblacklist ~/.config/dragonplayerrc
 
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 40efd62b2..b58fa0ed1 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dropbox.local
+
 # dropbox profile
 noblacklist ~/.config/autostart
 include /etc/firejail/disable-common.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index ade15f203..1fad33d54 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/elinks.local
+
 # elinks profile
 noblacklist ~/.elinks
 
diff --git a/etc/emacs.profile b/etc/emacs.profile
index 2b9c5805c..21767402f 100644
--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/emacs.local
+
 # emacs profile
 noblacklist ~/.emacs
 noblacklist ~/.emacs.d
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 2a0a6389c..4cf90908f 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/empathy.local
+
 # Empathy instant messaging profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/enchant.profile b/etc/enchant.profile
index cf8288919..8b1995a95 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/enchant.local
+
 # enchant profile
 noblacklist ~/.config/enchant
 
diff --git a/etc/eog.profile b/etc/eog.profile
index d463f3a97..c5afec7fa 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/eog.local
+
 # eog (gnome image viewer) profile
 noblacklist ~/.config/eog
 
diff --git a/etc/eom.profile b/etc/eom.profile
index dfcea82c1..a7e10ba9e 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/eom.local
+
 # Firejail profile for Eye of Mate (eom)
 noblacklist ~/.config/mate/eom
 
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 0e898f02b..1bf259440 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/epiphany.local
+
 # Epiphany browser profile
 noblacklist ${HOME}/.config/epiphany
 noblacklist ${HOME}/.cache/epiphany
diff --git a/etc/evince.profile b/etc/evince.profile
index 1ec384947..94cefdd8b 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/evince.local
+
 # evince pdf reader profile
 noblacklist ~/.config/evince
 
diff --git a/etc/evolution.profile b/etc/evolution.profile
index ab6dd7a4a..cb6615716 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/evolution.local
+
 # evolution profile
 noblacklist ~/.config/evolution
 noblacklist ~/.local/share/evolution
@@ -6,6 +10,9 @@ noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
 
+noblacklist /var/spool/mail
+noblacklist /var/mail
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 1cae8c093..356735421 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/exiftool.local
+
 # exiftool profile
 noblacklist /usr/bin/perl
 noblacklist /usr/share/perl*
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index ec098d5fe..77bf89f35 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/fbreader.local
+
 # fbreader ebook reader profile
 noblacklist ${HOME}/.FBReader
 
diff --git a/etc/feh.profile b/etc/feh.profile
index 2812effc9..e00b6a821 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/feh.local
+
 # feh image viewer profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 6116389db..804d20ce1 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/file-roller.local
+
 # file-roller profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/file.profile b/etc/file.profile
index d145fe12a..2f972212e 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/file.local
+
 # file profile
 quiet
 include /etc/firejail/disable-common.inc
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index a40fceec1..5f2636bf5 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/filezilla.local
+
 # FileZilla ftp profile
 noblacklist ${HOME}/.filezilla
 noblacklist ${HOME}/.config/filezilla
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
index d2fde9a3f..753f64526 100644
--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/firefox-esr.local
+
 # Firejail profile for Mozilla Firefox ESR
 include /etc/firejail/firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index c3a9b2a62..5f891ea3c 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,9 +1,14 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/firefox.local
+
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 noblacklist ~/.config/qpdfview
 noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -30,6 +35,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.config/qpdfview
 whitelist ~/.local/share/qpdfview
diff --git a/etc/firejail.config b/etc/firejail.config
index 824e3f503..766802a7d 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -20,6 +20,12 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
+# Follow symlink as user. While using --whitelist feature,
+# symlinks pointing outside home directory are followed only
+# if both the link and the real file are owned by the user.
+# Enabled by default
+# follow-symlink-as-user yes
+
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
@@ -79,6 +85,6 @@
 # Firejail window title in Xephyr, default enabled.
 # xephyr-window-title yes
 
-# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# Xephyr command extra parameters. None by default; these are examples.
 # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
 # xephyr-extra-params -grayscale
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 3c23ff6f6..56437ba06 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/flashpeak-slimjet.local
+
 # SlimJet browser profile
 # This is a whitelisted profile, the internal browser sandbox
 # is disabled because it requires sudo password. The command
@@ -7,6 +11,7 @@
 #
 noblacklist ~/.config/slimjet
 noblacklist ~/.cache/slimjet
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 12afdb0aa..e60417081 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/flowblade.local
+
 # FlowBlade profile
 noblacklist ${HOME}/.flowblade
 noblacklist ${HOME}/.config/flowblade
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
new file mode 100644
index 000000000..3caaad71c
--- /dev/null
+++ b/etc/fossamail.profile
@@ -0,0 +1,19 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/fossamail.local
+
+# Firejail profile for FossaMail
+
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.fossamail
+mkdir ~/.fossamail
+whitelist ~/.fossamail
+
+noblacklist ~/.cache/fossamail
+mkdir ~/.cache/fossamail
+whitelist ~/.cache/fossamail
+
+include /etc/firejail/firefox.profile
diff --git a/etc/franz.profile b/etc/franz.profile
index 0b3be551b..05ff72a47 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/franz.local
+
 # Franz profile
 noblacklist ~/.config/Franz
 noblacklist ~/.cache/Franz
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/gajim.profile b/etc/gajim.profile
index eb60f858b..bac6cc466 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gajim.local
+
 # Firejail profile for Gajim
 noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.local/share/gajim
diff --git a/etc/gedit.profile b/etc/gedit.profile
index a25286bfa..9f4eee9b3 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gedit.local
+
 # gedit profile
 
 # when gedit is started via gnome-shell, firejail is not applied because systemd will start it
diff --git a/etc/gimp.profile b/etc/gimp.profile
index cb441fc9d..d07398a41 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gimp.local
+
 # gimp
 noblacklist ${HOME}/.gimp*
 include /etc/firejail/disable-common.inc
diff --git a/etc/git.profile b/etc/git.profile
index 80e534e20..5fbacd7fa 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/git.local
+
 # git profile
 quiet
 noblacklist ~/.gitconfig
diff --git a/etc/gitter.profile b/etc/gitter.profile
index f43f5f199..054d859f8 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gitter.local
+
 # Firejail profile for Gitter
 noblacklist ~/.config/Gitter
 include /etc/firejail/disable-common.inc
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 8d71728a2..24ec70e86 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gjs.local
+
 # gjs (gnome javascript bindings) profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index f9982da61..95c0daccd 100644
--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-2048.local
+
 #
 #Profile for gnome-2048
 #
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 10b06e173..692e32896 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-books.local
+
 # gnome-books profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 49e068171..714a97650 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-calculator.local
+
 #
 #Profile for gnome-calculator
 #
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 4db485ea7..3dcc98b72 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-chess.local
+
 # Firejail profile for gnome-chess
 noblacklist ~/.local/share/gnome-chess
 
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 6cccf9d32..30598f348 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-clocks.local
+
 # gnome-clocks profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 9dc25b26c..b61cd3c74 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-contacts.local
+
 #
 #Profile for gnome-contacts
 #
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index c5def7aff..9d3b8172b 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-documents.local
+
 # gnome-documents profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index f1451506e..54c0eb99c 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-maps.local
+
 # gnome-maps profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 488c7e0b8..cd268aed7 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-mplayer.local
+
 # GNOME MPlayer profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -12,6 +16,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-bin gnome-mplayer,mplayer
+# private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 4a8adeb22..9136015e9 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-music.local
+
 # gnome-music profile
 noblacklist ~/.local/share/gnome-music
 
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 8f9d60cb5..d1636e02e 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-photos.local
+
 # gnome-photos profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 9f93b8f15..925420a5a 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-weather.local
+
 # gnome-weather profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 8990943fc..6aaec1354 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/goobox.local
+
 # goobox profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 3d483967c..2f09edb7a 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome-beta.local
+
 # Google Chrome beta browser profile
 noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.cache/google-chrome-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile
index 78c8ca6e5..b8d9d6917 100644
--- a/etc/google-chrome-stable.profile
+++ b/etc/google-chrome-stable.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome-stable.local
+
 # Google Chrome browser profile
 include /etc/firejail/google-chrome.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 0189ce40b..e0dc37034 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome-unstable.local
+
 # Google Chrome unstable browser profile
 noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.cache/google-chrome-unstable
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 3083c2afd..dfb30dc7e 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome.local
+
 # Google Chrome browser profile
 noblacklist ~/.config/google-chrome
 noblacklist ~/.cache/google-chrome
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index b4cf8d9ac..dbe07cfee 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-play-music-desktop-player.local
+
 # Google Play Music desktop player profile
 noblacklist ~/.config/Google Play Music Desktop Player
 
diff --git a/etc/gpa.profile b/etc/gpa.profile
index 7d7277190..7618fdd41 100644
--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpa.local
+
 # gpa profile
 noblacklist ~/.gnupg
 
@@ -18,6 +22,4 @@ shell none
 tracelog
 
 # private-bin gpa,gpg
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 59c7383d7..7beaca6f2 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpg-agent.local
+
 # gpg-agent profile
 noblacklist ~/.gnupg
 
@@ -11,7 +15,7 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
 no3d
@@ -21,6 +25,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg-agent,gpg
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
index d711c6f3e..92e42cc4b 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpg.local
+
 # gpg profile
 noblacklist ~/.gnupg
 
@@ -11,10 +15,9 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
-net none
 no3d
 shell none
 tracelog
@@ -22,6 +25,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg,gpg-agent
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 801304c18..9e8af2016 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpredict.local
+
 # Firejail profile for gpredict.
 noblacklist ~/.config/Gpredict
 include /etc/firejail/disable-common.inc
diff --git a/etc/gtar.profile b/etc/gtar.profile
index 2f675cd9d..2fcdbaa83 100644
--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gtar.local
+
 # gtar profile
 quiet
 include /etc/firejail/tar.profile
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 055d78935..d8c438181 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gthumb.local
+
 # gthumb profile
 noblacklist ${HOME}/.config/gthumb
 
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile
index 0c6ad00be..3c8da9e46 100644
--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/guayadeque.local
+
 noblacklist ${HOME}/.guayadeque
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index c866c9e63..f636792f0 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gwenview.local
+
 # KDE gwenview profile
 noblacklist ~/.kde/share/apps/gwenview
 noblacklist ~/.kde/share/config/gwenviewrc
diff --git a/etc/gzip.profile b/etc/gzip.profile
index feb27c150..2eca4d8b6 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gzip.local
+
 # gzip profile
 quiet
 ignore noroot
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 7910b7eb0..4e469bd42 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/hedgewars.local
+
 # whitelist profile for Hedgewars (game)
 noblacklist ${HOME}/.hedgewars
 
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 5cefe45b5..53f447f7e 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/hexchat.local
+
 # HexChat instant messaging profile
 # Currently in testing (may not work for all users)
 noblacklist ${HOME}/.config/hexchat
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 4bab18349..446a3fbb7 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/highlight.local
+
 # highlight profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 038afc876..144f5c4eb 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/icecat.local
+
 # Firejail profile for GNU Icecat
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/icedove.profile b/etc/icedove.profile
index 310684bdb..b5265e992 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/icedove.local
+
 # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable)
 # Users have icedove set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
index e9b32846a..d5c29a5ce 100644
--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iceweasel.local
+
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 include /etc/firejail/firefox.profile
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index d55a31cd0..15692b2b0 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/img2txt.local
+
 # img2txt profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index a0e86b6c9..000a35fd9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/inkscape.local
+
 # inkscape
 noblacklist ${HOME}/.inkscape
 include /etc/firejail/disable-common.inc
diff --git a/etc/inox.profile b/etc/inox.profile
index 6f6d140e2..8e95208ab 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/inox.local
+
 # Inox browser profile
 noblacklist ~/.config/inox
 noblacklist ~/.cache/inox
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile
new file mode 100644
index 000000000..7a2f889dc
--- /dev/null
+++ b/etc/iridium-browser.profile
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iridium-browser.local
+
+include /etc/firejail/iridium.profile
+
diff --git a/etc/iridium.profile b/etc/iridium.profile
new file mode 100644
index 000000000..69ea483aa
--- /dev/null
+++ b/etc/iridium.profile
@@ -0,0 +1,33 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iridium.local
+
+# Iridium browser profile
+noblacklist ~/.config/iridium
+noblacklist ~/.cache/iridium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium/iridium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/iridium
+whitelist ~/.config/iridium
+mkdir ~/.cache/iridium
+whitelist ~/.cache/iridium
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 1d6eb41f8..2ba1a4380 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/jd-gui.local
+
 #
 #Profile for jd-gui
 #
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 046499abe..5d502fffe 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/jitsi.local
+
 # Firejail profile for jitsi
 noblacklist ~/.jitsi
 include /etc/firejail/disable-common.inc
diff --git a/etc/k3b.profile b/etc/k3b.profile
index 8a5fff0c6..68b825c5e 100644
--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/k3b.local
+
 # k3b profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/kate.profile b/etc/kate.profile
index 4b07ea6cb..466786e61 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kate.local
+
 # kate profile
 noblacklist ~/.local/share/kate
 noblacklist ~/.config/katerc
diff --git a/etc/keepass.profile b/etc/keepass.profile
index eb7d92a7c..d269c3e8a 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepass.local
+
 # keepass password manager profile
 noblacklist ${HOME}/.keepass
 noblacklist ${HOME}/.config/keepass
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
index 1ee2644d5..dbf7a4180 100644
--- a/etc/keepass2.profile
+++ b/etc/keepass2.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepass2.local
+
 # keepass password manager profile
 include /etc/firejail/keepass.profile
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index bb74bb629..379b8a668 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepassx.local
+
 # keepassx password manager profile
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
@@ -10,14 +14,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
+tracelog
 
+private-bin keepassx
+private-etc fonts
+private-dev
 private-tmp
-private-dev 
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index bb74bb629..a21caf3f1 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepassx2.local
+
 # keepassx password manager profile
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
@@ -10,14 +14,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 
+private-bin keepassx2
+private-etc fonts
+private-dev
 private-tmp
-private-dev 
diff --git a/etc/kino.profile b/etc/kino.profile
new file mode 100644
index 000000000..70269e75a
--- /dev/null
+++ b/etc/kino.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kino.local
+
+################################
+# Generic GUI application profile
+################################
+noblacklist ~/.kinorc
+noblacklist ~/.kino-history
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 410ff36c6..b930f6e48 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kmail.local
+
 # kmail profile
 noblacklist ${HOME}/.gnupg
 
diff --git a/etc/konversation.profile b/etc/konversation.profile
index c00b91c18..0b920bd6a 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/konversation.local
+
 # Firejail konversation profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/less.profile b/etc/less.profile
index c01dfc466..23fbc4ba2 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/less.local
+
 # less profile
 quiet
 ignore noroot
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index d6aceb7a8..685073e7c 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/libreoffice.local
+
 # Firejail profile for LibreOffice
 noblacklist ~/.config/libreoffice
 noblacklist /usr/local/sbin
diff --git a/etc/localc.profile b/etc/localc.profile
index fecd08822..14c34c722 100644
--- a/etc/localc.profile
+++ b/etc/localc.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/localc.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
index fecd08822..5be66c5de 100644
--- a/etc/lodraw.profile
+++ b/etc/lodraw.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lodraw.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/loffice.profile b/etc/loffice.profile
index fecd08822..5f931502c 100644
--- a/etc/loffice.profile
+++ b/etc/loffice.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/loffice.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
index fecd08822..9899ddf58 100644
--- a/etc/lofromtemplate.profile
+++ b/etc/lofromtemplate.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lofromtemplate.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/login.users b/etc/login.users
index bc6ac4b09..81f12c6b1 100644
--- a/etc/login.users
+++ b/etc/login.users
@@ -9,6 +9,12 @@
 #
 #       netblue:--net=none --protocol=unix
 #
+# Wildcard patterns are accepted in the user name field:
+#
+#       user*: --private
+#
+# The example will do --private for user1, user2, and so on.
+#
 # The extra arguments are inserted into program command line if firejail
 # was started as a login shell.
 
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
index fecd08822..4de330d67 100644
--- a/etc/loimpress.profile
+++ b/etc/loimpress.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/loimpress.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 41a662bca..06ed415d6 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lollypop.local
+
 #
 #Profile for lollypop
 #
diff --git a/etc/lomath.profile b/etc/lomath.profile
index fecd08822..cbe13f474 100644
--- a/etc/lomath.profile
+++ b/etc/lomath.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lomath.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/loweb.profile b/etc/loweb.profile
index fecd08822..f5e13db02 100644
--- a/etc/loweb.profile
+++ b/etc/loweb.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/loweb.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
index fecd08822..b6c6ed407 100644
--- a/etc/lowriter.profile
+++ b/etc/lowriter.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lowriter.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index 76e864e0c..1b06b27c3 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/luminance-hdr.local
+
 # luminance-hdr
 noblacklist ${HOME}/.config/Luminance
 include /etc/firejail/disable-common.inc
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index 12765c299..5d76adf4c 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lxterminal.local
+
 # lxterminal (LXDE) profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 3e8d72103..de428c214 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lynx.local
+
 # lynx profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/mathematica.profile b/etc/mathematica.profile
index 9410054ae..c880b1daa 100644
--- a/etc/mathematica.profile
+++ b/etc/mathematica.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mathematica.local
+
 # Mathematica profile
 include /etc/firejail/Mathematica.profile
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index 48b46dba0..87e672501 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mcabber.local
+
 # mcabber profile
 noblacklist ${HOME}/.mcabber
 noblacklist ${HOME}/.mcabberrc
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 65d12c49e..9b4adc26f 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mediainfo.local
+
 # mediainfo profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index 046c45d94..44e5e7417 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/midori.local
+
 # Midori browser profile
 noblacklist ${HOME}/.config/midori
 include /etc/firejail/disable-common.inc
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 80f8de54a..d7a8d37e8 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mpv.local
+
 # mpv media player profile
 noblacklist ${HOME}/.config/mpv
 
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index cc310f294..6b8946be3 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/multimc5.local
+
 #
 #Profile for multimc5
 #
diff --git a/etc/mumble.profile b/etc/mumble.profile
index ddd70822d..d5405a6ae 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mumble.local
+
 # mumble profile
 noblacklist ${HOME}/.config/Mumble
 noblacklist ${HOME}/.local/share/data/Mumble
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 7f9261d8b..712552965 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mupdf.local
+
 # mupdf reader profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index acb13e6b9..80e75e836 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mupen64plus.local
+
 # mupen64plus profile
 # manually whitelist ROM files
 noblacklist ${HOME}/.config/mupen64plus
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 5a714de4a..2f0809f02 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mutt.local
+
 # mutt email client profile
 noblacklist ~/.muttrc
 noblacklist ~/.mutt
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 264ee0b9d..85f9ab7d7 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/nautilus.local
+
 # nautilus profile
 
 # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index 644a1605b..4c10a3e98 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/netsurf.local
+
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.config/netsurf
 noblacklist ~/.cache/netsurf
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index c4e28f70e..3880895f3 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/odt2txt.local
+
 # odt2txt profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/okular.profile b/etc/okular.profile
index 22e223cea..2875d2ef5 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/okular.local
+
 # KDE okular profile
 noblacklist ~/.kde/share/apps/okular
 noblacklist ~/.kde/share/config/okularrc
diff --git a/etc/openbox.profile b/etc/openbox.profile
index f812768a1..7e074f5b5 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/openbox.local
+
 #######################################
 # OpenBox window manager profile
 # - all applications started in OpenBox will run in this profile
diff --git a/etc/openshot.profile b/etc/openshot.profile
index f12bd7d11..25e9a4066 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/openshot.local
+
 # OpenShot profile
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 4cdb0a9eb..dba7cf68c 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/opera-beta.local
+
 # Opera-beta browser profile
 noblacklist ~/.config/opera-beta
 noblacklist ~/.cache/opera-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/opera.profile b/etc/opera.profile
index a337ccc5b..57395ea72 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,7 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/opera.local
+
 # Opera browser profile
 noblacklist ~/.config/opera
 noblacklist ~/.cache/opera
 noblacklist ~/.opera
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 1476369a1..41eef8d91 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/palemoon.local
+
 # Firejail profile for Pale Moon
 noblacklist ~/.moonchild productions/pale moon
 noblacklist ~/.cache/moonchild productions/pale moon
@@ -23,6 +27,7 @@ shell none
 tracelog
 
 private-bin palemoon
+private-opt palemoon
 private-tmp
 
 # These are uncommented in the Firefox profile. If you run into trouble you may
diff --git a/etc/parole.profile b/etc/parole.profile
index 1440a9ef7..58a9f2c6c 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/parole.local
+
 # Profile for Parole, the default XFCE4 media player
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 6e50f37cf..37adabb39 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pdfsam.local
+
 #
 #Profile for pdfsam
 #
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index fe9e9e3cd..ce19f1760 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pdftotext.local
+
 # pdftotext profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 850706145..5c5cb0a5b 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pidgin.local
+
 # Pidgin profile
 noblacklist ${HOME}/.purple
 
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 8270b8bee..500e35989 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pithos.local
+
 #
 #Profile for pithos
 #
diff --git a/etc/pix.profile b/etc/pix.profile
index dc8192b01..c36a5f96e 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pix.local
+
 # Firejail profile for pix
 noblacklist ${HOME}/.config/pix
 noblacklist ${HOME}/.local/share/pix
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 895cc2369..719a26928 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pluma.local
+
 # Firejail profile for Xed
 noblacklist ${HOME}/.config/pluma
 
diff --git a/etc/polari.profile b/etc/polari.profile
index ac9530c40..834a8b3d6 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/polari.local
+
 # Polari IRC profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index e4e69b9f6..45cb22ee4 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/psi-plus.local
+
 # Firejail profile for Psi+
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 89e0e4c78..4a454d2f6 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qbittorrent.local
+
 # qbittorrent bittorrent profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -6,6 +10,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
index f9c8e6345..328f1a30d 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qemu-launcher.local
+
 # qemu-launcher profile
 noblacklist ~/.qemu-launcher
 
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
index 65e1e44ea..16e822901 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qemu-system-x86_64.local
+
 # qemu profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 06c0db206..97f06f848 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qpdfview.local
+
 # qpdfview profile
 noblacklist ${HOME}/.config/qpdfview
 noblacklist ${HOME}/.local/share/qpdfview
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 81d8aa10e..40a959d05 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qtox.local
+
 # qTox instant messaging profile
 noblacklist ${HOME}/.config/tox
 include /etc/firejail/disable-common.inc
diff --git a/etc/quassel.profile b/etc/quassel.profile
index f92dfeb9f..6fd438073 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/quassel.local
+
 # Quassel IRC profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 47ab77675..f4e4f96d3 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/quiterss.local
+
 noblacklist ${HOME}/.cache/QuiteRss
 noblacklist ${HOME}/.config/QuiteRss
 noblacklist ${HOME}/.config/QuiteRssrc
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 387ddeffa..3f5cb60c0 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qupzilla.local
+
 # Firejail profile for Qupzilla web browser
 noblacklist ${HOME}/.config/qupzilla
 noblacklist ${HOME}/.cache/qupzilla
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index dcacd4f29..f43307ef9 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qutebrowser.local
+
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
 noblacklist ~/.config/qutebrowser
 noblacklist ~/.cache/qutebrowser
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 3538f3eb2..0cabca11e 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ranger.local
+
 # ranger file manager profile
 noblacklist /usr/bin/perl
 #noblacklist /usr/bin/cpan*
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index e5e192486..0f7a3fa5b 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/rhythmbox.local
+
 # Rhythmbox media player profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 55bfcd77f..2f8a527cc 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/rtorrent.local
+
 # rtorrent bittorrent profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile
index fff8c1258..ff8936014 100644
--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/seamonkey-bin.local
+
 # Firejail profile for Seamonkey based off Mozilla Firefox
 include /etc/firejail/seamonkey.profile
 
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index 5d817acce..bfcdf5873 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/seamonkey.local
+
 # Firejail profile for Seamoneky based off Mozilla Firefox
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/server.profile b/etc/server.profile
index b8a34feb2..d1d7dffa9 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/server.local
+
 # generic server profile
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 noblacklist /sbin
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 03089482b..ee7e50ba7 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/simple-scan.local
+
 # simple-scan profile
 noblacklist ~/.cache/simple-scan
 
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 667b775c8..b1b4b5a96 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skanlite.local
+
 # skanlite profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/skype.profile b/etc/skype.profile
index 9cbcd5117..169a1dd51 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skype.local
+
 # Skype profile
 noblacklist ${HOME}/.Skype
 include /etc/firejail/disable-common.inc
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 3f0a274f9..d3bbf3e53 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skypeforlinux.local
+
 # skypeforlinux profile
 noblacklist ${HOME}/.config/skypeforlinux
 include /etc/firejail/disable-common.inc
diff --git a/etc/slack.profile b/etc/slack.profile
index a85a28f03..6a2dae253 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/slack.local
+
 # Firejail profile for Slack
 noblacklist ${HOME}/.config/Slack
 noblacklist ${HOME}/Downloads
diff --git a/etc/snap.profile b/etc/snap.profile
index e2ada3a99..085ce8e2a 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/snap.local
+
 ################################
 # Generic Ubuntu snap application profile
 ################################
diff --git a/etc/soffice.profile b/etc/soffice.profile
index fecd08822..737419a8f 100644
--- a/etc/soffice.profile
+++ b/etc/soffice.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/soffice.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 6dbcc03ee..843038a2b 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/spotify.local
+
 # Spotify media player profile
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.cache/spotify
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index bea3a6061..43d9f62fa 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ssh-agent.local
+
 # ssh-agent
 quiet
 noblacklist ~/.ssh
diff --git a/etc/ssh.profile b/etc/ssh.profile
index b7a8ed2b9..b1ef6b27e 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ssh.local
+
 # ssh client
 quiet
 noblacklist ~/.ssh
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index ee19cee25..c13f85a66 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/start-tor-browser.local
+
 # Firejail profile for the Tor Brower Bundle
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +18,7 @@ seccomp
 shell none
 tracelog
 
-private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-etc fonts
 private-dev
 private-tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 5dc5e80ff..b527589de 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/steam.local
+
 # Steam profile (applies to games/apps launched from Steam as well)
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index d57c9e5f7..fc952be34 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/stellarium.local
+
 # Firejail profile for Stellarium.
 noblacklist ~/.stellarium
 noblacklist ~/.config/stellarium
diff --git a/etc/strings.profile b/etc/strings.profile
index 2bbab1366..bfa089bd0 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/strings.local
+
 # strings profile
 quiet
 ignore noroot
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 69b2a0db2..636b09bd0 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/synfigstudio.local
+
 # synfigstudio
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
diff --git a/etc/tar.profile b/etc/tar.profile
index 3addb02fb..0162be718 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/tar.local
+
 # tar profile
 quiet
 ignore noroot
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 7615c8eef..c5e72fe76 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/telegram.local
+
 # Telegram IRC profile
 noblacklist ${HOME}/.TelegramDesktop
 include /etc/firejail/disable-common.inc
diff --git a/etc/thunar.profile b/etc/thunar.profile
new file mode 100644
index 000000000..868f80912
--- /dev/null
+++ b/etc/thunar.profile
@@ -0,0 +1 @@
+include /etc/firejail/Thunar.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 568343ba6..88ab7501e 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/thunderbird.local
+
 # Firejail profile for Mozilla Thunderbird
 # Users have thunderbird set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
diff --git a/etc/totem.profile b/etc/totem.profile
index 252b46979..0b3942cf0 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/totem.local
+
 # Totem media player profile
 noblacklist ~/.config/totem
 noblacklist ~/.local/share/totem
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 7f4f371eb..56528785a 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/tracker.local
+
 # tracker profile
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 6cbc3415c..dbcc8d041 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-cli.local
+
 # transmission-cli bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index fa54ea81b..dcd3317ef 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-gtk.local
+
 # transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 100fadc27..ed63f7cff 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-qt.local
+
 # transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 5e5284b34..0b88789b1 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-show.local
+
 # transmission-show profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 3ba28f772..cc5d4dda5 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uget-gtk.local
+
 # uGet profile
 noblacklist ${HOME}/.config/uGet
 
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 5e2cb5f65..0bd46b7f4 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unbound.local
+
 # security profile for unbound (https://unbound.net)
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -9,5 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
 nosound
+no3d
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
diff --git a/etc/unrar.profile b/etc/unrar.profile
index bde6f4e22..da187bfef 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unrar.local
+
 # unrar profile
 quiet
 ignore noroot
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 8c10d11a0..24767c86f 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unzip.local
+
 # unzip profile
 quiet
 ignore noroot
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index d5b750a13..5f41188af 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,9 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uudeview.local
+
 # uudeview profile
 quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-blacklist /etc
 
 hostname uudeview
 net none
@@ -13,3 +16,4 @@ tracelog
 
 private-bin uudeview
 private-dev
+private-etc ld.so.preload
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
new file mode 100644
index 000000000..ce0b0d0a5
--- /dev/null
+++ b/etc/uzbl-browser.profile
@@ -0,0 +1,33 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uzbl-browser.local
+
+# Firejail profile for uzbl-browser
+
+noblacklist ~/.config/uzbl
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+mkdir ~/.config/uzbl
+whitelist ~/.config/uzbl
+mkdir ~/.local/share/uzbl
+whitelist ~/.local/share/uzbl
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+mkdir ~/.password-store
+whitelist ~/.password-store
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/vim.profile b/etc/vim.profile
index b161fcbb0..e89104e17 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vim.local
+
 # vim profile
 noblacklist ~/.vim
 noblacklist ~/.vimrc
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 1e765b89b..57ead818e 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/virtualbox.local
+
 # virtualbox profile
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile
index 5426c4a2d..3b7c7d2b4 100644
--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vivaldi-beta.local
+
 # Vivaldi Beta browser profile
 include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index b3a096069..0667c4114 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vivaldi.local
+
 # Vivaldi browser profile
 noblacklist ~/.config/vivaldi
 noblacklist ~/.cache/vivaldi
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 2fd763f25..9d1cdb4c8 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vlc.local
+
 # VLC media player profile
 noblacklist ${HOME}/.config/vlc
 
@@ -8,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 7ee91bb70..45546440a 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/w3m.local
+
 # w3m profile
 noblacklist ~/.w3m
 
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 7c7efade8..702097d98 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/warzone2100.local
+
 # Firejail profile for warzone2100
 # Currently supports warzone2100-3.1
 noblacklist ~/.warzone2100-3.1
diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile
index 4a92f0b34..345196dfb 100644
--- a/etc/weechat-curses.profile
+++ b/etc/weechat-curses.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/weechat-curses.local
+
 # Weechat IRC profile (Debian)
 include /etc/firejail/weechat.profile
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 410061278..870e02677 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/weechat.local
+
 # Weechat IRC profile
 noblacklist ${HOME}/.weechat
 include /etc/firejail/disable-common.inc
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index bb489ddeb..212466f5a 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wesnoth.local
+
 # Whitelist-based profile for "Battle for Wesnoth" (game).
 noblacklist ${HOME}/.config/wesnoth
 noblacklist ${HOME}/.cache/wesnoth
diff --git a/etc/wget.profile b/etc/wget.profile
index ff4b92bae..cd156a376 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wget.local
+
 # wget profile
 quiet
 include /etc/firejail/disable-common.inc
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index d4e69948e..cf7797100 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/whitelist-common.local
+
 # common whitelist for all profiles
 
 whitelist ~/.XCompose
diff --git a/etc/wine.profile b/etc/wine.profile
index 18e5346af..c732d6edf 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wine.local
+
 # wine profile
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam
diff --git a/etc/wire.profile b/etc/wire.profile
index ec8ed8771..79ac893a9 100644
--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wire.local
+
 # wire messenger profile
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 898fc787e..90909edf1 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wireshark.local
+
 # Firejail profile for 
 noblacklist ${HOME}/.config/wireshark
 
@@ -6,17 +10,21 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-caps.drop all
+# 
+# The profile allows users to run wireshark as root
+#
+#caps.drop all
+#noroot 
+#protocol unix,inet,inet6,netlink
+
 netfilter
 nogroups
 nonewprivs
-noroot
 nosound
-protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 
-private-bin wireshark
+#private-bin wireshark
 private-dev
 private-tmp
diff --git a/etc/xchat.profile b/etc/xchat.profile
index 1f2865cab..0571746b3 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xchat.local
+
 # XChat IRC profile
 noblacklist ${HOME}/.config/xchat
 
diff --git a/etc/xed.profile b/etc/xed.profile
index 051710a70..c8076923a 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xed.local
+
 # Firejail profile for Xed
 noblacklist ${HOME}/.config/xed
 
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 1dd24aa61..a05d844d0 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xfburn.local
+
 # xfburn profile
 noblacklist ~/.config/xfburn
 
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index b7fb6ecf3..7522c00d7 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xiphos.local
+
 # Firejail profile for xiphos
 noblacklist ~/.sword
 noblacklist ~/.xiphos
diff --git a/etc/xmms.profile b/etc/xmms.profile
new file mode 100644
index 000000000..b33727c2c
--- /dev/null
+++ b/etc/xmms.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xmms.local
+
+# Firejail profile for XMMS
+noblacklist ${HOME}/.xmms
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+no3d
+
+private-bin xmms
+private-dev
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile
index b255ffdbb..2f57340de 100644
--- a/etc/xonotic-glx.profile
+++ b/etc/xonotic-glx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic-glx.local
+
 #
 #Profile for xonotic:xonotic-glx
 #
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
index 783667304..9af845958 100644
--- a/etc/xonotic-sdl.profile
+++ b/etc/xonotic-sdl.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic-sdl.local
+
 #
 #Profile for xonotic:xonotic-sdl
 #
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 75d649619..f2690c6c3 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic.local
+
 #
 #Profile for xonotic
 #
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 7ea368bbe..b77bc76ac 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xpdf.local
+
 ################################
 # xpdf application profile
 ################################
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 191d2f67f..d5b80fbc0 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xplayer.local
+
 # Xplayer profile
 noblacklist ~/.config/xplayer
 noblacklist ~/.local/share/xplayer
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 32be90b19..d0fff2ebf 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xpra.local
+
 # xpra profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xreader.profile b/etc/xreader.profile
index d2a000bd0..2e6015aef 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xreader.local
+
 # Xreader profile
 noblacklist ~/.config/xreader
 noblacklist ~/.cache/xreader
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index ca380b4c7..d784ddfb3 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xviewer.local
+
 # xviewer profile
 noblacklist ~/.config/xviewer
 
diff --git a/etc/xz.profile b/etc/xz.profile
index 5b29f7338..2f7d9cae5 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xz.local
+
 # xz profile
 quiet
 include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 6164e3200..e938b81ec 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xzdec.local
+
 # xzdec profile
 quiet
 ignore noroot
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 6c93a2480..f75541dad 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/zathura.local
+
 # zathura document viewer profile
 noblacklist ~/.config/zathura
 noblacklist ~/.local/share/zathura
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 4c08868cf..809356d95 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/zoom.local
+
 # Firejail profile for zoom.us
 noblacklist ~/.config/zoomus.conf
 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 9afe42be8..edaf1781b 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -240,3 +240,12 @@
 /etc/firejail/xonotic.profile
 /etc/firejail/VirtualBox.profile
 /etc/firejail/qupzilla.profile
+/etc/firejail/FossaMail.profile
+/etc/firejail/fossamail.profile
+/etc/firejail/uzbl-browser.profile
+/etc/firejail/xmms.profile
+/etc/firejail/iridium-browser.profile
+/etc/firejail/iridium.profile
+/etc/firejail/kino.profile
+/etc/firejail/Thunar.profile
+/etc/firejail/thunar.profile
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
index 017d5e1c3..6c8a4c240 100755
--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -24,7 +24,6 @@ install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/
 install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libconnect.so  firejail-$VERSION/usr/lib/firejail/.
 
 mkdir -p firejail-$VERSION/usr/share/man/man1
 install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
@@ -436,7 +435,6 @@ rm -rf %{buildroot}
 
 /usr/lib/firejail/libtrace.so
 /usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/libconnect.so
 /usr/lib/firejail/faudit
 /usr/lib/firejail/ftee
 /usr/lib/firejail/firecfg.config
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index d3dcd57d0..0f71c74dc 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -23,6 +23,10 @@ _firejail()
             _filedir
             return 0
             ;;
+        --hosts-file)
+            _filedir
+            return 0
+            ;;
         --chroot)
             _filedir -d
             return 0
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
index d4a62b34f..b200c6792 100644
--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index d92660536..1b1fbb817 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
index 92f615958..74adbca9c 100644
--- a/src/faudit/dev.c
+++ b/src/faudit/dev.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 17c754c3b..16a13d0ff 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/files.c b/src/faudit/files.c
index 67b43f22b..46256f5f0 100644
--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 7f47ccaf0..2572bf332 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/network.c b/src/faudit/network.c
index cf1eede69..67c11e835 100644
--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 84b23fe0a..34f6d1691 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
index 7b2999467..fe814598b 100644
--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 4cd2526ba..40b1ecc84 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
index 43f40f4e9..4cf1511a5 100644
--- a/src/faudit/x11.c
+++ b/src/faudit/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index b1e2813db..9f19b6dd8 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -21,6 +21,9 @@
 #include "../include/common.h"
 #include <fcntl.h>
 #include <ftw.h>
+#include <errno.h>
+
+static int arg_follow_link = 0;
 
 
 #define COPY_LIMIT (500 * 1024 *1024)
@@ -34,245 +37,244 @@ static char *inpath = NULL;
 
 // modified version of the function from util.c
 static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) {
-        assert(srcname);
-        assert(destname);
-        mode &= 07777;
-        
-        // open source
-        int src = open(srcname, O_RDONLY);
-        if (src < 0) {
-                fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
-                return;
-        }
-
-        // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755);
-        if (dst < 0) {
-                fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname);
-                close(src);
-                return;
-        }
-
-        // copy
-        ssize_t len;
-        static const int BUFLEN = 1024;
-        unsigned char buf[BUFLEN];
-        while ((len = read(src, buf, BUFLEN)) > 0) {
-                int done = 0;
-                while (done != len) {
-                        int rv = write(dst, buf + done, len - done);
-                        if (rv == -1)
-                                goto errexit;
-                        done += rv;
-                }
-        }
-        fflush(0);
-
-        if (fchown(dst, uid, gid) == -1)
-                goto errexit;
-        if (fchmod(dst, mode) == -1)
-                goto errexit;
-
-        close(src);
-        close(dst);
-
-        return;
+        assert(srcname);
+        assert(destname);
+        mode &= 07777;
+
+        // open source
+        int src = open(srcname, O_RDONLY);
+        if (src < 0) {
+                fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", srcname);
+                return;
+        }
+
+        // open destination
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755);
+        if (dst < 0) {
+                fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname);
+                close(src);
+                return;
+        }
+
+        // copy
+        ssize_t len;
+        static const int BUFLEN = 1024;
+        unsigned char buf[BUFLEN];
+        while ((len = read(src, buf, BUFLEN)) > 0) {
+                int done = 0;
+                while (done != len) {
+                        int rv = write(dst, buf + done, len - done);
+                        if (rv == -1)
+                                goto errexit;
+                        done += rv;
+                }
+        }
+        fflush(0);
+
+        if (fchown(dst, uid, gid) == -1)
+                goto errexit;
+        if (fchmod(dst, mode) == -1)
+                goto errexit;
+
+        close(src);
+        close(dst);
+
+        return;
 
 errexit:
-        close(src);
-        close(dst);
-        unlink(destname);
-        fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname);
+        close(src);
+        close(dst);
+        unlink(destname);
+        fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname);
 }
 
 
 
 // modified version of the function in firejail/util.c
 static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
-        assert(fname);
-        mode &= 07777;
-
-        if (mkdir(fname, mode) == -1 ||
-            chmod(fname, mode) == -1) {
-                fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname);
-                errExit("mkdir/chmod");
-        }
-        if (chown(fname, uid, gid))
-                fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname);
+        assert(fname);
+        mode &= 07777;
+
+        if (mkdir(fname, mode) == -1 ||
+            chmod(fname, mode) == -1) {
+                fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname);
+                errExit("mkdir/chmod");
+        }
+        if (chown(fname, uid, gid))
+                fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname);
 }
 
 void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
-        (void) mode;
-        (void) uid;
-        (void) gid;
-        char *rp = realpath(target, NULL);
-        if (rp) {
-                if (symlink(rp, linkpath) == -1)
-                        goto errout;
-                free(rp);
-        }
-        else
-                goto errout;
-
-        return;
+        (void) mode;
+        (void) uid;
+        (void) gid;
+        char *rp = realpath(target, NULL);
+        if (rp) {
+                if (symlink(rp, linkpath) == -1)
+                        goto errout;
+                free(rp);
+        }
+        else
+                goto errout;
+
+        return;
 errout:
-        fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target);
+        fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target);
 }
 
 static int first = 1;
 static int fs_copydir(const char *infname, const struct stat *st, int ftype, struct FTW *sftw) {
-        (void) st;
-        (void) sftw;
-        assert(infname);
-        assert(*infname != '\0');
-        assert(outpath);
-        assert(*outpath != '\0');
-        assert(inpath);
-        
-        // check size limit
-        if (size_limit_reached)
-                return 0;
-
-
-        char *outfname;
-        if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1)
-                errExit("asprintf");
-
-//printf("outpaht %s\n", outpath);
-//printf("inpath %s\n", inpath);
-//printf("infname %s\n", infname);
-//printf("outfname %s\n\n", outfname);
-
-        // don't copy it if we already have the file
-        struct stat s;
-        if (stat(outfname, &s) == 0) {
-                if (first)
-                        first = 0;
-                else    
-                        fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname);
-                free(outfname);
-                return 0;
-        }
-        
-        // extract mode and ownership
-        if (stat(infname, &s) != 0) {
-                fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
-                free(outfname);
-                return 0;
-        }
-        uid_t uid = s.st_uid;
-        gid_t gid = s.st_gid;
-        mode_t mode = s.st_mode;
-
-        // recalculate size
-        if ((s.st_size + size_cnt) > COPY_LIMIT) {
-                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024);
-                size_limit_reached = 1;
-                free(outfname);
-                return 0;
-        }
-
-        file_cnt++;
-        size_cnt += s.st_size;
-
-        if(ftype == FTW_F) {
-                copy_file(infname, outfname, mode, uid, gid);
-        }
-        else if (ftype == FTW_D) {
-                mkdir_attr(outfname, mode, uid, gid);
-        }               
-        else if (ftype == FTW_SL) {
-                copy_link(infname, outfname, mode, uid, gid);
-        }               
-
-        return(0);
+        (void) st;
+        (void) sftw;
+        assert(infname);
+        assert(*infname != '\0');
+        assert(outpath);
+        assert(*outpath != '\0');
+        assert(inpath);
+
+        // check size limit
+        if (size_limit_reached)
+                return 0;
+
+
+        char *outfname;
+        if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1)
+                errExit("asprintf");
+
+        // don't copy it if we already have the file
+        struct stat s;
+        if (stat(outfname, &s) == 0) {
+                if (first)
+                        first = 0;
+                else
+                        fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname);
+                free(outfname);
+                return 0;
+        }
+
+        // extract mode and ownership
+        if (stat(infname, &s) != 0) {
+                fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
+                free(outfname);
+                return 0;
+        }
+        uid_t uid = s.st_uid;
+        gid_t gid = s.st_gid;
+        mode_t mode = s.st_mode;
+
+        // recalculate size
+        if ((s.st_size + size_cnt) > COPY_LIMIT) {
+                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024);
+                size_limit_reached = 1;
+                free(outfname);
+                return 0;
+        }
+
+        file_cnt++;
+        size_cnt += s.st_size;
+
+        if(ftype == FTW_F) {
+                copy_file(infname, outfname, mode, uid, gid);
+        }
+        else if (ftype == FTW_D) {
+                mkdir_attr(outfname, mode, uid, gid);
+        }
+        else if (ftype == FTW_SL) {
+                copy_link(infname, outfname, mode, uid, gid);
+        }
+
+        return(0);
 }
 
 static char *check(const char *src) {
-        struct stat s;
-        char *rsrc = realpath(src, NULL);
-        if (!rsrc || stat(rsrc, &s) == -1)
-                goto errexit;
-
-        // check uid
-        if (s.st_uid != getuid() || s.st_gid != getgid())
-                goto errexit;
-
-        // dir, link, regular file
-        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
-                return rsrc;                      // normal exit from the function
-        
+        struct stat s;
+        char *rsrc = realpath(src, NULL);
+        if (!rsrc || stat(rsrc, &s) == -1)
+                goto errexit;
+
+        // check uid
+        if (s.st_uid != getuid() || s.st_gid != getgid())
+                goto errexit;
+
+        // dir, link, regular file
+        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
+                return rsrc;                      // normal exit from the function
+
 errexit:
-        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
-        exit(1);
+        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
+        exit(1);
 }
 
 static void duplicate_dir(const char *src, const char *dest, struct stat *s) {
-        (void) s;
-        char *rsrc = check(src);
-        char *rdest = check(dest);
-        inpath = rsrc;
-        outpath = rdest;
-        
-        // walk
-        if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) {
-                fprintf(stderr, "Error: unable to copy file\n");
-                exit(1);
-        }
-
-        free(rsrc);
-        free(rdest);
+        (void) s;
+        char *rsrc = check(src);
+        char *rdest = check(dest);
+        inpath = rsrc;
+        outpath = rdest;
+
+        // walk
+        if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) {
+                fprintf(stderr, "Error: unable to copy file\n");
+                exit(1);
+        }
+
+        free(rsrc);
+        free(rdest);
 }
 
 static void duplicate_file(const char *src, const char *dest, struct stat *s) {
-        char *rsrc = check(src);
-        char *rdest = check(dest);
-        uid_t uid = s->st_uid;
-        gid_t gid = s->st_gid;
-        mode_t mode = s->st_mode;
-        
-        // build destination file name
-        char *name;
-        char *ptr = strrchr(rsrc, '/');
-        ptr++;
-        if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
-                errExit("asprintf");
-        
-        // copy
-        copy_file(rsrc, name, mode, uid, gid);
-
-        free(name);
-        free(rsrc);
-        free(rdest);
+        char *rsrc = check(src);
+        char *rdest = check(dest);
+        uid_t uid = s->st_uid;
+        gid_t gid = s->st_gid;
+        mode_t mode = s->st_mode;
+
+        // build destination file name
+        char *name;
+        char *ptr = (arg_follow_link)? strrchr(src, '/'): strrchr(rsrc, '/');
+        ptr++;
+        if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
+                errExit("asprintf");
+
+        // copy
+        copy_file(rsrc, name, mode, uid, gid);
+
+        free(name);
+        free(rsrc);
+        free(rdest);
 }
 
 static void duplicate_link(const char *src, const char *dest, struct stat *s) {
-        char *rsrc = check(src); // we drop the result and use the original name
-        char *rdest = check(dest);
-        uid_t uid = s->st_uid;
-        gid_t gid = s->st_gid;
-        mode_t mode = s->st_mode;
-        
-        // build destination file name
-        char *name;
-//      char *ptr = strrchr(rsrc, '/');
-        char *ptr = strrchr(src, '/');
-        ptr++;
-        if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
-                errExit("asprintf");
-        
-        // copy
-        copy_link(rsrc, name, mode, uid, gid);
-
-        free(name);
-        free(rsrc);
-        free(rdest);
+        char *rsrc = check(src); // we drop the result and use the original name
+        char *rdest = check(dest);
+        uid_t uid = s->st_uid;
+        gid_t gid = s->st_gid;
+        mode_t mode = s->st_mode;
+
+        // build destination file name
+        char *name;
+//     char *ptr = strrchr(rsrc, '/');
+        char *ptr = strrchr(src, '/');
+        ptr++;
+        if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
+                errExit("asprintf");
+
+        // copy
+        copy_link(rsrc, name, mode, uid, gid);
+
+        free(name);
+        free(rsrc);
+        free(rdest);
 }
 
 static void usage(void) {
-        printf("Usage: fcopy src dest\n");
-        printf("Copy src file in dest directory. If src is a directory, copy all the files in\n");
-        printf("src recoursively. If the destination directory does not exist, it will be created.\n");
+        fputs("Usage: fcopy [--follow-link] src dest\n"
+              "\n"
+              "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n"
+              "If SRC is a directory it is copied recursively.  If it is a symlink,\n"
+              "the link itself is duplicated, unless --follow-link is given,\n"
+              "in which case the destination of the link is copied.\n"
+              "DEST must already exist and must be a directory.\n", stderr);
 }
 
 int main(int argc, char **argv) {
@@ -285,56 +287,70 @@ for (i = 0; i < argc; i++)
 printf("\n");
 }
 #endif  
-        if (argc != 3) {
-                fprintf(stderr, "Error fcopy: files missing\n");
-                usage();
-                exit(1);
-        }
-        
-        // check the two files; remove ending /
-        char *src = argv[1];
-        int len = strlen(src);
-        if (src[len - 1] == '/')
-                src[len - 1] = '\0';
-        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) {
-                fprintf(stderr, "Error fcopy: invalid file name %s\n", src);
-                exit(1);
-        }
-        
-        char *dest = argv[2];
-        len = strlen(dest);
-        if (dest[len - 1] == '/')
-                dest[len - 1] = '\0';
-        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) {
-                fprintf(stderr, "Error fcopy: invalid file name %s\n", dest);
-                exit(1);
-        }
-        
-
-        // the destination should be a directory; 
-        struct stat s;
-        if (stat(dest, &s) == -1 ||
-            !S_ISDIR(s.st_mode)) {
-                fprintf(stderr, "Error fcopy: invalid destination directory\n");
-                exit(1);
-        }
-        
-        // copy files
-        if (lstat(src, &s) == -1) {
-                fprintf(stderr, "Error fcopy: cannot find source file\n");
-                exit(1);
-        }
-
-        if (S_ISDIR(s.st_mode))
-                duplicate_dir(src, dest, &s);
-        else if (S_ISREG(s.st_mode))
-                duplicate_file(src, dest, &s);
-        else if (S_ISLNK(s.st_mode))
-                duplicate_link(src, dest, &s);
-        else {
-                fprintf(stderr, "Error fcopy: source file unsupported\n");
-                exit(1);
-        }
-                
-        return 0;
+        char *src;
+        char *dest;
+
+        if (argc == 3) {
+                src = argv[1];
+                dest = argv[2];
+                arg_follow_link = 0;
+        }
+        else if (argc == 4 && !strcmp(argv[1], "--follow-link")) {
+                src = argv[2];
+                dest = argv[3];
+                arg_follow_link = 1;
+        }
+        else {
+                    fprintf(stderr, "Error: arguments missing\n");
+                usage();
+                exit(1);
+        }
+
+        // check the two files; remove ending /
+        int len = strlen(src);
+        if (src[len - 1] == '/')
+                src[len - 1] = '\0';
+        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) {
+                fprintf(stderr, "Error fcopy: invalid source file name %s\n", src);
+                exit(1);
+        }
+
+        len = strlen(dest);
+        if (dest[len - 1] == '/')
+                dest[len - 1] = '\0';
+        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) {
+                fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest);
+                exit(1);
+        }
+
+
+        // the destination should be a directory;
+        struct stat s;
+        if (stat(dest, &s) == -1) {
+                fprintf(stderr, "Error fcopy: dest dir %s: %s\n", dest, strerror(errno));
+                exit(1);
+        }
+        if (!S_ISDIR(s.st_mode)) {
+                fprintf(stderr, "Error fcopy: dest %s is not a directory\n", dest);
+                exit(1);
+        }
+
+        // copy files
+        if ((arg_follow_link ? stat : lstat)(src, &s) == -1) {
+                fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno));
+                exit(1);
+        }
+
+        if (S_ISDIR(s.st_mode))
+                duplicate_dir(src, dest, &s);
+        else if (S_ISREG(s.st_mode))
+                duplicate_file(src, dest, &s);
+        else if (S_ISLNK(s.st_mode))
+                duplicate_link(src, dest, &s);
+        else {
+                fprintf(stderr, "Error fcopy: src %s is an unsupported type of file\n", src);
+                exit(1);
+        }
+
+        return 0;
 }
diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh
new file mode 100755
index 000000000..1f710c688
--- /dev/null
+++ b/src/fgit/fgit-install.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e          # exit immediately if one of the commands fails
+cd /tmp         # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --enable-git-install
+make
+sudo make install-strip
+echo "**********************************************************************"
+echo "Mainline git Firejail version was installed in /usr/local."
+echo "If you want to remove it, run"
+echo
+echo "           firejail --git-uninstall"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail
diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh
new file mode 100644
index 000000000..bc7cc9563
--- /dev/null
+++ b/src/fgit/fgit-uninstall.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e          # exit immediately if one of the commands fails
+cd /tmp         # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --enable-git-install
+sudo make uninstall
+echo "**********************************************************************"
+echo "Firejail mainline git version uninstalled from /usr/local"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index fe65a5077..7c959cd04 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -80,7 +80,7 @@ xchat
 
 # dns
 dnscrypt-proxy
-dnsmaq
+dnsmasq
 unbound
 
 # emulators/compatibility layers
@@ -135,6 +135,7 @@ spotify
 totem
 vlc
 xfburn
+xmms
 xplayer
 xviewer
 eom
@@ -184,14 +185,14 @@ eog
 # other
 atom
 atom-beta
-gpa
-gpg
 ranger
 keepass
 keepass2
 keepassx
 keepassx2
 pluma
+Thunar
+thunar
 tracker
 wireshark
 xiphos
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 15ee78384..054df9e09 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 6e5071925..80f35ff4d 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 0d1f8cb4d..4cc5cc180 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
index 3f5c3150c..1632440ed 100644
--- a/src/firejail/appimage_size.c
+++ b/src/firejail/appimage_size.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index ddb75905f..55ffbb301 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 5e9002f22..998fe5ffe 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -435,15 +435,8 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
         if (setregid(0, 0))
                 errExit("setregid");
 
-        if (!cfg.shell)
-                cfg.shell = guess_shell();
-        if (!cfg.shell) {
-                fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
-                exit(1);
-        }
-
         char *arg[4];
-        arg[0] = cfg.shell;
+        arg[0] = "/bin/sh";
         arg[1] = "-c";
         arg[2] = cmd;
         arg[3] = NULL;
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 6cfa36629..521187e3a 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016Firejail Authors
+ * Copyright (C) 2014-2017Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index d9c7af9cf..143180bfb 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index c3eedc510..dff892ea3 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -124,12 +124,21 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        // follow symlink as user
+                        else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) {
+                                if (strcmp(ptr + 23, "yes") == 0)
+                                        cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1;
+                                else if (strcmp(ptr + 23, "no") == 0)
+                                        cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0;
+                                else
+                                        goto errout;
+                        }
                         // nonewprivs
                         else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                 if (strcmp(ptr + 17, "yes") == 0)
-                                        cfg_val[CFG_SECCOMP] = 1;
+                                        cfg_val[CFG_FORCE_NONEWPRIVS] = 1;
                                 else if (strcmp(ptr + 17, "no") == 0)
-                                        cfg_val[CFG_SECCOMP] = 0;
+                                        cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
                                 else
                                         goto errout;
                         }
@@ -351,6 +360,13 @@ void print_compiletime_support(void) {
 #endif
                 );
 
+        printf("\t- git install support is %s\n",
+#ifdef HAVE_GIT_INSTALL
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
 
 #ifdef HAVE_NETWORK_RESTRICTED
         printf("\t- networking features are available only to root user\n");
@@ -395,4 +411,5 @@ void print_compiletime_support(void) {
                 "disabled"
 #endif
                 );
+                
 }
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index a17758f8b..60301ed58 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 7f53fed0f..7a3e056c1 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 783f019a6..c54b429c3 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 36cf47435..fbf83abb3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -105,7 +105,7 @@
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
         do { \
                 struct stat s;\
-                if (stat(fd, &s) == -1) errExit("stat");\
+                if (fstat(fd, &s) == -1) errExit("fstat");\
                 assert(s.st_uid == uid);\
                 assert(s.st_gid == gid);\
                 assert((s.st_mode & 07777) == (mode));\
@@ -213,6 +213,7 @@ typedef struct config_t {
         // networking
         char *name;             // sandbox name
         char *hostname; // host name
+        char *hosts_file;               // hosts file to be installed in the sandbox
         uint32_t defaultgw;     // default gateway
         Bridge bridge0;
         Bridge bridge1;
@@ -317,6 +318,7 @@ extern int arg_netfilter;	// enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
 extern char *arg_netfilter_file;        // netfilter file
 extern char *arg_netfilter6_file;       // netfilter file
+extern char *arg_netns;         // "ip netns"-created network namespace to use
 extern int arg_doubledash;      // double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
@@ -336,6 +338,7 @@ extern int arg_nice;		// nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_writable_var;    // writable var
+extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
 extern int arg_audit;           // audit
 extern char *arg_audit_prog;    // audit
@@ -403,7 +406,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
-int fs_check_chroot_dir(const char *rootdir);
+void fs_check_chroot_dir(const char *rootdir);
 
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -450,6 +453,9 @@ void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *line_remove_spaces(const char *buf);
@@ -534,6 +540,9 @@ void fs_trace(void);
 // fs_hostname.c
 void fs_hostname(const char *hostname);
 void fs_resolvconf(void);
+char *fs_check_hosts_fiile(const char *fname);
+void fs_store_hosts_file(void);
+void fs_mount_hosts_file(void);
 
 // rlimit.c
 void set_rlimits(void);
@@ -558,6 +567,11 @@ void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
 
+// netns.c
+void check_netns(const char *nsname);
+void netns(const char *nsname);
+void netns_mounts(const char *nsname);
+
 // bandwidth.c
 void bandwidth_del_run_file(pid_t pid);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
@@ -622,6 +636,8 @@ void run_symlink(int argc, char **argv);
 
 // paths.c
 char **build_paths(void);
+unsigned int count_paths(void);
+int program_in_path(const char *program);
 
 // fs_mkdir.c
 void fs_mkdir(const char *name);
@@ -664,6 +680,7 @@ enum {
         CFG_PRIVATE_HOME,
         CFG_PRIVATE_BIN_NO_LOCAL,
         CFG_FIREJAIL_PROMPT,
+        CFG_FOLLOW_SYMLINK_AS_USER,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -706,5 +723,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 int sbox_run(unsigned filter, int num, ...);
 
 
+// git.c
+void git_install();
+void git_uninstall();
+
 #endif
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e2fc09533..c386f70cf 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
+#include <sys/wait.h>
 #include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
@@ -288,26 +289,35 @@ void fs_blacklist(void) {
 
                 // Process noblacklist command
                 if (strncmp(entry->data, "noblacklist ", 12) == 0) {
-                        char **paths = build_paths();
-
-                        char *enames[sizeof(paths)+1] = {0};
-                        int i = 0;
+                        char **enames;
+                        int i;
 
                         if (strncmp(entry->data + 12, "${PATH}", 7) == 0) {
                                 // expand ${PATH} macro
-                                while (paths[i] != NULL) {
-                                        if (asprintf(&enames[i], "%s%s", paths[i], entry->data + 19) == -1)
+                                char **paths = build_paths();
+                                unsigned int npaths = count_paths();
+                                enames = calloc(npaths, sizeof(char *));
+                                if (!enames)
+                                        errExit("calloc");
+
+                                for (i = 0; paths[i]; i++) {
+                                        if (asprintf(&enames[i], "%s%s", paths[i],
+                                                entry->data + 19) == -1)
                                                 errExit("asprintf");
-                                        i++;
                                 }
-                        } else {
+                                assert(enames[npaths-1] == 0);
+
+                        }
+                        else {
                                 // expand ${HOME} macro if found or pass as is
+                                enames = calloc(2, sizeof(char *));
+                                if (!enames)
+                                        errExit("calloc");
                                 enames[0] = expand_home(entry->data + 12, homedir);
-                                enames[1] = NULL;
+                                assert(enames[1] == 0);
                         }
 
-                        i = 0;
-                        while (enames[i] != NULL) {
+                        for (i = 0; enames[i]; i++) {
                                 if (noblacklist_c >= noblacklist_m) {
                                         noblacklist_m *= 2;
                                         noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m);
@@ -315,12 +325,9 @@ void fs_blacklist(void) {
                                                 errExit("failed increasing memory for noblacklist entries");
                                 }
                                 noblacklist[noblacklist_c++] = enames[i];
-                                i++;
                         }
 
-                        while (enames[i] != NULL) {
-                                free(enames[i]);
-                        }
+                        free(enames);
 
                         entry = entry->next;
                         continue;
@@ -571,58 +578,6 @@ void fs_proc_sys_dev_boot(void) {
         }
         free(fname);
         
-// todo: investigate
-#if 0
-        // breaks too many applications, option needed
-        /* // disable /run/user/{uid}/bus */
-        /* char *fnamebus; */
-        /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamebus, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamebus); */
-        /* free(fnamebus); */
-
-        // WARNING: not working
-        // disable /run/user/{uid}/kdeinit*
-        //char *fnamekde;
-        //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
-        //    errExit("asprintf");
-        //if (stat(fnamekde, &s) == 0)
-        //    disable_file(BLACKLIST_FILE, fnamekde);
-        //free(fnamekde);
-        
-        
-        // disable /run/user/{uid}/pulse
-        /* char *fnamepulse; */
-        /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamepulse, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamepulse); */
-        /* free(fnamepulse); */
-
-        // disable /run/user/{uid}/dconf
-        /* char *fnamedconf; */
-        /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamedconf, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamedconf); */
-        /* free(fnamedconf); */
-
-
-        // dirs in /run/user/{uid}/
-        // using gnome:
-        // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
-
-        // using kde:
-        // kdeinit__0, ...
-                
-        // more files with sockets to be blacklisted
-        // /run/dbus /run/systemd /run/udev /run/lvm
-
-        // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
-        
-#endif
-
         if (getuid() != 0) {
                 // disable /dev/kmsg and /proc/kmsg
                 disable_file(BLACKLIST_FILE, "/dev/kmsg");
@@ -681,11 +636,13 @@ void fs_basic_fs(void) {
         fs_rdonly("/usr");
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
-//      if (!arg_private_dev)
-//              fs_dev_shm();
         fs_var_lock();
         fs_var_tmp();
-        fs_var_log();
+        if (!arg_writable_var_log)
+                fs_var_log();
+        else
+                fs_rdwr("/var/log");
+        
         fs_var_lib();
         fs_var_cache();
         fs_var_utmp();
@@ -711,10 +668,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
         // create ~/.firejail directory
         if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                 errExit("asprintf");
+                
+        if (is_link(dirname)) {
+                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                exit(1);
+        }
         if (stat(dirname, &s) == -1) {
-                mkdir_attr(dirname, 0700, 0, 0);
+                // create directory
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        // create directory
+                        if (mkdir(dirname, 0700))
+                                errExit("mkdir");
+                        if (chmod(dirname, 0700) == -1)
+                                errExit("chmod");
+                        ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+                        exit(1);
+                }
         }
-        else if (is_link(dirname)) {
+        else if (s.st_uid != getuid()) {
                 fprintf(stderr, "Error: invalid ~/.firejail directory\n");
                 exit(1);
         }
@@ -969,7 +952,11 @@ void fs_overlayfs(void) {
 //              fs_dev_shm();
         fs_var_lock();
         fs_var_tmp();
-        fs_var_log();
+        if (!arg_writable_var_log)
+                fs_var_log();
+        else
+                fs_rdwr("/var/log");
+                
         fs_var_lib();
         fs_var_cache();
         fs_var_utmp();
@@ -994,20 +981,25 @@ void fs_overlayfs(void) {
 
 #ifdef HAVE_CHROOT              
 // return 1 if error
-int fs_check_chroot_dir(const char *rootdir) {
+void fs_check_chroot_dir(const char *rootdir) {
         EUID_ASSERT();
         assert(rootdir);
         struct stat s;
         char *name;
 
+        if (strcmp(rootdir, "/tmp") == 0 || strcmp(rootdir, "/var/tmp") == 0) {
+                fprintf(stderr, "Error: invalid chroot directory\n");
+                exit(1);
+        }
+
         // rootdir has to be owned by root
         if (stat(rootdir, &s) != 0) {
                 fprintf(stderr, "Error: cannot find chroot directory\n");
-                return 1;
+                exit(1);
         }
         if (s.st_uid != 0) {
                 fprintf(stderr, "Error: chroot directory should be owned by root\n");
-                return 1;
+                exit(1);
         }
 
         // check /dev
@@ -1015,7 +1007,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /dev in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /dev directory should be owned by root\n");
+                exit(1);
         }
         free(name);
 
@@ -1024,7 +1020,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /var/tmp in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /var/tmp directory should be owned by root\n");
+                exit(1);
         }
         free(name);
         
@@ -1033,7 +1033,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /proc in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /proc directory should be owned by root\n");
+                exit(1);
         }
         free(name);
         
@@ -1042,18 +1046,41 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /tmp in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /tmp directory should be owned by root\n");
+                exit(1);
+        }
+        free(name);
+
+        // check /etc
+        if (asprintf(&name, "%s/etc", rootdir) == -1)
+                errExit("asprintf");
+        if (stat(name, &s) == -1) {
+                fprintf(stderr, "Error: cannot find /etc in chroot directory\n");
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /etc directory should be owned by root\n");
+                exit(1);
         }
         free(name);
 
-        // check /bin/bash
-//      if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
-//              errExit("asprintf");
-//      if (stat(name, &s) == -1) {
-//              fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n");
-//              return 1;
-//      }
-//      free(name);
+        // check /etc/resolv.conf
+        if (asprintf(&name, "%s/etc/resolv.conf", rootdir) == -1)
+                errExit("asprintf");
+        if (stat(name, &s) == 0) {
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: chroot /etc/resolv.conf should be owned by root\n");
+                        exit(1);
+                }
+        }
+        if (is_link(name)) {
+                fprintf(stderr, "Error: invalid %s file\n", name);
+                exit(1);
+        }
+        free(name);
 
         // check x11 socket directory
         if (getenv("FIREJAIL_X11")) {
@@ -1063,12 +1090,14 @@ int fs_check_chroot_dir(const char *rootdir) {
                         errExit("asprintf");
                 if (stat(name, &s) == -1) {
                         fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n");
-                        return 1;
+                        exit(1);
+                }
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: chroot /tmp/.X11-unix directory should be owned by root\n");
+                        exit(1);
                 }
                 free(name);
         }
-        
-        return 0;       
 }
 
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
@@ -1099,10 +1128,16 @@ void fs_chroot(const char *rootdir) {
                         free(newx11);
                 }
                 
+                // some older distros don't have a /run directory
+                // create one by default
                 // create /run/firejail directory in chroot
                 char *rundir;
                 if (asprintf(&rundir, "%s/run", rootdir) == -1)
                         errExit("asprintf");
+                if (is_link(rundir)) {
+                        fprintf(stderr, "Error: invalid run directory inside chroot\n");
+                        exit(1);
+                }
                 create_empty_dir_as_root(rundir, 0755);
                 free(rundir);
                 if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
@@ -1129,7 +1164,7 @@ void fs_chroot(const char *rootdir) {
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1)
+                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
                         fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
         }
         
@@ -1151,7 +1186,11 @@ void fs_chroot(const char *rootdir) {
 //                      fs_dev_shm();
                 fs_var_lock();
                 fs_var_tmp();
-                fs_var_log();
+                if (!arg_writable_var_log)
+                        fs_var_log();
+                else
+                        fs_rdwr("/var/log");
+                        
                 fs_var_lib();
                 fs_var_cache();
                 fs_var_utmp();
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 7c56d524e..3473fca4c 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -111,7 +111,7 @@ static void duplicate(char *fname) {
                 errExit("asprintf");
         
         // copy the file
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
         fs_logger2("clone", fname);
         free(full_path);
 }
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index d710e98f2..fd21e7515 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -28,6 +28,7 @@
 #ifndef _BSD_SOURCE
 #define _BSD_SOURCE 
 #endif
+#include <sys/sysmacros.h>
 #include <sys/types.h>
 
 typedef struct {
@@ -51,7 +52,7 @@ static DevEntry dev[] = {
         {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
         {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
         {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
-        {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+        {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
         {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
         {NULL, NULL, 0, 0}
 };
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 479383af2..19c2210b3 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -31,8 +31,8 @@ void fs_machineid(void) {
                 uint32_t u32[4];
         } mid;
 
-        // if --machine-id flag is active, do nothing
-        if (arg_machineid)
+        // if --machine-id flag is inactive, do nothing
+        if (arg_machineid == 0)
                 return;
 
         // init random number generator
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 0872bf0d0..3364ef797 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -42,19 +42,17 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0)
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.zshrc");
-                        }
+                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.zshrc");
                 }
-                else { // 
-                        FILE *fp = fopen(fname, "w");
-                        if (fp) {
-                                fprintf(fp, "\n");
-                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
-                                fclose(fp);
-                                fs_logger2("touch", fname);
-                        }
+                else {
+                        touch_file_as_user(fname, u, g, 0644);
+                        fs_logger2("touch", fname);
                 }
                 free(fname);
         }
@@ -64,23 +62,21 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 struct stat s;
+                
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0)
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.cshrc");
-                        }
+                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.cshrc");
                 }
-                else { // 
-                        /* coverity[toctou] */
-                        FILE *fp = fopen(fname, "w");
-                        if (fp) {
-                                fprintf(fp, "\n");
-                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
-                                fclose(fp);
-                                fs_logger2("touch", fname);
-                        }
+                else {
+                        touch_file_as_user(fname, u, g, 0644);
+                        fs_logger2("touch", fname);
                 }
                 free(fname);
         }
@@ -93,10 +89,13 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0) 
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.bashrc");
-                        }
+                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.bashrc");
                 }
                 free(fname);
         }
@@ -106,6 +105,14 @@ static int store_xauthority(void) {
         // put a copy of .Xauthority in XAUTHORITY_FILE
         char *src;
         char *dest = RUN_XAUTHORITY_FILE;
+        // create an empty file as root, and change ownership to user
+        FILE *fp = fopen(dest, "w");
+        if (fp) {
+                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+                fclose(fp);
+        }
+        
         if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
         
@@ -115,12 +122,9 @@ static int store_xauthority(void) {
                         fprintf(stderr, "Warning: invalid .Xauthority file\n");
                         return 0;
                 }
-                        
-                int rv = copy_file(src, dest, -1, -1, 0600);
-                if (rv) {
-                        fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-                        return 0;
-                }
+
+                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
+                fs_logger2("clone", dest);
                 return 1; // file copied
         }
         
@@ -128,8 +132,17 @@ static int store_xauthority(void) {
 }
 
 static int store_asoundrc(void) {
+        // put a copy of .Xauthority in XAUTHORITY_FILE
         char *src;
         char *dest = RUN_ASOUNDRC_FILE;
+        // create an empty file as root, and change ownership to user
+        FILE *fp = fopen(dest, "w");
+        if (fp) {
+                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
+                fclose(fp);
+        }
+        
         if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
                 errExit("asprintf");
         
@@ -150,11 +163,8 @@ static int store_asoundrc(void) {
                         free(rp);
                 }
 
-                int rv = copy_file(src, dest, -1, -1, -0644);
-                if (rv) {
-                        fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-                        return 0;
-                }
+                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
+                fs_logger2("clone", dest);
                 return 1; // file copied
         }
         
@@ -167,13 +177,15 @@ static void copy_xauthority(void) {
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        // copy, set permissions and ownership
-        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-        if (rv)
-                fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-        else {
-                fs_logger2("clone", dest);
+        
+        // if destination is a symbolic link, exit the sandbox!!!
+        if (is_link(dest)) {
+                fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+                exit(1);
         }
+
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        fs_logger2("clone", dest);
         
         // delete the temporary file
         unlink(src);
@@ -185,14 +197,16 @@ static void copy_asoundrc(void) {
         char *dest;
         if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
                 errExit("asprintf");
-        // copy, set permissions and ownership
-        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-        if (rv)
-                fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-        else {
-                fs_logger2("clone", dest);
+        
+        // if destination is a symbolic link, exit the sandbox!!!
+        if (is_link(dest)) {
+                fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+                exit(1);
         }
 
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        fs_logger2("clone", dest);
+
         // delete the temporary file
         unlink(src);
 }
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index b2e1b4a99..535526409 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -42,7 +42,7 @@ void fs_hostname(const char *hostname) {
         }
         
         // create a new /etc/hosts
-        if (stat("/etc/hosts", &s) == 0) {
+        if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) {
                 if (arg_debug)
                         printf("Creating a new /etc/hosts file\n");
                 // copy /etc/host into our new file, and modify it on the fly
@@ -79,9 +79,7 @@ void fs_hostname(const char *hostname) {
                 fclose(fp2);
                 
                 // bind-mount the file on top of /etc/hostname
-                if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind /etc/hosts");
-                fs_logger("create /etc/hosts");
+                fs_mount_hosts_file();
         }
         return;
 
@@ -129,4 +127,49 @@ void fs_resolvconf(void) {
         }
 }
 
+char *fs_check_hosts_fiile(const char *fname) {
+        assert(fname);
+        invalid_filename(fname);
+        char *rv = expand_home(fname, cfg.homedir);
+
+        // no a link
+        if (is_link(rv))
+                goto errexit;
         
+        // the user has read access to the file
+        if (access(rv, R_OK))
+                goto errexit;
+
+        return rv;
+errexit:
+        fprintf(stderr, "Error: invalid file %s\n", fname);
+        exit(1);
+}
+
+void fs_store_hosts_file(void) {
+        copy_file_from_user_to_root(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644); // root needed
+}
+
+void fs_mount_hosts_file(void) {
+        // check /etc/hosts file
+        struct stat s;
+        if (stat("/etc/hosts", &s) == -1)
+                goto errexit;
+        // not a link
+        if (is_link("/etc/hosts"))
+                goto errexit;
+        // owned by root
+        if (s.st_uid != 0)
+                goto errexit;
+
+        // bind-mount the file on top of /etc/hostname
+        if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind /etc/hosts");
+        fs_logger("create /etc/hosts");
+        return;
+
+errexit:
+        fprintf(stderr, "Error: invalid /etc/hosts file\n");
+        exit(1);
+}
+
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 052a41457..a2b6b317e 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 5b6ceae90..a0bda7443 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) {
         }
 
         // create file
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                // drop privileges
-                drop_privs(0);
-
-                /* coverity[toctou] */
-                FILE *fp = fopen(expanded, "w");
-                if (!fp)
-                        fprintf(stderr, "Warning: cannot create %s file\n", expanded);
-                else {
-                        int fd = fileno(fp);
-                        if (fd == -1)
-                                errExit("fileno");
-                        int rv = fchmod(fd, 0600);
-                        (void) rv;
-                        fclose(fp);
-                }
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                _exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-
+        touch_file_as_user(expanded, getuid(), getgid(), 0600);
+        
 doexit:
         free(expanded);
 }
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 719b55048..2a58d1eb2 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -60,9 +60,6 @@ void fs_trace(void) {
                         printf("Blacklist violations are logged to syslog\n");
         }       
 
-        if (mask_x11_abstract_socket)
-                fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR);
-
         SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
         fclose(fp);
         
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f742e7e22..bbea3b392 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 0970642db..1794e4b35 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -406,10 +406,12 @@ void fs_whitelist(void) {
 
                         // both path and absolute path are under /home
                         if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                // check if the file is owned by the user
-                                struct stat s;
-                                if (stat(fname, &s) == 0 && s.st_uid != getuid())
-                                        goto errexit;
+                                if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
+                                        // check if the file is owned by the user
+                                        struct stat s;
+                                        if (stat(fname, &s) == 0 && s.st_uid != getuid())
+                                                goto errexit;
+                                }
                         }
                 }
                 else if (strncmp(new_name, "/tmp/", 5) == 0) {
diff --git a/src/firejail/git.c b/src/firejail/git.c
new file mode 100644
index 000000000..c4dd54a1b
--- /dev/null
+++ b/src/firejail/git.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_GIT_INSTALL
+ 
+#include "firejail.h"
+#include <sys/utsname.h>
+#include <sched.h>
+#include <sys/mount.h>
+
+// install a very simple mount namespace sandbox with a tmpfs on top of /tmp
+// and drop privileges
+static void sbox_ns(void) {
+        if (unshare(CLONE_NEWNS) < 0)
+                errExit("unshare");
+
+        // mount events are not forwarded between the host the sandbox
+        if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) {
+                errExit("mount");
+        }
+
+        // mount a tmpfs on top of /tmp
+        if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0)
+                errExit("mount");
+
+
+        // drop privileges
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
+        assert(getenv("LD_PRELOAD") == NULL);   
+
+        printf("Running as "); fflush(0);
+        int rv = system("whoami");
+        (void) rv;
+        printf("/tmp directory: "); fflush(0);
+        rv = system("ls -l /tmp");
+        (void) rv;
+}
+                
+
+void git_install(void) {
+        // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+        EUID_ASSERT();
+        EUID_ROOT();
+        
+        // install a mount namespace with a tmpfs on top of /tmp
+        sbox_ns();
+        
+        // run command
+        const char *cmd = LIBDIR "/firejail/fgit-install.sh";
+        int rv = system(cmd);
+        (void) rv;
+        exit(0);
+}
+
+void git_uninstall(void) {
+        // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
+        EUID_ASSERT();
+        EUID_ROOT();
+        
+        // install a mount namespace with a tmpfs on top of /tmp
+        sbox_ns();
+        
+        // run command
+        const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh";
+        int rv = system(cmd);
+        (void) rv;
+        exit(0);
+}
+        
+#endif // HAVE_GIT_INSTALL
diff --git a/src/firejail/join.c b/src/firejail/join.c
index bcf951f33..fa19243b8 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 77eb35f97..7b51ee697 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -336,7 +336,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -362,7 +362,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -411,7 +411,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -443,7 +443,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e70e20eec..310795abf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -35,6 +35,7 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
+#include <sys/utsname.h>
 
 #if 0
 #include <sys/times.h>
@@ -84,6 +85,7 @@ int arg_netfilter;				// enable netfilter
 int arg_netfilter6;                             // enable netfilter6
 char *arg_netfilter_file = NULL;                        // netfilter file
 char *arg_netfilter6_file = NULL;               // netfilter6 file
+char *arg_netns = NULL;                 // "ip netns"-created network namespace to use
 int arg_doubledash = 0;                 // double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
@@ -112,7 +114,8 @@ int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
-int arg_allow_private_blacklist = 0;  // blacklist things in private directories
+int arg_allow_private_blacklist = 0;            // blacklist things in private directories
+int arg_writable_var_log;                       // writable /var/log
 
 int login_shell = 0;
 
@@ -817,17 +820,43 @@ int main(int argc, char **argv) {
         
         if (check_arg(argc, argv, "--quiet"))
                 arg_quiet = 1;
-        if (check_arg(argc, argv, "--allow-debuggers"))
+        if (check_arg(argc, argv, "--allow-debuggers")) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
+
                 arg_allow_debuggers = 1;
+        }
 
         // drop permissions by default and rise them when required
         EUID_INIT();
         EUID_USER();
 
+#ifdef HAVE_GIT_INSTALL
+        // process git-install and git-uninstall
+        if (check_arg(argc, argv, "--git-install"))
+                git_install(); // this function will not return
+        if (check_arg(argc, argv, "--git-uninstall"))
+                git_uninstall(); // this function will not return
+#endif
 
         // check argv[0] symlink wrapper if this is not a login shell
         if (*argv[0] != '-')
-                run_symlink(argc, argv);
+                run_symlink(argc, argv); // this function will not return
 
         // check if we already have a sandbox running
         // If LXC is detected, start firejail sandbox
@@ -1333,6 +1362,8 @@ int main(int argc, char **argv) {
                 }
 #endif
                 else if (strncmp(argv[i], "--profile=", 10) == 0) {
+                        // multiple profile files are allowed!
+
                         if (arg_noprofile) {
                                 fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
                                 exit(1);
@@ -1341,19 +1372,6 @@ int main(int argc, char **argv) {
                         char *ppath = expand_home(argv[i] + 10, cfg.homedir);
                         if (!ppath)
                                 errExit("strdup");
-                        invalid_filename(ppath);
-                        
-                        // multiple profile files are allowed!
-                        if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
-                                fprintf(stderr, "Error: invalid profile file\n");
-                                exit(1);
-                        }
-                        
-                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(ppath, R_OK)) {
-                                fprintf(stderr, "Error: cannot access profile file\n");
-                                return 1;
-                        }
 
                         profile_read(ppath);
                         custom_profile = 1;
@@ -1448,13 +1466,10 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: invalid chroot directory\n");
                                         exit(1);
                                 }
-                                free(rpath);
+                                cfg.chrootdir = rpath;
                                 
                                 // check chroot directory structure
-                                if (fs_check_chroot_dir(cfg.chrootdir)) {
-                                        fprintf(stderr, "Error: invalid chroot\n");
-                                        exit(1);
-                                }
+                                fs_check_chroot_dir(cfg.chrootdir);
                         }
                         else
                                 exit_err_feature("chroot");
@@ -1470,6 +1485,9 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
+                else if (strcmp(argv[i], "--writable-var-log") == 0) {
+                        arg_writable_var_log = 1;
+                }
                 else if (strcmp(argv[i], "--machine-id") == 0) {
                         arg_machineid = 1;
                 }
@@ -1929,6 +1947,9 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+                
+                else if (strncmp(argv[i], "--hosts-file=", 13) == 0)
+                        cfg.hosts_file = fs_check_hosts_fiile(argv[i] + 13);
 
 #ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netfilter") == 0) {
@@ -1982,6 +2003,15 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("networking");
                 }
+
+                else if (strncmp(argv[i], "--netns=", 8) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_netns = argv[i] + 8;
+                                check_netns(arg_netns);
+                        }
+                        else
+                                exit_err_feature("networking");
+                }
 #endif
                 //*************************************
                 // command
@@ -2102,6 +2132,12 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+                else if (strcmp(argv[i], "--git-install") == 0 ||
+                        strcmp(argv[i], "--git-uninstall") == 0) {
+                        fprintf(stderr, "This feature is not enabled in the current build\n");
+                        exit(1);
+                }
+                
                 else if (strcmp(argv[i], "--") == 0) {
                         // double dash - positional params to follow
                         arg_doubledash = 1;
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 9e759ec70..ea1d45dd7 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
new file mode 100644
index 000000000..477d56b3d
--- /dev/null
+++ b/src/firejail/netns.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+
+static char *netns_control_file(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+
+static char *netns_etc_dir(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+
+void check_netns(const char *nsname) {
+        if (strchr(nsname, '/') || strstr(nsname, "..")) {
+                fprintf(stderr, "Error: invalid netns name %s\n", nsname);
+                exit(1);
+        }
+        invalid_filename(nsname);
+        char *control_file = netns_control_file(nsname);
+
+        EUID_ASSERT();
+
+        struct stat st;
+        if (lstat(control_file, &st)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (!S_ISREG(st.st_mode)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
+                        nsname, control_file);
+                exit(1);
+        }
+        free(control_file);
+}
+
+void netns(const char *nsname) {
+        char *control_file = netns_control_file(nsname);
+        int nsfd = open(control_file, O_RDONLY|O_CLOEXEC);
+        if (nsfd < 0) {
+                fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) {
+                fprintf(stderr, "Error: cannot join netns '%s': %s\n",
+                        nsname, strerror(errno));
+                exit(1);
+        }
+        close(nsfd);
+        free(control_file);
+}
+
+void netns_mounts(const char *nsname) {
+        char *etcdir = netns_etc_dir(nsname);
+        char *netns_name, *etc_name;
+        struct dirent *entry;
+        DIR *dir;
+
+        dir = opendir(etcdir);
+        if (!dir) {
+                free(etcdir);
+                return;
+        }
+        while ((entry = readdir(dir))) {
+                if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, ".."))
+                        continue;
+                if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 ||
+                    asprintf(&etc_name, "/etc/%s", entry->d_name) < 0)
+                        errExit("asprintf");
+                if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) {
+                        fprintf(stderr, "Warning: bind %s -> %s failed: %s\n",
+                                netns_name, etc_name, strerror(errno));
+                }
+                free(netns_name);
+                free(etc_name);
+        }
+        closedir(dir);
+        free(etcdir);
+}
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 6d09d770f..673c607ca 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 9fbc09d2b..924a94091 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index c56d90994..1828405db 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 91fe7f164..4872c57ba 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 97a1d5a98..454255717 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,83 +18,134 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/stat.h>
 
-static char **paths = NULL;
-static int path_cnt = 0;
-static char initialized = 0;
+static char **paths = 0;
+static unsigned int path_cnt = 0;
+static unsigned int longest_path_elt = 0;
 
-static void add_path(const char *path) {
-        assert(paths);
-        assert(path_cnt);
-        
-        // filter out duplicates
-        int i;
-        int empty = 0;
-        for (i = 0; i < path_cnt; i++) {
-                if (paths[i] && strcmp(path, paths[i]) == 0) {
-                        return;
-                }
-                if (!paths[i]) {
-                        empty = i;
-                        break;
-                }
+static void init_paths(void) {
+        char *path = getenv("PATH");
+        char *p;
+        if (!path) {
+                path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin";
+                setenv("PATH", path, 1);
         }
-
-        paths[empty] = strdup(path);
-        if (!paths[empty])
+        path = strdup(path);
+        if (!path)
                 errExit("strdup");
+
+        // size the paths array
+        for (p = path; *p; p++)
+                if (*p == ':')
+                        path_cnt++;
+        path_cnt += 2; // one because we were counting fenceposts, one for the NULL at the end
+
+        paths = calloc(path_cnt, sizeof(char *));
+        if (!paths)
+                errExit("calloc");
+
+        // fill in 'paths' with pointers to elements of 'path'
+        char *elt;
+        unsigned int i = 0, j;
+        unsigned int len;
+        while ((elt = strsep(&path, ":")) != 0) {
+                // skip any entry that is not absolute
+                if (elt[0] != '/')
+                        goto skip;
+
+                // strip trailing slashes (this also prevents '/' from being a path entry).
+                len = strlen(elt);
+                while (len > 0 && elt[len-1] == '/')
+                        elt[--len] = '\0';
+                if (len == 0)
+                        goto skip;
+
+                // filter out duplicate entries
+                for (j = 0; j < i; j++)
+                        if (strcmp(elt, paths[j]) == 0)
+                                goto skip;
+
+                paths[i++] = elt;
+                if (len > longest_path_elt)
+                        longest_path_elt = len;
+
+                skip:;
+        }
+
+        assert(paths[i] == 0);
+        // path_cnt may be too big now, if entries were skipped above
+        path_cnt = i+1;
 }
 
+
 char **build_paths(void) {
-        if (initialized) {
-                assert(paths);
-                return paths;
-        }
-        initialized = 1;
-        
-        int cnt = 5;    // 4 default paths + 1 NULL to end the array
-        char *path1 = getenv("PATH");
-        if (path1) {
-                char *path2 = strdup(path1);
-                if (!path2)
-                        errExit("strdup");
-                
-                // use path2 to count the entries
-                char *ptr = strtok(path2, ":");
-                while (ptr) {
-                        cnt++;
-                        ptr = strtok(NULL, ":");
-                }
-                free(path2);
-                path_cnt = cnt;
-
-                // allocate paths array
-                paths = malloc(sizeof(char *) * cnt);
-                if (!paths)
-                        errExit("malloc");
-                memset(paths, 0, sizeof(char *) * cnt);
-
-                // add default paths
-                add_path("/usr/local/bin");
-                add_path("/usr/bin");
-                add_path("/bin");
-                add_path("/usr/local/sbin");
-                add_path("/usr/sbin");
-                add_path("/sbin");
-
-                path2 = strdup(path1);
-                if (!path2)
-                        errExit("strdup");
-                
-                // use path2 to count the entries
-                ptr = strtok(path2, ":");
-                while (ptr) {
-                        cnt++;
-                        add_path(ptr);
-                        ptr = strtok(NULL, ":");
+        if (!paths)
+                init_paths();
+        assert(paths);
+        return paths;
+}
+
+// Note: the NULL element at the end of 'paths' is included in this count.
+unsigned int count_paths(void) {
+        if (!path_cnt)
+                init_paths();
+        assert(path_cnt);
+        return path_cnt;
+}
+
+// Return 1 if PROGRAM exists in $PATH and is runnable by the
+// invoking user (not root).
+// In other words, tests "will execvp(PROGRAM, ...) succeed?"
+int program_in_path(const char *program) {
+        assert(program && *program);
+        assert(strchr(program, '/') == 0);
+        assert(strcmp(program, ".") != 0);
+        assert(strcmp(program, "..") != 0);
+
+        if (!paths)
+                init_paths();
+        assert(paths);
+
+        size_t proglen = strlen(program);
+        char *scratch = malloc(longest_path_elt + proglen + 2);
+        if (!scratch)
+                errExit("malloc");
+
+        int found = 0;
+        size_t dlen;
+        char **p;
+        for (p = paths; *p; p++) {
+                char *dir = *p;
+                dlen = strlen(dir);
+
+                // init_paths should ensure that this is true; as long
+                // as it is true, 'scratch' has enough space for "$p/$program".
+                assert(dlen <= longest_path_elt);
+
+                memcpy(scratch, dir, dlen);
+                scratch[dlen++] = '/';
+
+                // copy proglen+1 bytes to copy the nul terminator at
+                // the end of 'program'.
+                memcpy(scratch + dlen, program, proglen+1);
+
+                if (access(scratch, X_OK) == 0) {
+                        // must also verify that this is a regular file
+                        // ('x' permission means something different for directories).
+                        // exec follows symlinks, so use stat, not lstat.
+                        struct stat st;
+                        if (stat(scratch, &st)) {
+                                perror(scratch);
+                                exit(1);
+                        }
+                        if (S_ISREG(st.st_mode)) {
+                                found = 1;
+                                break;
+                        }
                 }
-                free(path2);
         }
-        
-        return paths;
+
+        free(scratch);
+        return found;
 }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index d2db7d3dd..b834e6275 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -76,12 +76,12 @@ void preproc_mount_mnt_dir(void) {
                 fs_logger2("tmpfs", RUN_MNT_DIR);
                 
                 //copy defaultl seccomp files
-                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
-                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
                 if (arg_allow_debuggers)
-                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                 else
-                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                         
                 // as root, create an empty RUN_SECCOMP_PROTOCOL file
                 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index fab4f1efa..5684a2d95 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -215,6 +215,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
+                arg_allow_private_blacklist = 1;
+                return 0;
+        }       
         else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK))
@@ -602,6 +606,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         
+        // hosts-file
+        if (strncmp(ptr, "hosts-file ", 11) == 0) {
+                cfg.hosts_file = fs_check_hosts_fiile(ptr + 11);
+                return 0;
+        }
+        
         // dns
         if (strncmp(ptr, "dns ", 4) == 0) {
                 uint32_t dns;
@@ -663,6 +673,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_writable_var = 1;
                 return 0;
         }
+        if (strcmp(ptr, "writable-var-log") == 0) {
+                arg_writable_var_log = 1;
+                return 0;
+        }
         
         // private directory
         if (strncmp(ptr, "private ", 8) == 0) {
@@ -999,10 +1013,25 @@ void profile_read(const char *fname) {
                 exit(1);        
         }
 
+        // check file
         if (strlen(fname) == 0) {
                 fprintf(stderr, "Error: invalid profile file\n");
                 exit(1);
         }
+        invalid_filename(fname);
+        if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
+                fprintf(stderr, "Error: invalid profile file\n");
+                exit(1);
+        }
+        if (access(fname, R_OK)) {
+                // if the file ends in ".local", do not exit
+                char *ptr = strstr(fname, ".local");
+                if (ptr && strlen(ptr) == 6)
+                        return;
+                
+                fprintf(stderr, "Error: cannot access profile file\n");
+                exit(1);
+        }
 
         // allow debuggers
         if (arg_allow_debuggers) {
@@ -1013,7 +1042,7 @@ void profile_read(const char *fname) {
                                 return;
                 }
         }
-
+        
         // open profile file:
         FILE *fp = fopen(fname, "r");
         if (fp == NULL) {
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 2a09ed010..382d469f1 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index f890dd534..ead5dd361 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <sys/wait.h>
 
 static void disable_file(const char *path, const char *file) {
         assert(file);
@@ -113,7 +114,7 @@ void pulseaudio_init(void) {
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
-        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))
+        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
                 errExit("copy_file");
         FILE *fp = fopen(pulsecfg, "a+");
         if (!fp)
@@ -127,21 +128,63 @@ void pulseaudio_init(void) {
         if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
                 errExit("asprintf");
         if (stat(dir1, &s) == -1) {
-                int rv = mkdir(dir1, 0755);
-                if (rv == 0) {
-                        if (set_perms(dir1, getuid(), getgid(), 0755))
-                                {;} // do nothing
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        int rv = mkdir(dir1, 0755);
+                        if (rv == 0) {
+                                if (set_perms(dir1, getuid(), getgid(), 0755))
+                                        {;} // do nothing
+                        }
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+        }
+        else {
+                // make sure the directory is owned by the user
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
+                        exit(1);
                 }
         }
         free(dir1);
+        
         if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
                 errExit("asprintf");
         if (stat(dir1, &s) == -1) {
-                /* coverity[toctou] */
-                int rv = mkdir(dir1, 0700);
-                if (rv == 0) {
-                        if (set_perms(dir1, getuid(), getgid(), 0700))
-                                {;} // do nothing
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        int rv = mkdir(dir1, 0700);
+                        if (rv == 0) {
+                                if (set_perms(dir1, getuid(), getgid(), 0700))
+                                        {;} // do nothing
+                        }
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+        }
+        else {
+                // make sure the directory is owned by the user
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
+                        exit(1);
                 }
         }
         free(dir1);
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 393851148..774e2908f 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index 979bb1eed..9919c4656 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index 47dd846d2..5e30e56a3 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 753c50208..57f04485b 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 50fcd6ed0..84ee5ee11 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -386,7 +386,7 @@ static void enforce_filters(void) {
         }
         
         // disable all capabilities
-        if (arg_caps_default_filter || arg_caps_list)
+        if ((arg_caps_default_filter || arg_caps_list) && !arg_quiet)
                 fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
         arg_caps_drop_all = 1;
         
@@ -467,6 +467,11 @@ int sandbox(void* sandbox_arg) {
                 if (arg_debug)
                         printf("Network namespace enabled, only loopback interface available\n");
         }
+        else if (arg_netns) {
+                netns(arg_netns);
+                if (arg_debug)
+                        printf("Network namespace '%s' activated\n", arg_netns);
+        }
         else if (any_bridge_configured() || any_interface_configured()) {
                 // configure lo and eth0...eth3
                 net_if_up("lo");
@@ -515,7 +520,8 @@ int sandbox(void* sandbox_arg) {
                 if (cfg.defaultgw) {
                         // set the default route
                         if (net_add_route(0, 0, cfg.defaultgw)) {
-                                fprintf(stderr, "Warning: cannot configure default route\n");
+                                if (!arg_quiet)
+                                        fprintf(stderr, "Warning: cannot configure default route\n");
                                 gw_cfg_failed = 1;
                         }
                 }
@@ -579,9 +585,13 @@ int sandbox(void* sandbox_arg) {
 #endif  
 
         // trace pre-install
-        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+        if (arg_trace || arg_tracelog)
                 fs_trace_preload();
 
+        // store hosts file
+        if (cfg.hosts_file)
+                fs_store_hosts_file();
+
         //****************************
         // configure filesystem
         //****************************
@@ -612,11 +622,11 @@ int sandbox(void* sandbox_arg) {
                 //****************************
                 // trace pre-install, this time inside chroot
                 //****************************
-                if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+                if (arg_trace || arg_tracelog)
                         fs_trace_preload();
         }
         else 
-#endif          
+#endif
 #ifdef HAVE_OVERLAYFS
         if (arg_overlay)        {
                 fs_overlayfs();
@@ -635,13 +645,6 @@ int sandbox(void* sandbox_arg) {
                 fs_basic_fs();
         
         //****************************
-        // set hostname in /etc/hostname
-        //****************************
-        if (cfg.hostname) {
-                fs_hostname(cfg.hostname);
-        }
-        
-        //****************************
         // private mode
         //****************************
         if (arg_private) {
@@ -682,7 +685,7 @@ int sandbox(void* sandbox_arg) {
                 else {
                         fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
                         // create /etc/ld.so.preload file again
-                        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+                        if (arg_trace || arg_tracelog)
                                 fs_trace_preload();
                 }
         }
@@ -738,6 +741,22 @@ int sandbox(void* sandbox_arg) {
                         EUID_ROOT();
                 }
         }
+
+        
+        //****************************
+        // hosts and hostname
+        //****************************
+        if (cfg.hostname)
+                fs_hostname(cfg.hostname);
+
+        if (cfg.hosts_file)
+                fs_mount_hosts_file();
+
+        //****************************
+        // /etc overrides from the network namespace
+        //****************************
+        if (arg_netns)
+                netns_mounts(arg_netns);
         
         //****************************
         // update /proc, /sys, /dev, /boot directorymy
@@ -762,7 +781,7 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // install trace
         //****************************
-        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+        if (arg_trace || arg_tracelog)
                 fs_trace();
                 
         //****************************
@@ -821,7 +840,8 @@ int sandbox(void* sandbox_arg) {
                 int rv = nice(cfg.nice);
                 (void) rv;
                 if (errno) {
-                        fprintf(stderr, "Warning: cannot set nice value\n");
+                        if (!arg_quiet)
+                                fprintf(stderr, "Warning: cannot set nice value\n");
                         errno = 0;
                 }
         }
@@ -877,7 +897,8 @@ int sandbox(void* sandbox_arg) {
         if (arg_noroot) {
                 int rv = unshare(CLONE_NEWUSER);
                 if (rv == -1) {
-                        fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
+                        if (!arg_quiet)
+                                fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
                         drop_privs(arg_nogroups);
                         arg_noroot = 0;
                 }
@@ -908,7 +929,7 @@ int sandbox(void* sandbox_arg) {
         if (arg_nonewprivs) {
                 int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-                if(no_new_privs != 0)
+                if(no_new_privs != 0 && !arg_quiet)
                         fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
                 else if (arg_debug)
                         printf("NO_NEW_PRIVS set\n");
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index f28bbaf1a..467745a64 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 96dfdaff2..ee10f3abf 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index c23e87321..3c150738b 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9f4dfd44c..ae3993aec 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -76,8 +76,14 @@ void usage(void) {
         printf("    --env=name=value - set environment variable.\n");
         printf("    --fs.print=name|pid - print the filesystem log.\n");
         printf("    --get=name|pid filename - get a file from sandbox container.\n");
+#ifdef HAVE_GIT_INSTALL
+        printf("    --git-install - download, compile and install mainline git version\n");
+        printf("\tof Firejail.\n");
+        printf("    --git-uninstall - uninstall mainline git version of Firejail\n");
+#endif
         printf("    --help, -? - this help screen.\n");
         printf("    --hostname=name - set sandbox hostname.\n");
+        printf("    --hosts-file=file - use file as /etc/hosts.\n");
         printf("    --ignore=command - ignore command in profile files.\n");
 #ifdef HAVE_NETWORK     
         printf("    --interface=name - move interface in sandbox.\n");
@@ -191,6 +197,7 @@ void usage(void) {
 #endif  
         printf("    --writable-etc - /etc directory is mounted read-write.\n");
         printf("    --writable-var - /var directory is mounted read-write.\n");
+        printf("    --writable-var-log - use the real /var/log directory, not a clone.\n");
         printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
         printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
         printf("\tattempt to use X11 security extension.\n");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 75f2acdb9..9b9308670 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -28,6 +28,7 @@
 #include <grp.h>
 #include <sys/ioctl.h>
 #include <termios.h>
+#include <sys/wait.h>
 
 #define MAX_GROUPS 1024
 // drop privileges
@@ -168,6 +169,25 @@ void logerr(const char *msg) {
         closelog();
 }
 
+static int copy_file_by_fd(int src, int dst) {
+        assert(src >= 0);
+        assert(dst >= 0);
+
+        ssize_t len;
+        static const int BUFLEN = 1024;
+        unsigned char buf[BUFLEN];
+        while ((len = read(src, buf, BUFLEN)) > 0) {
+                int done = 0;
+                while (done != len) {
+                        int rv = write(dst, buf + done, len - done);
+                        if (rv == -1)
+                                return -1;
+                        done += rv;
+                }
+        }
+        fflush(0);
+        return 0;
+}
 
 // return -1 if error, 0 if no error; if destname already exists, return error
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
@@ -177,47 +197,114 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
         // open source
         int src = open(srcname, O_RDONLY);
         if (src < 0) {
-                fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
+                fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
                 return -1;
         }
 
         // open destination
         int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
-                fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
+                fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
                 close(src);
                 return -1;
         }
 
-        // copy
-        ssize_t len;
-        static const int BUFLEN = 1024;
-        unsigned char buf[BUFLEN];
-        while ((len = read(src, buf, BUFLEN)) > 0) {
-                int done = 0;
-                while (done != len) {
-                        int rv = write(dst, buf + done, len - done);
-                        if (rv == -1) {
-                                close(src);
-                                close(dst);
-                                return -1;
-                        }
+        int errors = copy_file_by_fd(src, dst);
+        if (!errors) {
+                if (fchown(dst, uid, gid) == -1)
+                        errExit("fchown");
+                if (fchmod(dst, mode) == -1)
+                        errExit("fchmod");
+        }
+        close(src);
+        close(dst);
+        return errors;
+}
 
-                        done += rv;
-                }
+// return -1 if error, 0 if no error
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                // copy, set permissions and ownership
+                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                if (rv)
+                        fprintf(stderr, "Warning: cannot copy %s\n", srcname);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
+
+void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+        // open destination
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
+                return;
         }
-        fflush(0);
 
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                int src = open(srcname, O_RDONLY);
+                if (src < 0) {
+                        fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
+                } else {
+                        if (copy_file_by_fd(src, dst)) {
+                                fprintf(stderr, "Warning: cannot copy %s\n", srcname);
+                        }
+                        close(src);
+                }
+                close(dst);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
         if (fchown(dst, uid, gid) == -1)
                 errExit("fchown");
         if (fchmod(dst, mode) == -1)
                 errExit("fchmod");
-
-        close(src);
         close(dst);
-        return 0;
 }
 
+// return -1 if error, 0 if no error
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                FILE *fp = fopen(fname, "w");
+                if (fp) {
+                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, uid, gid, mode);
+                        fclose(fp);
+                }
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
 
 // return 1 if the file is a directory
 int is_dir(const char *fname) {
@@ -518,16 +605,37 @@ void wait_for_other(int fd) {
                 *ptr = '\0';
         }
         else {
-                fprintf(stderr, "Error: cannot establish communication with the parent, exiting...\n");
+                fprintf(stderr, "Error: proc %d cannot sync with peer: %s\n",
+                        getpid(), ferror(stream) ? strerror(errno) : "unexpected EOF");
+
+                int status = 0;
+                pid_t pid = wait(&status);
+                if (pid != -1) {
+                        if (WIFEXITED(status))
+                                fprintf(stderr, "Peer %d unexpectedly exited with status %d\n",
+                                        pid, WEXITSTATUS(status));
+                        else if (WIFSIGNALED(status))
+                                fprintf(stderr, "Peer %d unexpectedly killed (%s)\n",
+                                        pid, strsignal(WTERMSIG(status)));
+                        else
+                                fprintf(stderr, "Peer %d unexpectedly exited "
+                                        "(un-decodable wait status %04x)\n", pid, status);
+                }
                 exit(1);
         }
+
         if (strcmp(childstr, "arg_noroot=0") == 0)
                 arg_noroot = 0;
+        else if (strcmp(childstr, "arg_noroot=1") == 0)
+                arg_noroot = 1;
+        else {
+                fprintf(stderr, "Error: unexpected message from peer: %s\n", childstr);
+                exit(1);
+        }
 
         fclose(stream);
 }
 
-
 void notify_other(int fd) {
         FILE* stream;
         int newfd = dup(fd);
@@ -561,6 +669,11 @@ char *expand_home(const char *path, const char* homedir) {
                         errExit("asprintf");
                 return new_name;
         }
+        else if (strncmp(path, "${CFG}", 6) == 0) {
+                if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1)
+                        errExit("asprintf");
+                return new_name;
+        }
 
         char *rv = strdup(path);
         if (!rv)
@@ -818,4 +931,4 @@ errexit:
         close(fd);
         fprintf(stderr, "Error: cannot read %s\n", fname);
         exit(1);
-}
\ No newline at end of file
+}
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 91017237d..5bbc327a6 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,8 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <signal.h>
@@ -27,157 +29,176 @@
 #include <dirent.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
+#include <errno.h>
+#include <limits.h>
 int mask_x11_abstract_socket = 0;
 
-#ifdef HAVE_X11
-// return 1 if xpra is installed on the system
-static int x11_check_xpra(void) {
-        struct stat s;
-        
-        // check xpra
-        if (stat("/usr/bin/xpra", &s) == -1)
-                return 0;
 
-        return 1;
-}
+// Parse the DISPLAY environment variable and return a display number.
+// Returns -1 if DISPLAY is not set, or is set to anything other than :ddd.
+int x11_display(void) {
+        const char *display_str = getenv("DISPLAY");
+        char *endp;
+        unsigned long display;
+
+        if (!display_str) {
+                if (arg_debug)
+                        fputs("DISPLAY is not set\n", stderr);
+                return -1;
+        }
 
-// return 1 if xephyr is installed on the system
-static int x11_check_xephyr(void) {
-        struct stat s;
-        
-        // check xephyr
-        if (stat("/usr/bin/Xephyr", &s) == -1)
-                return 0;
+        if (display_str[0] != ':' || display_str[1] < '0' || display_str[1] > '9') {
+                if (arg_debug)
+                        fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str);
+                return -1;
+        }
 
-        return 1;
+        errno = 0;
+        display = strtoul(display_str+1, &endp, 10);
+        if (endp == display_str+1 || (*endp != '\0' && *endp != '.')) { // handling DISPLAY=:0 and also :0.0
+                if (arg_debug)
+                        fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str);
+                return -1;
+        }
+        if (errno || display > (unsigned long)INT_MAX) {
+                if (arg_debug)
+                        fprintf(stderr, "display number %s is outside the valid range\n",
+                                display_str+1);
+                return -1;
+        }
+
+        if (arg_debug)
+                fprintf(stderr, "DISPLAY=%s parsed as %lu\n", display_str, display);
+
+        return (int)display;
 }
 
+
+#ifdef HAVE_X11
 // check for X11 abstract sockets
 static int x11_abstract_sockets_present(void) {
-        char *path;
 
         EUID_ROOT(); // grsecurity fix
         FILE *fp = fopen("/proc/net/unix", "r");
-        EUID_USER();
-
         if (!fp)
                 errExit("fopen");
+        EUID_USER();
 
-        while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) {
-                if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
-                        free(path);
-                        fclose(fp);
-                        return 1;
+        char *linebuf = 0;
+        size_t bufsz = 0;
+        int found = 0;
+        errno = 0;
+
+        for (;;) {
+                if (getline(&linebuf, &bufsz, fp) == -1) {
+                        if (errno)
+                                errExit("getline");
+                        break;
+                }
+                // The last space-separated field in 'linebuf' is the
+                // pathname of the socket.  Abstract sockets' pathnames
+                // all begin with '@/', normal ones begin with '/'.
+                char *p = strrchr(linebuf, ' ');
+                if (!p) {
+                        fputs("error parsing /proc/net/unix\n", stderr);
+                        exit(1);
+                }
+                if (strncmp(p+1, "@/tmp/.X11-unix/", 16) == 0) {
+                        found = 1;
+                        break;
                 }
         }
 
-        free(path);
+        free(linebuf);
         fclose(fp);
-
-        return 0;
+        return found;
 }
 
+// Choose a random, unallocated display number.  This has an inherent
+// and unavoidable TOCTOU race, since we cannot create either the
+// socket or a lockfile ourselves.
 static int random_display_number(void) {
+        int display;
+        int found = 0;
         int i;
-        int found = 1;
-        int display;
+
+        struct sockaddr_un sa;
+        // The -1 here is because we need space to inject a
+        // leading nul byte.
+        int sun_pathmax = (int)(sizeof sa.sun_path - 1);
+        assert((size_t)sun_pathmax == sizeof sa.sun_path - 1);
+        int sun_pathlen;
+
+        int sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (sockfd == -1)
+                errExit("socket");
+
         for (i = 0; i < 100; i++) {
-                display = rand() % 1024;
-                if (display < 10)
-                        continue;
-                char *fname;
-                if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
-                        errExit("asprintf");
-                struct stat s;
-                if (stat(fname, &s) == -1) {
-                        found = 1;
-                        break;
-                }
-        }
+                // We try display numbers in the range 21 through 1000.
+                // Normal X servers typically use displays in the 0-10 range;
+                // ssh's X11 forwarding uses 10-20, and login screens
+                // (e.g. gdm3) may use displays above 1000.
+                display = rand() % 979 + 21;
+
+                // The display number might be claimed by a server listening
+                // in _either_ the normal or the abstract namespace; they
+                // don't necessarily do both.  The easiest way to check is
+                // to try to connect, both ways.
+                memset(&sa, 0, sizeof sa);
+                sa.sun_family = AF_UNIX;
+                sun_pathlen = snprintf(sa.sun_path, sun_pathmax,
+                                       "/tmp/.X11-unix/X%d", display);
+                if (sun_pathlen >= sun_pathmax) {
+                        fprintf(stderr, "sun_path too small for display :%d"
+                                " (only %d bytes usable)\n", display, sun_pathmax);
+                        exit(1);
+                }
+
+                if (connect(sockfd, (struct sockaddr *)&sa,
+                            offsetof(struct sockaddr_un, sun_path) + sun_pathlen + 1) == 0) {
+                        close(sockfd);
+                        sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
+                        if (sockfd == -1)
+                                errExit("socket");
+                        continue;
+                }
+                if (errno != ECONNREFUSED && errno != ENOENT)
+                        errExit("connect");
+
+                // Name not claimed in the normal namespace; now try it
+                // in the abstract namespace.  Note that abstract-namespace
+                // names are NOT nul-terminated; they extend to the length
+                // specified as the third argument to 'connect'.
+                memmove(sa.sun_path + 1, sa.sun_path, sun_pathlen + 1);
+                sa.sun_path[0] = '\0';
+                if (connect(sockfd, (struct sockaddr *)&sa,
+                            offsetof(struct sockaddr_un, sun_path) + 1 + sun_pathlen) == 0) {
+                        close(sockfd);
+                        sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
+                        if (sockfd == -1)
+                                errExit("socket");
+                        continue;
+                }
+                if (errno != ECONNREFUSED && errno != ENOENT)
+                        errExit("connect");
+
+                // This display number is unclaimed.  Of course, it could
+                // be claimed before we get around to doing it...
+                found = 1;
+                break;
+        }
+        close(sockfd);
+
         if (!found) {
-                fprintf(stderr, "Error: cannot pick up a random X11 display number, exiting...\n");
+                fputs("Error: cannot find an unallocated X11 display number, "
+                      "exiting...\n", stderr);
                 exit(1);
         }
-        
         return display;
 }
 #endif
 
-// return display number, -1 if not configured
-int x11_display(void) {
-        // extract display
-        char *d = getenv("DISPLAY");
-        if (!d)
-                return - 1;
-        
-        int display;
-        int rv = sscanf(d, ":%d", &display);
-        if (rv != 1)
-                return -1;
-        if (arg_debug)
-                printf("DISPLAY %s, %d\n", d, display);
-        
-        return display;
-}
-
-void fs_x11(void) {
-#ifdef HAVE_X11
-        int display = x11_display();
-        if (display <= 0)
-                return;
 
-        char *x11file;
-        if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
-                errExit("asprintf");
-        struct stat s;
-        if (stat(x11file, &s) == -1)
-                return;
-
-        // keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR
-        int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
-        if (rv == -1)
-                errExit("mkdir");
-        if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777))
-                errExit("set_perms");
-
-        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-
-        // mount tmpfs on /tmp/.X11-unix
-        if (arg_debug || arg_debug_whitelists)
-                printf("Mounting tmpfs on /tmp/.X11-unix directory\n");
-        if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                errExit("mounting tmpfs on /tmp");
-        fs_logger("tmpfs /tmp/.X11-unix");
-
-        // create an empty file
-        /* coverity[toctou] */
-        FILE *fp = fopen(x11file, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
-                exit(1);
-        }
-        // set file properties
-        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
-        fclose(fp);
-
-        // mount
-        char *wx11file;
-        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-                errExit("asprintf");
-        if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-         fs_logger2("whitelist", x11file);
-
-        free(x11file);
-        free(wx11file);
-        
-        // block access to RUN_WHITELIST_X11_DIR
-         if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, "none", MS_BIND, "mode=400,gid=0") == -1)
-                errExit("mount");
-         fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-#endif
-}
 
 
 #ifdef HAVE_X11
@@ -200,7 +221,7 @@ void x11_start_xephyr(int argc, char **argv) {
         drop_privs(0);
 
         // check xephyr
-        if (x11_check_xephyr() == 0) {
+        if (!program_in_path("Xephyr")) {
                 fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
                 fprintf(stderr, "   Arch: sudo pacman -S xorg-server-xephyr\n");
@@ -400,7 +421,7 @@ void x11_start_xpra(int argc, char **argv) {
         drop_privs(0);
 
         // check xpra
-        if (x11_check_xpra() == 0) {
+        if (!program_in_path("xpra")) {
                 fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
                 exit(0);
@@ -593,9 +614,9 @@ void x11_start(int argc, char **argv) {
         }
 
         // check xpra
-        if (x11_check_xpra() == 1)
+        if (program_in_path("xpra"))
                 x11_start_xpra(argc, argv);
-        else if (x11_check_xephyr() == 1)
+        else if (program_in_path("Xephyr"))
                 x11_start_xephyr(argc, argv);
         else {
                 fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n");
@@ -604,116 +625,113 @@ void x11_start(int argc, char **argv) {
                 exit(0);
         }
 }
-
 #endif
 
-void x11_block(void) {
+// Porting notes:
+// 
+// 1. merge #1100 from zackw:
+//     Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8
+//     with this message:
+//            xauth:  timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4
+//            Failed to create untrusted X cookie: xauth: exit 1
+//     For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was
+//     a partial merge.
+//
+// 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home
+// directory, we need to make sure /usr/bin/xauth executable is the real thing, and not
+// something picked up on $PATH.
+//
+// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens
+// when using a network namespace. Somehow, xauth tries to connect to the abstract socket,
+// and it fails because of the network namespace - it should try to connect to the regular
+// Unix socket! If we ignore the fail condition, the program will be started on X server without
+// the security extension loaded.
+void x11_xorg(void) {
 #ifdef HAVE_X11
-        mask_x11_abstract_socket = 1;
 
-        // check abstract socket presence and network namespace options
-        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
-                && x11_abstract_sockets_present()) {
-                fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
-                                                "Additional setup required. To block abstract X11 socket you can either:\n"
-                                                " * use network namespace in firejail (--net=none, --net=...)\n"
-                                                " * add \"-nolisten local\" to xserver options\n"
-                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
+        // check xauth utility is present in the system
+        struct stat s;
+        if (stat("/usr/bin/xauth", &s) == -1) {
+                fprintf(stderr, "Error: xauth utility not found in PATH.  Please install it:\n"
+                                "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                 exit(1);
         }
-
-        // blacklist sockets
-        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
-        profile_add(strdup("blacklist /tmp/.X11-unix"));
-
-        // blacklist .Xauthority
-        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
-        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
-        char *xauthority = getenv("XAUTHORITY");
-        if (xauthority) {
-                char *line;
-                if (asprintf(&line, "blacklist %s", xauthority) == -1)
-                        errExit("asprintf");
-                profile_check_line(line, 0, NULL);
-                profile_add(line);
-        }
-
-        // clear environment
-        env_store("DISPLAY", RMENV);
-        env_store("XAUTHORITY", RMENV);
-#endif
-}
-
-void x11_xorg(void) {
-#ifdef HAVE_X11
-        // destination - create an empty ~/.Xauthotrity file if it doesn't exist already, and use it as a mount point
-        char *dest;
-        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
-                errExit("asprintf");
-        struct stat s;
-        if (stat(dest, &s) == -1) {
-                // create an .Xauthority file
-                FILE *fp = fopen(dest, "w");
-                if (!fp)
-                        errExit("fopen");
-                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
-                fclose(fp);
+        if (s.st_uid != 0 && s.st_gid != 0) {
+                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
+                exit(1);
         }
 
-        // check xauth utility is present in the system
-        if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n");
+        // get DISPLAY env
+        char *display = getenv("DISPLAY");
+        if (!display) {
+                fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr);
                 exit(1);
         }
 
-        // create a temporary .Xauthority file
+        // temporarily mount a tempfs on top of /tmp directory
+        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                errExit("mounting /tmp");
+
+        // create the temporary .Xauthority file
+        if (arg_debug)
+                printf("Generating a new .Xauthority file\n");
         char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
         int fd = mkstemp(tmpfname);
         if (fd == -1) {
                 fprintf(stderr, "Error: cannot create .Xauthority file\n");
                 exit(1);
         }
-        close(fd);
-        if (chown(tmpfname, getuid(), getgid()) == -1)
+        if (fchown(fd, getuid(), getgid()) == -1)
                 errExit("chown");
+        close(fd);
 
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
-                // generate the new .Xauthority file using xauth utility
-                if (arg_debug)
-                        printf("Generating a new .Xauthority file\n");
                 drop_privs(1);
-
-                char *display = getenv("DISPLAY");
-                if (!display)
-                        display = ":0.0";
-                
                 clearenv();
-                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
-                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
-                
 #ifdef HAVE_GCOV
                 __gcov_flush();
 #endif
-                _exit(0);
+                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
+                
+                _exit(127);
+        }
+
+        // wait for the xauth process to finish
+        int status;
+        if (waitpid(child, &status, 0) != child)
+                errExit("waitpid");
+        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+                 /* success */
+        } else if (WIFEXITED(status)) {
+                fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n",
+                        WEXITSTATUS(status));
+                exit(1);
+        } else if (WIFSIGNALED(status)) {
+                fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n",
+                        strsignal(WTERMSIG(status)));
+                exit(1);
+        } else {
+                fprintf(stderr, "Failed to create untrusted X cookie: "
+                        "xauth: un-decodable exit status %04x\n", status);
+                exit(1);
         }
 
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-
-        // check the file was created and set mode and ownership
+        // ensure the file has the correct permissions and move it
+        // into the correct location.
         if (stat(tmpfname, &s) == -1) {
-                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+                fprintf(stderr, "Error: .Xauthority file was not created\n");
                 exit(1);
         }
         if (set_perms(tmpfname, getuid(), getgid(), 0600))
                 errExit("set_perms");
         
         // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
-        // automatically when the sandbox is closed
-        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
+        // automatically when the sandbox is closed (rename doesn't work)
+        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { // root needed
                 fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
                 exit(1);
         }
@@ -721,14 +739,132 @@ void x11_xorg(void) {
                 errExit("set_perms");
         /* coverity[toctou] */
         unlink(tmpfname);
+        umount("/tmp");
         
+
+        // Ensure there is already a file in the usual location, so that bind-mount below will work.
+        // todo: fix TOCTOU races, currently managed by imposing /usr/bin/xauth as executable
+        char *dest;
+        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (stat(dest, &s) == -1) {
+                // create an .Xauthority file
+                touch_file_as_user(dest, getuid(), getgid(), 0600);
+        }
+        if (is_link(dest)) {
+                fprintf(stderr, "Error: .Xauthority is a symbolic link\n");
+                exit(1);
+        }
+
         // mount
         if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) {
                 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                 exit(1);
         }
+        // just  in case...
         if (set_perms(dest, getuid(), getgid(), 0600))
                 errExit("set_perms");
         free(dest);
 #endif  
 }
+
+void fs_x11(void) {
+#ifdef HAVE_X11
+        int display = x11_display();
+        if (display <= 0)
+                return;
+
+        char *x11file;
+        if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
+                errExit("asprintf");
+        struct stat x11stat;
+        if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) {
+                free(x11file);
+                return;
+        }
+
+        if (arg_debug || arg_debug_whitelists)
+                fprintf(stderr, "Masking all X11 sockets except %s\n", x11file);
+
+               // Move the real /tmp/.X11-unix to a scratch location
+                // so we can still access x11file after we mount a
+                // tmpfs over /tmp/.X11-unix.
+                int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700);
+                if (rv == -1)
+                        errExit("mkdir");
+                if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700))
+                        errExit("set_perms");
+
+                if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
+                        errExit("mount bind");
+
+                // This directory must be mode 1777, or Xlib will barf.
+                if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
+                          MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,
+                          "mode=1777,uid=0,gid=0") < 0)
+                        errExit("mounting tmpfs on /tmp/.X11-unix");
+                fs_logger("tmpfs /tmp/.X11-unix");
+
+                // create an empty file which will have the desired socket bind-mounted over it
+                int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT);
+                if (fd < 0)
+                        errExit(x11file);
+                if (fchown(fd, x11stat.st_uid, x11stat.st_gid))
+                        errExit("fchown");
+                close(fd);
+
+                // do the mount
+                char *wx11file;
+                if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
+                        errExit("asprintf");
+                if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount bind");
+                fs_logger2("whitelist", x11file);
+
+                free(x11file);
+                free(wx11file);
+
+                // block access to RUN_WHITELIST_X11_DIR
+                if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
+                        errExit("mount");
+                fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
+#endif
+}
+
+void x11_block(void) {
+#ifdef HAVE_X11
+        mask_x11_abstract_socket = 1;
+
+        // check abstract socket presence and network namespace options
+        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+                && x11_abstract_sockets_present()) {
+                fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
+                                                "Additional setup required. To block abstract X11 socket you can either:\n"
+                                                " * use network namespace in firejail (--net=none, --net=...)\n"
+                                                " * add \"-nolisten local\" to xserver options\n"
+                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
+                exit(1);
+        }
+
+        // blacklist sockets
+        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
+        profile_add(strdup("blacklist /tmp/.X11-unix"));
+
+        // blacklist .Xauthority
+        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
+        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+        char *xauthority = getenv("XAUTHORITY");
+        if (xauthority) {
+                char *line;
+                if (asprintf(&line, "blacklist %s", xauthority) == -1)
+                        errExit("asprintf");
+                profile_check_line(line, 0, NULL);
+                profile_add(line);
+        }
+
+        // clear environment
+        env_store("DISPLAY", RMENV);
+        env_store("XAUTHORITY", RMENV);
+#endif
+}
+
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index 014f6a904..cef48fb0d 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index 3f8a139ae..8837c9ee7 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index e20e1d449..bbb28f619 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index b63e37444..da5cc2d97 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index c78023888..caf6b50c2 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index def9cd5ac..ba3c9fceb 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/list.c b/src/firemon/list.c
index acff13a28..1df737e8c 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 534d783cb..8d78b094b 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index edae21951..ebcb7a72c 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
@@ -70,7 +70,9 @@ static int pid_is_firejail(pid_t pid) {
                         errExit("asprintf");
                 if ((fd = open(fname, O_RDONLY)) < 0) {
                         free(fname);
-                        rv = 0;
+#ifdef DEBUG_PRCTL
+                        printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv);
+#endif
                         goto doexit;
                 }
                 free(fname);
@@ -81,7 +83,9 @@ static int pid_is_firejail(pid_t pid) {
                 ssize_t len;
                 if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
                         close(fd);
-                        rv = 0;
+#ifdef DEBUG_PRCTL
+                        printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv);
+#endif
                         goto doexit;
                 }
                 buffer[len] = '\0';
@@ -89,8 +93,12 @@ static int pid_is_firejail(pid_t pid) {
         
                 // list of firejail arguments that don't trigger sandbox creation
                 // the initial -- is not included 
-                char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols "
-                        "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get overlay-clean ";
+                char *exclude_args[] = {
+                        "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls",
+                        "debug-errnos", "debug-protocols", "protocol.print",  "debug.caps", 
+                        "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps",
+                        "fs.print", "get", "overlay-clean", NULL
+                };
                 
                 int i;
                 char *start;
@@ -105,16 +113,26 @@ static int pid_is_firejail(pid_t pid) {
                         }
                         if (strncmp(start, "--", 2) != 0)
                                 break;
+                        start += 2;
                         
                         // clan starting with =
-                        char *ptr = strchr(start + 2, '=');
+                        char *ptr = strchr(start, '=');
                         if (ptr)
                                 *ptr = '\0';
                         
-                        if (strstr(firejail_args, start + 2)) {
-                                rv = 0;
-                                break;
+                        // look into exclude list
+                        int j = 0;
+                        while (exclude_args[j] != NULL) {
+                                if (strcmp(start, exclude_args[j]) == 0) {
+                                        rv = 0;
+#ifdef DEBUG_PRCTL
+printf("start=#%s#,  ptr=#%s#, flip rv %d\n", start, ptr, rv);                          
+#endif
+                                        break;
+                                }
+                                j++;
                         }
+                        
                         start = (char *) buffer + i + 1;
                 }
         }
diff --git a/src/firemon/route.c b/src/firemon/route.c
index fb58b169d..dff594431 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index f11c624ea..d50692b37 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/top.c b/src/firemon/top.c
index 94271523c..3ed976af1 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index 6d8b37ecb..3fdcc4d37 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 74a2a61f0..1768237b3 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index 73dc310d3..97cfffe64 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/arp.c b/src/fnet/arp.c
index 96684fdf9..a7f0a603a 100644
--- a/src/fnet/arp.c
+++ b/src/fnet/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
index 0c5e5baef..d6080e283 100644
--- a/src/fnet/fnet.h
+++ b/src/fnet/fnet.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
index 3958efddd..5813db337 100644
--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/main.c b/src/fnet/main.c
index 4e7807d07..6ec8e5f84 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fnet/veth.c b/src/fnet/veth.c
index 546fafcec..86d9d5190 100644
--- a/src/fnet/veth.c
+++ b/src/fnet/veth.c
@@ -26,7 +26,7 @@
  *
  */
  /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c
index dbee916d4..3e92a1f9d 100644
--- a/src/fseccomp/errno.c
+++ b/src/fseccomp/errno.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 504f1c23f..e0d423b4a 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 2f85a786b..134b840f2 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 7bf560fe1..e9f65e7e8 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index cc6edc8ca..f252e36b6 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index 10ef9dd31..d706b3359 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index e22c682dc..d18f2efa5 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index a856e5aef..79c85eb75 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 7c2c4cbb2..398a49578 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h
index 15d1a090e..b663f1f38 100644
--- a/src/ftee/ftee.h
+++ b/src/ftee/ftee.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 2b27baa5a..d425be07c 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/include/common.h b/src/include/common.h
index 108820290..fc4059334 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index 752df5fff..29a3bdf4b 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/include/pid.h b/src/include/pid.h
index b7878ddb5..e8e20d575 100644
--- a/src/include/pid.h
+++ b/src/include/pid.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 7d646dd9e..ced1ed2e3 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 9a29779c9..c49760703 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/lib/common.c b/src/lib/common.c
index 3f66fa72a..6f2cebf12 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/lib/pid.c b/src/lib/pid.c
index 42687274e..7ae5a8d3e 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/libconnect/Makefile.in b/src/libconnect/Makefile.in
deleted file mode 100644
index 5b7a8d0f1..000000000
--- a/src/libconnect/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
-
-all: libconnect.so
-
-%.o : %.c $(H_FILE_LIST)
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-libconnect.so: $(OBJS)
-        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
-
-
-clean:; rm -f $(OBJS) libconnect.so
-
-distclean: clean
-        rm -fr Makefile
diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c
deleted file mode 100644
index 18c4d81f5..000000000
--- a/src/libconnect/libconnect.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <dlfcn.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/un.h>
-#include <sys/stat.h>
-#include <dirent.h>
-#include <errno.h>
-
-//#define DEBUG
-
-//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
-static int check_sockaddr(const struct sockaddr *addr) {
-        if (addr->sa_family == AF_UNIX) {
-                struct sockaddr_un *a = (struct sockaddr_un *) addr;
-                if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) {
-//                      printf("@%s\n", a->sun_path + 1);
-                        errno = ENOENT;
-                        return -1;
-                }
-        }
-        
-        return 0;
-}
-
-//
-// syscalls
-//
-
-// connect
-typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
-static orig_connect_t orig_connect = NULL;
-int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
-        if (!orig_connect)
-                orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
-                        
-        if (check_sockaddr(addr) == -1)
-                return -1;
-                
-        return orig_connect(sockfd, addr, addrlen);
-}
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index dde3df2ea..1be89052c 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index 90fe726de..abacb7115 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index fa522c154..aa1aec567 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -81,11 +81,21 @@ Include other.profile file.
 
 Example: "include /etc/firejail/disable-common.inc"
 
-other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
-file in user home directory.
+The file name can be prefixed with a macro such as ${HOME} or ${CFG}.
+${HOME} is expanded as user home directory, and ${CFG} is expanded as
+Firejail system configuration directory - in most cases /etc/firejail or
+/usr/local/etc/firejail.
 
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 
+Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file.
+
+System configuration files in ${CFG} are overwritten during software installation.
+Persistent configuration at system level is handled in ".local" files. For every
+profile file in ${CFG} directory, the user can create a corresponding .local file 
+storing modifications to the persistent configuration. Persistent .local files
+are included at the start of regular profile files.
+
 .TP
 \fBnoblacklist file_name
 If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
@@ -240,6 +250,11 @@ Mount /etc directory read-write.
 .TP
 \fBwritable-var
 Mount /var directory read-write.
+.TP
+\fBwritable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+
 .SH Security filters
 The following security filters are currently implemented:
 
@@ -388,6 +403,10 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Set a hostname for the sandbox.
 
 .TP
+\fBhosts-file file
+Use file as /etc/hosts.
+
+.TP
 \fBip address
 Assign IP addresses to the last network interface defined by a net command. A
 default gateway is assigned by default.
@@ -448,7 +467,7 @@ Assign MAC addresses to the last network interface defined by a net command.
 
 .TP
 \fBmachine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 
 .TP
 \fBmtu number
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 60c21cbc1..f978661dc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
 .br
 
 .br
@@ -190,7 +192,7 @@ Define a custom blacklist Linux capabilities filter.
 .br
 Example:
 .br
-$ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw
+$ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw
 
 .TP
 \fB\-\-caps.keep=capability,capability,capability
@@ -451,6 +453,39 @@ $ firejail \-\-fs.print=3272
 \fB\-\-get=name|pid filename
 Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
+
+.TP
+\fB\-\-git-install
+Download, compile and install mainline git version of Firejail from the official repository on GitHub.
+The software is installed in /usr/local/bin, and takes precedence over the (old) version
+installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it
+using \-\-git-uninstall command and revert to the old version.
+.br
+
+.br
+Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu
+systems this support is installed using "sudo apt-get install build-essential git".
+.br
+
+.br
+Example:
+.br
+
+.br
+$ firejail \-\-git-install
+
+.TP
+\fB\-\-git-uninstall
+Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command.
+.br
+
+.br
+Example:
+.br
+
+.br
+$ firejail \-\-git-uninstall
+
 .TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
@@ -467,6 +502,16 @@ Example:
 $ firejail \-\-hostname=officepc firefox
 
 .TP
+\fB\-\-hosts-file=file
+Use file as /etc/hosts.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-hosts-file=~/myhosts firefox
+
+.TP
 \fB\-\-ignore=command
 Ignore command in profile file.
 .br
@@ -676,7 +721,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 
 .TP
 \fB\-\-machine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 .br
 
 .br
@@ -759,6 +804,11 @@ Example:
 $ firejail \-\-net=none vlc
 
 .TP
+\fB\-\-netns=name
+Run the program in a named, persistent network namespace.  These can
+be created and configured using "ip netns".
+
+.TP
 \fB\-\-netfilter
 Enable a default client network filter in the new network namespace.
 New network namespaces are created using \-\-net option. If a new network namespaces is not created,
@@ -1708,6 +1758,17 @@ Example:
 .br
 $ sudo firejail --writable-var
 
+.TP
+\fB\-\-writable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var-log
+
 
 .TP
 \fB\-\-x11
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
index ed6319be5..66d86e1a6 100644
--- a/src/tools/extract_caps.c
+++ b/src/tools/extract_caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c
index 3ab4d66e0..9af24b8cd 100644
--- a/src/tools/extract_syscalls.c
+++ b/src/tools/extract_syscalls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c
index 4dbeb7ffc..d108672d2 100644
--- a/src/tools/rvtest.c
+++ b/src/tools/rvtest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index 93dba69ad..f304f5b94 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index f1c1c10f5..d9b64af1d 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index 5cb9d0849..10443a1c7 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index bb646e189..6d0fcf081 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp
index ce8d70464..5038ab21c 100755
--- a/test/appimage/filename.exp
+++ b/test/appimage/filename.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
index b05914b52..d39d8390e 100755
--- a/test/apps-x11-xorg/apps-x11-xorg.sh
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
index 66b82fe92..4da9e5a16 100755
--- a/test/apps-x11-xorg/firefox.exp
+++ b/test/apps-x11-xorg/firefox.exp
@@ -1,13 +1,13 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange firefox -no-remote www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp
index 667c2259f..ce1d38222 100755
--- a/test/apps-x11-xorg/icedove.exp
+++ b/test/apps-x11-xorg/icedove.exp
@@ -1,13 +1,13 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg icedove\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange icedove\r"
 sleep 10
 
 spawn $env(SHELL)
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
index c52cb5b3a..c6d9ba13a 100755
--- a/test/apps-x11-xorg/transmission-gtk.exp
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -1,13 +1,13 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-gtk\r"
 sleep 10
 
 spawn $env(SHELL)
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
index 4a8671dbd..739a94f2e 100755
--- a/test/apps-x11/apps-x11.sh
+++ b/test/apps-x11/apps-x11.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp
index 2505c0c37..eeedd99c4 100755
--- a/test/apps-x11/chromium.exp
+++ b/test/apps-x11/chromium.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp
index 6a50c8884..5464e39cd 100755
--- a/test/apps-x11/firefox.exp
+++ b/test/apps-x11/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp
index e306e33ce..f81d814a7 100755
--- a/test/apps-x11/icedove.exp
+++ b/test/apps-x11/icedove.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp
index 4083a121f..8dae20e31 100755
--- a/test/apps-x11/transmission-gtk.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp
index e9908839b..1f3e1439a 100755
--- a/test/apps-x11/x11-none.exp
+++ b/test/apps-x11/x11-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp
index 41a413890..31a434103 100755
--- a/test/apps-x11/x11-xephyr.exp
+++ b/test/apps-x11/x11-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp
index 5b4299478..c36121a75 100755
--- a/test/apps-x11/xterm-xephyr.exp
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp
index fbc88f196..04fc4b960 100755
--- a/test/apps-x11/xterm-xorg.exp
+++ b/test/apps-x11/xterm-xorg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
index 1fb5df486..e769e5e20 100755
--- a/test/apps-x11/xterm-xpra.exp
+++ b/test/apps-x11/xterm-xpra.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index 38307b284..4b7afe1a9 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp
index d43f70f8e..635c07afa 100755
--- a/test/apps/chromium.exp
+++ b/test/apps/chromium.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp
index 0bf1baae2..3f83a1e01 100755
--- a/test/apps/deluge.exp
+++ b/test/apps/deluge.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/evince.exp b/test/apps/evince.exp
index 71f760a9c..dbad46068 100755
--- a/test/apps/evince.exp
+++ b/test/apps/evince.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp
index 99c48d87c..b5c58c909 100755
--- a/test/apps/fbreader.exp
+++ b/test/apps/fbreader.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp
index 2f7038184..7bef9dc27 100755
--- a/test/apps/filezilla.exp
+++ b/test/apps/filezilla.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp
index 5745d9270..06b5a3bc3 100755
--- a/test/apps/firefox.exp
+++ b/test/apps/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp
index 6f0e5a312..0e879d33b 100755
--- a/test/apps/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp
index 13132cef6..ae2976910 100755
--- a/test/apps/gthumb.exp
+++ b/test/apps/gthumb.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp
index 5d0bc1093..74f0a9fb6 100755
--- a/test/apps/hexchat.exp
+++ b/test/apps/hexchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/icedove.exp b/test/apps/icedove.exp
index c0fbd9fc8..1acb59112 100755
--- a/test/apps/icedove.exp
+++ b/test/apps/icedove.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/midori.exp b/test/apps/midori.exp
index 45d70eda1..764f3e4a4 100755
--- a/test/apps/midori.exp
+++ b/test/apps/midori.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/opera.exp b/test/apps/opera.exp
index 036fc2e21..8a8885afa 100755
--- a/test/apps/opera.exp
+++ b/test/apps/opera.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
index 8bc6d8564..bf23390a1 100755
--- a/test/apps/qbittorrent.exp
+++ b/test/apps/qbittorrent.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/transmission-gtk.exp b/test/apps/transmission-gtk.exp
index 70700d523..d9e5869c8 100755
--- a/test/apps/transmission-gtk.exp
+++ b/test/apps/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp
index 3773b1dc2..189919720 100755
--- a/test/apps/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
index 22c2a0831..10a14e11a 100755
--- a/test/apps/uget-gtk.exp
+++ b/test/apps/uget-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp
index b94ef8e12..a1d4cc6b2 100755
--- a/test/apps/vlc.exp
+++ b/test/apps/vlc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/wine.exp b/test/apps/wine.exp
index a2f465acb..fc181c0cc 100755
--- a/test/apps/wine.exp
+++ b/test/apps/wine.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp
index f3284caf7..8df9f8925 100755
--- a/test/apps/xchat.exp
+++ b/test/apps/xchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh
index 34bff2a67..e7911caa0 100755
--- a/test/chroot/chroot.sh
+++ b/test/chroot/chroot.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/environment/csh.exp b/test/environment/csh.exp
index 46e4bb3ca..bd0cf8c86 100755
--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/env.exp b/test/environment/env.exp
index 8f72400b0..9e2ba1e1c 100755
--- a/test/environment/env.exp
+++ b/test/environment/env.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 2bb5a249e..e2b9cb9d4 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
index 2b851ee72..c2e2be596 100755
--- a/test/environment/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp
index 330e5e372..db64d59ed 100755
--- a/test/environment/firejail-in-firejail2.exp
+++ b/test/environment/firejail-in-firejail2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/nice.exp b/test/environment/nice.exp
index 2e0e95ea1..2c00d1485 100755
--- a/test/environment/nice.exp
+++ b/test/environment/nice.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp
index 8d7c8d4c0..bab395f71 100755
--- a/test/environment/quiet.exp
+++ b/test/environment/quiet.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 4
diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp
index 8f3df794f..69c8db067 100755
--- a/test/environment/shell-none.exp
+++ b/test/environment/shell-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/sound.exp b/test/environment/sound.exp
index dd55add89..f1a251f34 100755
--- a/test/environment/sound.exp
+++ b/test/environment/sound.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index 578951ce0..4380f476c 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp
index 24bb19351..10dd8da58 100755
--- a/test/fcopy/cmdline.exp
+++ b/test/fcopy/cmdline.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "/usr/lib/firejail/fcopy\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "files missing"
+        "arguments missing"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -21,7 +21,7 @@ after 100
 send -- "/usr/lib/firejail/fcopy foo\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "files missing"
+        "arguments missing"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -32,14 +32,14 @@ after 100
 send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid file name"
+        "invalid source file name"
 }
 after 100
 
 send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "invalid file name"
+        "invalid dest file name"
 }
 after 100
 
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp
index dc8c80569..a0fd409a6 100755
--- a/test/fcopy/dircopy.exp
+++ b/test/fcopy/dircopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 #
diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh
index dcda5ca31..0ae50399a 100755
--- a/test/fcopy/fcopy.sh
+++ b/test/fcopy/fcopy.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp
index d1f0a4424..a89eaf40f 100755
--- a/test/fcopy/filecopy.exp
+++ b/test/fcopy/filecopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 #
diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp
index 9927e18fe..beceb3675 100755
--- a/test/fcopy/linkcopy.exp
+++ b/test/fcopy/linkcopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 #
diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp
index d9d662239..605041e22 100755
--- a/test/filters/caps-print.exp
+++ b/test/filters/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
index 2954f2e58..aff5f03c2 100755
--- a/test/filters/caps.exp
+++ b/test/filters/caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index fea4a0296..73e0e4d5c 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
index 8a9a8f9dc..4d876df08 100755
--- a/test/filters/fseccomp.exp
+++ b/test/filters/fseccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
index b011f2bf9..2c7218c87 100755
--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp
index 835f645b2..71f54b08a 100755
--- a/test/filters/protocol.exp
+++ b/test/filters/protocol.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
index 1bd9c9b1f..9cfbac109 100755
--- a/test/filters/seccomp-bad-empty.exp
+++ b/test/filters/seccomp-bad-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
index 463ce05e9..22615420d 100755
--- a/test/filters/seccomp-chmod-profile.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
index b17990e3a..35c6f69c2 100755
--- a/test/filters/seccomp-chmod.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp
index a54d279f1..7d9da5e5a 100755
--- a/test/filters/seccomp-chown.exp
+++ b/test/filters/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index dbc0d37a9..a95f3bd23 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
index 958dab528..abf093201 100755
--- a/test/filters/seccomp-dualfilter.exp
+++ b/test/filters/seccomp-dualfilter.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 1
diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp
index d150dac7d..2cd316953 100755
--- a/test/filters/seccomp-empty.exp
+++ b/test/filters/seccomp-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp
index c3af2fbe9..eeb0824f2 100755
--- a/test/filters/seccomp-errno.exp
+++ b/test/filters/seccomp-errno.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
index bb87b96ea..2c6d9d25e 100755
--- a/test/filters/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp
index 3feabc20f..62135abb8 100755
--- a/test/filters/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c
index 422af619d..48e8f29f5 100644
--- a/test/filters/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -1,5 +1,5 @@
 // This file is part of Firejail project
-// Copyright (C) 2014-2016 Firejail Authors
+// Copyright (C) 2014-2017 Firejail Authors
 // License GPL v2
 
 #include <stdlib.h>
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 611b62b09..85eeaaf81 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
index 8150dfa61..1d810084c 100755
--- a/test/fs/fs_dev_shm.exp
+++ b/test/fs/fs_dev_shm.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp
index 5879dca52..919b75f34 100755
--- a/test/fs/fs_var_lock.exp
+++ b/test/fs/fs_var_lock.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp
index a3bc5afe2..50679db6d 100755
--- a/test/fs/fs_var_tmp.exp
+++ b/test/fs/fs_var_tmp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp
index a6efc24b6..db15bb6ba 100755
--- a/test/fs/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp
index abc711aee..9d9467eac 100755
--- a/test/fs/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
index 98163bf77..e2e7d3ef0 100755
--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp
index 6554d438f..dcdf5facc 100755
--- a/test/fs/option_blacklist.exp
+++ b/test/fs/option_blacklist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp
index 5a96cacc9..f682ed619 100755
--- a/test/fs/option_blacklist_glob.exp
+++ b/test/fs/option_blacklist_glob.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp
index f7181d218..b8722130a 100755
--- a/test/fs/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
index 5ddce8678..b91da07f3 100755
--- a/test/fs/private-etc-empty.exp
+++ b/test/fs/private-etc-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp
index 36b5d247c..c4b0da7b2 100755
--- a/test/fs/private-etc.exp
+++ b/test/fs/private-etc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
index f85a939b1..77baeeb5f 100755
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp
index 3840d1cb8..259eb4f9e 100755
--- a/test/fs/private-home.exp
+++ b/test/fs/private-home.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -89,7 +89,7 @@ expect {
         "Child process initialized"
 }
 after 100
-send -- "file file ~/_firejail_test_link2\r"
+send -- "file ~/_firejail_test_link2\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "broken symbolic link"
diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp
index 35085948a..4a8cf8369 100755
--- a/test/fs/private-homedir.exp
+++ b/test/fs/private-homedir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp
index 6a1ad535c..0e75868b3 100755
--- a/test/fs/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private.exp b/test/fs/private.exp
index 8114ee45d..c7059079d 100755
--- a/test/fs/private.exp
+++ b/test/fs/private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp
index 19a915f66..c648f83dd 100755
--- a/test/fs/read-write.exp
+++ b/test/fs/read-write.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
index f512776d9..8f63aedf7 100755
--- a/test/fs/sys_fs.exp
+++ b/test/fs/sys_fs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index 827f32126..213542c88 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp
index fc05f9322..dd2336ce1 100755
--- a/test/fs/whitelist-double.exp
+++ b/test/fs/whitelist-double.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/whitelist-downloads.exp b/test/fs/whitelist-downloads.exp
index 6af318d2b..f3eb0d6a2 100755
--- a/test/fs/whitelist-downloads.exp
+++ b/test/fs/whitelist-downloads.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp
index 71bb8f914..e1c3ffb4a 100755
--- a/test/fs/whitelist-empty.exp
+++ b/test/fs/whitelist-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 30
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
index 9b631b884..20492c739 100755
--- a/test/fs/whitelist.exp
+++ b/test/fs/whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp
index 6383aad5e..80760eb3a 100755
--- a/test/network/4bridges_arp.exp
+++ b/test/network/4bridges_arp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp
index e762ac285..5e136926b 100755
--- a/test/network/4bridges_ip.exp
+++ b/test/network/4bridges_ip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp
index 8a2e46e04..25845c728 100755
--- a/test/network/bandwidth.exp
+++ b/test/network/bandwidth.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp
index deb8594af..7a95ccb18 100755
--- a/test/network/firemon-interfaces.exp
+++ b/test/network/firemon-interfaces.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/hostname.exp b/test/network/hostname.exp
index 73d06725f..0acb6a5ac 100755
--- a/test/network/hostname.exp
+++ b/test/network/hostname.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/ip6.exp b/test/network/ip6.exp
index 1db16c28a..d03cb7c37 100755
--- a/test/network/ip6.exp
+++ b/test/network/ip6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/iprange.exp b/test/network/iprange.exp
index a1b2ccab4..d37a44e4f 100755
--- a/test/network/iprange.exp
+++ b/test/network/iprange.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp
index fdd30f218..98ed8d9f1 100755
--- a/test/network/net_arp.exp
+++ b/test/network/net_arp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp
index d13a6144e..2467b3ef2 100755
--- a/test/network/net_badip.exp
+++ b/test/network/net_badip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp
index 6291ae5ba..c7178616a 100755
--- a/test/network/net_defaultgw.exp
+++ b/test/network/net_defaultgw.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp
index 7620e4899..088dfeee8 100755
--- a/test/network/net_defaultgw2.exp
+++ b/test/network/net_defaultgw2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp
index a47324adc..bf5d00b34 100755
--- a/test/network/net_defaultgw3.exp
+++ b/test/network/net_defaultgw3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp
index 0fa84243a..c6b84781c 100755
--- a/test/network/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_local.exp b/test/network/net_local.exp
index d58135785..4e0cef329 100755
--- a/test/network/net_local.exp
+++ b/test/network/net_local.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp
index d3cd8163f..dd3391d8e 100755
--- a/test/network/net_mac.exp
+++ b/test/network/net_mac.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp
index 7f21fc083..b6cab7c7b 100755
--- a/test/network/net_macvlan2.exp
+++ b/test/network/net_macvlan2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp
index eb9c5d08c..6748d9ec5 100755
--- a/test/network/net_mtu.exp
+++ b/test/network/net_mtu.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp
index 737485d07..3c43a481f 100755
--- a/test/network/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp
index b557d116c..dfe0abb66 100755
--- a/test/network/net_noip.exp
+++ b/test/network/net_noip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp
index c86ea4900..b6f725523 100755
--- a/test/network/net_noip2.exp
+++ b/test/network/net_noip2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_none.exp b/test/network/net_none.exp
index 1761eb423..0d3701f22 100755
--- a/test/network/net_none.exp
+++ b/test/network/net_none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp
index 29008d811..febbcfcd7 100755
--- a/test/network/net_profile.exp
+++ b/test/network/net_profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp
index 5afbbeea6..bb46f9c60 100755
--- a/test/network/net_scan.exp
+++ b/test/network/net_scan.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp
index 04091047b..e31f5da55 100755
--- a/test/network/net_veth.exp
+++ b/test/network/net_veth.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
index 41232061d..2e6649ae3 100755
--- a/test/network/netstats.exp
+++ b/test/network/netstats.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/network.sh b/test/network/network.sh
index 94df9935e..2c60be0a5 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp
index 36ed41d92..ccfb208ff 100755
--- a/test/network/veth-name.exp
+++ b/test/network/veth-name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp
index 76c0e55fc..723431baa 100755
--- a/test/overlay/firefox-x11-xorg.exp
+++ b/test/overlay/firefox-x11-xorg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp
index aa248f328..982bd8149 100755
--- a/test/overlay/firefox-x11.exp
+++ b/test/overlay/firefox-x11.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp
index 6ef23558d..5614198cd 100755
--- a/test/overlay/firefox.exp
+++ b/test/overlay/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh
index 4c9ebe5b0..94ad6a3cd 100755
--- a/test/overlay/overlay.sh
+++ b/test/overlay/overlay.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp
index 0c5691e9a..cdb38e97b 100755
--- a/test/profiles/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp
index d1be2074a..74b0d5a53 100755
--- a/test/profiles/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 9dca35ca2..5726c0408 100755
--- a/test/profiles/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index ca0b9fb29..3be10bedd 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp
index a6b4a5aad..6bc47f33f 100755
--- a/test/profiles/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
index b4864988d..c9085e8c8 100755
--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/join.exp b/test/root/join.exp
index e4a4e87af..c70fff93d 100755
--- a/test/root/join.exp
+++ b/test/root/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/private.exp b/test/root/private.exp
index 9ce9716f9..479d7afb1 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp
index b17990e3a..35c6f69c2 100755
--- a/test/root/seccomp-chmod.exp
+++ b/test/root/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/seccomp-chown.exp b/test/root/seccomp-chown.exp
index a54d279f1..7d9da5e5a 100755
--- a/test/root/seccomp-chown.exp
+++ b/test/root/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp
index c441c5fc4..90e240e74 100755
--- a/test/root/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp
index f6936c048..06a9a5419 100755
--- a/test/root/whitelist.exp
+++ b/test/root/whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/stress/net_macvlan.exp b/test/stress/net_macvlan.exp
index 6ea4a6adf..187b5c39f 100755
--- a/test/stress/net_macvlan.exp
+++ b/test/stress/net_macvlan.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/stress/stress.sh b/test/stress/stress.sh
index 35c846071..96bbaf61b 100755
--- a/test/stress/stress.sh
+++ b/test/stress/stress.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
index 9755d8737..e7e69df45 100755
--- a/test/sysutils/cpio.exp
+++ b/test/sysutils/cpio.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp
index a8ad84d12..c220ab82e 100755
--- a/test/sysutils/file.exp
+++ b/test/sysutils/file.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
index ab0e727de..b56c27ceb 100755
--- a/test/sysutils/gzip.exp
+++ b/test/sysutils/gzip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 720830304..5ff11174d 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
index 1fd0f5dc0..0d18b8079 100755
--- a/test/sysutils/strings.exp
+++ b/test/sysutils/strings.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index 99939133d..02eb0f41d 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp
index f41d67d6f..989f9ada2 100755
--- a/test/sysutils/tar.exp
+++ b/test/sysutils/tar.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp
index 11d0e560c..13ae6007b 100755
--- a/test/sysutils/xz.exp
+++ b/test/sysutils/xz.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
index 0ea6f5fb0..e60c1af64 100755
--- a/test/sysutils/xzdec.exp
+++ b/test/sysutils/xzdec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/test.sh b/test/test.sh
index 4b7d5bb6d..f0330e139 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 ./chk_config.exp
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
index 931b46981..566493947 100755
--- a/test/utils/audit.exp
+++ b/test/utils/audit.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp
index fa5239da2..d9d48bd50 100755
--- a/test/utils/caps-print.exp
+++ b/test/utils/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp
index 0a6f46102..f639f7c9f 100755
--- a/test/utils/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp
index 406ab5149..461231735 100755
--- a/test/utils/dns-print.exp
+++ b/test/utils/dns-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp
index 76aa13725..dd02611df 100755
--- a/test/utils/firemon-caps.exp
+++ b/test/utils/firemon-caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp
index b1ab083ae..156edaa8f 100755
--- a/test/utils/firemon-cgroup.exp
+++ b/test/utils/firemon-cgroup.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp
index 00156c909..7cb20105f 100755
--- a/test/utils/firemon-cpu.exp
+++ b/test/utils/firemon-cpu.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp
index edafd1639..8fbdf7740 100755
--- a/test/utils/firemon-interface.exp
+++ b/test/utils/firemon-interface.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp
index c5dbfabab..dc7cbee99 100755
--- a/test/utils/firemon-name.exp
+++ b/test/utils/firemon-name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp
index 26c478344..56727a0be 100755
--- a/test/utils/firemon-seccomp.exp
+++ b/test/utils/firemon-seccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp
index 639c15c29..c297bec43 100755
--- a/test/utils/firemon-version.exp
+++ b/test/utils/firemon-version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp
index 4d4ceb718..11b4c9b7e 100755
--- a/test/utils/fs-print.exp
+++ b/test/utils/fs-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/help.exp b/test/utils/help.exp
index 5b9864578..4c3aede9b 100755
--- a/test/utils/help.exp
+++ b/test/utils/help.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join.exp b/test/utils/join.exp
index 79fe99f2d..b74b0b17a 100755
--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join2.exp b/test/utils/join2.exp
index 5895eb730..b7d1f345f 100755
--- a/test/utils/join2.exp
+++ b/test/utils/join2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join3.exp b/test/utils/join3.exp
index 3ccc47bf9..c0cc7c2e4 100755
--- a/test/utils/join3.exp
+++ b/test/utils/join3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join4.exp b/test/utils/join4.exp
index c367dd770..c953320e0 100755
--- a/test/utils/join4.exp
+++ b/test/utils/join4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/list.exp b/test/utils/list.exp
index 69db1f568..321f2bc50 100755
--- a/test/utils/list.exp
+++ b/test/utils/list.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/man.exp b/test/utils/man.exp
index d29f760b0..a28370c65 100755
--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp
index b4b94ea93..12ad98a41 100755
--- a/test/utils/protocol-print.exp
+++ b/test/utils/protocol-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp
index f6ff1e721..5a76d7fcc 100755
--- a/test/utils/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp
index 1ab231bf4..eb87c5d4f 100755
--- a/test/utils/shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp
index 777a73ec9..f92c8b2b1 100755
--- a/test/utils/shutdown2.exp
+++ b/test/utils/shutdown2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp
index a74fb3386..4c2c616b2 100755
--- a/test/utils/shutdown3.exp
+++ b/test/utils/shutdown3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp
index 2942ba3d5..7d3c27164 100755
--- a/test/utils/shutdown4.exp
+++ b/test/utils/shutdown4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/top.exp b/test/utils/top.exp
index d530e5a85..7117cb883 100755
--- a/test/utils/top.exp
+++ b/test/utils/top.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index eedc0f23f..614580016 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 30
diff --git a/test/utils/tree.exp b/test/utils/tree.exp
index a8ef763f1..53f8cf795 100755
--- a/test/utils/tree.exp
+++ b/test/utils/tree.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 04702597f..751f1f8e7 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
diff --git a/test/utils/version.exp b/test/utils/version.exp
index 2ce6f1680..261e40466 100755
--- a/test/utils/version.exp
+++ b/test/utils/version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/video.png b/video.png
new file mode 100644
index 000000000..f9642f466
--- /dev/null
+++ b/video.png