Merge pull request #1 from netblue30/master

Bring fork up-to-date
author: curiosity-seeker <seeker@posteo.org> 2016-12-15 12:58:32 +0100
committer: GitHub <noreply@github.com> 2016-12-15 12:58:32 +0100
commit: d8ee390a6ca56fde4baad57dea7572c39d595809 (patch)
tree: 255252b15232086e6f65203cda676859ab4117a0
parent: Update quiterss.profile (diff)
parent: added a 1 second delay after xpra server is started (diff)
download: firejail-d8ee390a6ca56fde4baad57dea7572c39d595809.tar.gz
firejail-d8ee390a6ca56fde4baad57dea7572c39d595809.tar.zst
firejail-d8ee390a6ca56fde4baad57dea7572c39d595809.zip
702 files changed, 25550 insertions, 9158 deletions
diff --git a/.gitignore b/.gitignore
index 85e317827..89bf3c4fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,8 @@
 *~
 *.swp
 *.rpm
+*.gcda
+*.gcno
 Makefile
 config.log
 config.status
@@ -17,3 +19,13 @@ src/firemon/firemon
 src/firecfg/firecfg
 src/ftee/ftee
 src/tags
+src/faudit/faudit
+src/fnet/fnet
+src/fseccomp/fseccomp
+src/fcopy/fcopy
+uids.h
+seccomp
+seccomp.debug
+seccomp.i386
+seccomp.amd64
diff --git a/Makefile.in b/Makefile.in
index 16f8e8717..8251f9882 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,8 @@
-all: apps firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5
+all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
+SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -14,47 +16,55 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 PACKAGE_TARNAME=@PACKAGE_TARNAME@
 DOCDIR=@docdir@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
+uids.h:; ./mkuid.sh
 .PHONY: mylibs $(MYLIBS)
-mylibs: $(MYLIBS)
+mylibs: $(MYLIBS) uids.h
 $(MYLIBS):
        $(MAKE) -C $@
 .PHONY: apps $(APPS)
 apps: $(APPS)
-$(APPS): $(MYLIBS)
+$(APPS): $(MYLIBS) uids.h
        $(MAKE) -C $@
-firemon.1: src/man/firemon.txt
+$(MANPAGES): $(wildcard src/man/*.txt)
-        ./mkman.sh $(VERSION) src/man/firemon.txt firemon.1
+        ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
-firejail.1: src/man/firejail.txt
-        ./mkman.sh $(VERSION) src/man/firejail.txt firejail.1
+man: $(MANPAGES)
-firecfg.1: src/man/firecfg.txt
-        ./mkman.sh $(VERSION) src/man/firecfg.txt firecfg.1
+filters: src/fseccomp
-firejail-profile.5: src/man/firejail-profile.txt
+        src/fseccomp/fseccomp default seccomp
-        ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5
+        src/fseccomp/fseccomp default seccomp.debug allow-debuggers
-firejail-login.5: src/man/firejail-login.txt
+        src/fseccomp/fseccomp secondary 32 seccomp.i386
-        ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5
+        src/fseccomp/fseccomp secondary 64 seccomp.amd64
-firejail-config.5: src/man/firejail-config.txt
-        ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5
 clean:
-        for dir in $(APPS); do \
+        for dir in $(APPS) $(MYLIBS); do \
-                $(MAKE) -C $$dir clean; \
-        done
-        for dir in $(MYLIBS); do \
                $(MAKE) -C $$dir clean; \
        done
-        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm
+        rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+        rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
+        rm -f test/utils/index.html*
+        rm -f test/utils/wget-log
+        rm -f test/utils/lstesting
+        rm -f test/environment/index.html*
+        rm -f test/environment/wget-log*
+        rm -fr test/environment/-testdir
+        rm -f test/environment/logfile*
+        rm -f test/environment/index.html
+        rm -f test/environment/wget-log
+        rm -f test/sysutils/firejail_t*
+        cd test/compile; ./compile.sh --clean; cd ../..
 distclean: clean
-        for dir in $(APPS); do \
+        for dir in $(APPS) $(MYLIBS); do \
                $(MAKE) -C $$dir distclean; \
        done
-        for dir in $(MYLIBS); do \
+        rm -fr Makefile autom4te.cache config.log config.status config.h uids.h
-                $(MAKE) -C $$dir distclean; \
-        done
-        rm -fr Makefile autom4te.cache config.log config.status config.h
 realinstall:
        # firejail executable
@@ -69,133 +79,54 @@ realinstall:
        install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
        install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
        # documents
        install -m 0755 -d $(DESTDIR)/$(DOCDIR)
        install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
        # etc files
-        ./mketc.sh $(sysconfdir)
+        ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
        install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
-        install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        for file in .etc/* etc/firejail.config; do \
-        install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+                install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
-        install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        done
-        install -c -m 0644 .etc/qtox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/generic.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/qutebrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/flashpeak-slimjet.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/ssh.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/openbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dillo.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/cmus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dnsmasq.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/palemoon.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
        rm -fr .etc
+ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) 
+        # install apparmor profile
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
+        install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
+endif   
        # man pages
-        rm -f firejail.1.gz
-        gzip -9n firejail.1
-        rm -f firemon.1.gz
-        gzip -9n firemon.1
-        rm -f firecfg.1.gz
-        gzip -9n firecfg.1
-        rm -f firejail-profile.5.gz
-        gzip -9n firejail-profile.5
-        rm -f firejail-login.5.gz
-        gzip -9n firejail-login.5
-        rm -f firejail-config.5.gz
-        gzip -9n firejail-config.5
        install -m 0755 -d $(DESTDIR)/$(mandir)/man1
-        install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/.
-        install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/.
-        install -c -m 0644 firecfg.1.gz $(DESTDIR)/$(mandir)/man1/.
        install -m 0755 -d $(DESTDIR)/$(mandir)/man5
-        install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/.
+        for man in $(MANPAGES); do \
-        install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/.
+                rm -f $$man.gz; \
-        install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/.
+                gzip -9n $$man; \
-        rm -f firejail.1.gz firemon.1.gz firecfg.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz
+                case "$$man" in \
+                        *.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \
+                        *.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \
+                esac; \
+        done
+        rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
        # bash completion
        install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
        install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
        install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
        install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 install: all
        $(MAKE) realinstall
@@ -205,7 +136,12 @@ install-strip: all
        strip src/firecfg/firecfg
        strip src/libtrace/libtrace.so
        strip src/libtracelog/libtracelog.so
+        strip src/libconnect/libconnect.so
        strip src/ftee/ftee
+        strip src/faudit/faudit
+        strip src/fnet/fnet
+        strip src/fseccomp/fseccomp
+        strip src/fcopy/fcopy
        $(MAKE) realinstall
 uninstall:
@@ -214,30 +150,44 @@ uninstall:
        rm -f $(DESTDIR)/$(bindir)/firecfg
        rm -fr $(DESTDIR)/$(libdir)/firejail
        rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail
-        rm -f $(DESTDIR)/$(mandir)/man1/firejail.1*
+        for man in $(MANPAGES); do \
-        rm -f $(DESTDIR)/$(mandir)/man1/firemon.1*
+                rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \
-        rm -f $(DESTDIR)/$(mandir)/man1/firecfg.1*
+                rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \
-        rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5*
+        done
-        rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5*
-        rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5*
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
        
+DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
+DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
 dist:
+        mv config.status config.status.old
        make distclean
-        rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2
+        mv config.status.old config.status
-        mkdir $(NAME)-$(VERSION)
+        rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
-        cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd ..
+        mkdir -p $(NAME)-$(VERSION)/test
-        cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd ..
+        cp -a "$(DISTFILES)" $(NAME)-$(VERSION)
-        cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd ..
+        cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test
-        cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd ..
+        rm -rf $(NAME)-$(VERSION)/src/tools
-        tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION)
+        find $(NAME)-$(VERSION) -name .svn -delete
+        tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION)
        rm -fr $(NAME)-$(VERSION)
+asc:; ./mkasc.sh $(VERSION)
 deb: dist
        ./mkdeb.sh $(NAME) $(VERSION)
+snap: all
+        cd platform/snap; ./snap.sh
+install-snap: snap
+        sudo snap remove faudit; sudo snap install faudit*.snap
+test-compile: dist
+        cd test/compile; ./compile.sh $(NAME)-$(VERSION)
 .PHONY: rpms
 rpms:
        ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
@@ -250,5 +200,78 @@ cppcheck: clean
 scan-build: clean
        scan-build make
-asc:; ./mkasc.sh $(VERSION)
+#
+# make test
+#
+test-profiles:
+        cd test/profiles; ./profiles.sh | grep TESTING
+test-apps:
+        cd test/apps; ./apps.sh | grep TESTING
+test-apps-x11:
+        cd test/apps-x11; ./apps-x11.sh | grep TESTING
+test-apps-x11-xorg:
+        cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
+test-sysutils:
+        cd test/sysutils; ./sysutils.sh | grep TESTING
+        
+test-utils:
+        cd test/utils; ./utils.sh | grep TESTING
+test-environment:
+        cd test/environment; ./environment.sh | grep TESTING
+test-filters:
+        cd test/filters; ./filters.sh | grep TESTING
+test-arguments:
+        cd test/arguments; ./arguments.sh | grep TESTING
+        
+test-fs:
+        cd test/fs; ./fs.sh | grep TESTING
+test-fcopy:
+        cd test/fcopy; ./fcopy.sh | grep TESTING
+        
+test: test-profiles test-fcopy test-fs test-utils  test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+        echo "TEST COMPLETE"
+##########################################
+# Individual tests, some of them require root access
+# The tests are very intrussive, by the time you are done
+# with them you will need to restart your computer.
+##########################################
+# requires root access
+test-chroot:
+        cd test/chroot; ./chroot.sh | grep testing
+# Huge appimage files, not included in "make dist" archive
+test-appimage:
+        cd test/appimage; ./appimage.sh | grep TESTING
+# Root access, network devices are created before the test
+# restart your computer to get rid of these devices
+test-network:
+        cd test/network; ./network.sh | grep TESTING
+# Tesets running a root user
+test-root:
+        cd test/root; su -c ./root.sh | grep TESTING
+        
+# OverlayFS is not available on all platforms
+test-overlay:
+        cd test/overlay; ./overlay.sh | grep TESTING
+# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
+test-all: test-root test-chroot test-network test-appimage test-overlay
+        echo "TEST COMPLETE"
+        
+\ No newline at end of file
diff --git a/README b/README
index 81481f512..d20503974 100644
--- a/README
+++ b/README
@@ -18,18 +18,194 @@ License: GPL v2
 Firejail Authors:
 netblue30 (netblue30@yahoo.com)
-Joan Figueras (https://github.com/figue)
+Reiner Herrmann (https://github.com/reinerh)
-        - added abrowser profile
+        - a number of build patches
+        - man page fixes
+        - Debian and Ubuntu integration
+        - clang-analyzer fixes
+        - Debian reproducible build
+        - unit testing framework
+        - moved build to .xz
+        - detached signatures for source archive
+        - recursive mkdir
+Aleksey Manevich (https://github.com/manevich)
+        - several profile fixes
+        - fix problem with relative path in storage_find function
+        - fix build for systems without bash
+        - fix double quotes/single quotes problem
+        - big rework of argument processing subsystem
+        - --join fixes
+        - spliting up cmdline.c
+        - Busybox support
+        - X11 support rewrite
+        - gether shell selection code in one place
+        - fixed several TOCTOU security problems
+        - added --fix option to firecfg utility
+        - read_pid fix
+        - added --x11=block options
+        - x11 xpra, xphyr, none profile commands
+        - added --join-or-start command
+        - CVE-2016-7545
 Fred-Barclay (https://github.com/Fred-Barclay)
+        - lots of profile fixes
        - added Vivaldi, Atril profiles
        - added PaleMoon profile
        - split Icedove and Thunderbird profiles
        - added 0ad profile
+        - fixed version for .deb packages
+        - added Warzone2100 profile
+        - blacklisted VeraCrypt
+        - added Gpredict profile
+        - added Aweather, Stellarium profiles
+        - fixed HexChat and Atril profiles
+        - fixed disable-common.inc for mate-terminal
+        - blacklisted escape-happy terminals in disable-common.inc
+        - blacklisted g++
+        - added xplayer, xreader, and xviewer profiles
+        - added Brave profile
+        - added Gitter profile
+        - various organising
+        - added LibreOffice profile
+        - added pix profile
+        - added audacity profile
+        - fixed Telegram and qtox profiles
+        - added Atom Beta and Atom profiles
+        - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles
+        - several private-bin conversions
+        - added jitsi profile
+        - pidgin private-bin conversion
+        - added eom profile
+        - added gnome-chess profile
+        - added DOSBox profile
+        - evince profile enhancement
+        - tightened Spotify profile
+        - added xiphos and Tor Browser Bundle profiles
+        - added xed and pluma profiles
+        - added Cryptocat profile
+        - added wireshark profile
+valoq (https://github.com/valoq)
+        - lots of profile fixes
+        - added support for /srv in --whitelist feature
+        - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
+        - blacklist suid binaries in disable-common.inc
+        - fix man pages
+        - added keypass2, qemu profiles
+        - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
+        - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
+        - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
+        - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
+        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
+        - added wget profile
+        - disable gnupg and systemd directories under /run/user
+Lari Rauno (https://github.com/tuutti)
+        - qutebrowser profile fixes
+SpotComms (https://github.com/SpotComms)
+        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
+        - added PDFSam, Pithos, and Xonotic profiles
+Vasya Novikov (https://github.com/vn971)
+        - Wesnoth profile
+        - Hedegewars profile
+        - manpage fixes
+        - fixed firecfg clean/clear issue
+        - found the ugliest bug so far
+        - seccomp debug description in man page
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
+        - correct and tighten QuiteRss profile
+        - dnsmasq profile
+        - okular and gwenview profiles
+        - cherrytree profile fixes
+        - added quiterss profile
+        - added guayadeque profile
+Simon Peter (https://github.com/probonopd)
+        - set $APPIMAGE and $APPDIR environment variables
+        - AppImage version detection
+        - Leafppad type v1 and v2 appimage packages in test/appimage
+BogDan Vatra (https://github.com/bog-dan-ro)
+        - zoom profile
+Impyy (https://github.com/Impyy)
+        - added mumble profile
+Vadim A. Misbakh-Soloviov (https://github.com/msva)
+        - profile fixes
+Rafael Cavalcanti (https://github.com/rccavalcanti)
+        - chromium profile fixes for Arch Linux
+Deelvesh Bunjun (https://github.com/DeelveshBunjun)
+        - added xpdf profile
+Dara Adib (https://github.com/daradib)
+        - ssh profile fix
+        - evince profile fix
+vismir2 (https://github.com/vismir2)
+        - feh, ranger, 7z, keepass, keepassx and zathura profiles
+        - claws-mail, mutt, git, emacs, vim profiles
+        - lots of profile fixes
+        -  support for truecrypt and zuluCrypt
+graywolf (https://github.com/graywolf)
+        - spelling fix
+Tomasz Jan Góralczyk (https://github.com/tjg)
+        - fixed Steam profile
+pwnage-pineapple (https://github.com/pwnage-pineapple)
+        - update Okular profile
+Sergey Alirzaev (https://github.com/l29ah)
+        - firejail.h enum fix
+greigdp (https://github.com/greigdp)
+        - Gajim IM client profile
+        - fix Slack profile
+Icaro Perseo (https://github.com/icaroperseo)
+        - Icecat profile
+        - several profile fixes
+hamzadis (https://github.com/hamzadis)
+        - added --overlay-named=name and --overlay-path=path    
+Gaman Gabriel (https://github.com/stelariusinfinitek)
+        - inox profile
+greigdp (https://github.com/greigdp)
+        - fixed spotify profile
+        - added Slack profile
+Laurent Declercq (https://github.com/nuxwin)
+        - fixed test for shell interpreter in chroots
+Franco (nextime) Lanza (https://github.com/nextime)
+        - added --private-template/--private-home
+xee5ch (https://github.com/xee5ch)
+        - skypeforlinux profile
+Peter Hogg (https://github.com/pigmonkey)
+        - WeeChat profile
+        - rtorrent profile
+        - bitlbee profile fixes
+        - mutt profile fixes
+Thomas Jarosch (https://github.com/thomasjfox)
+        - disable keepassx in disable-passwdmgr.inc
+        - added uudeview profile
+        - added tar (gtar), unzip and unrar profile
+        - added file profile
+        - improved profile list
+        - fixed small variable glitch in stat64() / lstat64() (libtracelog)
+        - added lstat() / lstat64() support to libtrace
+        - include mkuid.sh in make dist
+Niklas Haas (https://github.com/haasn)
+        - blacklisting for keybase.io's client
+Jaykishan Mutkawoa (https://github.com/jmutkawoa)
+        - cpio profile
+Paupiah Yash (https://github.com/CaffeinatedStud)
+        - gzip  profile
+Akhil Hans Maulloo (https://github.com/kouul)
+        - xz profile
+Rahul Golam (https://github.com/technoLord)
+        - strings profile
+geg2048 (https://github.com/geg2048)
+        - kwallet profile fixes
+maces (https://github.com/maces)
+        - Franz messenger profile
+KellerFuchs (https://github.com/KellerFuchs)
+        - nonewpriv support, extended profiles for this feature
+        - make `restricted-network` prevent use of netfilter
+        - disable-common.inc additions
+ValdikSS (https://github.com/ValdikSS)
+        - Psi+, Corebird, Konversation profiles
+        - various profile fixes
 avoidr (https://github.com/avoidr)
        - whitelist fix
        - recently-used.xbel fix
        - added parole profile
-        - blacklist ncat, manpage fixes,
+        - blacklist ncat
        - hostname support in profile file
        - Google Chrome profile rework
        - added cmus profile
@@ -37,6 +213,17 @@ avoidr (https://github.com/avoidr)
        - add net iface support in profile files
        - paths fix
        - lots of profile fixes
+        - added mcabber profile
+        - fixed mpv profile
+        - various other fixes
+Ruan (https://github.com/ruany)
+        - fixed hexchat profile
+Matthew Gyurgyik (https://github.com/pyther)
+        - rpm spec and several fixes
+Joan Figueras (https://github.com/figue)
+        - added abrowser profile
+        - added Google-Play-Music-Desktop-Player
+        - added cyberfox profile
 Petter Reinholdtsen (pere@hungry.com)
        - Opera profile patch
 n1trux (https://github.com/n1trux)
@@ -52,12 +239,9 @@ dshmgh (https://github.com/dshmgh)
 yumkam (https://github.com/yumkam)
        - add compile-time option to restrict --net= to root only
        - man page fixes
-Vasya Novikov (https://github.com/vn971)
-        - Wesnoth profile
-        - Hedegewars profile
-        - manpage fixes
 mahdi1234 (https://github.com/mahdi1234)
        - cherrytree profile
+        - Seamonkey profiles
 jrabe (https://github.com/jrabe)
        - disallow access to kdbx files
        - Epiphany profile
@@ -71,19 +255,14 @@ Tom Mellor (https://github.com/kalegrill)
 Martin Carpenter (https://github.com/mcarpenter)
        - security audit and bug fixes
        - Centos 6.x support
-Aleksey Manevich (https://github.com/manevich)
-        - several profile fixes
-        - fix problem with relative path in storage_find function
-        - fix build for systems without bash
 pszxzsd (https://github.com/pszxzsd)
        -uGet profile
 Rahiel Kasim (https://github.com/rahiel)
        - Mathematica profile
+        - whitelisted Dropbox profile
+        - whitelisted keysnail config for firefox
 creideiki (https://github.com/creideiki)
        - make the sandbox process reap all children
-curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
-        - dnsmasq profile
 sinkuu (https://github.com/sinkuu)
        - blacklisting kwalletd
        - fix symlink invocation for programs placing symlinks in $PATH
@@ -93,8 +272,7 @@ Holger Heinz (https://github.com/hheinz)
        - manpage work
 Andrey Alekseenko (https://github.com/al42and)
        - fixing lintian warnings
-mahdi1234 (https://github.com/mahdi1234)
+        - fixed Skype profile
-        - Seamonkey profiles
 Ivan Kozik (https://github.com/ivan)
        - speed up sandbox exit
 Christian Stadelmann (https://github.com/genodeftest)
@@ -105,11 +283,6 @@ Kaan Genç (https://github.com/SeriousBug)
        - dynamic allocation of noblacklist buffer
 Veeti Paananen (https://github.com/veeti)
        - fixed Spotify profile
-Rahiel Kasim (https://github.com/rahiel)
-        - whitelist keysnail config for firefox
-Peter Hogg (https://github.com/pigmonkey)
-        - WeeChat profile
-        - rtorrent profile
 rogshdo (https://github.com/rogshdo)
        - BitlBee profile
 Bruno Nova (https://github.com/brunonova)
@@ -117,8 +290,6 @@ Bruno Nova (https://github.com/brunonova)
        - bash arguments fix
 Matt Parnell (https://github.com/ilikenwf)
        - whitelisting for core firefox related functionality
-Andrey Alekseenko (https://github.com/al42and)
-        - fixed Skype profile
 Ondra Nekola (https://github.com/satai)
        - allow firefox theming with non-global themes
 emacsomancer (https://github.com/emacsomancer)
@@ -132,8 +303,6 @@ andrew160 (https://github.com/andrew160)
        - profile and man pages fixes
 Loïc Damien (https://github.com/dzamlo)
        - small fixes
-Matthew Gyurgyik (https://github.com/pyther)
-        - rpm spec and several fixes
 greigdp (https://github.com/greigdp)
        - add Spotify profile
 Mattias Wadman (https://github.com/wader)
@@ -150,12 +319,6 @@ sarneaud (https://github.com/sarneaud)
        - various enhancements and bug fixes
 Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
        - user namespace implementation
-Reiner Herrmann
-        - a number of build patches
-        - man page fixes
-        - Debian and Ubuntu integration
-        - clang-analyzer fixes
-        - Debian reproducible build
 sshirokov (http://sourceforge.net/u/yshirokov/profile/)
        - Patch to output "Reading profile" to stderr instead of stdout
 G4JC (http://sourceforge.net/u/gaming4jc/profile/)
diff --git a/README.md b/README.md
index 7f6f573b4..609533a91 100644
--- a/README.md
+++ b/README.md
@@ -31,255 +31,62 @@ Features: https://firejail.wordpress.com/features-3/
 Documentation: https://firejail.wordpress.com/documentation-2/
 FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
-`````
-`````
-# Current development version: 0.9.40-rc2
-Version 0.9.40-rc1 released!
-## X11 sandboxing support
-X11 support is built around Xpra (http://xpra.org/) or Xephyr.
-`````
-       --x11  Start a new X11 server using Xpra or Xephyr and attach the sand‐
-              box to this server.  The regular X11 server (display 0)  is  not
-              visible  in  the sandbox. This prevents screenshot and keylogger
-              applications started in the sandbox  from  accessing  other  X11
-              displays.  A network namespace needs to be instantiated in order
-              to deny access to X11 abstract Unix domain socket.
-              Firejail will try first Xpra, and if Xpra is  not  installed  on
-              the  system,  it  will  try to find Xephyr.  This feature is not
-              available when running as root.
-              Example:
-              $ firejail --x11 --net=eth0 firefox
-       --x11=xpra
-              Start a new X11 server using Xpra (http://xpra.org)  and  attach
-              the sandbox to this server.  Xpra is a persistent remote display
-              server and client for forwarding X11  applications  and  desktop
-              screens.  On Debian platforms Xpra is installed with the command
-              sudo apt-get install xpra.  This feature is not  available  when
-              running as root.
-              Example:
-              $ firejail --x11 --net=eth0 firefox
-       --x11=xephyr
-              Start  a  new  X11 server using Xephyr and attach the sandbox to
-              this server.  Xephyr is a display server  implementing  the  X11
-              display  server protocol.  It runs in a window just like other X
-              applications, but it is an X server itself in which you can  run
-              other software.  The default Xephyr window size is 800x600. This
-              can be modified in /etc/firejail/firejail.config file, see man 5
-              firejail-config for more details.
-              The  recommended way to use this feature is to run a window man‐
-              ager inside the sandbox.  A security profile for OpenBox is pro‐
-              vided.  On Debian platforms Xephyr is installed with the command
-              sudo apt-get install xserver-xephyr.  This feature is not avail‐
-              able when running as root.
-              Example:
-              $ firejail --x11 --net=eth0 openbox
-`````
-More information here: https://firejail.wordpress.com/documentation-2/x11-guide/
-## File transfers
-`````
-FILE TRANSFER
-       These features allow the user to inspect the filesystem container of an
-       existing sandbox and transfer files from  the  container  to  the  host
-       filesystem.
-       --get=name filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent working directory.  The  container  is  specified  by  name
-              (--name option). Full path is needed for filename.
-       --get=pid filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent working directory.  The container is specified  by  process
-              ID. Full path is needed for filename.
-       --ls=name dir_or_filename
-              List  container  files.   The  container  is  specified  by name
-              (--name option).  Full path is needed for dir_or_filename.
-       --ls=pid dir_or_filename
-              List container files.  The container is specified by process ID.
-              Full path is needed for dir_or_filename.
-       Examples:
-              $ firejail --name=mybrowser --private firefox
-              $ firejail --ls=mybrowser ~/Downloads
-              drwxr-xr-x netblue  netblue         4096 .
-              drwxr-xr-x netblue  netblue         4096 ..
-              -rw-r--r-- netblue  netblue         7847 x11-x305.png
-              -rw-r--r-- netblue  netblue         6800 x11-x642.png
-              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
-              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
 `````
-## Firecfg
 `````
-NAME
+## User submitted profile repositories
-       Firecfg - Desktop configuration program for Firejail software.
-SYNOPSIS
-       firecfg [OPTIONS]
-DESCRIPTION
-       Firecfg is the desktop configuration utility for Firejail software. The
-       utility creates several symbolic links  to  firejail  executable.  This
-       allows the user to sandbox applications automatically, just by clicking
-       on a regular desktop menus and icons.
-       The symbolic links are placed in /usr/local/bin. For more  information,
+If you keep your Firejail profiles in a public repository, please give us a link:
-       see DESKTOP INTEGRATION section in man 1 firejail.
-OPTIONS
+* https://github.com/chiraag-nataraj/firejail-profiles
-       --clear
-              Clear all firejail symbolic links
-       -?, --help
+* https://github.com/triceratops1/fe
-              Print options end exit.
-       --list List all firejail symbolic links
+Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
-       --version
-              Print program version and exit.
-       Example:
-       $ sudo firecfg
-       /usr/local/bin/firefox created
-       /usr/local/bin/vlc created
-       [...]
-       $ firecfg --list
-       /usr/local/bin/firefox
-       /usr/local/bin/vlc
-       [...]
-       $ sudo firecfg --clear
-       /usr/local/bin/firefox removed
-       /usr/local/bin/vlc removed
-       [...]
 `````
-## Compile time and run time configuration support
-Most Linux kernel security features require root privileges during configuration.
-The same is true for kernel networking features. Firejail (SUID binary) opens the 
-access to these features to regular users. The privilege escalation is restricted 
-to the sandbox being configured, and is not extended to the rest of the system. 
-This arrangement works fine for user desktops or servers where the access is already limited.
-If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
-or at run time by editing /etc/firejail/firejail.config file.
-The following features can be enabled or disabled:
 `````
-       bind   Enable or disable bind support, default enabled.
+# Current development version: 0.9.45
-       chroot Enable or disable chroot support, default enabled.
-       file-transfer
-              Enable or disable file transfer support, default enabled.
-       network
-              Enable or disable networking features, default enabled.
-       restricted-network
-              Enable  or disable restricted network support, default disabled.
-              If enabled, networking features should also be enabled  (network
-              yes).   Restricted  networking  grants access to --interface and
-              --net=ethXXX only to root user. Regular users are  only  allowed
-              --net=none.
-       secomp Enable or disable seccomp support, default enabled.
-       userns Enable or disable user namespace support, default enabled.
-       x11    Enable or disable X11 sandboxing support, default enabled.
-       xephyr-screen
-              Screen    size    for   --x11=xephyr,   default   800x600.   Run
-              /usr/bin/xrandr for a full list of resolutions available on your
-              specific setup. Examples:
-              xephyr-screen 640x480
-              xephyr-screen 800x600
-              xephyr-screen 1024x768
-              xephyr-screen 1280x1024
 `````
-## Default seccomp filter update
-Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
-## STUN/WebRTC disabled in default netfilter configuration
-The  current netfilter configuration (--netfilter option) looks like this:
 `````
-             *filter
+## AppImage type 2 support
-              :INPUT DROP [0:0]
-              :FORWARD DROP [0:0]
-              :OUTPUT ACCEPT [0:0]
-              -A INPUT -i lo -j ACCEPT
-              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-              # allow ping
-              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-              # drop STUN (WebRTC) requests
-              -A OUTPUT -p udp --dport 3478 -j DROP
-              -A OUTPUT -p udp --dport 3479 -j DROP
-              -A OUTPUT -p tcp --dport 3478 -j DROP
-              -A OUTPUT -p tcp --dport 3479 -j DROP
-              COMMIT
 `````
-The filter is loaded by default for Firefox if a network namespace is configured:
-`````
-$ firejail --net=eth0 firefox
 `````
+## New command line options
-## Set sandbox nice value
 `````
-      --nice=value
+      --private-opt=file,directory
-              Set nice value for all processes running inside the sandbox.
+              Build  a  new /opt in a temporary filesystem, and copy the files
+              and directories in the list.  If no listed file is  found,  /opt
+              directory  will  be empty.  All modifications are discarded when
+              the sandbox is closed.
              Example:
-              $ firejail --nice=-5 firefox
+              $ firejail --private-opt=firefox /opt/firefox/firefox
-`````
-## mkdir
-`````
-$ man firejail-profile
-[...]
-       mkdir directory
-              Create   a   directory  in  user  home.  Use  this  command  for
-              whitelisted directories you need to preserve when the sandbox is
-              closed.  Subdirectories  also  need  to  be created using mkdir.
-              Example from firefox profile:
-              mkdir ~/.mozilla
+       --private-srv=file,directory
-              whitelist ~/.mozilla
+              Build a new /srv in a temporary filesystem, and copy  the  files
-              mkdir ~/.cache
+              and  directories  in the list.  If no listed file is found, /srv
-              mkdir ~/.cache/mozilla
+              directory will be empty.  All modifications are  discarded  when
-              mkdir ~/.cache/mozilla/firefox
+              the sandbox is closed.
-              whitelist ~/.cache/mozilla/firefox
-[...]
+              Example:
-`````
+              # firejail --private-srv=www /etc/init.d/apache2 start
-## New security profiles
+       --machine-id
-lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
+              Preserve  id  number  in  /etc/machine-id file. By default a new
-OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad
+              random id is generated inside the sandbox.
+              Example:
+              $ firejail --machine-id
+`````
+## New Profiles
+xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
+amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit,
+gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather,
+goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
+simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
+xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, 
+PDFSam, Pithos, Xonotic, wireshark
diff --git a/RELNOTES b/RELNOTES
index fbd620408..064553f98 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,12 +1,113 @@
-firejail (0.9.40-rc1) baseline; urgency=low
+firejail (0.9.45) baseline; urgency=low
+  * development version, work in progress
+  * security: overwrite /etc/resolv.conf found by Martin Carpenter
+  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: invalid environment exploit found by Martin Carpenter
+  * security: split most of networking code in a separate executable
+  * security: split seccomp filter code configuration in a separate executable
+  * security: split file copying in private option in a separate executable
+  * feature: disable gnupg and systemd directories under /run/user
+  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
+  * feature: AppImage type 2 support
+  * feature: test coverage (gcov) support
+  * feature: private /opt directory (--private-opt, profile support)
+  * feature: private /srv directory (--private-srv, profile support)
+  * feature: spoof machine-id
+  * feature: config support for firejail prompt in terminal
+  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
+  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
+  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, 
+  * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
+  * new profies: Xonotic, wireshark
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
+firejail (0.9.44) baseline; urgency=low
+  * CVE-2016-7545 submitted by Aleksey Manevich
+  * modifs: removed man firejail-config
+  * modifs: --private-tmp whitelists /tmp/.X11-unix directory
+  * modifs: Nvidia drivers added to --private-dev
+  * modifs: /srv supported by --whitelist
+  * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
+  * feature: support starting/joining sandbox is a single command
+    (--join-or-start)
+  * feature: X11 detection support for --audit
+  * feature: assign a name to the interface connected to the bridge 
+    (--veth-name)
+  * feature: all user home directories are visible (--allusers)
+  * feature: add files to sandbox container (--put)
+  * feature: blocking x11 (--x11=block)
+  * feature: X11 security extension (--x11=xorg)
+  * feature: disable 3D hardware acceleration (--no3d)
+  * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
+  * feature: move files in sandbox (--put)
+  * feature: accept wildcard patterns in user  name field of restricted
+    shell login feature
+  * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
+  * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
+  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
+  * new profiles: Flowblade, Eye of GNOME (eog), Evolution
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Fri, 21 Oct 2016 08:00:00 -0500
+firejail (0.9.42) baseline; urgency=low
+  * security: --whitelist deleted files, submitted by Vasya Novikov
+  * security: disable x32 ABI in seccomp, submitted by Jann Horn
+  * security: tighten --chroot, submitted by Jann Horn
+  * security: terminal sandbox escape, submitted by Stephan Sokolow
+  * security: several TOCTOU fixes submitted by Aleksey Manevich
+  * modifs: bringing back --private-home option
+  * modifs: deprecated --user option, please use "sudo -u username firejail"
+  * modifs: allow symlinks in home directory for --whitelist option
+  * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
+  * modifs: recursive mkdir
+  * modifs: include /dev/snd in --private-dev
+  * modifs: seccomp filter update
+  * modifs: release archives moved to .xz format
+  * feature: AppImage support (--appimage)
+  * feature: AppArmor support (--apparmor)
+  * feature: Ubuntu snap support (/etc/firejail/snap.profile)
+  * feature: Sandbox auditing support (--audit)
+  * feature: remove environment variable (--rmenv)
+  * feature: noexec support (--noexec)
+  * feature: clean local overlay storage directory (--overlay-clean)
+  * feature: store and reuse overlay (--overlay-named)
+  * feature: allow debugging inside the sandbox with gdb and strace
+         (--allow-debuggers)
+  * feature: mkfile profile command
+  * feature: quiet profile command
+  * feature: x11 profile command
+  * feature: option to fix desktop files (firecfg --fix)
+  * compile time: Busybox support (--enable-busybox-workaround)
+  * compile time: disable overlayfs (--disable-overlayfs)
+  * compile time: disable whitlisting (--disable-whitelist)
+  * compile time: disable global config (--disable-globalcfg)
+  * run time: enable/disable overlayfs (overlayfs yes/no)
+  * run time: enable/disable  quiet as default (quiet-by-default yes/no)
+  * run time: user-defined network filter (netfilter-default)
+  * run time: enable/disable whitelisting (whitelist yes/no)
+  * run time: enable/disable remounting of /proc and /sys
+          (remount-proc-sys yes/no)
+  * run time: enable/disable chroot desktop features (chroot-desktop yes/no)
+  * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
+  * profiles: pix, audacity, xz, xzdec, gzip, cpio, less
+  * profiles: Atom Beta, Atom, jitsi, eom, uudeview
+  * profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
+  * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Thu, 8 Sept 2016 08:00:00 -0500
+firejail (0.9.40) baseline; urgency=low
  * added --nice option
  * added --x11 option
  * added --x11=xpra option
  * added --x11=xephyr option
  * added --cpu.print option
  * added filetransfer options --ls and --get
+  * added --writable-etc and --writable-var options
+  * added --read-only option
  * added mkdir, ipc-namespace, and nosound profile commands
-  * added net iface, and iprange profile commands
+  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
  * --version also prints compile options
  * --output option also redirects stderr
  * added compile-time option to restrict --net= to root only
@@ -18,10 +119,16 @@ firejail (0.9.40-rc1) baseline; urgency=low
  * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
  * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
  * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
-  * new profiles: PaleMoon, Icedove, abrowser, 0ad
+  * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
+  * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
+  * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
+  * new profiles: generic Ubuntu snap application profile, xplayer
+  * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
+  * new profiles: Brave, Gitter
+  * generic.profile renamed default.profile
  * build rpm packages using "make rpms"
  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sun, 3 Apr 2016 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sun, 29 May 2016 08:00:00 -0500
 firejail (0.9.38) baseline; urgency=low
  * IPv6 support (--ip6 and --netfilter6)
diff --git a/configure b/configure
index 73a5c89e6..9efba1b1d 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc2.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.45.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.40-rc2'
+PACKAGE_VERSION='0.9.45'
-PACKAGE_STRING='firejail 0.9.40-rc2'
+PACKAGE_STRING='firejail 0.9.45'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
@@ -625,17 +625,25 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 HAVE_SECCOMP_H
-EGREP
+HAVE_GCOV
-GREP
+BUSYBOX_WORKAROUND
-CPP
 HAVE_FATAL_WARNINGS
+HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
 HAVE_NETWORK
+HAVE_GLOBALCFG
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
+HAVE_PRIVATE_HOME
+HAVE_OVERLAYFS
+EXTRA_LDFLAGS
+EGREP
+GREP
+CPP
+HAVE_APPARMOR
 RANLIB
 INSTALL_DATA
 INSTALL_SCRIPT
@@ -688,14 +696,21 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
+enable_apparmor
+enable_overlayfs
+enable_private_home
 enable_seccomp
 enable_chroot
 enable_bind
+enable_globalcfg
 enable_network
 enable_userns
 enable_x11
 enable_file_transfer
+enable_whitelist
 enable_fatal_warnings
+enable_busybox_workaround
+enable_gcov
 '
      ac_precious_vars='build_alias
 host_alias
@@ -1246,7 +1261,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.40-rc2 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.45 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1307,7 +1322,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.40-rc2:";;
+     short | recursive ) echo "Configuration of firejail 0.9.45:";;
   esac
  cat <<\_ACEOF
@@ -1315,16 +1330,25 @@ Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-apparmor       enable apparmor
+  --disable-overlayfs     disable overlayfs
+  --disable-private-home  disable private home feature
  --disable-seccomp       disable seccomp
  --disable-chroot        disable chroot
  --disable-bind          disable bind
+  --disable-globalcfg     if the global config file firejail.cfg is not
+                          present, continue the program using defaults
  --disable-network       disable network
  --enable-network=restricted
                          restrict --net= to root only
  --disable-userns        disable user namespace
  --disable-x11           disable X11 sandboxing support
  --disable-file-transfer disable file transfer
+  --disable-whitelist     disable whitelist
  --enable-fatal-warnings -W -Wall -Werror
+  --enable-busybox-workaround
+                          enable busybox workaround
+  --enable-gcov           Gcov instrumentation
 Some influential environment variables:
  CC          C compiler command
@@ -1403,7 +1427,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.40-rc2
+firejail configure 0.9.45
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1455,52 +1479,6 @@ fi
 } # ac_fn_c_try_compile
-# ac_fn_c_try_link LINENO
-# -----------------------
-# Try to link conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_link ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  rm -f conftest.$ac_objext conftest$ac_exeext
-  if { { ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_link") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-         test "$cross_compiling" = yes ||
-         test -x conftest$ac_exeext
-       }; then :
-  ac_retval=0
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-        ac_retval=1
-fi
-  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-  # interfere with the next link command; also delete a directory that is
-  # left behind by Apple's compiler.  We do this before executing the actions.
-  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-  as_fn_set_status $ac_retval
-} # ac_fn_c_try_link
 # ac_fn_c_try_cpp LINENO
 # ----------------------
 # Try to preprocess conftest.$ac_ext, and return whether this succeeded.
@@ -1701,11 +1679,57 @@ $as_echo "$ac_res" >&6; }
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 } # ac_fn_c_check_header_compile
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext conftest$ac_exeext
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+         test "$cross_compiling" = yes ||
+         test -x conftest$ac_exeext
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+        ac_retval=1
+fi
+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+  # interfere with the next link command; also delete a directory that is
+  # left behind by Apple's compiler.  We do this before executing the actions.
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+} # ac_fn_c_try_link
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.40-rc2, which was
+It was created by firejail $as_me 0.9.45, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -3062,164 +3086,20 @@ else
 fi
-HAVE_SECCOMP=""
+HAVE_APPARMOR=""
-# Check whether --enable-seccomp was given.
+# Check whether --enable-apparmor was given.
-if test "${enable_seccomp+set}" = set; then :
+if test "${enable_apparmor+set}" = set; then :
-  enableval=$enable_seccomp;
+  enableval=$enable_apparmor;
-fi
-if test "x$enable_seccomp" != "xno"; then :
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-fi
-HAVE_CHROOT=""
-# Check whether --enable-chroot was given.
-if test "${enable_chroot+set}" = set; then :
-  enableval=$enable_chroot;
-fi
-if test "x$enable_chroot" != "xno"; then :
-        HAVE_CHROOT="-DHAVE_CHROOT"
-fi
-HAVE_BIND=""
-# Check whether --enable-bind was given.
-if test "${enable_bind+set}" = set; then :
-  enableval=$enable_bind;
-fi
-if test "x$enable_bind" != "xno"; then :
-        HAVE_BIND="-DHAVE_BIND"
-fi
-HAVE_NETWORK=""
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-if test "x$enable_network" != "xno"; then :
-        HAVE_NETWORK="-DHAVE_NETWORK"
-        if test "x$enable_network" = "xrestricted"; then :
-               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-fi
-fi
-HAVE_USERNS=""
-# Check whether --enable-userns was given.
-if test "${enable_userns+set}" = set; then :
-  enableval=$enable_userns;
-fi
-if test "x$enable_userns" != "xno"; then :
-        HAVE_USERNS="-DHAVE_USERNS"
-fi
-HAVE_X11=""
-# Check whether --enable-x11 was given.
-if test "${enable_x11+set}" = set; then :
-  enableval=$enable_x11;
-fi
-if test "x$enable_x11" != "xno"; then :
-        HAVE_X11="-DHAVE_X11"
-fi
-HAVE_FILE_TRANSFER=""
-# Check whether --enable-file-transfer was given.
-if test "${enable_file_transfer+set}" = set; then :
-  enableval=$enable_file_transfer;
-fi
-if test "x$enable_file_transfer" != "xno"; then :
-        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
-fi
-HAVE_FATAL_WARNINGS=""
-# Check whether --enable-fatal_warnings was given.
-if test "${enable_fatal_warnings+set}" = set; then :
-  enableval=$enable_fatal_warnings;
 fi
-if test "x$enable_fatal_warnings" = "xyes"; then :
+if test "x$enable_apparmor" = "xyes"; then :
-        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
+        HAVE_APPARMOR="-DHAVE_APPARMOR"
 fi
-# checking pthread library
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
-$as_echo_n "checking for main in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_main=yes
-else
-  ac_cv_lib_pthread_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
-$as_echo "$ac_cv_lib_pthread_main" >&6; }
-if test "x$ac_cv_lib_pthread_main" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-  LIBS="-lpthread $LIBS"
-else
-  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
-fi
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -3617,6 +3497,263 @@ fi
 done
+if test "x$enable_apparmor" = "xyes"; then :
+        ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_apparmor_h" = xyes; then :
+else
+  as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5
+fi
+fi
+if test "x$enable_apparmor" = "xyes"; then :
+        EXTRA_LDFLAGS+="-lapparmor "
+fi
+HAVE_OVERLAYFS=""
+# Check whether --enable-overlayfs was given.
+if test "${enable_overlayfs+set}" = set; then :
+  enableval=$enable_overlayfs;
+fi
+if test "x$enable_overlayfs" != "xno"; then :
+        HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+fi
+HAVE_PRIVATEHOME=""
+# Check whether --enable-private-home was given.
+if test "${enable_private_home+set}" = set; then :
+  enableval=$enable_private_home;
+fi
+if test "x$enable_private_home" != "xno"; then :
+        HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
+fi
+HAVE_SECCOMP=""
+# Check whether --enable-seccomp was given.
+if test "${enable_seccomp+set}" = set; then :
+  enableval=$enable_seccomp;
+fi
+if test "x$enable_seccomp" != "xno"; then :
+        HAVE_SECCOMP="-DHAVE_SECCOMP"
+fi
+HAVE_CHROOT=""
+# Check whether --enable-chroot was given.
+if test "${enable_chroot+set}" = set; then :
+  enableval=$enable_chroot;
+fi
+if test "x$enable_chroot" != "xno"; then :
+        HAVE_CHROOT="-DHAVE_CHROOT"
+fi
+HAVE_BIND=""
+# Check whether --enable-bind was given.
+if test "${enable_bind+set}" = set; then :
+  enableval=$enable_bind;
+fi
+if test "x$enable_bind" != "xno"; then :
+        HAVE_BIND="-DHAVE_BIND"
+fi
+HAVE_GLOBALCFG=""
+# Check whether --enable-globalcfg was given.
+if test "${enable_globalcfg+set}" = set; then :
+  enableval=$enable_globalcfg;
+fi
+if test "x$enable_globalcfg" != "xno"; then :
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+fi
+HAVE_NETWORK=""
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+if test "x$enable_network" != "xno"; then :
+        HAVE_NETWORK="-DHAVE_NETWORK"
+        if test "x$enable_network" = "xrestricted"; then :
+               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
+fi
+fi
+HAVE_USERNS=""
+# Check whether --enable-userns was given.
+if test "${enable_userns+set}" = set; then :
+  enableval=$enable_userns;
+fi
+if test "x$enable_userns" != "xno"; then :
+        HAVE_USERNS="-DHAVE_USERNS"
+fi
+HAVE_X11=""
+# Check whether --enable-x11 was given.
+if test "${enable_x11+set}" = set; then :
+  enableval=$enable_x11;
+fi
+if test "x$enable_x11" != "xno"; then :
+        HAVE_X11="-DHAVE_X11"
+fi
+HAVE_FILE_TRANSFER=""
+# Check whether --enable-file-transfer was given.
+if test "${enable_file_transfer+set}" = set; then :
+  enableval=$enable_file_transfer;
+fi
+if test "x$enable_file_transfer" != "xno"; then :
+        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
+fi
+HAVE_WHITELIST=""
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+  enableval=$enable_whitelist;
+fi
+if test "x$enable_whitelist" != "xno"; then :
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+fi
+HAVE_FATAL_WARNINGS=""
+# Check whether --enable-fatal_warnings was given.
+if test "${enable_fatal_warnings+set}" = set; then :
+  enableval=$enable_fatal_warnings;
+fi
+if test "x$enable_fatal_warnings" = "xyes"; then :
+        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
+fi
+BUSYBOX_WORKAROUND="no"
+# Check whether --enable-busybox-workaround was given.
+if test "${enable_busybox_workaround+set}" = set; then :
+  enableval=$enable_busybox_workaround;
+fi
+if test "x$enable_busybox_workaround" = "xyes"; then :
+        BUSYBOX_WORKAROUND="yes"
+fi
+HAVE_GCOV=""
+# Check whether --enable-gcov was given.
+if test "${enable_gcov+set}" = set; then :
+  enableval=$enable_gcov;
+fi
+if test "x$enable_gcov" = "xyes"; then :
+        HAVE_GCOV="--coverage -DHAVE_GCOV "
+        EXTRA_LDFLAGS+="-lgcov --coverage "
+fi
+# checking pthread library
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
+$as_echo_n "checking for main in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread_main=yes
+else
+  ac_cv_lib_pthread_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
+$as_echo "$ac_cv_lib_pthread_main" >&6; }
+if test "x$ac_cv_lib_pthread_main" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+  LIBS="-lpthread $LIBS"
+else
+  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
+fi
 ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default"
 if test "x$ac_cv_header_pthread_h" = xyes; then :
@@ -3640,7 +3777,7 @@ if test "$prefix" = /usr; then
        sysconfdir="/etc"
 fi
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4184,7 +4321,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.40-rc2, which was
+This file was extended by firejail $as_me 0.9.45, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4238,7 +4375,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.40-rc2
+firejail config.status 0.9.45
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
@@ -4351,12 +4488,17 @@ do
  case $ac_config_target in
    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
    "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
+    "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
+    "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
    "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
    "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
    "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
    "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
    "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
    "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
+    "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
+    "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;;
+    "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
@@ -4818,13 +4960,22 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   apparmor: $HAVE_APPARMOR"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
+echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
+echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   busybox workaround: $BUSYBOX_WORKAROUND"
+echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
+echo "   Gcov instrumentation: $HAVE_GCOV"
 echo
diff --git a/configure.ac b/configure.ac
index a4486b3ff..f3076f2f8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.40-rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.45, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
@@ -9,6 +9,39 @@ AC_PROG_CC
 AC_PROG_INSTALL
 AC_PROG_RANLIB
+HAVE_APPARMOR=""
+AC_ARG_ENABLE([apparmor],
+    AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        HAVE_APPARMOR="-DHAVE_APPARMOR"
+        AC_SUBST(HAVE_APPARMOR)
+])
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR(
+        [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )])
+])
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        EXTRA_LDFLAGS+="-lapparmor "
+])
+AC_SUBST([EXTRA_LDFLAGS])
+HAVE_OVERLAYFS=""
+AC_ARG_ENABLE([overlayfs],
+    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+AS_IF([test "x$enable_overlayfs" != "xno"], [
+        HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+        AC_SUBST(HAVE_OVERLAYFS)
+])
+HAVE_PRIVATEHOME=""
+AC_ARG_ENABLE([private-home],
+    AS_HELP_STRING([--disable-private-home], [disable private home feature]))
+AS_IF([test "x$enable_private_home" != "xno"], [
+        HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
+        AC_SUBST(HAVE_PRIVATE_HOME)
+])
 HAVE_SECCOMP=""
 AC_ARG_ENABLE([seccomp],
    AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
@@ -33,6 +66,14 @@ AS_IF([test "x$enable_bind" != "xno"], [
        AC_SUBST(HAVE_BIND)
 ])
+HAVE_GLOBALCFG=""
+AC_ARG_ENABLE([globalcfg],
+    AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+AS_IF([test "x$enable_globalcfg" != "xno"], [
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+        AC_SUBST(HAVE_GLOBALCFG)
+])
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
    AS_HELP_STRING([--disable-network], [disable network]))
@@ -70,6 +111,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
        AC_SUBST(HAVE_FILE_TRANSFER)
 ])
+HAVE_WHITELIST=""
+AC_ARG_ENABLE([whitelist],
+    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
+AS_IF([test "x$enable_whitelist" != "xno"], [
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+        AC_SUBST(HAVE_WHITELIST)
+])
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
    AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -78,6 +127,25 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
        AC_SUBST(HAVE_FATAL_WARNINGS)
 ])
+BUSYBOX_WORKAROUND="no"
+AC_ARG_ENABLE([busybox-workaround],
+    AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround]))
+AS_IF([test "x$enable_busybox_workaround" = "xyes"], [
+        BUSYBOX_WORKAROUND="yes"
+        AC_SUBST(BUSYBOX_WORKAROUND)
+])
+HAVE_GCOV=""
+AC_ARG_ENABLE([gcov],
+    AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
+AS_IF([test "x$enable_gcov" = "xyes"], [
+        HAVE_GCOV="--coverage -DHAVE_GCOV "
+        EXTRA_LDFLAGS+="-lgcov --coverage "
+        AC_SUBST(HAVE_GCOV)
+])
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -90,7 +158,9 @@ if test "$prefix" = /usr; then
        sysconfdir="/etc"
 fi
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
+src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
+src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile)
 echo
 echo "Configuration options:"
@@ -98,13 +168,22 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   apparmor: $HAVE_APPARMOR"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
+echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
+echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   busybox workaround: $BUSYBOX_WORKAROUND"
+echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
+echo "   Gcov instrumentation: $HAVE_GCOV"
 echo
diff --git a/etc/0ad.profile b/etc/0ad.profile
index f8a3ce23d..1e7c06879 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,30 +1,31 @@
 # Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# Call these options
-caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
-noroot
 # Whitelists
-noblacklist ~/.cache/0ad
-mkdir ~/.cache
 mkdir ~/.cache/0ad
 whitelist ~/.cache/0ad
-mkdir ~/.config
 mkdir ~/.config/0ad
 whitelist ~/.config/0ad
-noblacklist ~/.local/share/0ad
-mkdir ~/.local
-mkdir ~/.local/share
 mkdir ~/.local/share/0ad
 whitelist ~/.local/share/0ad
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-dev
+private-tmp
diff --git a/etc/7z.profile b/etc/7z.profile
new file mode 100644
index 000000000..0cb72ff8d
--- /dev/null
+++ b/etc/7z.profile
@@ -0,0 +1,9 @@
+# 7zip crompression tool profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+nosound
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
new file mode 100644
index 000000000..3db34c03c
--- /dev/null
+++ b/etc/Cryptocat.profile
@@ -0,0 +1,20 @@
+# Firejail profile for 
+noblacklist ${HOME}/.config/Cryptocat
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
new file mode 100644
index 000000000..1f74606ce
--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+include /etc/firejail/cyberfox.profile
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 05131df43..e719f070f 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -15,5 +15,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
 noroot
+seccomp
diff --git a/etc/Telegram.profile b/etc/Telegram.profile
new file mode 100644
index 000000000..2e0f97821
--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile
diff --git a/etc/Wire.profile b/etc/Wire.profile
new file mode 100644
index 000000000..bd9645c7f
--- /dev/null
+++ b/etc/Wire.profile
@@ -0,0 +1,3 @@
+# wire messenger profile
+include /etc/firejail/wire.profile
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 949635258..481301420 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Abrowser
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 include /etc/firejail/disable-common.inc
@@ -7,17 +6,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/abrowser
 whitelist ~/.cache/mozilla/abrowser
 whitelist ~/dwhelper
@@ -40,13 +38,12 @@ whitelist ~/.config/lastpass
 #silverlight
-whitelist ~/.wine-pipelight 
+whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64 
+whitelist ~/.wine-pipelight64
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/amarok.profile b/etc/amarok.profile
new file mode 100644
index 000000000..8d5b35d47
--- /dev/null
+++ b/etc/amarok.profile
@@ -0,0 +1,19 @@
+# amarok profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+#seccomp
+protocol unix,inet,inet6
+#private-bin amarok
+private-dev
+private-tmp
+#private-etc none
diff --git a/etc/ark.profile b/etc/ark.profile
new file mode 100644
index 000000000..61b4c6f60
--- /dev/null
+++ b/etc/ark.profile
@@ -0,0 +1,23 @@
+# ark profile
+noblacklist ~/.config/arkrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+# private-bin
+private-dev
+private-tmp
+# private-etc
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
new file mode 100644
index 000000000..fa0b316bb
--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/atom.profile b/etc/atom.profile
new file mode 100644
index 000000000..61930d5c1
--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/atool.profile b/etc/atool.profile
new file mode 100644
index 000000000..3fbfb9fc7
--- /dev/null
+++ b/etc/atool.profile
@@ -0,0 +1,24 @@
+# atool profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+# private-bin atool
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/atril.profile b/etc/atril.profile
index e078c1d20..fbcca0c1b 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,12 +1,21 @@
 # Atril profile
+noblacklist ~/.config/atril
+noblacklist ~/.local/share
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nogroups
-protocol unix,inet,inet6
+nonewprivs
-netfilter
 noroot
+nosound
+protocol unix
+seccomp
+shell none
 tracelog
+private-bin atril, atril-previewer, atril-thumbnailer
+private-dev
+private-tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 290faa260..e5275213c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/audacity.profile b/etc/audacity.profile
new file mode 100644
index 000000000..827fa4301
--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,21 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin audacity
+private-dev
+private-tmp
diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..fa8654f1e
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin aweather
+private-dev
+private-tmp
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index fb84c260a..87d2e843a 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -4,8 +4,11 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
-protocol unix,inet,inet6
+netfilter
+nonewprivs
 private
 private-dev
+protocol unix,inet,inet6
 seccomp
-netfilter
+nosound
+read-write /var/lib/bitlbee
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
new file mode 100644
index 000000000..0a71db9f0
--- /dev/null
+++ b/etc/bleachbit.profile
@@ -0,0 +1,21 @@
+# bleachbit profile
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
diff --git a/etc/bless.profile b/etc/bless.profile
new file mode 100644
index 000000000..752edadf7
--- /dev/null
+++ b/etc/bless.profile
@@ -0,0 +1,20 @@
+#
+#Profile for bless
+#
+#No Blacklist Paths
+noblacklist ${HOME}/.config/bless
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/brasero.profile b/etc/brasero.profile
new file mode 100644
index 000000000..66de6fa50
--- /dev/null
+++ b/etc/brasero.profile
@@ -0,0 +1,23 @@
+# brasero profile
+noblacklist ~/.config/brasero
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin brasero
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/brave.profile b/etc/brave.profile
new file mode 100644
index 000000000..21ea7f908
--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,17 @@
+# Profile for Brave browser
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+whitelist ${DOWNLOADS}
+mkdir ~/.config/brave
+whitelist ~/.config/brave
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 7bcc61e98..139dec8ec 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,22 +1,18 @@
 # cherrytree note taking application
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python3*
+noblacklist ${HOME}/.config/cherrytree
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-whitelist ${HOME}/cherrytree
-mkdir ~/.config
-mkdir ~/.config/cherrytree
-whitelist ${HOME}/.config/cherrytree/
-mkdir ~/.local
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nogroups
+nonewprivs
 noroot
-include /etc/firejail/whitelist-common.inc
 nosound
+seccomp
+protocol unix,inet,inet6,netlink
+tracelog
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7cf2853ca..4109af9a4 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/chromium
 whitelist ~/.config/chromium
-mkdir ~/.cache
 mkdir ~/.cache/chromium
 whitelist ~/.cache/chromium
 mkdir ~/.pki
@@ -27,4 +25,7 @@ whitelist ~/keepassx.kdbx
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
new file mode 100644
index 000000000..8921bb25e
--- /dev/null
+++ b/etc/claws-mail.profile
@@ -0,0 +1,23 @@
+# claws-mail profile
+noblacklist ~/.claws-mail
+noblacklist ~/.signature
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/clementine.profile b/etc/clementine.profile
index c6271e6e3..5ce085358 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 72b43a70f..2e2a6940c 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -7,10 +7,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 private-bin cmus
 private-etc group
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 007eef663..e82eeec4c 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -4,10 +4,11 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 whitelist ~/.conkeror.mozdev.org
 whitelist ~/Downloads
diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..6fb8219e8
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,11 @@
+# Firejail corebird profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/cpio.profile b/etc/cpio.profile
new file mode 100644
index 000000000..519bd244c
--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,21 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified 
+quiet
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+private-dev
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile
new file mode 100644
index 000000000..0d392b272
--- /dev/null
+++ b/etc/cryptocat.profile
@@ -0,0 +1 @@
+include /etc/Cryptocat.profile
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
new file mode 100644
index 000000000..84021dab3
--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,49 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 2810e5323..04abd0a92 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/default.profile b/etc/default.profile
new file mode 100644
index 000000000..603321316
--- /dev/null
+++ b/etc/default.profile
@@ -0,0 +1,24 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 4043f58f5..c6ddec3ec 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,4 @@
-# deluge bittorernt client profile
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 # deluge is using python on Debian
@@ -6,8 +6,15 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin deluge,sh,python,uname
+private-dev
+private-tmp
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 49c33fb7a..108787920 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Dillo web browser
 noblacklist ~/.dillo
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -7,11 +6,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.dillo
@@ -20,6 +20,3 @@ mkdir ~/.fltk
 whitelist ~/.fltk
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b1133f28f..b86c6f998 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,6 +1,7 @@
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.bash_history
 blacklist ${HOME}/.local/share/systemd
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
@@ -14,21 +15,48 @@ blacklist /etc/xdg/autostart
 blacklist ${HOME}/.kde4/Autostart
 blacklist ${HOME}/.kde4/share/autostart
 blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
 blacklist ${HOME}/.config/plasma-workspace/shutdown
 blacklist ${HOME}/.config/plasma-workspace/env
 blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
+# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+# TrueCrypt                                                                                                                                                                                                         
+blacklist ${PATH}/truecrypt                                                                                                                                                                                         
+blacklist ${PATH}/truecrypt-uninstall.sh                                                                                                                                                                            
+blacklist /usr/share/truecrypt                                                                                                                                                                                      
+blacklist /usr/share/applications/truecrypt.*                                                                                                                                                                       
+blacklist /usr/share/pixmaps/truecrypt.*                                                                                                                                                                            
+blacklist ${HOME}/.TrueCrypt 
+# zuluCrypt                                                                                                                                                                                                         
+blacklist ${HOME}/.zuluCrypt                                                                                                                                                                                        
+blacklist ${HOME}/.zuluCrypt-socket                                                                                                                                                                                 
+blacklist ${PATH}/zuluCrypt-cli                                                                                                                                                                                     
+blacklist ${PATH}/zuluMount-cli                                                                                                                                                                                                                                                                                                                                                              
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
+blacklist /var/mail
 blacklist /var/run/acpid.socket
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/rpcbind.sock
@@ -39,7 +67,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/run/docker.sock
 # etc
-blacklist /etc/cron.*
+blacklist /etc/cron*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
@@ -50,11 +78,15 @@ read-only ${HOME}/.xserverrc
 read-only ${HOME}/.profile
 # Shell startup files
+read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zprofile
 read-only ${HOME}/.zlogout
@@ -62,8 +94,12 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
 # Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
@@ -73,10 +109,11 @@ read-only ${HOME}/.gvimrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
-read-only ${HOME}/.muttrc
+read-only ${HOME}/.reportbugrc
-read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
@@ -84,16 +121,25 @@ read-only ${HOME}/.xscreensaver
 read-only ${HOME}/bin
 # top secret
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
@@ -106,11 +152,19 @@ blacklist /etc/shadow+
 blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
+blacklist /home/.ecryptfs
+# system directories    
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
 # system management
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
 blacklist ${PATH}/fusermount
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/at
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
 blacklist ${PATH}/xinput
@@ -119,17 +173,45 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/procmail
+blacklist ${PATH}/mount.ecryptfs_private
-# system directories    
+# other SUID binaries
-blacklist /sbin
+blacklist /usr/lib/virtualbox
-blacklist /usr/sbin
-blacklist /usr/local/sbin
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
-# disable terminals running as server
+# disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index fa77ed8d1..2ac367f37 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -2,20 +2,32 @@
 # GCC
 blacklist /usr/include
+#blacklist /usr/lib/gcc - seems to create problems on Gentoo
 blacklist /usr/bin/gcc*
 blacklist /usr/bin/cpp*
 blacklist /usr/bin/c9*
 blacklist /usr/bin/c8*
 blacklist /usr/bin/c++*
+blacklist /usr/bin/as
 blacklist /usr/bin/ld
 blacklist /usr/bin/gdb
+blacklist /usr/bin/g++*
+blacklist /usr/bin/x86_64-linux-gnu-g++*
+blacklist /usr/bin/x86_64-linux-gnu-gcc*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
 # clang/llvm
 blacklist /usr/bin/clang*
 blacklist /usr/bin/llvm*
-blacklist /usb/bin/lldb*
+blacklist /usr/bin/lldb*
 blacklist /usr/lib/llvm*
+# tcc - Tiny C Compiler
+blacklist /usr/bin/tcc
+blacklist /usr/bin/x86_64-tcc
+blacklist /usr/lib/tcc
 # Valgrind
 blacklist /usr/bin/valgrind*
 blacklist /usr/lib/valgrind
@@ -35,17 +47,17 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
 # Python 2
-blacklist /usr/bin/python2*
+#blacklist /usr/bin/python2*
-blacklist /usr/lib/python2*
+#blacklist /usr/lib/python2*
-blacklist /usr/local/lib/python2*
+#blacklist /usr/local/lib/python2*
-blacklist /usr/include/python2*
+#blacklist /usr/include/python2*
-blacklist /usr/share/python2*
+#blacklist /usr/share/python2*
+#
 # Python 3
-blacklist /usr/bin/python3*
+#blacklist /usr/bin/python3*
-blacklist /usr/lib/python3*
+#blacklist /usr/lib/python3*
-blacklist /usr/local/lib/python3*
+#blacklist /usr/local/lib/python3*
-blacklist /usr/share/python3*
+#blacklist /usr/share/python3*
-blacklist /usr/include/python3*
+#blacklist /usr/include/python3*
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index c1e68d1ec..045b4d92b 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,6 +1,10 @@
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.keepass
 blacklist ${HOME}/.password-store
 blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
+blacklist ${HOME}/.config/keepass
+blacklist ${HOME}/.config/KeePass
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f4e66dc66..a9ca487c5 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,168 +1,269 @@
-# various programs
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.Atom
-blacklist ${HOME}/.remmina
-blacklist ${HOME}/.tconn
 blacklist ${HOME}/.FBReader
-blacklist ${HOME}/.wine
+blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Natron
+blacklist ${HOME}/.Skype
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.Wolfram Research
-blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.arduino15
-blacklist ${HOME}/.sword
+blacklist ${HOME}/.atom
-blacklist ${HOME}/.xiphos
+blacklist ${HOME}/.audacity-data
+blacklist ${HOME}/.bcast5
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.claws-mail
+blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/Atom
-blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/Brackets
-blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/Cryptocat
-blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/Franz
-blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Gpredict
-blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/INRIA
-blacklist ${HOME}/.config/stellarium
-blacklist ${HOME}/.config/atril
-blacklist ${HOME}/.config/xreader
-blacklist ${HOME}/.config/xviewer
-blacklist ${HOME}/.config/libreoffice
-blacklist ${HOME}/.config/pix
-blacklist ${HOME}/.config/mate/eom
-blacklist ${HOME}/.kde/share/apps/okular
-blacklist ${HOME}/.kde/share/config/okularrc
-blacklist ${HOME}/.kde/share/config/okularpartrc
-blacklist ${HOME}/.kde/share/apps/gwenview
-blacklist ${HOME}/.kde/share/config/gwenviewrc
-blacklist ${HOME}/.config/qpdfview
 blacklist ${HOME}/.config/Luminance
-blacklist ${HOME}/.config/synfig
+blacklist ${HOME}/.config/Meltytech
-blacklist ${HOME}/.synfig
+blacklist ${HOME}/.config/Mumble
-blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.config/QuiteRss
-blacklist ${HOME}/.gimp*
+blacklist ${HOME}/.config/QuiteRssrc
-blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/ardour4
+blacklist ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/arkrc
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/autostart
+blacklist ${HOME}/.config/autostart/dropbox.desktop
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/blender
+blacklist ${HOME}/.config/bless
+blacklist ${HOME}/.config/brasero
+blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/cherrytree
-blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.config/chromium
-blacklist ${HOME}/.openshot
+blacklist ${HOME}/.config/chromium-dev
-blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.config/chromium-flags.conf
-blacklist ${HOME}/.flowblade
-blacklist ${HOME}/.config/flowblade
-blacklist ${HOME}/.config/eog
-# Media players
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
-blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/dolphinrc
-blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/dragonplayerrc
-blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/enchant
-blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/eog
-blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.config/epiphany
-blacklist ${HOME}/.audacity-data
+blacklist ${HOME}/.config/evince
-blacklist ${HOME}/.guayadeque
+blacklist ${HOME}/.config/evolution
+blacklist ${HOME}/.config/filezilla
-# HTTP / FTP / Mail
+blacklist ${HOME}/.config/flowblade
-blacklist ${HOME}/.icedove
+blacklist ${HOME}/.config/gajim
-blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.config/gedit
-blacklist ${HOME}/.sylpheed-2.0
-blacklist ${HOME}/.config/midori
-blacklist ${HOME}/.mozilla
-blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.config/jd-gui.cfg
+blacklist ${HOME}/.config/katepartrc
+blacklist ${HOME}/.config/katerc
+blacklist ${HOME}/.config/kateschemarc
+blacklist ${HOME}/.config/katesyntaxhighlightingrc
+blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/nautilus
+blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
-blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/pix
-blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.config/pluma
-blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.config/filezilla
-blacklist ${HOME}/.dillo
-blacklist ${HOME}/.conkeror.mozdev.org
-blacklist ${HOME}/.config/epiphany
-blacklist ${HOME}/.config/slimjet
-blacklist ${HOME}/.config/qutebrowser
-blacklist ${HOME}/.8pecxstudios
-blacklist ${HOME}/.config/brave
-blacklist ${HOME}/.config/inox
-blacklist ${HOME}/.muttrc
-blacklist ${HOME}/.mutt
-blacklist ${HOME}/.mutt/muttrc
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.config/evolution
-blacklist ${HOME}/.local/share/evolution
-blacklist ${HOME}/.cache/evolution
-# Instant Messaging
-blacklist ${HOME}/.config/hexchat
-blacklist ${HOME}/.mcabber
-blacklist ${HOME}/.mcabberrc
-blacklist ${HOME}/.purple
 blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.config/qpdfview
-blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/qutebrowser
-blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.config/ranger
-blacklist ${HOME}/.Skype
+blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/skypeforlinux
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/synfig
+blacklist ${HOME}/.config/telepathy-account-widgets
+blacklist ${HOME}/.config/torbrowser
+blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
-blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/transmission
-blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/uGet
-blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/vivaldi
-blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.config/vlc
-blacklist ${HOME}/.config/Slack
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.local/share/gajim
-blacklist ${HOME}/.config/gajim
-blacklist ${HOME}/.config/Wire
-# Games
-blacklist ${HOME}/.hedgewars
-blacklist ${HOME}/.steam
 blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/wire
-blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.config/wireshark
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.config/xed
+blacklist ${HOME}/.config/xfburn
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/zoomus.conf
+blacklist ${HOME}/.conkeror.mozdev.org 
+blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dosbox
+blacklist ${HOME}/.dropbox-dist
-# Cryptocoins
-blacklist ${HOME}/.*coin
 blacklist ${HOME}/.electrum*
-blacklist ${HOME}/wallet.dat
+blacklist ${HOME}/.elinks
+blacklist ${HOME}/.emacs
-# git, subversion
+blacklist ${HOME}/.emacs.d
-blacklist ${HOME}/.subversion
+blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.flowblade
+blacklist ${HOME}/.fltk
+blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.gitconfig
-# cache
+blacklist ${HOME}/.googleearth/Cache/
-blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.googleearth/Temp/
-blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.googleearth/myplaces.backup.kml
-blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.googleearth/myplaces.kml
-blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.guayadeque
-blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.hedgewars
-blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.icedove
-blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.inkscape
-blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.jitsi
-blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.kde/share/apps/gwenview
-blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.kde/share/apps/okular
-blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.kde/share/config/gwenviewrc
-blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.kde/share/config/okularpartrc
-blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.kde/share/config/okularrc
-blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.killingfloor
-blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.linphone-history.db
-blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.linphonerc
-blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.lmmsrc.xml
-blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.local/.share/maps-places.json
-blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.local/lib/python2.7/site-packages
-blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/3909/PapersPlease
-# share
+blacklist ${HOME}/.local/share/Empathy
+blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/QuiteRss
+blacklist ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/Steam
+blacklist ${HOME}/.local/share/SuperHexagon
+blacklist ${HOME}/.local/share/Terraria
+blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/aspyr-media
+blacklist ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/data/Mumble
+blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.local/share/feral-interactive
+blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.local/share/gnome-2048
+blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/torbrowser
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/vpltd
+blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/wesnoth
-blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/xplayer
-blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/xreader
-blacklist ${HOME}/.local/share/psi+
-blacklist ${HOME}/.local/share/pix
-blacklist ${HOME}/.local/share/gnome-chess
-blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.lv2
-# ssh
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.mozilla/seamonkey
+blacklist ${HOME}/.mpdconf
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.multimc5
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.nv
+blacklist ${HOME}/.openshot
+blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.opera-beta
+blacklist ${HOME}/.pki
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.scribus
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.steampath
+blacklist ${HOME}/.steampid
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.sword
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.synfig
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.ts3client
+blacklist ${HOME}/.vst
+blacklist ${HOME}/.w3m
+blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.wine64
+blacklist ${HOME}/.xiphos
+blacklist ${HOME}/.xonotic
+blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.zoom
+blacklist ${HOME}/wallet.dat
 blacklist /tmp/ssh-*
diff --git a/etc/display.profile b/etc/display.profile
new file mode 100644
index 000000000..ec041bff7
--- /dev/null
+++ b/etc/display.profile
@@ -0,0 +1,23 @@
+# display (ImageMagick tool) image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+x11 xorg
+private-bin display 
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index bd7e19dc2..926b8bfcc 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -8,5 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
+nosound
+no3d
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 474bc5aca..3bd43f144 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,9 +5,13 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
 caps
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 private
 private-dev
+nosound
+no3d
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
new file mode 100644
index 000000000..09a86f811
--- /dev/null
+++ b/etc/dolphin.profile
@@ -0,0 +1,27 @@
+# dolphin profile
+# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
+noblacklist ~/.config/dolphinrc
+noblacklist ~/.local/share/dolphin
+include /etc/firejail/disable-common.inc
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
new file mode 100644
index 000000000..45fbb712a
--- /dev/null
+++ b/etc/dosbox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin dosbox
+private-dev
+private-tmp
diff --git a/etc/dragon.profile b/etc/dragon.profile
new file mode 100644
index 000000000..09cb73802
--- /dev/null
+++ b/etc/dragon.profile
@@ -0,0 +1,22 @@
+# dragon player profile
+noblacklist ~/.config/dragonplayerrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix,inet,inet6
+private-bin dragon
+private-dev
+private-tmp
+# private-etc
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index a0a944dce..40efd62b2 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,9 +1,21 @@
 # dropbox profile
+noblacklist ~/.config/autostart
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
+mkdir ~/Dropbox
+whitelist ~/Dropbox
+mkdir ~/.dropbox
+whitelist ~/.dropbox
+mkdir ~/.dropbox-dist
+whitelist ~/.dropbox-dist
+mkfile ~/.config/autostart/dropbox.desktop
+whitelist ~/.config/autostart/dropbox.desktop
diff --git a/etc/elinks.profile b/etc/elinks.profile
new file mode 100644
index 000000000..df817ea56
--- /dev/null
+++ b/etc/elinks.profile
@@ -0,0 +1,24 @@
+# elinks profile
+noblacklist ~/.elinks
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin elinks
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/emacs.profile b/etc/emacs.profile
new file mode 100644
index 000000000..2b9c5805c
--- /dev/null
+++ b/etc/emacs.profile
@@ -0,0 +1,16 @@
+# emacs profile
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 789bdda08..2a0a6389c 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -4,6 +4,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/enchant.profile b/etc/enchant.profile
new file mode 100644
index 000000000..cf8288919
--- /dev/null
+++ b/etc/enchant.profile
@@ -0,0 +1,23 @@
+# enchant profile
+noblacklist ~/.config/enchant
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin enchant
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/eog.profile b/etc/eog.profile
new file mode 100644
index 000000000..d463f3a97
--- /dev/null
+++ b/etc/eog.profile
@@ -0,0 +1,22 @@
+# eog (gnome image viewer) profile
+noblacklist ~/.config/eog
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+private-bin eog
+private-dev
+private-etc fonts
+private-tmp
diff --git a/etc/eom.profile b/etc/eom.profile
new file mode 100644
index 000000000..dfcea82c1
--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin eom
+private-dev
+private-tmp
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 95a673bf9..0e898f02b 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -8,19 +8,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 whitelist ${DOWNLOADS}
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/epiphany
 whitelist ${HOME}/.local/share/epiphany
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/epiphany
 whitelist ${HOME}/.config/epiphany
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/epiphany
 whitelist ${HOME}/.cache/epiphany
 include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/evince.profile b/etc/evince.profile
index c390dcaf3..1ec384947 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,11 +1,25 @@
 # evince pdf reader profile
+noblacklist ~/.config/evince
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+#net none - creates some problems on some distributions
+nogroups
+nonewprivs
 noroot
 nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin evince,evince-previewer,evince-thumbnailer
+private-dev
+private-etc fonts
+# evince needs access to /tmp/mozilla* to work in firefox
+# private-tmp
diff --git a/etc/evolution.profile b/etc/evolution.profile
new file mode 100644
index 000000000..ab6dd7a4a
--- /dev/null
+++ b/etc/evolution.profile
@@ -0,0 +1,25 @@
+# evolution profile
+noblacklist ~/.config/evolution
+noblacklist ~/.local/share/evolution
+noblacklist ~/.cache/evolution
+noblacklist ~/.pki
+noblacklist ~/.pki/nssdb
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
new file mode 100644
index 000000000..384695473
--- /dev/null
+++ b/etc/exiftool.profile
@@ -0,0 +1,28 @@
+# exiftool profile
+noblacklist /usr/bin/perl
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+# private-bin exiftool,perl
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index cfbae1c74..ec098d5fe 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin fbreader,FBReader
+private-dev
+private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
new file mode 100644
index 000000000..2812effc9
--- /dev/null
+++ b/etc/feh.profile
@@ -0,0 +1,21 @@
+# feh image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+private-bin feh
+private-dev
+private-etc feh
+private-tmp
+\ No newline at end of file
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
new file mode 100644
index 000000000..6116389db
--- /dev/null
+++ b/etc/file-roller.profile
@@ -0,0 +1,21 @@
+# file-roller profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin file-roller
+# private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/file.profile b/etc/file.profile
new file mode 100644
index 000000000..d145fe12a
--- /dev/null
+++ b/etc/file.profile
@@ -0,0 +1,26 @@
+# file profile
+quiet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+hostname file
+netfilter
+net none
+no3d
+nogroups
+nonewprivs
+#noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+blacklist /tmp/.X11-unix
+private-dev
+private-bin file
+private-etc magic.mgc,magic,localtime
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 8542de284..a40fceec1 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+private-dev
+private-tmp
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
new file mode 100644
index 000000000..d2fde9a3f
--- /dev/null
+++ b/etc/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1ea94a2c7..4f971f330 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,23 +1,24 @@
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde/share/apps/okular
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/firefox
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
@@ -30,6 +31,9 @@ whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde/share/apps/okular
 # lastpass, keepassx
 whitelist ~/.keepassx
@@ -40,14 +44,15 @@ whitelist ~/.config/lastpass
 #silverlight
-whitelist ~/.wine-pipelight 
+whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64 
+whitelist ~/.wine-pipelight64
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
diff --git a/etc/firejail-default b/etc/firejail-default
new file mode 100644
index 000000000..1b0eb7658
--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,154 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+profile firejail-default {
+##########
+# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# functionality.
+##########
+#dbus,
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
+/ r,
+/[^proc,^sys]** mrwlk,
+/{,var/}run/ r,
+/{,var/}run/** r,
+/{,var/}run/user/**/dconf/ rw,
+/{,var/}run/user/**/dconf/user rw,
+/{,var/}run/user/**/pulse/ rw,
+/{,var/}run/user/**/pulse/** rw,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
+/{run,dev}/shm/ r,
+/{run,dev}/shm/** rmwk,
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{PID}/ r,
+/proc/@{PID}/fd/ r,
+/proc/@{PID}/task/ r,
+/proc/@{PID}/cmdline r,
+/proc/@{PID}/comm r,
+/proc/@{PID}/stat r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/proc/sys/vm/overcommit_memory r,
+/proc/sys/vm/overcommit_ratio r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+/proc/@{PID}/maps r,
+/proc/@{PID}/mounts r,
+/proc/@{PID}/mountinfo r,
+/proc/@{PID}/oom_score_adj r,
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/ r,
+/opt/** r,
+/opt/** ix,
+#/home/** ix,
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal,
+##########
+# We let Firejail deal with capabilities.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+##########
+# We let Firejail deal with mount/umount functionality.
+##########
+mount,
+remount,
+umount,
+pivot_root,
+}
diff --git a/etc/firejail.config b/etc/firejail.config
index 41cd08e68..824e3f503 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,24 +9,63 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
+# Enable Firejail green prompt in terminal, default disabled
+# firejail-prompt no
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled.
+# force-nonewprivs no
 # Enable or disable networking features, default enabled.
 # network yes
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+# Enable or disable private-home feature, default enabled
+# private-home yes
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
+# Restricted networking grants access to --interface, --net=ethXXX and
-# only to root user. Regular users are only allowed --net=none.
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 # Enable or disable user namespace support, default enabled.
 # userns yes
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
@@ -36,3 +75,10 @@
 # xephyr-screen 800x600
 # xephyr-screen 1024x768
 # xephyr-screen 1280x1024
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 94c672acf..7e0eb486b 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -15,16 +15,15 @@ include /etc/firejail/disable-programs.inc
 #
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/slimjet
 whitelist ~/.config/slimjet
-mkdir ~/.cache
 mkdir ~/.cache/slimjet
 whitelist ~/.cache/slimjet
 mkdir ~/.pki
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
new file mode 100644
index 000000000..12afdb0aa
--- /dev/null
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
+# FlowBlade profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/franz.profile b/etc/franz.profile
new file mode 100644
index 000000000..0b3be551b
--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,24 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+#tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/gajim.profile b/etc/gajim.profile
new file mode 100644
index 000000000..eb60f858b
--- /dev/null
+++ b/etc/gajim.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Gajim
+noblacklist ${HOME}/.cache/gajim
+noblacklist ${HOME}/.local/share/gajim
+noblacklist ${HOME}/.config/gajim
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.local/share/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/Downloads
+# Allow the local python 2.7 site packages, in case any plugins are using these
+mkdir ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.local/lib/python2.7/site-packages/
+read-only ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/Downloads
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin python2.7 gajim
+#private-etc fonts
+private-dev
+#private-tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
new file mode 100644
index 000000000..a25286bfa
--- /dev/null
+++ b/etc/gedit.profile
@@ -0,0 +1,26 @@
+# gedit profile
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+noblacklist ~/.config/gedit
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gedit
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gimp.profile b/etc/gimp.profile
new file mode 100644
index 000000000..cb441fc9d
--- /dev/null
+++ b/etc/gimp.profile
@@ -0,0 +1,20 @@
+# gimp
+noblacklist ${HOME}/.gimp*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+noexec ${HOME}
+noexec /tmp
+private-dev
+private-tmp
diff --git a/etc/git.profile b/etc/git.profile
new file mode 100644
index 000000000..d60e58c03
--- /dev/null
+++ b/etc/git.profile
@@ -0,0 +1,26 @@
+# git profile
+quiet
+noblacklist ~/.gitconfig
+noblacklist ~/.ssh
+noblacklist ~/.gnupg
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.viminfo
+noblacklist ~/.vim
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
diff --git a/etc/gitter.profile b/etc/gitter.profile
new file mode 100644
index 000000000..f43f5f199
--- /dev/null
+++ b/etc/gitter.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin gitter
+private-dev
+private-tmp
diff --git a/etc/gjs.profile b/etc/gjs.profile
new file mode 100644
index 000000000..8d71728a2
--- /dev/null
+++ b/etc/gjs.profile
@@ -0,0 +1,28 @@
+# gjs (gnome javascript bindings) profile
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ~/.cache/org.gnome.Books
+noblacklist ~/.config/libreoffice
+noblacklist ~/.local/share/gnome-photos
+noblacklist ~/.cache/libgweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
new file mode 100644
index 000000000..f9982da61
--- /dev/null
+++ b/etc/gnome-2048.profile
@@ -0,0 +1,25 @@
+#
+#Profile for gnome-2048
+#
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/gnome-2048
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Whitelist Paths
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+include /etc/firejail/whitelist-common.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
new file mode 100644
index 000000000..10b06e173
--- /dev/null
+++ b/etc/gnome-books.profile
@@ -0,0 +1,26 @@
+# gnome-books profile
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ~/.cache/org.gnome.Books
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gjs gnome-books
+private-tmp
+private-dev
+private-etc fonts
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
new file mode 100644
index 000000000..49e068171
--- /dev/null
+++ b/etc/gnome-calculator.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-calculator
+#
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
new file mode 100644
index 000000000..4db485ea7
--- /dev/null
+++ b/etc/gnome-chess.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gnome-chess
+noblacklist ~/.local/share/gnome-chess
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin fairymax,gnome-chess,hoichess
+private-dev
+private-etc fonts,gnome-chess
+private-tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
new file mode 100644
index 000000000..6cccf9d32
--- /dev/null
+++ b/etc/gnome-clocks.profile
@@ -0,0 +1,21 @@
+# gnome-clocks profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gnome-clocks
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
new file mode 100644
index 000000000..9dc25b26c
--- /dev/null
+++ b/etc/gnome-contacts.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-contacts
+#
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
new file mode 100644
index 000000000..c5def7aff
--- /dev/null
+++ b/etc/gnome-documents.profile
@@ -0,0 +1,24 @@
+# gnome-documents profile
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ~/.config/libreoffice
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+private-tmp
+private-dev
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
new file mode 100644
index 000000000..f1451506e
--- /dev/null
+++ b/etc/gnome-maps.profile
@@ -0,0 +1,24 @@
+# gnome-maps profile
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gjs gnome-maps
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index ec3698ac8..1b0fc9807 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -5,6 +5,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nogroups
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin gnome-mplayer
+private-dev
+private-tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
new file mode 100644
index 000000000..4a8adeb22
--- /dev/null
+++ b/etc/gnome-music.profile
@@ -0,0 +1,22 @@
+# gnome-music profile
+noblacklist ~/.local/share/gnome-music
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gnome-music,python3
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
new file mode 100644
index 000000000..8f9d60cb5
--- /dev/null
+++ b/etc/gnome-photos.profile
@@ -0,0 +1,26 @@
+# gnome-photos profile
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ~/.local/share/gnome-photos
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gjs gnome-photos
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
new file mode 100644
index 000000000..9f93b8f15
--- /dev/null
+++ b/etc/gnome-weather.profile
@@ -0,0 +1,26 @@
+# gnome-weather profile
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+noblacklist ~/.cache/libgweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gjs gnome-weather
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/goobox.profile b/etc/goobox.profile
new file mode 100644
index 000000000..8990943fc
--- /dev/null
+++ b/etc/goobox.profile
@@ -0,0 +1,20 @@
+# goobox profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin goobox
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 11f9f9e33..fe870274f 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-beta
 whitelist ~/.config/google-chrome-beta
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
 mkdir ~/.pki
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index f253e5a90..f6680ac2d 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-unstable
 whitelist ~/.config/google-chrome-unstable
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
 mkdir ~/.pki
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 5e168aae5..a9fcebe73 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome
 whitelist ~/.config/google-chrome
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome
 whitelist ~/.cache/google-chrome
 mkdir ~/.pki
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..b4cf8d9ac
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/etc/gpa.profile b/etc/gpa.profile
new file mode 100644
index 000000000..7d7277190
--- /dev/null
+++ b/etc/gpa.profile
@@ -0,0 +1,23 @@
+# gpa profile
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gpa,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
new file mode 100644
index 000000000..b0ebdf43c
--- /dev/null
+++ b/etc/gpg-agent.profile
@@ -0,0 +1,23 @@
+# gpg-agent profile
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin gpg-agent,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
new file mode 100644
index 000000000..31372eb90
--- /dev/null
+++ b/etc/gpg.profile
@@ -0,0 +1,24 @@
+# gpg profile
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+# private-bin gpg,gpg-agent
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..801304c18
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+whitelist ~/.config/Gpredict
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin gpredict
+private-etc fonts,resolv.conf
+private-dev
+private-tmp
diff --git a/etc/gtar.profile b/etc/gtar.profile
new file mode 100644
index 000000000..2f675cd9d
--- /dev/null
+++ b/etc/gtar.profile
@@ -0,0 +1,3 @@
+# gtar profile
+quiet
+include /etc/firejail/tar.profile
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
new file mode 100644
index 000000000..055d78935
--- /dev/null
+++ b/etc/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin gthumb
+private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..c866c9e63
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,22 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+private-dev
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
diff --git a/etc/gzip.profile b/etc/gzip.profile
new file mode 100644
index 000000000..feb27c150
--- /dev/null
+++ b/etc/gzip.profile
@@ -0,0 +1,14 @@
+# gzip profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+net none
+no3d
+nosound
+shell none
+tracelog
+private-dev
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 5ab7cfe72..7910b7eb0 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -7,11 +7,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+nogroups
+nonewprivs
 noroot
-private-dev
 seccomp
 tracelog
+private-dev
+private-tmp
 mkdir     ~/.hedgewars
 whitelist ~/.hedgewars
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 8f6fd6217..5cefe45b5 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,10 +1,28 @@
 # HexChat instant messaging profile
+# Currently in testing (may not work for all users)
 noblacklist ${HOME}/.config/hexchat
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
+private-bin hexchat
+#debug note: private-bin requires perl, python, etc on some systems
+private-dev
+private-tmp
diff --git a/etc/highlight.profile b/etc/highlight.profile
new file mode 100644
index 000000000..f95f3924a
--- /dev/null
+++ b/etc/highlight.profile
@@ -0,0 +1,24 @@
+# highlight profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+private-bin highlight
+private-tmp
+private-dev
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 25d426ad2..0348076da 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,2 +1,50 @@
 # Firejail profile for GNU Icecat
-include /etc/firejail/firefox.profile
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/icecat
+whitelist ~/.cache/mozilla/icecat
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/icedove.profile b/etc/icedove.profile
index e9a63c8dd..310684bdb 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -11,9 +11,11 @@ mkdir ~/.icedove
 whitelist ~/.icedove
 noblacklist ~/.cache/icedove
-mkdir ~/.cache
 mkdir ~/.cache/icedove
 whitelist ~/.cache/icedove
+# allow browsers
+ignore private-tmp
 include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
new file mode 100644
index 000000000..d55a31cd0
--- /dev/null
+++ b/etc/img2txt.profile
@@ -0,0 +1,24 @@
+# img2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+#private-bin img2txt
+private-tmp
+private-dev
+#private-etc none
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
new file mode 100644
index 000000000..a0e86b6c9
--- /dev/null
+++ b/etc/inkscape.profile
@@ -0,0 +1,20 @@
+# inkscape
+noblacklist ${HOME}/.inkscape
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+noexec ${HOME}
+noexec /tmp
+private-dev
+private-tmp
diff --git a/etc/inox.profile b/etc/inox.profile
new file mode 100644
index 000000000..49d2f2835
--- /dev/null
+++ b/etc/inox.profile
@@ -0,0 +1,24 @@
+# Inox browser profile
+noblacklist ~/.config/inox
+noblacklist ~/.cache/inox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+netfilter
+whitelist ${DOWNLOADS}
+mkdir ~/.config/inox
+whitelist ~/.config/inox
+mkdir ~/.cache/inox
+whitelist ~/.cache/inox
+mkdir ~/.pki
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
new file mode 100644
index 000000000..1d6eb41f8
--- /dev/null
+++ b/etc/jd-gui.profile
@@ -0,0 +1,19 @@
+#
+#Profile for jd-gui
+#
+noblacklist ${HOME}/.config/jd-gui.cfg
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
new file mode 100644
index 000000000..046499abe
--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,17 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-tmp
diff --git a/etc/k3b.profile b/etc/k3b.profile
new file mode 100644
index 000000000..8a5fff0c6
--- /dev/null
+++ b/etc/k3b.profile
@@ -0,0 +1,21 @@
+# k3b profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+# private-bin 
+# private-dev
+# private-tmp
+# private-etc
diff --git a/etc/kate.profile b/etc/kate.profile
new file mode 100644
index 000000000..4b07ea6cb
--- /dev/null
+++ b/etc/kate.profile
@@ -0,0 +1,28 @@
+# kate profile
+noblacklist ~/.local/share/kate
+noblacklist ~/.config/katerc
+noblacklist ~/.config/katepartrc
+noblacklist ~/.config/kateschemarc
+noblacklist ~/.config/katesyntaxhighlightingrc
+noblacklist ~/.config/katevirc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin kate
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/keepass.profile b/etc/keepass.profile
new file mode 100644
index 000000000..18a5f4ebd
--- /dev/null
+++ b/etc/keepass.profile
@@ -0,0 +1,21 @@
+# keepass password manager profile
+noblacklist ${HOME}/.config/keepass
+noblacklist ${HOME}/.keepass
+ 
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+private-tmp
+private-dev
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
new file mode 100644
index 000000000..9daa014e3
--- /dev/null
+++ b/etc/keepass2.profile
@@ -0,0 +1,5 @@
+# keepass password manager profile
+#noblacklist ${HOME}/.config/KeePass
+#noblacklist ${HOME}/.keepass
+ 
+include /etc/firejail/keepass.profile
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
new file mode 100644
index 000000000..d8621773f
--- /dev/null
+++ b/etc/keepassx.profile
@@ -0,0 +1,22 @@
+# keepassx password manager profile
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+ 
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+private-tmp
+private-dev 
diff --git a/etc/kmail.profile b/etc/kmail.profile
index a7079661b..410ff36c6 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -7,8 +7,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 tracelog
+private-dev
+# private-tmp
diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..c00b91c18
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,14 @@
+# Firejail konversation profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+noroot
+seccomp
+protocol unix,inet,inet6
+private-tmp
diff --git a/etc/less.profile b/etc/less.profile
new file mode 100644
index 000000000..08758aead
--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,11 @@
+# less profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+net none
+nosound
+shell none
+tracelog
+private-dev
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
new file mode 100644
index 000000000..d6aceb7a8
--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+noblacklist /usr/local/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+private-dev
+# whitelist /tmp/.X11-unix/
diff --git a/etc/localc.profile b/etc/localc.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/loffice.profile b/etc/loffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
new file mode 100644
index 000000000..41a662bca
--- /dev/null
+++ b/etc/lollypop.profile
@@ -0,0 +1,20 @@
+#
+#Profile for lollypop
+#
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/lollypop
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/lomath.profile b/etc/lomath.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/loweb.profile b/etc/loweb.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
new file mode 100644
index 000000000..76e864e0c
--- /dev/null
+++ b/etc/luminance-hdr.profile
@@ -0,0 +1,23 @@
+# luminance-hdr
+noblacklist ${HOME}/.config/Luminance
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+noexec ${HOME}
+noexec /tmp
+private-tmp
+private-dev
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index b6acf2587..12765c299 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,11 +1,10 @@
 # lxterminal (LXDE) profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+protocol unix,inet,inet6
+seccomp
 #noroot - somehow this breaks on Debian Jessie!
diff --git a/etc/lynx.profile b/etc/lynx.profile
new file mode 100644
index 000000000..6e150f62e
--- /dev/null
+++ b/etc/lynx.profile
@@ -0,0 +1,22 @@
+# lynx profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin lynx
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
new file mode 100644
index 000000000..48b46dba0
--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
new file mode 100644
index 000000000..c07a9a9e8
--- /dev/null
+++ b/etc/mediainfo.profile
@@ -0,0 +1,26 @@
+# mediainfo profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+private-bin mediainfo
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/midori.profile b/etc/midori.profile
index 7fc27e07c..046c45d94 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -5,7 +5,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+# noroot - noroot break midori on Ubuntu 14.04
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/mpv.profile b/etc/mpv.profile
new file mode 100644
index 000000000..80f8de54a
--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
new file mode 100644
index 000000000..cc310f294
--- /dev/null
+++ b/etc/multimc5.profile
@@ -0,0 +1,27 @@
+#
+#Profile for multimc5
+#
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Whitelist Paths
+mkdir ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.multimc5
+include /etc/firejail/whitelist-common.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
diff --git a/etc/mumble.profile b/etc/mumble.profile
new file mode 100644
index 000000000..ddd70822d
--- /dev/null
+++ b/etc/mumble.profile
@@ -0,0 +1,26 @@
+# mumble profile
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin mumble
+private-tmp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
new file mode 100644
index 000000000..7f9261d8b
--- /dev/null
+++ b/etc/mupdf.profile
@@ -0,0 +1,30 @@
+# mupdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+private-tmp
+private-dev
+private-etc fonts
+# mupdf will never write anything
+read-only ${HOME}
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 7b38b411a..acb13e6b9 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -8,15 +8,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/mupen64plus
 whitelist ${HOME}/.local/share/mupen64plus/
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
-noroot
 caps.drop all
-seccomp
 net none
+nonewprivs
+noroot
+seccomp
diff --git a/etc/mutt.profile b/etc/mutt.profile
new file mode 100644
index 000000000..2718421c5
--- /dev/null
+++ b/etc/mutt.profile
@@ -0,0 +1,40 @@
+# mutt email client profile
+noblacklist ~/.muttrc
+noblacklist ~/.mutt
+noblacklist ~/.mutt/muttrc
+noblacklist ~/.mailcap
+noblacklist ~/.gnupg
+noblacklist ~/.mail
+noblacklist ~/.Mail
+noblacklist ~/mail
+noblacklist ~/Mail
+noblacklist ~/sent
+noblacklist ~/postponed
+noblacklist ~/.cache/mutt
+noblacklist ~/.w3m
+noblacklist ~/.elinks
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.signature
+noblacklist ~/.bogofilter
+noblacklist ~/.msmtprc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
new file mode 100644
index 000000000..264ee0b9d
--- /dev/null
+++ b/etc/nautilus.profile
@@ -0,0 +1,26 @@
+# nautilus profile
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
+noblacklist ~/.config/nautilus
+include /etc/firejail/disable-common.inc
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin nautilus
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..2071e5519
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,29 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9c0c6e125..9fa785450 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -4,7 +4,8 @@
 :OUTPUT ACCEPT [0:0]
 ###################################################################
-# Client filter rejecting local network traffic, with the exception of DNS traffic
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
 #
 # Usage:
 #     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
new file mode 100644
index 000000000..329275022
--- /dev/null
+++ b/etc/odt2txt.profile
@@ -0,0 +1,24 @@
+# odt2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+private-bin odt2txt
+private-tmp
+private-dev
+private-etc none
+read-only ${HOME}
diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..22e223cea
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,25 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+read-only   ~/.kde/share/config/kdeglobals
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin okular,kbuildsycoca4,kbuildsycoca5  
+# private-etc X11
+private-dev
+private-tmp
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 6e2e5d6fd..f812768a1 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -5,8 +5,7 @@
 include /etc/firejail/disable-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/openshot.profile b/etc/openshot.profile
new file mode 100644
index 000000000..f12bd7d11
--- /dev/null
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 3d6edb286..12c91c744 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera-beta
 whitelist ~/.config/opera-beta
-mkdir ~/.cache
 mkdir ~/.cache/opera-beta
 whitelist ~/.cache/opera-beta
 mkdir ~/.pki
diff --git a/etc/opera.profile b/etc/opera.profile
index ff00eb349..e0c89a195 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -9,10 +9,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera
 whitelist ~/.config/opera
-mkdir ~/.cache
 mkdir ~/.cache/opera
 whitelist ~/.cache/opera
 mkdir ~/.opera
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index fc4ea453b..71deec6bc 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,31 +1,30 @@
 # Firejail profile for Pale Moon
-# Noblacklists
 noblacklist ~/.moonchild productions/pale moon
 noblacklist ~/.cache/moonchild productions/pale moon
-# Included profiles
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/whitelist-common.inc
-# Options
-caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
-noroot
 whitelist ${DOWNLOADS}
 mkdir ~/.moonchild productions
 whitelist ~/.moonchild productions
-mkdir ~/.cache
-mkdir ~/.cache/moonchild productions
 mkdir ~/.cache/moonchild productions/pale moon
 whitelist ~/.cache/moonchild productions/pale moon
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin palemoon
+private-tmp
 # These are uncommented in the Firefox profile. If you run into trouble you may
 # want to uncomment (some of) them.
 #whitelist ~/dwhelper
@@ -40,9 +39,9 @@ whitelist ~/.cache/moonchild productions/pale moon
 #whitelist ~/.pki
 # For silverlight
-#whitelist ~/.wine-pipelight 
+#whitelist ~/.wine-pipelight
-#whitelist ~/.wine-pipelight64 
+#whitelist ~/.wine-pipelight64
-#whitelist ~/.config/pipelight-widevine 
+#whitelist ~/.config/pipelight-widevine
 #whitelist ~/.config/pipelight-silverlight5.1
@@ -55,3 +54,4 @@ whitelist ~/.config/lastpass
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)
diff --git a/etc/parole.profile b/etc/parole.profile
index 0c9a72143..1440a9ef7 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -8,8 +8,9 @@ private-etc passwd,group,fonts
 private-bin parole,dbus-launch
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 shell none
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
new file mode 100644
index 000000000..6e50f37cf
--- /dev/null
+++ b/etc/pdfsam.profile
@@ -0,0 +1,17 @@
+#
+#Profile for pdfsam
+#
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
new file mode 100644
index 000000000..632c9d15e
--- /dev/null
+++ b/etc/pdftotext.profile
@@ -0,0 +1,22 @@
+# pdftotext profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+private-bin pdftotext
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index fd497f082..850706145 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -2,10 +2,20 @@
 noblacklist ${HOME}/.purple
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin pidgin
+private-dev
+private-tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
new file mode 100644
index 000000000..8270b8bee
--- /dev/null
+++ b/etc/pithos.profile
@@ -0,0 +1,19 @@
+#
+#Profile for pithos
+#
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/pix.profile b/etc/pix.profile
new file mode 100644
index 000000000..dc8192b01
--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,22 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin pix
+private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/pluma.profile b/etc/pluma.profile
new file mode 100644
index 000000000..895cc2369
--- /dev/null
+++ b/etc/pluma.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Xed
+noblacklist ${HOME}/.config/pluma
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+seccomp
+shell none
+tracelog
+private-bin pluma
+private-dev
+private-tmp
diff --git a/etc/polari.profile b/etc/polari.profile
index 0bc46f3f7..ac9530c40 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -3,18 +3,14 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share/
 mkdir ${HOME}/.local/share/Empathy
 whitelist ${HOME}/.local/share/Empathy
 mkdir ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.local/share/telepathy
 mkdir ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/TpLogger
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/telepathy-account-widgets
 whitelist ${HOME}/.config/telepathy-account-widgets
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/telepathy
 whitelist ${HOME}/.cache/telepathy
 mkdir ${HOME}/.purple
@@ -22,8 +18,8 @@ whitelist ${HOME}/.purple
 include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..e4e69b9f6
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,22 @@
+# Firejail profile for Psi+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+whitelist ${DOWNLOADS}
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 8bdc745fb..89e0e4c78 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -5,8 +5,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+# there are some problems with "Open destination folder", see bug #536
+#shell none
+#private-bin qbittorrent
+private-dev
+private-tmp
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
new file mode 100644
index 000000000..f9c8e6345
--- /dev/null
+++ b/etc/qemu-launcher.profile
@@ -0,0 +1,19 @@
+# qemu-launcher profile
+noblacklist ~/.qemu-launcher
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-tmp
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
new file mode 100644
index 000000000..65e1e44ea
--- /dev/null
+++ b/etc/qemu-system-x86_64.profile
@@ -0,0 +1,17 @@
+# qemu profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
new file mode 100644
index 000000000..06c0db206
--- /dev/null
+++ b/etc/qpdfview.profile
@@ -0,0 +1,22 @@
+# qpdfview profile
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin qpdfview
+private-dev
+private-tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 80acc3873..81d8aa10e 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -3,13 +3,21 @@ noblacklist ${HOME}/.config/tox
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 mkdir ${HOME}/.config/tox
 whitelist ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin qtox
+private-tmp
diff --git a/etc/quassel.profile b/etc/quassel.profile
index 72004da7f..f92dfeb9f 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -4,7 +4,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
 netfilter
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 934a374de..dcacd4f29 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
 noblacklist ~/.config/qutebrowser
 noblacklist ~/.cache/qutebrowser
 include /etc/firejail/disable-common.inc
@@ -7,16 +6,18 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.config/qutebrowser
 whitelist ~/.config/qutebrowser
-mkdir ~/.cache
 mkdir ~/.cache/qutebrowser
 whitelist ~/.cache/qutebrowser
+mkdir ~/.local/share/qutebrowser
+whitelist ~/.local/share/qutebrowser
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
new file mode 100644
index 000000000..3538f3eb2
--- /dev/null
+++ b/etc/ranger.profile
@@ -0,0 +1,24 @@
+# ranger file manager profile
+noblacklist /usr/bin/perl
+#noblacklist /usr/bin/cpan*
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+noblacklist ~/.config/ranger
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+private-tmp
+private-dev
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 782cd3832..e5e192486 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -5,7 +5,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin rhythmbox
+private-dev
+private-tmp
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index ae0430830..55bfcd77f 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin rtorrent
+private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index a10d5b0ec..b981d9516 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -6,18 +6,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
-mkdir ~/.mozilla
 mkdir ~/.mozilla/seamonkey
 whitelist ~/.mozilla/seamonkey
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/seamonkey
 whitelist ~/.cache/mozilla/seamonkey
 whitelist ~/dwhelper
@@ -41,11 +39,10 @@ whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 #silverlight
-whitelist ~/.wine-pipelight 
+whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64 
+whitelist ~/.wine-pipelight64
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/server.profile b/etc/server.profile
index 1b3cb7207..b8a34feb2 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -6,8 +6,12 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+blacklist /tmp/.X11-unix
+no3d
+nosound
+seccomp
 private
 private-dev
 private-tmp
-seccomp
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
new file mode 100644
index 000000000..03089482b
--- /dev/null
+++ b/etc/simple-scan.profile
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
new file mode 100644
index 000000000..4dcfa64d9
--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix,inet,inet6
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
diff --git a/etc/skype.profile b/etc/skype.profile
index 26feac1a4..9cbcd5117 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
-seccomp
 protocol unix,inet,inet6
+seccomp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
new file mode 100644
index 000000000..3f0a274f9
--- /dev/null
+++ b/etc/skypeforlinux.profile
@@ -0,0 +1,11 @@
+# skypeforlinux profile
+noblacklist ${HOME}/.config/skypeforlinux
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6,netlink
diff --git a/etc/slack.profile b/etc/slack.profile
new file mode 100644
index 000000000..a85a28f03
--- /dev/null
+++ b/etc/slack.profile
@@ -0,0 +1,31 @@
+# Firejail profile for Slack
+noblacklist ${HOME}/.config/Slack
+noblacklist ${HOME}/Downloads
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+blacklist /var
+caps.drop all
+name slack
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin slack
+private-dev
+private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+private-tmp
+mkdir ${HOME}/.config
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/snap.profile b/etc/snap.profile
new file mode 100644
index 000000000..e2ada3a99
--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,12 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/soffice.profile b/etc/soffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/spotify.profile b/etc/spotify.profile
index fd4586dd5..6dbcc03ee 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -7,24 +7,37 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-# Whitelist the folders needed by Spotify - This is more restrictive 
+# Whitelist the folders needed by Spotify
-# than a blacklist though, but this is all spotify requires for 
-# streaming audio
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
-include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
+private-dev
+private-tmp
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..548ede37d
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,16 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+noblacklist /etc/ssh
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7b282bde6..b7a8ed2b9 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,12 +1,16 @@
 # ssh client
+quiet
 noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+noblacklist /etc/ssh
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
new file mode 100644
index 000000000..ee19cee25
--- /dev/null
+++ b/etc/start-tor-browser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for the Tor Brower Bundle
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-etc fonts
+private-dev
+private-tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 4c96e8258..5dc5e80ff 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
 seccomp
-protocol unix,inet,inet6
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..d57c9e5f7
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin stellarium
+private-dev
+private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
new file mode 100644
index 000000000..2b7724b11
--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,11 @@
+# strings profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+net none
+nosound
+shell none
+tracelog
+private-dev
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
new file mode 100644
index 000000000..69b2a0db2
--- /dev/null
+++ b/etc/synfigstudio.profile
@@ -0,0 +1,19 @@
+# synfigstudio
+noblacklist ${HOME}/.config/synfig
+noblacklist ${HOME}/.synfig
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix
+seccomp
+noexec ${HOME}
+noexec /tmp
+private-dev
+private-tmp
diff --git a/etc/tar.profile b/etc/tar.profile
new file mode 100644
index 000000000..3addb02fb
--- /dev/null
+++ b/etc/tar.profile
@@ -0,0 +1,18 @@
+# tar profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+hostname tar
+net none
+no3d
+nosound
+shell none
+tracelog
+# support compressed archives
+private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime
diff --git a/etc/telegram.profile b/etc/telegram.profile
index df6b6a270..7615c8eef 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -5,11 +5,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
-whitelist ~/Downloads/Telegram Desktop
+noroot
-mkdir ${HOME}/.TelegramDesktop
+protocol unix,inet,inet6
-whitelist ~/.TelegramDesktop
+seccomp
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 7882367b9..568343ba6 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -11,9 +11,11 @@ mkdir ~/.thunderbird
 whitelist ~/.thunderbird
 noblacklist ~/.cache/thunderbird
-mkdir ~/.cache
 mkdir ~/.cache/thunderbird
 whitelist ~/.cache/thunderbird
+# allow browsers
+ignore private-tmp
 include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
diff --git a/etc/totem.profile b/etc/totem.profile
index 4d87cbb85..252b46979 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,11 +1,15 @@
 # Totem media player profile
+noblacklist ~/.config/totem
+noblacklist ~/.local/share/totem
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
 netfilter
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/tracker.profile b/etc/tracker.profile
new file mode 100644
index 000000000..217631216
--- /dev/null
+++ b/etc/tracker.profile
@@ -0,0 +1,24 @@
+# tracker profile
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
new file mode 100644
index 000000000..6cbc3415c
--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,23 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index d61d36a8c..fa54ea81b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
-# transmission-gtk profile
+# transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin transmission-gtk
+private-dev
+private-tmp
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 3db7a5452..100fadc27 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
-# transmission-qt profile
+# transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin transmission-qt
+private-dev
+private-tmp
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
new file mode 100644
index 000000000..5e5284b34
--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+# private-bin
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index ef5aa7d4a..3ba28f772 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -6,13 +6,19 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin uget-gtk
+private-dev
+private-tmp
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 4365e4fee..5e2cb5f65 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
+nosound
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/unrar.profile b/etc/unrar.profile
new file mode 100644
index 000000000..bde6f4e22
--- /dev/null
+++ b/etc/unrar.profile
@@ -0,0 +1,18 @@
+# unrar profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+hostname unrar
+net none
+no3d
+nosound
+shell none
+tracelog
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+private-tmp
diff --git a/etc/unzip.profile b/etc/unzip.profile
new file mode 100644
index 000000000..8c10d11a0
--- /dev/null
+++ b/etc/unzip.profile
@@ -0,0 +1,16 @@
+# unzip profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+hostname unzip
+net none
+no3d
+nosound
+shell none
+tracelog
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
new file mode 100644
index 000000000..d5b750a13
--- /dev/null
+++ b/etc/uudeview.profile
@@ -0,0 +1,15 @@
+# uudeview profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /etc
+hostname uudeview
+net none
+nosound
+shell none
+tracelog
+private-bin uudeview
+private-dev
diff --git a/etc/vim.profile b/etc/vim.profile
new file mode 100644
index 000000000..b161fcbb0
--- /dev/null
+++ b/etc/vim.profile
@@ -0,0 +1,16 @@
+# vim profile
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
new file mode 100644
index 000000000..36a1e0704
--- /dev/null
+++ b/etc/virtualbox.profile
@@ -0,0 +1,12 @@
+# VirtualBox profile
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist /usr/bin/virtualbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 449d9a168..08b046847 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/vivaldi
 whitelist ~/.config/vivaldi
-mkdir ~/.cache
 mkdir ~/.cache/vivaldi
 whitelist ~/.cache/vivaldi
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 061ae6f78..2fd763f25 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -7,7 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+private-dev
+private-tmp
diff --git a/etc/w3m.profile b/etc/w3m.profile
new file mode 100644
index 000000000..d765217cf
--- /dev/null
+++ b/etc/w3m.profile
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
new file mode 100644
index 000000000..7c7efade8
--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,26 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
+# Call these options
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin warzone2100
+private-dev
+private-tmp
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 280a5f9d8..410061278 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -4,8 +4,12 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-netfilter
+protocol unix,inet,inet6
+seccomp
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins 
+\ No newline at end of file
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 340ba0db5..bb489ddeb 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -9,20 +9,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/wesnoth
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/wesnoth
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/wesnoth
 whitelist ${HOME}/.local/share/wesnoth
 whitelist ${HOME}/.config/wesnoth
diff --git a/etc/wget.profile b/etc/wget.profile
new file mode 100644
index 000000000..d9bca2acc
--- /dev/null
+++ b/etc/wget.profile
@@ -0,0 +1,22 @@
+# wget profile
+quiet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+# private-bin wget
+# private-etc resolv.conf
+private-dev
+private-tmp
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9d5ef3d96..d4e69948e 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
 # common whitelist for all profiles
+whitelist ~/.XCompose
 whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
@@ -13,16 +14,25 @@ whitelist ~/.fonts.d
 whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
+whitelist ~/.local/share/fonts
 whitelist ~/.config/fontconfig
 whitelist ~/.cache/fontconfig
 # gtk
 whitelist ~/.gtkrc
 whitelist ~/.gtkrc-2.0
+whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
 whitelist ~/.themes
+whitelist ~/.kde/share/config/gtkrc
+whitelist ~/.kde/share/config/gtkrc-2.0
 # dconf
-mkdir ~/.config
 mkdir ~/.config/dconf
 whitelist ~/.config/dconf
+# qt/kde
+whitelist ~/.config/kdeglobals
+whitelist ~/.kde/share/config/oxygenrc
+whitelist ~/.kde/share/config/kdeglobals
+whitelist ~/.kde/share/icons
diff --git a/etc/wine.profile b/etc/wine.profile
index ea6db8511..18e5346af 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -9,5 +9,6 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
 seccomp
diff --git a/etc/wire.profile b/etc/wire.profile
new file mode 100644
index 000000000..ec8ed8771
--- /dev/null
+++ b/etc/wire.profile
@@ -0,0 +1,23 @@
+# wire messenger profile
+noblacklist ~/.config/Wire
+noblacklist ~/.config/wire
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-tmp
+private-dev
+# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
+# To use wire with firejail run "firejail /opt/Wire/wire" 
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
new file mode 100644
index 000000000..898fc787e
--- /dev/null
+++ b/etc/wireshark.profile
@@ -0,0 +1,22 @@
+# Firejail profile for 
+noblacklist ${HOME}/.config/wireshark
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin wireshark
+private-dev
+private-tmp
diff --git a/etc/xchat.profile b/etc/xchat.profile
index fcea4245e..1f2865cab 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -6,6 +6,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
+# private-bin requires perl, python, etc.
diff --git a/etc/xed.profile b/etc/xed.profile
new file mode 100644
index 000000000..051710a70
--- /dev/null
+++ b/etc/xed.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Xed
+noblacklist ${HOME}/.config/xed
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+seccomp
+shell none
+tracelog
+private-bin xed
+private-dev
+private-tmp
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
new file mode 100644
index 000000000..1dd24aa61
--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
new file mode 100644
index 000000000..b7fb6ecf3
--- /dev/null
+++ b/etc/xiphos.profile
@@ -0,0 +1,30 @@
+# Firejail profile for xiphos
+noblacklist ~/.sword
+noblacklist ~/.xiphos
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+blacklist ~/.bashrc
+blacklist ~/.Xauthority
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin xiphos
+private-etc fonts,resolv.conf,sword
+private-dev
+private-tmp
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile
new file mode 100644
index 000000000..b255ffdbb
--- /dev/null
+++ b/etc/xonotic-glx.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-glx
+#
+include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
new file mode 100644
index 000000000..783667304
--- /dev/null
+++ b/etc/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-sdl
+#
+include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
new file mode 100644
index 000000000..75d649619
--- /dev/null
+++ b/etc/xonotic.profile
@@ -0,0 +1,25 @@
+#
+#Profile for xonotic
+#
+#No Blacklist Paths
+noblacklist ${HOME}/.xonotic
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+#Whitelist Paths
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include /etc/firejail/whitelist-common.inc
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/generic.profile b/etc/xpdf.profile
index f2c7d4114..7ea368bbe 100644
--- a/etc/generic.profile
+++ b/etc/xpdf.profile
@@ -1,15 +1,18 @@
 ################################
-# Generic GUI application profile
+# xpdf application profile
 ################################
+noblacklist ${HOME}/.xpdfrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
-#blacklist ${HOME}/.wine
 caps.drop all
-seccomp
+net none
-protocol unix,inet,inet6
+nonewprivs
-netfilter
 noroot
+protocol unix
+shell none
+seccomp
+private-dev
+private-tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
new file mode 100644
index 000000000..191d2f67f
--- /dev/null
+++ b/etc/xplayer.profile
@@ -0,0 +1,22 @@
+# Xplayer profile
+noblacklist ~/.config/xplayer
+noblacklist ~/.local/share/xplayer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+private-tmp
diff --git a/etc/xpra.profile b/etc/xpra.profile
new file mode 100644
index 000000000..8584e4e5b
--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+# private-bin 
+private-dev
+private-tmp
+# private-etc
diff --git a/etc/xreader.profile b/etc/xreader.profile
new file mode 100644
index 000000000..d2a000bd0
--- /dev/null
+++ b/etc/xreader.profile
@@ -0,0 +1,23 @@
+# Xreader profile
+noblacklist ~/.config/xreader
+noblacklist ~/.cache/xreader
+noblacklist ~/.local/share
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-dev
+private-tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
new file mode 100644
index 000000000..ca380b4c7
--- /dev/null
+++ b/etc/xviewer.profile
@@ -0,0 +1,21 @@
+# xviewer profile
+noblacklist ~/.config/xviewer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-dev
+private-bin xviewer
+private-tmp
diff --git a/etc/xz.profile b/etc/xz.profile
new file mode 100644
index 000000000..5b29f7338
--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,3 @@
+# xz profile
+quiet
+include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
new file mode 100644
index 000000000..6164e3200
--- /dev/null
+++ b/etc/xzdec.profile
@@ -0,0 +1,14 @@
+# xzdec profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+net none
+no3d
+nosound
+shell none
+tracelog
+private-dev
diff --git a/etc/zathura.profile b/etc/zathura.profile
new file mode 100644
index 000000000..6c93a2480
--- /dev/null
+++ b/etc/zathura.profile
@@ -0,0 +1,26 @@
+# zathura document viewer profile
+noblacklist ~/.config/zathura
+noblacklist ~/.local/share/zathura
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+private-bin zathura
+private-dev
+private-etc fonts
+private-tmp
+read-only ~/
+read-write ~/.local/share/zathura/
diff --git a/etc/zoom.profile b/etc/zoom.profile
new file mode 100644
index 000000000..4c08868cf
--- /dev/null
+++ b/etc/zoom.profile
@@ -0,0 +1,22 @@
+# Firejail profile for zoom.us
+noblacklist ~/.config/zoomus.conf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+# Whitelists
+mkdir ~/.zoom
+whitelist ~/.zoom
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+private-tmp
diff --git a/gcov.sh b/gcov.sh
new file mode 100755
index 000000000..57190cad2
--- /dev/null
+++ b/gcov.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+gcov_init() {
+        USER=`whoami`
+        firejail --help > /dev/null
+        firemon --help > /dev/null
+        /usr/lib/firejail/fnet --help > /dev/null
+        /usr/lib/firejail/fseccomp --help > /dev/null
+        /usr/lib/firejail/ftee --help > /dev/null
+        /usr/lib/firejail/fcopy --help > /dev/null
+        firecfg --help > /dev/null
+        sudo chown $USER:$USER `find .`
+}
+generate() {
+        lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-new
+        lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new  --output-file gcov-file
+        rm -fr gcov-dir
+        genhtml -q gcov-file --output-directory gcov-dir
+        sudo rm `find . -name *.gcda`
+        cp gcov-file gcov-file-old
+        gcov_init
+}
+gcov_init
+lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-old
+#make test-environment
+#generate
+#sleep 2
+#exit
+# running tests
+make test-root
+generate
+sleep 2
+make test-chroot
+generate
+sleep 2
+make test-network
+generate
+sleep 2
+make test-appimage
+generate
+sleep 2
+make test-overlay
+generate
+sleep 2
+make test-fcopy
+generate
+sleep 2
+make test-profiles
+generate
+sleep 2
+make test-fs
+generate
+sleep 2
+make test-utils
+generate
+sleep 2
+make test-environment
+generate
+sleep 2
+make test-apps
+generate
+sleep 2
+make test-apps-x11
+generate
+sleep 2
+make test-apps-x11-xorg 
+generate
+sleep 2
+make test-filters 
+generate
+sleep 2
+make test-arguments
+generate
+sleep 2
diff --git a/mkasc.sh b/mkasc.sh
index 2c9836f17..4d5b73e20 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -6,5 +6,6 @@ cd /transfer
 sha256sum * > firejail-$1-unsigned
 gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc
 gpg --verify firejail-$1.asc
+gpg --detach-sign --armor firejail-$1.tar.xz
 rm firejail-$1-unsigned
diff --git a/mkdeb.sh b/mkdeb.sh
index 71c3b9a04..be8d618e1 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh
@@ -3,7 +3,7 @@
 # a code archive should already be available
 TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.bz2"
+CODE_ARCHIVE="$1-$2.tar.xz"
 CODE_DIR="$1-$2"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
 DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
@@ -15,7 +15,7 @@ echo "install directory: $INSTALL_DIR"
 echo "debian control directory: $DEBIAN_CTRL_DIR"
 echo "*****************************************"
-tar -xjvf $CODE_ARCHIVE
+tar -xJvf $CODE_ARCHIVE
 #mkdir -p $INSTALL_DIR
 cd $CODE_DIR
 ./configure --prefix=/usr
diff --git a/mketc.sh b/mketc.sh
index f44238968..f98c5479f 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -2,23 +2,21 @@
 rm -fr .etc
 mkdir .etc
-result=$(echo $1 | sed 's/\//\\\//g')
+for file in etc/*.profile etc/*.inc etc/*.net;
-echo $result
-FILES=`ls etc/*.profile`
-for file in $FILES
-do
-        sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file
-done
-FILES=`ls etc/*.inc`
-for file in $FILES
 do
-        sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file
+        sed "s;/etc/firejail;$1/firejail;g" $file > .$file
 done
-FILES=`ls etc/*.net`
+if [ "x$2" = "xyes" ]
-for file in $FILES
+then
-do
+sed -i -e '
-        sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file
+1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\
-done
+# If this is not your case you can remove --enable-busybox-workaround from\
+# ./configure options, for added security.\
+noblacklist \${PATH}/mount\
+noblacklist \${PATH}/umount\
+noblacklist \${PATH}/su\
+noblacklist \${PATH}/sudo\
+noblacklist \${PATH}/nc\
+' .etc/disable-common.inc
+fi
diff --git a/mkuid.sh b/mkuid.sh
new file mode 100755
index 000000000..a59f58143
--- /dev/null
+++ b/mkuid.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+echo "extracting UID_MIN and GID_MIN"
+echo "#ifndef FIREJAIL_UIDS_H" > uids.h
+echo "#define FIREJAIL_UIDS_H" >> uids.h
+if [ -r /etc/login.defs ]
+then
+        echo "// using values extracted from /etc/login.defs" >> uids.h
+        UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        echo "#define UID_MIN $UID_MIN" >> uids.h
+        echo "#define GID_MIN $GID_MIN" >> uids.h
+else
+        echo "// using default values" >> uids.h
+        echo "#define UID_MIN 1000" >> uids.h
+        echo "#define GID_MIN 1000" >> uids.h
+fi
+echo "#endif" >> uids.h
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index dc8640147..97e7cf884 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -1,85 +1,239 @@
-/etc/firejail/evince.profile
+/etc/firejail/0ad.profile
-/etc/firejail/chromium.profile
+/etc/firejail/7z.profile
+/etc/firejail/Cyberfox.profile
+/etc/firejail/Mathematica.profile
+/etc/firejail/Telegram.profile
+/etc/firejail/Wire.profile
+/etc/firejail/abrowser.profile
+/etc/firejail/amarok.profile
+/etc/firejail/ark.profile
+/etc/firejail/atom-beta.profile
+/etc/firejail/atom.profile
+/etc/firejail/atool.profile
+/etc/firejail/atril.profile
+/etc/firejail/audacious.profile
+/etc/firejail/audacity.profile
+/etc/firejail/aweather.profile
+/etc/firejail/bitlbee.profile
+/etc/firejail/bleachbit.profile
+/etc/firejail/brasero.profile
+/etc/firejail/brave.profile
+/etc/firejail/cherrytree.profile
 /etc/firejail/chromium-browser.profile
-/etc/firejail/google-chrome.profile
+/etc/firejail/chromium.profile
-/etc/firejail/google-chrome-stable.profile
+/etc/firejail/claws-mail.profile
+/etc/firejail/clementine.profile
+/etc/firejail/cmus.profile
+/etc/firejail/conkeror.profile
+/etc/firejail/corebird.profile
+/etc/firejail/cpio.profile
+/etc/firejail/cryptocat.profile
+/etc/firejail/Cryptocat.profile
+/etc/firejail/cyberfox.profile
+/etc/firejail/deadbeef.profile
+/etc/firejail/default.profile
+/etc/firejail/deluge.profile
+/etc/firejail/dillo.profile
+/etc/firejail/disable-common.inc
+/etc/firejail/disable-devel.inc
+/etc/firejail/disable-passwdmgr.inc
+/etc/firejail/disable-programs.inc
+/etc/firejail/display.profile
+/etc/firejail/dnscrypt-proxy.profile
+/etc/firejail/dnsmasq.profile
+/etc/firejail/dolphin.profile
+/etc/firejail/dosbox.profile
+/etc/firejail/dragon.profile
+/etc/firejail/dropbox.profile
+/etc/firejail/elinks.profile
+/etc/firejail/emacs.profile
+/etc/firejail/empathy.profile
+/etc/firejail/enchant.profile
+/etc/firejail/eog.profile
+/etc/firejail/eom.profile
+/etc/firejail/epiphany.profile
+/etc/firejail/evince.profile
+/etc/firejail/evolution.profile
+/etc/firejail/exiftool.profile
+/etc/firejail/fbreader.profile
+/etc/firejail/feh.profile
+/etc/firejail/file-roller.profile
+/etc/firejail/file.profile
+/etc/firejail/filezilla.profile
+/etc/firejail/firefox-esr.profile
+/etc/firejail/firefox.profile
+/etc/firejail/firejail.config
+/etc/firejail/flashpeak-slimjet.profile
+/etc/firejail/flowblade.profile
+/etc/firejail/franz.profile
+/etc/firejail/gajim.profile
+/etc/firejail/gedit.profile
+/etc/firejail/gimp.profile
+/etc/firejail/git.profile
+/etc/firejail/gitter.profile
+/etc/firejail/gjs.profile
+/etc/firejail/gnome-books.profile
+/etc/firejail/gnome-chess.profile
+/etc/firejail/gnome-clocks.profile
+/etc/firejail/gnome-documents.profile
+/etc/firejail/gnome-maps.profile
+/etc/firejail/gnome-mplayer.profile
+/etc/firejail/gnome-music.profile
+/etc/firejail/gnome-photos.profile
+/etc/firejail/gnome-weather.profile
+/etc/firejail/goobox.profile
 /etc/firejail/google-chrome-beta.profile
+/etc/firejail/google-chrome-stable.profile
 /etc/firejail/google-chrome-unstable.profile
-/etc/firejail/midori.profile
+/etc/firejail/google-chrome.profile
+/etc/firejail/google-play-music-desktop-player.profile
+/etc/firejail/gpa.profile
+/etc/firejail/gpg-agent.profile
+/etc/firejail/gpg.profile
+/etc/firejail/gpredict.profile
+/etc/firejail/gtar.profile
+/etc/firejail/gthumb.profile
+/etc/firejail/guayadeque.profile
+/etc/firejail/gwenview.profile
+/etc/firejail/gzip.profile
+/etc/firejail/hedgewars.profile
+/etc/firejail/hexchat.profile
+/etc/firejail/highlight.profile
+/etc/firejail/icecat.profile
 /etc/firejail/icedove.profile
 /etc/firejail/iceweasel.profile
-/etc/firejail/dropbox.profile
+/etc/firejail/img2txt.profile
+/etc/firejail/inkscape.profile
+/etc/firejail/inox.profile
+/etc/firejail/jitsi.profile
+/etc/firejail/k3b.profile
+/etc/firejail/kate.profile
+/etc/firejail/keepass.profile
+/etc/firejail/keepass2.profile
+/etc/firejail/keepassx.profile
+/etc/firejail/kmail.profile
+/etc/firejail/konversation.profile
+/etc/firejail/less.profile
+/etc/firejail/libreoffice.profile
+/etc/firejail/localc.profile
+/etc/firejail/lodraw.profile
+/etc/firejail/loffice.profile
+/etc/firejail/lofromtemplate.profile
 /etc/firejail/login.users
-/etc/firejail/firefox.profile
+/etc/firejail/loimpress.profile
-/etc/firejail/opera.profile
+/etc/firejail/lomath.profile
+/etc/firejail/loweb.profile
+/etc/firejail/lowriter.profile
+/etc/firejail/luminance-hdr.profile
+/etc/firejail/lxterminal.profile
+/etc/firejail/lynx.profile
+/etc/firejail/mathematica.profile
+/etc/firejail/mcabber.profile
+/etc/firejail/mediainfo.profile
+/etc/firejail/midori.profile
+/etc/firejail/mpv.profile
+/etc/firejail/mumble.profile
+/etc/firejail/mupdf.profile
+/etc/firejail/mupen64plus.profile
+/etc/firejail/mutt.profile
+/etc/firejail/nautilus.profile
+/etc/firejail/netsurf.profile
+/etc/firejail/nolocal.net
+/etc/firejail/odt2txt.profile
+/etc/firejail/okular.profile
+/etc/firejail/openbox.profile
+/etc/firejail/openshot.profile
 /etc/firejail/opera-beta.profile
-/etc/firejail/thunderbird.profile
+/etc/firejail/opera.profile
-/etc/firejail/transmission-gtk.profile
+/etc/firejail/palemoon.profile
-/etc/firejail/transmission-qt.profile
+/etc/firejail/parole.profile
-/etc/firejail/vlc.profile
+/etc/firejail/pdftotext.profile
-/etc/firejail/audacious.profile
+/etc/firejail/pidgin.profile
-/etc/firejail/clementine.profile
+/etc/firejail/pix.profile
-/etc/firejail/epiphany.profile
+/etc/firejail/pluma.profile
-/etc/firejail/qtox.profile
 /etc/firejail/polari.profile
-/etc/firejail/gnome-mplayer.profile
+/etc/firejail/psi-plus.profile
-/etc/firejail/rhythmbox.profile
-/etc/firejail/totem.profile
-/etc/firejail/deluge.profile
 /etc/firejail/qbittorrent.profile
-/etc/firejail/generic.profile
+/etc/firejail/qemu-launcher.profile
-/etc/firejail/xchat.profile
+/etc/firejail/qemu-system-x86_64.profile
-/etc/firejail/server.profile
+/etc/firejail/qpdfview.profile
+/etc/firejail/qtox.profile
 /etc/firejail/quassel.profile
-/etc/firejail/pidgin.profile
+/etc/firejail/quiterss.profile
-/etc/firejail/filezilla.profile
+/etc/firejail/qutebrowser.profile
-/etc/firejail/empathy.profile
+/etc/firejail/ranger.profile
-/etc/firejail/disable-common.inc
+/etc/firejail/rhythmbox.profile
-/etc/firejail/deadbeef.profile
+/etc/firejail/rtorrent.profile
-/etc/firejail/icecat.profile
+/etc/firejail/seamonkey-bin.profile
-/etc/firejail/fbreader.profile
+/etc/firejail/seamonkey.profile
-/etc/firejail/spotify.profile
+/etc/firejail/server.profile
+/etc/firejail/simple-scan.profile
+/etc/firejail/skanlite.profile
 /etc/firejail/skype.profile
+/etc/firejail/skypeforlinux.profile
+/etc/firejail/slack.profile
+/etc/firejail/snap.profile
+/etc/firejail/soffice.profile
+/etc/firejail/spotify.profile
+/etc/firejail/ssh-agent.profile
+/etc/firejail/ssh.profile
+/etc/firejail/start-tor-browser.profile
 /etc/firejail/steam.profile
-/etc/firejail/wine.profile
+/etc/firejail/stellarium.profile
-/etc/firejail/disable-devel.inc
+/etc/firejail/strings.profile
-/etc/firejail/conkeror.profile
+/etc/firejail/synfigstudio.profile
+/etc/firejail/tar.profile
+/etc/firejail/telegram.profile
+/etc/firejail/thunderbird.profile
+/etc/firejail/totem.profile
+/etc/firejail/tracker.profile
+/etc/firejail/transmission-cli.profile
+/etc/firejail/transmission-gtk.profile
+/etc/firejail/transmission-qt.profile
+/etc/firejail/transmission-show.profile
+/etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
-/etc/firejail/dnscrypt-proxy.profile
+/etc/firejail/unrar.profile
-/etc/firejail/whitelist-common.inc
+/etc/firejail/unzip.profile
-/etc/firejail/nolocal.net
+/etc/firejail/uudeview.profile
+/etc/firejail/vim.profile
+/etc/firejail/virtualbox.profile
+/etc/firejail/vivaldi-beta.profile
+/etc/firejail/vivaldi.profile
+/etc/firejail/vlc.profile
+/etc/firejail/w3m.profile
+/etc/firejail/warzone2100.profile
 /etc/firejail/webserver.net
-/etc/firejail/bitlbee.profile
-/etc/firejail/weechat.profile
 /etc/firejail/weechat-curses.profile
-/etc/firejail/hexchat.profile
+/etc/firejail/weechat.profile
-/etc/firejail/rtorrent.profile
-/etc/firejail/parole.profile
-/etc/firejail/kmail.profile
-/etc/firejail/seamonkey.profile
-/etc/firejail/seamonkey-bin.profile
-/etc/firejail/telegram.profile
-/etc/firejail/mathematica.profile
-/etc/firejail/Mathematica.profile
-/etc/firejail/uget-gtk.profile
-/etc/firejail/mupen64plus.profile
-/etc/firejail/lxterminal.profile
-/etc/firejail/cherrytree.profile
 /etc/firejail/wesnoth.profile
-/etc/firejail/hedgewars.profile
+/etc/firejail/whitelist-common.inc
-/etc/firejail/vivaldi.profile
+/etc/firejail/wine.profile
-/etc/firejail/vivaldi-beta.profile
+/etc/firejail/wire.profile
-/etc/firejail/atril.profile
+/etc/firejail/wireshark.profile
-/etc/firejail/firejail.config
+/etc/firejail/xchat.profile
-/etc/firejail/qutebrowser.profile
+/etc/firejail/xed.profile
-/etc/firejail/flashpeak-slimjet.profile
+/etc/firejail/xfburn.profile
-/etc/firejail/ssh.profile
+/etc/firejail/xiphos.profile
-/etc/firejail/openbox.profile
+/etc/firejail/xpdf.profile
-/etc/firejail/disable-programs.inc
+/etc/firejail/xplayer.profile
-/etc/firejail/disable-passwdmgr.inc
+/etc/firejail/xpra.profile
-/etc/firejail/dillo.profile
+/etc/firejail/xreader.profile
-/etc/firejail/cmus.profile
+/etc/firejail/xviewer.profile
-/etc/firejail/dnsmasq.profile
+/etc/firejail/xz.profile
-/etc/firejail/palemoon.profile
+/etc/firejail/xzdec.profile
-/etc/firejail/abrowser.profile
+/etc/firejail/zathura.profile
-/etc/firejail/0ad.profile
+/etc/firejail/zoom.profile
+/etc/firejail/wget.profile
+/etc/firejail/bless.profile
+/etc/firejail/gnome-2048.profile
+/etc/firejail/gnome-calculator.profile
+/etc/firejail/gnome-contacts.profile
+/etc/firejail/jd-gui.profile
+/etc/firejail/lollypop.profile
+/etc/firejail/multimc5.profile
+/etc/firejail/pdfsam.profile
+/etc/firejail/pithos.profile
+/etc/firejail/xonotic-glx.profile
+/etc/firejail/xonotic-sdl.profile
+/etc/firejail/xonotic.profile
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index e365af2d6..67280921a 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -33,16 +33,22 @@ rm -rf %{buildroot}
 %doc
 %defattr(-, root, root, -)
 %attr(4755, -, -) %{_bindir}/__NAME__
+%{_bindir}/firecfg
 %{_bindir}/firemon
+%{_libdir}/__NAME__/firecfg.config
 %{_libdir}/__NAME__/ftee
+%{_libdir}/__NAME__/faudit
 %{_libdir}/__NAME__/fshaper.sh
 %{_libdir}/__NAME__/libtrace.so
 %{_libdir}/__NAME__/libtracelog.so
 %{_datarootdir}/bash-completion/completions/__NAME__
+%{_datarootdir}/bash-completion/completions/firecfg
 %{_datarootdir}/bash-completion/completions/firemon
 %{_docdir}/__NAME__
 %{_mandir}/man1/__NAME__.1.gz
+%{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man5/__NAME__-config.5.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %config %{_sysconfdir}/__NAME__
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
new file mode 100755
index 000000000..017d5e1c3
--- /dev/null
+++ b/platform/rpm/old-mkrpm.sh
@@ -0,0 +1,542 @@
+#!/bin/bash
+VERSION="0.9.44"
+rm -fr ~/rpmbuild
+rm -f firejail-$VERSION-1.x86_64.rpm
+mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
+cat <<EOF >~/.rpmmacros
+%_topdir   %(echo $HOME)/rpmbuild
+%_tmppath  %{_topdir}/tmp
+EOF
+cd ~/rpmbuild
+echo "building directory tree"
+mkdir -p firejail-$VERSION/usr/bin
+install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
+install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
+install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/.
+mkdir -p  firejail-$VERSION/usr/lib/firejail
+install -m 755 /usr/lib/firejail/faudit  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/firecfg.config  firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libconnect.so  firejail-$VERSION/usr/lib/firejail/.
+mkdir -p firejail-$VERSION/usr/share/man/man1
+install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
+install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
+install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/.
+mkdir -p firejail-$VERSION/usr/share/man/man5
+install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
+install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
+mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
+install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
+install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
+install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
+mkdir -p firejail-$VERSION/etc/firejail
+install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/.
+mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
+install -m 644 /usr/share/bash-completion/completions/firejail  firejail-$VERSION/usr/share/bash-completion/completions/.
+install -m 644 /usr/share/bash-completion/completions/firemon  firejail-$VERSION/usr/share/bash-completion/completions/.
+install -m 644 /usr/share/bash-completion/completions/firecfg  firejail-$VERSION/usr/share/bash-completion/completions/.
+echo "building tar.gz archive"
+tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
+cp firejail-$VERSION.tar.gz SOURCES/.
+echo "building config spec"
+cat <<EOF > SPECS/firejail.spec
+%define        __spec_install_post %{nil}
+%define          debug_package %{nil}
+%define        __os_install_post %{_dbpath}/brp-compress
+Summary: Linux namepaces sandbox program
+Name: firejail
+Version: $VERSION
+Release: 1
+License: GPL+
+Group: Development/Tools
+SOURCE0 : %{name}-%{version}.tar.gz
+URL: http://firejail.wordpress.com
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+%description
+Firejail  is  a  SUID sandbox program that reduces the risk of security
+breaches by restricting the running environment of untrusted applications
+using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
+%prep
+%setup -q
+%build
+%install
+rm -rf %{buildroot}
+mkdir -p  %{buildroot}
+cp -a * %{buildroot}
+%clean
+rm -rf %{buildroot}
+%files
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/%{name}/0ad.profile
+%config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atom.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atril.profile
+%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
+%config(noreplace) %{_sysconfdir}/%{name}/audacity.profile
+%config(noreplace) %{_sysconfdir}/%{name}/aweather.profile
+%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
+%config(noreplace) %{_sysconfdir}/%{name}/brave.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile
+%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
+%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cmus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
+%config(noreplace) %{_sysconfdir}/%{name}/corebird.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cpio.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
+%config(noreplace) %{_sysconfdir}/%{name}/default.profile
+%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dillo.profile
+%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc
+%config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
+%config(noreplace) %{_sysconfdir}/%{name}/eom.profile
+%config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile
+%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
+%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
+%config(noreplace) %{_sysconfdir}/%{name}/file.profile
+%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firejail.config
+%config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile
+%config(noreplace) %{_sysconfdir}/%{name}/franz.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gajim.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gitter.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gtar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gzip.profile
+%config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile
+%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
+%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
+%config(noreplace) %{_sysconfdir}/%{name}/inox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile
+%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile
+%config(noreplace) %{_sysconfdir}/%{name}/konversation.profile
+%config(noreplace) %{_sysconfdir}/%{name}/less.profile
+%config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/localc.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile
+%config(noreplace) %{_sysconfdir}/%{name}/loffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile
+%config(noreplace) %{_sysconfdir}/%{name}/login.users
+%config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lomath.profile
+%config(noreplace) %{_sysconfdir}/%{name}/loweb.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile
+%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mpv.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
+%config(noreplace) %{_sysconfdir}/%{name}/okular.profile
+%config(noreplace) %{_sysconfdir}/%{name}/openbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
+%config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile
+%config(noreplace) %{_sysconfdir}/%{name}/parole.profile
+%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
+%config(noreplace) %{_sysconfdir}/%{name}/pix.profile
+%config(noreplace) %{_sysconfdir}/%{name}/polari.profile
+%config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qtox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
+%config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
+%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile
+%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile
+%config(noreplace) %{_sysconfdir}/%{name}/server.profile
+%config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile
+%config(noreplace) %{_sysconfdir}/%{name}/skype.profile
+%config(noreplace) %{_sysconfdir}/%{name}/slack.profile
+%config(noreplace) %{_sysconfdir}/%{name}/snap.profile
+%config(noreplace) %{_sysconfdir}/%{name}/soffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
+%config(noreplace) %{_sysconfdir}/%{name}/ssh.profile
+%config(noreplace) %{_sysconfdir}/%{name}/steam.profile
+%config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile
+%config(noreplace) %{_sysconfdir}/%{name}/strings.profile
+%config(noreplace) %{_sysconfdir}/%{name}/tar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile
+%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
+%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
+%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
+%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
+%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unrar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unzip.profile
+%config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
+%config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile
+%config(noreplace) %{_sysconfdir}/%{name}/webserver.net
+%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
+%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile
+%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
+%config(noreplace) %{_sysconfdir}/%{name}/wine.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xreader.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xz.profile
+%config(noreplace) %{_sysconfdir}/%{name}/zathura.profile
+%config(noreplace) %{_sysconfdir}/%{name}/7z.profile
+%config(noreplace) %{_sysconfdir}/%{name}/keepass.profile
+%config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile
+%config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mutt.profile
+%config(noreplace) %{_sysconfdir}/%{name}/git.profile
+%config(noreplace) %{_sysconfdir}/%{name}/emacs.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vim.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/openshot.profile
+%config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile
+%config(noreplace) %{_sysconfdir}/%{name}/eog.profile
+%config(noreplace) %{_sysconfdir}/%{name}/evolution.profile
+%config(noreplace) %{_sysconfdir}/%{name}/feh.profile
+%config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gimp.profile
+%config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/ranger.profile
+%config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile
+/usr/bin/firejail
+/usr/bin/firemon
+/usr/bin/firecfg
+/usr/lib/firejail/libtrace.so
+/usr/lib/firejail/libtracelog.so
+/usr/lib/firejail/libconnect.so
+/usr/lib/firejail/faudit
+/usr/lib/firejail/ftee
+/usr/lib/firejail/firecfg.config
+/usr/lib/firejail/fshaper.sh
+/usr/share/doc/packages/firejail/COPYING
+/usr/share/doc/packages/firejail/README
+/usr/share/doc/packages/firejail/RELNOTES
+/usr/share/man/man1/firejail.1.gz
+/usr/share/man/man1/firemon.1.gz
+/usr/share/man/man1/firecfg.1.gz
+/usr/share/man/man5/firejail-profile.5.gz
+/usr/share/man/man5/firejail-login.5.gz
+/usr/share/bash-completion/completions/firejail
+/usr/share/bash-completion/completions/firemon
+/usr/share/bash-completion/completions/firecfg
+ 
+%post
+chmod u+s /usr/bin/firejail
+%changelog
+* Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
+  - CVE-2016-7545 submitted by Aleksey Manevich
+  - modifs: removed man firejail-config
+  - modifs: --private-tmp whitelists /tmp/.X11-unix directory
+  - modifs: Nvidia drivers added to --private-dev
+  - modifs: /srv supported by --whitelist
+  - feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
+  - feature: support starting/joining sandbox is a single command
+    (--join-or-start)
+  - feature: X11 detection support for --audit
+  - feature: assign a name to the interface connected to the bridge 
+    (--veth-name)
+  - feature: all user home directories are visible (--allusers)
+  - feature: add files to sandbox container (--put)
+  - feature: blocking x11 (--x11=block)
+  - feature: X11 security extension (--x11=xorg)
+  - feature: disable 3D hardware acceleration (--no3d)
+  - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
+  - feature: move files in sandbox (--put)
+  - feature: accept wildcard patterns in user  name field of restricted
+    shell login feature
+  - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
+  - new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
+  - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
+  - new profiles: Flowblade, Eye of GNOME (eog), Evolution
+  - bugfixes
+* Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1
+  - security: --whitelist deleted files, submitted by Vasya Novikov
+  - security: disable x32 ABI in seccomp, submitted by Jann Horn
+  - security: tighten --chroot, submitted by Jann Horn
+  - security: terminal sandbox escape, submitted by Stephan Sokolow
+  - security: several TOCTOU fixes submitted by Aleksey Manevich
+  - modifs: bringing back --private-home option
+  - modifs: deprecated --user option, please use "sudo -u username firejail"
+  - modifs: allow symlinks in home directory for --whitelist option
+  - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
+  - modifs: recursive mkdir
+  - modifs: include /dev/snd in --private-dev
+  - modifs: seccomp filter update
+  - modifs: release archives moved to .xz format
+  - feature: AppImage support (--appimage)
+  - feature: AppArmor support (--apparmor)
+  - feature: Ubuntu snap support (/etc/firejail/snap.profile)
+  - feature: Sandbox auditing support (--audit)
+  - feature: remove environment variable (--rmenv)
+  - feature: noexec support (--noexec)
+  - feature: clean local overlay storage directory (--overlay-clean)
+  - feature: store and reuse overlay (--overlay-named)
+  - feature: allow debugging inside the sandbox with gdb and strace
+         (--allow-debuggers)
+  - feature: mkfile profile command
+  - feature: quiet profile command
+  - feature: x11 profile command
+  - feature: option to fix desktop files (firecfg --fix)
+  - compile time: Busybox support (--enable-busybox-workaround)
+  - compile time: disable overlayfs (--disable-overlayfs)
+  - compile time: disable whitlisting (--disable-whitelist)
+  - compile time: disable global config (--disable-globalcfg)
+  - run time: enable/disable overlayfs (overlayfs yes/no)
+  - run time: enable/disable  quiet as default (quiet-by-default yes/no)
+  - run time: user-defined network filter (netfilter-default)
+  - run time: enable/disable whitelisting (whitelist yes/no)
+  - run time: enable/disable remounting of /proc and /sys
+          (remount-proc-sys yes/no)
+  - run time: enable/disable chroot desktop features (chroot-desktop yes/no)
+  - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
+  - profiles: pix, audacity, xz, xzdec, gzip, cpio, less
+  - profiles: Atom Beta, Atom, jitsi, eom, uudeview
+  - profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
+  - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
+  - bugfixes
+EOF
+echo "building rpm"
+rpmbuild -ba SPECS/firejail.spec
+rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
+cd ..
+rm -f firejail-$VERSION-1.x86_64.rpm
+cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
diff --git a/platform/snap/snap.sh b/platform/snap/snap.sh
new file mode 100755
index 000000000..d7f924293
--- /dev/null
+++ b/platform/snap/snap.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+rm -fr faudit-snap
+rm -f faudit_*.snap
+mkdir faudit-snap
+cd faudit-snap
+snapcraft init
+cp ../snapcraft.yaml .
+#snapcraft stage
+mkdir -p stage/usr/lib/firejail
+cp ../../../src/faudit/faudit stage/usr/lib/firejail/.
+find stage
+snapcraft stage
+snapcraft snap
+cd ..
+mv faudit-snap/faudit_*.snap ../../.
+rm -fr faudit-snap
diff --git a/platform/snap/snapcraft.yaml b/platform/snap/snapcraft.yaml
new file mode 100644
index 000000000..7b04a2ca1
--- /dev/null
+++ b/platform/snap/snapcraft.yaml
@@ -0,0 +1,21 @@
+name: faudit  # the name of the snap
+version: 0  # the version of the snap
+summary: Fireajail audit snap edition  # 79 char long summary
+description: faudit program extracted from Firejail and packaged as a snap  # a longer description for the snap
+confinement: strict  # use "strict" to enforce system access only via declared interfaces
+apps:
+    faudit:
+        command: /usr/lib/firejail/faudit
+parts:
+    faudit:  # Replace with a part name of your liking
+        # Get more information about plugins by running
+        # snapcraft help plugins
+        # and more information about the available plugins
+        # by running
+        # snapcraft list-plugins
+        plugin: nil
+        snap:
+        - usr/lib/firejail/faudit
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 21e28c98b..d3dcd57d0 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
            _filedir
            return 0
            ;;
+       --read-write)
+            _filedir
+            return 0
+            ;;
        --bind)
            _filedir
            return 0
@@ -63,6 +67,10 @@ _firejail()
            _filedir
            return 0
            ;;
+        --audit)
+            _filedir
+            return 0
+            ;;
         --net)
                comps=$(__interfaces)
            COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
new file mode 100644
index 000000000..995a0bf49
--- /dev/null
+++ b/src/faudit/Makefile.in
@@ -0,0 +1,25 @@
+all: faudit
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+faudit: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS)
+clean:; rm -f *.o faudit
+distclean: clean
+        rm -fr Makefile
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
new file mode 100644
index 000000000..d4a62b34f
--- /dev/null
+++ b/src/faudit/caps.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <linux/capability.h>
+#define MAXBUF 4098
+static int extract_caps(uint64_t *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "CapBnd:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        unsigned long long tmp;
+                        sscanf(ptr, "%llx", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+        fclose(fp);
+        return 1;
+}
+// return 1 if the capability is in tbe map
+static int check_capability(uint64_t map, int cap) {
+        int i;
+        uint64_t mask = 1ULL;
+        
+        for (i = 0; i < 64; i++, mask <<= 1) {
+                if ((i == cap) && (mask & map))
+                        return 1;
+        }
+        return 0;
+}
+void caps_test(void) {
+        uint64_t caps_val;
+        
+        if (extract_caps(&caps_val)) {
+                printf("SKIP: cannot extract capabilities on this platform.\n");
+                return;
+        }
+        
+        if (caps_val) {
+                printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
+                printf("Use \"firejail --caps.drop=all\" to fix it.\n");
+                
+                if (check_capability(caps_val, CAP_SYS_ADMIN))
+                        printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
+                if (check_capability(caps_val, CAP_SYS_BOOT))
+                        printf("UGLY: CAP_SYS_BOOT is enabled.\n");
+        }
+        else
+                printf("GOOD: all capabilities are disabled.\n"); 
+}
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
new file mode 100644
index 000000000..d92660536
--- /dev/null
+++ b/src/faudit/dbus.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <sys/un.h>
+// return 0 if the connection is possible
+int check_unix(const char *sockfile) {
+        assert(sockfile);
+        int rv = -1;
+        // open socket
+        int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (sock == -1) 
+                return rv;
+        // connect
+        struct sockaddr_un remote;
+        memset(&remote, 0, sizeof(struct sockaddr_un));
+        remote.sun_family = AF_UNIX;
+        strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path));
+        int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
+        if (*sockfile == '@')
+                remote.sun_path[0] = '\0';
+        if (connect(sock, (struct sockaddr *)&remote, len) == 0)
+                rv = 0;
+        
+        close(sock);
+        return rv;
+}
+void dbus_test(void) {
+        // check the session bus
+        char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+        if (str) {
+                int rv = 0;
+                char *bus = strdup(str);
+                if (!bus)
+                        errExit("strdup");
+                char *sockfile;
+                if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
+                        sockfile += 13;
+                        *sockfile = '@';
+                        char *ptr = strchr(sockfile, ',');
+                        if (ptr)
+                                *ptr = '\0';    
+                        rv = check_unix(sockfile);
+                        *sockfile = '@';
+                        if (rv == 0)
+                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+                        else if (rv == -1)
+                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+                }
+                else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
+                        sockfile += 10;
+                        char *ptr = strchr(sockfile, ',');
+                        if (ptr)
+                                *ptr = '\0';
+                        rv = check_unix(sockfile);
+                        if (rv == 0)
+                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+                        else if (rv == -1)
+                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+                }
+                else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
+                        printf("UGLY: session bus configured for TCP communication.\n");
+                else
+                        printf("GOOD: cannot find a D-Bus socket\n");
+                        
+                        
+                free(bus);
+        }
+        else
+                printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
+}
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
new file mode 100644
index 000000000..92f615958
--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+void dev_test(void) {
+        DIR *dir;
+        if (!(dir = opendir("/dev"))) {
+                fprintf(stderr, "Error: cannot open /dev directory\n");
+                return;
+        }
+        
+        struct dirent *entry;
+        printf("INFO: files visible in /dev directory: ");
+        int cnt = 0;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                
+                printf("%s, ", entry->d_name);
+                cnt++;
+        }
+        printf("\n");
+        
+        if (cnt > 20)
+                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+        else
+                printf("GOOD: Access to /dev directory is restricted.\n");
+        closedir(dir);
+}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
new file mode 100644
index 000000000..17c754c3b
--- /dev/null
+++ b/src/faudit/faudit.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FAUDIT_H
+#define FAUDIT_H
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <assert.h>
+#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+// main.c
+extern char *prog;
+// pid.c
+void pid_test(void);
+// caps.c
+void caps_test(void);
+// seccomp.c
+void seccomp_test(void);
+// syscall.c
+void syscall_helper(int argc, char **argv);
+void syscall_run(const char *name);
+// files.c
+void files_test(void);
+// network.c
+void network_test(void);
+// dbus.c
+int check_unix(const char *sockfile);
+void dbus_test(void);
+// dev.c
+void dev_test(void);
+// x11.c
+void x11_test(void);
+#endif
diff --git a/src/faudit/files.c b/src/faudit/files.c
new file mode 100644
index 000000000..67b43f22b
--- /dev/null
+++ b/src/faudit/files.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <fcntl.h>
+#include <pwd.h>
+static char *username = NULL;
+static char *homedir = NULL;
+static void check_home_file(const char *name) {
+        assert(homedir);
+        
+        char *fname;
+        if (asprintf(&fname, "%s/%s", homedir, name) ==  -1)
+                errExit("asprintf");
+        if (access(fname, R_OK) == 0) {
+                printf("UGLY: I can access files in %s directory. ", fname);
+                printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
+        }
+        else
+                printf("GOOD: I cannot access files in %s directory.\n", fname);
+        
+        free(fname);
+}
+void files_test(void) {
+        struct passwd *pw = getpwuid(getuid());
+        if (!pw) {
+                fprintf(stderr, "Error: cannot retrieve user account information\n");
+                return;
+        }
+        
+        username = strdup(pw->pw_name);
+        if (!username)
+                errExit("strdup");
+        homedir = strdup(pw->pw_dir);
+        if (!homedir)
+                errExit("strdup");
+        
+        // check access to .ssh directory
+        check_home_file(".ssh");
+        // check access to .gnupg directory
+        check_home_file(".gnupg");
+        // check access to Firefox browser directory
+        check_home_file(".mozilla");
+        // check access to Chromium browser directory
+        check_home_file(".config/chromium");
+        
+        // check access to Debian Icedove directory
+        check_home_file(".icedove");
+        
+        // check access to Thunderbird directory
+        check_home_file(".thunderbird");
+}
diff --git a/src/faudit/main.c b/src/faudit/main.c
new file mode 100644
index 000000000..7f47ccaf0
--- /dev/null
+++ b/src/faudit/main.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+char *prog;
+int main(int argc, char **argv) {
+        // make test-arguments helper
+        if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
+                printf("Arguments:\n");
+        
+                int i;
+                for (i = 0; i < argc; i++) {
+                        printf("#%s#\n", argv[i]);
+                }
+                
+                return 0;
+        }
+        if (argc != 1) {
+                int i;
+                
+                for (i = 1; i < argc; i++) {
+                        if (strcmp(argv[i], "syscall")) {
+                                syscall_helper(argc, argv);
+                                return 0;
+                        }
+                }
+                return 1;
+        }
+        printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
+        // extract program name
+        prog = realpath(argv[0], NULL);
+        if (prog == NULL) {
+                prog = strdup("faudit");
+                if (!prog)
+                        errExit("strdup");
+        }
+        printf("INFO: starting %s.\n", prog);
+        
+        
+        // check pid namespace
+        pid_test();
+        printf("\n");
+        
+        // check seccomp
+        seccomp_test();
+        printf("\n");
+        
+        // check capabilities
+        caps_test();
+        printf("\n");
+        // check some well-known problematic files and directories
+        files_test();
+        printf("\n");
+        
+        // network
+        network_test();
+        printf("\n");
+        
+        // dbus
+        dbus_test();
+        printf("\n");
+        // x11 test
+        x11_test();
+        printf("\n");
+        // /dev test
+        dev_test();
+        printf("\n");
+        free(prog);
+        printf("--------------------------------------------------------------------------------\n");
+        return 0;
+}
diff --git a/src/faudit/network.c b/src/faudit/network.c
new file mode 100644
index 000000000..cf1eede69
--- /dev/null
+++ b/src/faudit/network.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+static void check_ssh(void) {
+        // open socket
+        int sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: SSH server not available on localhost.\n");
+                return;
+        }
+        // connect to localhost
+        struct sockaddr_in server;
+        server.sin_addr.s_addr = inet_addr("127.0.0.1");
+        server.sin_family = AF_INET;
+        server.sin_port = htons(22);    
+        
+        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+                printf("GOOD: SSH server not available on localhost.\n");
+        else {
+                printf("MAYBE: an SSH server is accessible on localhost. ");
+                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+        }
+        
+        close(sock);
+}
+static void check_http(void) {
+        // open socket
+        int sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: HTTP server not available on localhost.\n");
+                return;
+        }
+        // connect to localhost
+        struct sockaddr_in server;
+        server.sin_addr.s_addr = inet_addr("127.0.0.1");
+        server.sin_family = AF_INET;
+        server.sin_port = htons(80);    
+        
+        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+                printf("GOOD: HTTP server not available on localhost.\n");
+        else {
+                printf("MAYBE: an HTTP server is accessible on localhost. ");
+                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+        }
+        
+        close(sock);
+}
+void check_netlink(void) {
+        int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
+        if (sock == -1) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                return;
+        }
+        struct sockaddr_nl local;
+        memset(&local, 0, sizeof(local));
+        local.nl_family = AF_NETLINK;
+        local.nl_groups = 0; //subscriptions;
+        if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                close(sock);
+                return;
+        }
+        
+        close(sock);
+        printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
+        printf("You can use \"--protocol\" to disable the socket.\n");
+}
+        
+void network_test(void) {
+        check_ssh();
+        check_http();
+        check_netlink();
+}
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
new file mode 100644
index 000000000..84b23fe0a
--- /dev/null
+++ b/src/faudit/pid.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+void pid_test(void) {
+        char *kern_proc[] = {
+                "kthreadd",
+                "ksoftirqd",
+                "kworker",
+                "rcu_sched",
+                "rcu_bh",
+                NULL    // NULL terminated list
+        };
+        int i;
+        // look at the first 10 processes
+        int not_visible = 1;
+        for (i = 1; i <= 10; i++) { 
+                struct stat s;
+                char *fname;
+                if (asprintf(&fname, "/proc/%d/comm", i) == -1)
+                        errExit("asprintf");
+                if (stat(fname, &s) == -1) {
+                        free(fname);
+                        continue;
+                }
+                
+                // open file
+                /* coverity[toctou] */
+                FILE *fp = fopen(fname, "r");
+                if (!fp) {
+                        free(fname);
+                        continue;
+                }
+                
+                // read file
+                char buf[100];
+                if (fgets(buf, 10, fp) == NULL) {
+                        fclose(fp);
+                        free(fname);
+                        continue;
+                }
+                not_visible = 0;
+                // clean /n
+                char *ptr;
+                if ((ptr = strchr(buf, '\n')) != NULL)
+                        *ptr = '\0';
+                
+                // check process name against the kernel list
+                int j = 0;
+                while (kern_proc[j] != NULL) {
+                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
+                                fclose(fp);
+                                free(fname);
+                                printf("BAD: Process %d is not running in a PID namespace. ", getpid());
+                                printf("Are you sure you're running in a sandbox?\n");
+                                return;
+                        }
+                        j++;
+                }
+                
+                fclose(fp);
+                free(fname);
+        }
+        pid_t pid = getpid();
+        if (not_visible && pid > 100)
+                printf("BAD: Process %d is not running in a PID namespace.\n", pid);
+        else
+                printf("GOOD: process %d is running in a PID namespace.\n", pid);
+        
+        // try to guess the type of container/sandbox
+        char *str = getenv("container");
+        if (str)
+                printf("INFO: container/sandbox %s.\n", str);
+        else {
+                str = getenv("SNAP");
+                if (str)
+                        printf("INFO: this is a snap package\n");
+        }
+}
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
new file mode 100644
index 000000000..7b2999467
--- /dev/null
+++ b/src/faudit/seccomp.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        int tmp;
+                        sscanf(ptr, "%d", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+        fclose(fp);
+        return 1;
+}
+void seccomp_test(void) {
+        int seccomp_status;
+        int rv = extract_seccomp(&seccomp_status);
+        
+        if (rv) {
+                printf("INFO: cannot extract seccomp configuration on this platform.\n");
+                return;
+        }
+        
+        if (seccomp_status == 0) {
+                printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
+        }
+        else if (seccomp_status == 1)
+                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd.\n");
+        else if (seccomp_status == 2) {
+                printf("GOOD: seccomp BPF enabled.\n");
+                printf("checking syscalls: "); fflush(0);
+                printf("mount... "); fflush(0);
+                syscall_run("mount");
+                printf("umount2... "); fflush(0);
+                syscall_run("umount2");
+                printf("ptrace... "); fflush(0);
+                syscall_run("ptrace");
+                
+                printf("swapon... "); fflush(0);
+                syscall_run("swapon");
+                
+                printf("swapoff... "); fflush(0);
+                syscall_run("swapoff");
+                printf("init_module... "); fflush(0);
+                syscall_run("init_module");
+                printf("delete_module... "); fflush(0);
+                syscall_run("delete_module");
+                
+                printf("chroot... "); fflush(0);
+                syscall_run("chroot");
+                
+                printf("pivot_root... "); fflush(0);
+                syscall_run("pivot_root");
+                
+#if defined(__i386__) || defined(__x86_64__)
+                printf("iopl... "); fflush(0);
+                syscall_run("iopl");
+                
+                printf("ioperm... "); fflush(0);
+                syscall_run("ioperm");
+#endif  
+                printf("\n");
+        }
+        else
+                fprintf(stderr, "Error: unrecognized seccomp mode\n");
+}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
new file mode 100644
index 000000000..4cd2526ba
--- /dev/null
+++ b/src/faudit/syscall.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/ptrace.h>
+#include <sys/swap.h>
+#if defined(__i386__) || defined(__x86_64__)
+#include <sys/io.h>
+#endif
+#include <sys/wait.h>
+extern int init_module(void *module_image, unsigned long len,
+                       const char *param_values);
+extern int finit_module(int fd, const char *param_values,
+                        int flags);
+extern int delete_module(const char *name, int flags);
+extern int pivot_root(const char *new_root, const char *put_old);
+void syscall_helper(int argc, char **argv) {
+        (void) argc;
+        
+        if (strcmp(argv[2], "mount") == 0) {
+                int rv = mount(NULL, NULL, NULL, 0, NULL);
+                (void) rv;
+                printf("\nUGLY: mount syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "umount2") == 0) {
+                umount2(NULL, 0);
+                printf("\nUGLY: umount2 syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "ptrace") == 0) {
+                ptrace(0, 0, NULL, NULL);
+                printf("\nUGLY: ptrace syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "swapon") == 0) {
+                swapon(NULL, 0);
+                printf("\nUGLY: swapon syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "swapoff") == 0) {
+                swapoff(NULL);
+                printf("\nUGLY: swapoff syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "init_module") == 0) {
+                init_module(NULL, 0, NULL);
+                printf("\nUGLY: init_module syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "delete_module") == 0) {
+                delete_module(NULL, 0);
+                printf("\nUGLY: delete_module syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "chroot") == 0) {
+                int rv = chroot("/blablabla-57281292");
+                (void) rv;
+                printf("\nUGLY: chroot syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "pivot_root") == 0) {
+                pivot_root(NULL, NULL);
+                printf("\nUGLY: pivot_root syscall permitted.\n");
+        }
+#if defined(__i386__) || defined(__x86_64__)
+        else if (strcmp(argv[2], "iopl") == 0) {
+                iopl(0L);
+                printf("\nUGLY: iopl syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "ioperm") == 0) {
+                ioperm(0, 0, 0);
+                printf("\nUGLY: ioperm syscall permitted.\n");
+        }
+#endif
+        exit(0);
+}
+void syscall_run(const char *name) {
+        assert(prog);
+        
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                execl(prog, prog, "syscall", name, NULL);
+                perror("execl");
+                _exit(1);
+        }
+                
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
new file mode 100644
index 000000000..43f40f4e9
--- /dev/null
+++ b/src/faudit/x11.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <dirent.h>
+void x11_test(void) {
+        // check regular display 0 sockets
+        if (check_unix("/tmp/.X11-unix/X0") == 0)
+                printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
+        if (check_unix("@/tmp/.X11-unix/X0") == 0)
+                printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
+                
+        // check all unix sockets in /tmp/.X11-unix directory
+        DIR *dir;
+        if (!(dir = opendir("/tmp/.X11-unix"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/tmp/.X11-unix"))) {
+                        ;
+                }
+        }
+        
+        if (dir == NULL)
+                printf("GOOD: cannot open /tmp/.X11-unix directory\n");
+        else {
+                struct dirent *entry;
+                while ((entry = readdir(dir)) != NULL) {
+                        if (strcmp(entry->d_name, "X0") == 0)
+                                continue;
+                        if (strcmp(entry->d_name, ".") == 0)
+                                continue;
+                        if (strcmp(entry->d_name, "..") == 0)
+                                continue;
+                        char *name;
+                        if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
+                                errExit("asprintf");
+                        if (check_unix(name) == 0)
+                                printf("MAYBE: X11 socket %s is available\n", name);
+                        free(name);
+                }
+                closedir(dir);
+        }
+}
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
new file mode 100644
index 000000000..278957a4f
--- /dev/null
+++ b/src/fcopy/Makefile.in
@@ -0,0 +1,45 @@
+all: fcopy
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+fcopy: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -f *.o fcopy *.gcov *.gcda *.gcno
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
new file mode 100644
index 000000000..b1e2813db
--- /dev/null
+++ b/src/fcopy/main.c
@@ -0,0 +1,340 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "../include/common.h"
+#include <fcntl.h>
+#include <ftw.h>
+#define COPY_LIMIT (500 * 1024 *1024)
+static int size_limit_reached = 0;
+static unsigned file_cnt = 0;
+static unsigned size_cnt = 0;
+static char *outpath = NULL;
+static char *inpath = NULL;
+// modified version of the function from util.c
+static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) {
+        assert(srcname);
+        assert(destname);
+        mode &= 07777;
+        
+        // open source
+        int src = open(srcname, O_RDONLY);
+        if (src < 0) {
+                fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
+                return;
+        }
+        // open destination
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755);
+        if (dst < 0) {
+                fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname);
+                close(src);
+                return;
+        }
+        // copy
+        ssize_t len;
+        static const int BUFLEN = 1024;
+        unsigned char buf[BUFLEN];
+        while ((len = read(src, buf, BUFLEN)) > 0) {
+                int done = 0;
+                while (done != len) {
+                        int rv = write(dst, buf + done, len - done);
+                        if (rv == -1)
+                                goto errexit;
+                        done += rv;
+                }
+        }
+        fflush(0);
+        if (fchown(dst, uid, gid) == -1)
+                goto errexit;
+        if (fchmod(dst, mode) == -1)
+                goto errexit;
+        close(src);
+        close(dst);
+        return;
+errexit:
+        close(src);
+        close(dst);
+        unlink(destname);
+        fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname);
+}
+// modified version of the function in firejail/util.c
+static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
+        assert(fname);
+        mode &= 07777;
+        if (mkdir(fname, mode) == -1 ||
+            chmod(fname, mode) == -1) {
+                fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname);
+                errExit("mkdir/chmod");
+        }
+        if (chown(fname, uid, gid))
+                fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname);
+}
+void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
+        (void) mode;
+        (void) uid;
+        (void) gid;
+        char *rp = realpath(target, NULL);
+        if (rp) {
+                if (symlink(rp, linkpath) == -1)
+                        goto errout;
+                free(rp);
+        }
+        else
+                goto errout;
+        return;
+errout:
+        fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target);
+}
+static int first = 1;
+static int fs_copydir(const char *infname, const struct stat *st, int ftype, struct FTW *sftw) {
+        (void) st;
+        (void) sftw;
+        assert(infname);
+        assert(*infname != '\0');
+        assert(outpath);
+        assert(*outpath != '\0');
+        assert(inpath);
+        
+        // check size limit
+        if (size_limit_reached)
+                return 0;
+        char *outfname;
+        if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1)
+                errExit("asprintf");
+//printf("outpaht %s\n", outpath);
+//printf("inpath %s\n", inpath);
+//printf("infname %s\n", infname);
+//printf("outfname %s\n\n", outfname);
+        // don't copy it if we already have the file
+        struct stat s;
+        if (stat(outfname, &s) == 0) {
+                if (first)
+                        first = 0;
+                else    
+                        fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname);
+                free(outfname);
+                return 0;
+        }
+        
+        // extract mode and ownership
+        if (stat(infname, &s) != 0) {
+                fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
+                free(outfname);
+                return 0;
+        }
+        uid_t uid = s.st_uid;
+        gid_t gid = s.st_gid;
+        mode_t mode = s.st_mode;
+        // recalculate size
+        if ((s.st_size + size_cnt) > COPY_LIMIT) {
+                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024);
+                size_limit_reached = 1;
+                free(outfname);
+                return 0;
+        }
+        file_cnt++;
+        size_cnt += s.st_size;
+        if(ftype == FTW_F) {
+                copy_file(infname, outfname, mode, uid, gid);
+        }
+        else if (ftype == FTW_D) {
+                mkdir_attr(outfname, mode, uid, gid);
+        }               
+        else if (ftype == FTW_SL) {
+                copy_link(infname, outfname, mode, uid, gid);
+        }               
+        return(0);
+}
+static char *check(const char *src) {
+        struct stat s;
+        char *rsrc = realpath(src, NULL);
+        if (!rsrc || stat(rsrc, &s) == -1)
+                goto errexit;
+        // check uid
+        if (s.st_uid != getuid() || s.st_gid != getgid())
+                goto errexit;
+        // dir, link, regular file
+        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
+                return rsrc;                      // normal exit from the function
+        
+errexit:
+        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
+        exit(1);
+}
+static void duplicate_dir(const char *src, const char *dest, struct stat *s) {
+        (void) s;
+        char *rsrc = check(src);
+        char *rdest = check(dest);
+        inpath = rsrc;
+        outpath = rdest;
+        
+        // walk
+        if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) {
+                fprintf(stderr, "Error: unable to copy file\n");
+                exit(1);
+        }
+        free(rsrc);
+        free(rdest);
+}
+static void duplicate_file(const char *src, const char *dest, struct stat *s) {
+        char *rsrc = check(src);
+        char *rdest = check(dest);
+        uid_t uid = s->st_uid;
+        gid_t gid = s->st_gid;
+        mode_t mode = s->st_mode;
+        
+        // build destination file name
+        char *name;
+        char *ptr = strrchr(rsrc, '/');
+        ptr++;
+        if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
+                errExit("asprintf");
+        
+        // copy
+        copy_file(rsrc, name, mode, uid, gid);
+        free(name);
+        free(rsrc);
+        free(rdest);
+}
+static void duplicate_link(const char *src, const char *dest, struct stat *s) {
+        char *rsrc = check(src); // we drop the result and use the original name
+        char *rdest = check(dest);
+        uid_t uid = s->st_uid;
+        gid_t gid = s->st_gid;
+        mode_t mode = s->st_mode;
+        
+        // build destination file name
+        char *name;
+//      char *ptr = strrchr(rsrc, '/');
+        char *ptr = strrchr(src, '/');
+        ptr++;
+        if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
+                errExit("asprintf");
+        
+        // copy
+        copy_link(rsrc, name, mode, uid, gid);
+        free(name);
+        free(rsrc);
+        free(rdest);
+}
+static void usage(void) {
+        printf("Usage: fcopy src dest\n");
+        printf("Copy src file in dest directory. If src is a directory, copy all the files in\n");
+        printf("src recoursively. If the destination directory does not exist, it will be created.\n");
+}
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif  
+        if (argc != 3) {
+                fprintf(stderr, "Error fcopy: files missing\n");
+                usage();
+                exit(1);
+        }
+        
+        // check the two files; remove ending /
+        char *src = argv[1];
+        int len = strlen(src);
+        if (src[len - 1] == '/')
+                src[len - 1] = '\0';
+        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) {
+                fprintf(stderr, "Error fcopy: invalid file name %s\n", src);
+                exit(1);
+        }
+        
+        char *dest = argv[2];
+        len = strlen(dest);
+        if (dest[len - 1] == '/')
+                dest[len - 1] = '\0';
+        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) {
+                fprintf(stderr, "Error fcopy: invalid file name %s\n", dest);
+                exit(1);
+        }
+        
+        // the destination should be a directory; 
+        struct stat s;
+        if (stat(dest, &s) == -1 ||
+            !S_ISDIR(s.st_mode)) {
+                fprintf(stderr, "Error fcopy: invalid destination directory\n");
+                exit(1);
+        }
+        
+        // copy files
+        if (lstat(src, &s) == -1) {
+                fprintf(stderr, "Error fcopy: cannot find source file\n");
+                exit(1);
+        }
+        if (S_ISDIR(s.st_mode))
+                duplicate_dir(src, dest, &s);
+        else if (S_ISREG(s.st_mode))
+                duplicate_file(src, dest, &s);
+        else if (S_ISLNK(s.st_mode))
+                duplicate_link(src, dest, &s);
+        else {
+                fprintf(stderr, "Error fcopy: source file unsupported\n");
+                exit(1);
+        }
+                
+        return 0;
+}
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index 11f8b1e8d..f9fe08768 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -16,22 +16,24 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)  -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 firecfg: $(OBJS) ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz
+clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c28f8e352..c4f52e256 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -2,44 +2,159 @@
 # This is the list of programs handled by firecfg utility
 #
+# astronomy
+gpredict
+stellarium
+# bittorrent/ftp
+deluge
+dropbox
+filezilla
+qbittorrent
+rtorrent
+transmission-gtk
+transmission-qt
+transmission-cli
+transmission-show
+uget-gtk
 # browsers/email
-firefox
+abrowser
-iceweasel
+brave
-chromium-browser
 chromium
+chromium-browser
+claws-mail
 conkeror
-thunderbird
+cyberfox
-epiphany
+firefox
+firefox-esr
 flashpeak-slimjet
+epiphany
+dillo
+google-chrome
 google-chrome-beta
 google-chrome-stable
 google-chrome-unstable
-google-chrome
+iceweasel
 icecat
 icedove
 kmail
 midori
+mutt
+netsurf
 opera-beta
 opera
+palemoon
 qutebrowser
+start-tor-browser
 seamonkey
 seamonkey-bin
+thunderbird
 vivaldi-beta
 vivaldi
-dillo
+evolution
+elinks
+lynx
+w3m
-# bittorrent/ftp
+# chat/messaging
-deluge
+bitlbee
-filezilla
+corebird
-qbittorrent
+# Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this
-rtorrent
+empathy
-transmission-gtk
+gitter
-transmission-qt
+hexchat
+jitsi
+konversation
+pidgin
+polari
+psi-plus
+qtox
+quassel
+skype
+telegram
+weechat
+weechat-curses
+wire
+xchat
+# dns
+dnscrypt-proxy
+dnsmaq
+unbound
+# emulators/compatibility layers
+mupen64plus
+wine
+dosbox
+virtualbox
+qemu-launcher
+qemu-system-x86_64
+# games
+0ad
+gnome-chess
+hedgewars
+steam
+wesnot
+warzone2100
+# Media
+amarok
+audacious
+audacity
+bleachbit
+brasero
+clementine
+cmus
+deadbeef
+display
+dolphin
+dragon
+exiftool
+feh
+gjs
+gnome-books
+gnome-clocks
+gnome-documents
+gnome-maps
+gnome-mplayer
+gnome-music
+goobox
+google-play-music-desktop-player
+img2txt
+k3b
+mediainfo
+mpv
+nautilus
+parole
+rhythmbox
+simple-scan
+skanlite
+spotify
+totem
+vlc
+xfburn
+xplayer
+xviewer
+eom
+# news readers
+quiterss
 # office
+atril
 cherrytree
 evince
 fbreader
+gedit
+gimp
+gthumb
+gwenview
+highlight
+inkscape
+kate
+libreoffice
 localc
 lodraw
 loffice
@@ -48,29 +163,45 @@ loimpress
 lomath
 loweb
 lowriter
+luminance-hdr
+mupdf
+qpdfview
+soffice
+synfigstudio
 Mathematica
 mathematica
+odt2txt
+okular
+pdftotext
+pix
+xpdf
+xreader
+zathura
+openshot
+flowblade
+eog
-# Media
+# other
-vlc
+atom
-audacious
+atom-beta
-clementine
+gpa
-deadbeef
+gpg
-parole
+ranger
-rhythmbox
+keepass
-totem
+keepass2
-cmus
+keepassx
+pluma
+tracker
+wireshark
+xiphos
+xed
-# chat/messaging
+# weather/climate
-bitlbee
+aweather
-empathy
+gnome-weather
-gnome-mplayer
-hexchat
+# compressing tools
-pidgin
+ark
-qtox
+atool
-quassel
+file-roller
-xchat
-# games
-hedgewars
-wesnot
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 70d29a3ed..15ee78384 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -24,8 +24,13 @@
 #include <dirent.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/mman.h>
 #include "../include/common.h"
+static int arg_debug = 0;
 static void usage(void) {
        printf("firecfg - version %s\n\n", VERSION);
@@ -37,8 +42,10 @@ static void usage(void) {
        printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n");
        printf("Usage: firecfg [OPTIONS]\n\n");
        printf("   --clean - remove all firejail symbolic links.\n\n");
+        printf("   --debug - print debug messages.\n\n");
        printf("   --help, -? - this help screen.\n\n");
        printf("   --list - list all firejail symbolic links.\n\n");
+        printf("   --fix - fix .desktop files.\n\n");
        printf("   --version - print program version and exit.\n\n");
        printf("Example:\n\n");
        printf("   $ sudo firecfg\n");
@@ -49,10 +56,14 @@ static void usage(void) {
        printf("   /usr/local/bin/firefox\n");
        printf("   /usr/local/bin/vlc\n");
        printf("   [...]\n");
-        printf("   $ sudo firecfg --clear\n");
+        printf("   $ sudo firecfg --clean\n");
        printf("   /usr/local/bin/firefox removed\n");
        printf("   /usr/local/bin/vlc removed\n");
        printf("   [...]\n");
+        printf("   $ firecfg --fix\n");
+        printf("   /home/user/.local/share/applications/chromium.desktop created\n");
+        printf("   /home/user/.local/share/applications/vlc.desktop created\n");
+        printf("   [...]\n");
        printf("\n");
        printf("License GPL version 2 or later\n");
        printf("Homepage: http://firejail.wordpress.com\n\n");
@@ -67,9 +78,12 @@ static int find(const char *program, const char *directory) {
                errExit("asprintf");
                
        struct stat s;
-        if (stat(fname, &s) == 0)
+        if (stat(fname, &s) == 0) {
+                if (arg_debug)
+                        printf("found %s in directory %s\n", program, directory);
                retval = 1;
-        
+        }
+                
        free(fname);
        return retval;
 }
@@ -79,7 +93,8 @@ static int find(const char *program, const char *directory) {
 static int which(const char *program) {
        // check some well-known paths
        if (find(program, "/bin") || find(program, "/usr/bin") ||
-             find(program, "/sbin") || find(program, "/usr/sbin"))
+             find(program, "/sbin") || find(program, "/usr/sbin") ||
+             find(program, "/usr/games"))
                return 1;
                
        // check environment
@@ -205,8 +220,9 @@ static void set_file(const char *name, const char *firejail_exec) {
                errExit("asprintf");
        
        struct stat s;
-        if (stat(fname, &s) == 0)
+        if (stat(fname, &s) == 0) {
-                ; //printf("%s already present\n", fname);
+                printf("%s is already present, skipping...\n", fname);
+        }
        else {
                int rv = symlink(firejail_exec, fname);
                if (rv) {
@@ -268,7 +284,7 @@ static void set(void) {
                // empty line
                if (*start == '\0')
                        continue;
-                
                // set link
                set_file(start, firejail_exec);
        }
@@ -278,6 +294,165 @@ static void set(void) {
        free(firejail_exec);
 }
+static void fix_desktop_files(void) {
+        if (getuid() == 0) {
+                fprintf(stderr, "Error: you should run --fix as user\n");
+                exit(1);
+        }
+        char *homedir = getenv("HOME");
+        if (!homedir)
+                errExit("getenv");
+        char *user_apps_dir;
+        if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1)
+                errExit("asprintf");
+        DIR *dir = opendir("/usr/share/applications");
+        if (!dir) {
+                perror("Error: cannot open /usr/share/applications directory");
+                exit(1);
+        }
+        if (chdir("/usr/share/applications")) {
+                perror("Error: cannot chdir to /usr/share/applications");
+                exit(1);
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                // skip if not regular file or link
+                if (entry->d_type != DT_REG && entry->d_type != DT_LNK)
+                        continue;
+                // skip if not .desktop file
+                if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8))
+                        continue;
+                char *filename = entry->d_name;
+                // skip links
+                if (is_link(filename))
+                        continue;
+                struct stat sb;
+                if (stat(filename, &sb) == -1)
+                        errExit("stat");
+                /* coverity[toctou] */
+                int fd = open(filename, O_RDONLY);
+                if (fd == -1)
+                        errExit("open");
+                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+                if (buf == MAP_FAILED)
+                        errExit("mmap");
+                close(fd);
+                // check format
+                if (strstr(buf, "[Desktop Entry]\n") == NULL) {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - SKIPPED: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                // get executable name
+                char *ptr1 = strstr(buf,"\nExec=");
+                if (!ptr1 || strlen(ptr1) < 7) {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - SKIPPED: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                char *execname = ptr1 + 6;
+                // https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
+                // The executable program can either be specified with its full path
+                // or with the name of the executable only
+                if (execname[0] != '/') {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - already OK\n", filename);
+                        continue;
+                }
+                // executable name can be quoted, this is rare and currently unsupported, TODO
+                if (execname[0] == '"') {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - skipped: path quoting unsupported\n", filename);
+                        continue;
+                }
+                // put '\0' at end of filename
+                char *tail = NULL;
+                char endchar = ' ';
+                if (execname[0] == '/') {
+                        char *ptr2 = index(execname, ' ');
+                        char *ptr3 = index(execname, '\n');
+                        if (ptr2 && (!ptr3 || (ptr2 < ptr3))) {
+                                endchar = ptr2[0];
+                                ptr2[0] = '\0';
+                                tail = ptr2 + 1;
+                        } else if (ptr3 && (!ptr2 || (ptr3 < ptr2))) {
+                                endchar = ptr3[0];
+                                ptr3[0] = '\0';
+                                tail = ptr3 + 1;
+                        }
+                        ptr1[5] = '\0';
+                }
+                char *bname = basename(execname);
+                assert(bname);
+                // check if basename in PATH
+                if (!which(bname)) {
+                        fprintf(stderr, "/usr/share/applications/%s - skipped, %s not in PATH\n", filename, bname);
+                        continue;
+                }
+                char *outname;
+                if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1)
+                        errExit("asprintf");
+                int fd1 = open(outname, O_CREAT | O_WRONLY | O_EXCL, S_IRUSR | S_IWUSR);
+                free(outname);
+                if (fd1 == -1) {
+                        fprintf(stderr, "%s/%s skipped: %s\n", user_apps_dir, filename, strerror(errno));
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                FILE *outfile = fdopen(fd1, "w");
+                if (!outfile) {
+                        fprintf(stderr, "%s/%s skipped: %s\n", user_apps_dir, filename, strerror(errno));
+                        munmap(buf, sb.st_size + 1);
+                        close(fd1);
+                        continue;
+                }
+                if (fprintf(outfile,\
+                "# Converted by firecfg --fix from /usr/share/applications/%s\n\n%s=%s%c%s",\
+                filename, buf, bname, endchar, tail) < 0) {
+                        fprintf(stderr, "Unable to write %s/%s: %s\n", user_apps_dir, filename, strerror(errno));
+                        munmap(buf, sb.st_size + 1);
+                        fclose(outfile);
+                        continue;
+                }
+                fclose(outfile);
+                munmap(buf, sb.st_size + 1);
+                printf("%s/%s created\n", user_apps_dir, filename);
+        }
+        closedir(dir);
+        free(user_apps_dir);
+}
 int main(int argc, char **argv) {
        int i;
        
@@ -288,6 +463,8 @@ int main(int argc, char **argv) {
                        usage();
                        return 0;
                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
                else if (strcmp(argv[i], "--version") == 0) {
                        printf("firecfg version %s\n\n", VERSION);
                        return 0;
@@ -300,6 +477,10 @@ int main(int argc, char **argv) {
                        list();
                        return 0;
                }
+                else if (strcmp(argv[i], "--fix") == 0) {
+                        fix_desktop_files();
+                        return 0;
+                }
                else {
                        fprintf(stderr, "Error: invalid command line option\n");
                        usage();
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 3ad4ba75e..6e5071925 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -16,22 +16,28 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o firejail firejail.1 firejail.1.gz
+clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
new file mode 100644
index 000000000..0d1f8cb4d
--- /dev/null
+++ b/src/firejail/appimage.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+// http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=770fe30a46a12b6fb6b63fbe1737654d28e84844
+// sudo mount -o loop krita-3.0-x86_64.appimage mnt
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <fcntl.h>
+#include <linux/loop.h>
+#include <errno.h>
+static char *devloop = NULL;    // device file 
+static char *mntdir = NULL;     // mount point in /tmp directory
+void appimage_set(const char *appimage) {
+        assert(appimage);
+        assert(devloop == NULL);        // don't call this twice!
+        EUID_ASSERT();
+        
+#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
+        // check appimage file
+        invalid_filename(appimage);
+        if (access(appimage, R_OK) == -1) {
+                fprintf(stderr, "Error: cannot access AppImage file\n");
+                exit(1);
+        }
+        // get appimage type and ELF size
+        // a value of 0 means we are dealing with a type1 appimage
+        long unsigned int size = appimage2_size(appimage);
+        if (arg_debug)
+                printf("AppImage ELF size %lu\n", size);
+        // open appimage file
+        /* coverity[toctou] */
+        int ffd = open(appimage, O_RDONLY|O_CLOEXEC);
+        if (ffd == -1) {
+                fprintf(stderr, "Error: cannot open AppImage file\n");
+                exit(1);
+        }
+        // find or allocate a free loop device to use
+        EUID_ROOT();
+        int cfd = open("/dev/loop-control", O_RDWR);
+        if (cfd == -1) {
+                fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
+                exit(1);
+        }
+        int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
+        if (devnr == -1) {
+                fprintf(stderr, "Error: cannot allocate a new loopback device\n");
+                exit(1);
+        }
+        close(cfd);
+        if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
+                errExit("asprintf");
+                
+        int lfd = open(devloop, O_RDONLY);
+        if (lfd == -1) {
+                fprintf(stderr, "Error: cannot open %s\n", devloop);
+                exit(1);
+        }
+        if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) {
+                fprintf(stderr, "Error: cannot configure the loopback device\n");
+                exit(1);
+        }
+        
+        if (size) {
+                struct loop_info64 info;
+                memset(&info, 0, sizeof(struct loop_info64));
+                info.lo_offset = size;
+                if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
+                        errExit("configure appimage offset");
+        }
+        
+        close(lfd);
+        close(ffd);
+        EUID_USER();
+        // creates appimage mount point perms 0700
+        if (asprintf(&mntdir, "%s/.appimage-%u",  RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
+                errExit("asprintf");
+        EUID_ROOT();
+        mkdir_attr(mntdir, 0700, getuid(), getgid());
+        EUID_USER();
+        
+        // mount
+        char *mode;
+        if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
+                errExit("asprintf");
+        EUID_ROOT();
+        
+        if (size == 0) {
+                if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
+                        errExit("mounting appimage");
+        }
+        else {
+                if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
+                        errExit("mounting appimage");
+        }
+        if (arg_debug)
+                printf("appimage mounted on %s\n", mntdir);
+        EUID_USER();
+        // set environment
+        if (setenv("APPIMAGE", appimage, 1) < 0)
+                errExit("setenv");
+        if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
+                errExit("setenv");
+        // build new command line
+        if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
+                errExit("asprintf");
+        
+        free(mode);
+#ifdef HAVE_GCOV
+        __gcov_flush();
+#endif
+#else
+        fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
+        exit(1);
+#endif
+}
+void appimage_clear(void) {
+        int rv;
+        EUID_ROOT();
+        if (mntdir) {
+                int i;
+                int rv = 0;
+                for (i = 0; i < 5; i++) {
+                        rv = umount2(mntdir, MNT_FORCE);
+                        if (rv == 0)
+                                break;
+                        if (rv == -1 && errno == EBUSY) {
+                                if (!arg_quiet)
+                                        printf("Warning: EBUSY error trying to unmount %s\n", mntdir);                  
+                                sleep(2);
+                                continue;
+                        }
+                        
+                        // rv = -1
+                        if (!arg_quiet) {
+                                printf("Warning: error trying to unmount %s\n", mntdir);
+                                perror("umount");
+                        }
+                }
+                
+                if (rv == 0) {
+                        rmdir(mntdir);
+                        free(mntdir);
+                }
+        }
+        if (devloop) {
+                int lfd = open(devloop, O_RDONLY);
+                if (lfd != -1) {
+                        rv = ioctl(lfd, LOOP_CLR_FD, 0);
+                        (void) rv;
+                        close(lfd);
+                }
+        }
+}
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
new file mode 100644
index 000000000..3f5c3150c
--- /dev/null
+++ b/src/firejail/appimage_size.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+/*
+Compile with:
+gcc elfsize.c -o elfsize
+Example:
+ls -l                                           126584
+Calculation using the values also reported by readelf -h:
+Start of section headers        e_shoff         124728
+Size of section headers         e_shentsize     64
+Number of section headers       e_shnum         29
+e_shoff + ( e_shentsize * e_shnum ) =           126584
+*/
+#include <elf.h>
+#include <byteswap.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <fcntl.h>
+typedef Elf32_Nhdr Elf_Nhdr;
+static Elf64_Ehdr ehdr;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define ELFDATANATIVE ELFDATA2LSB
+#elif __BYTE_ORDER == __BIG_ENDIAN
+#define ELFDATANATIVE ELFDATA2MSB
+#else
+#error "Unknown machine endian"
+#endif
+static uint16_t file16_to_cpu(uint16_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_16(val);
+        return val;
+}
+static uint32_t file32_to_cpu(uint32_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_32(val);
+        return val;
+}
+static uint64_t file64_to_cpu(uint64_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_64(val);
+        return val;
+}
+// return 0 if error
+static long unsigned int read_elf32(int fd) {
+        Elf32_Ehdr ehdr32;
+        ssize_t ret;
+        ret = pread(fd, &ehdr32, sizeof(ehdr32), 0);
+        if (ret < 0 || (size_t)ret != sizeof(ehdr))
+                return 0;
+        ehdr.e_shoff            = file32_to_cpu(ehdr32.e_shoff);
+        ehdr.e_shentsize        = file16_to_cpu(ehdr32.e_shentsize);
+        ehdr.e_shnum            = file16_to_cpu(ehdr32.e_shnum);
+        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+}
+// return 0 if error
+static long unsigned int read_elf64(int fd) {
+        Elf64_Ehdr ehdr64;
+        ssize_t ret;
+        ret = pread(fd, &ehdr64, sizeof(ehdr64), 0);
+        if (ret < 0 || (size_t)ret != sizeof(ehdr))
+                return 0;
+        ehdr.e_shoff            = file64_to_cpu(ehdr64.e_shoff);
+        ehdr.e_shentsize        = file16_to_cpu(ehdr64.e_shentsize);
+        ehdr.e_shnum            = file16_to_cpu(ehdr64.e_shnum);
+        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+}
+// return 0 if error
+// return 0 if this is not an appimgage2 file
+long unsigned int appimage2_size(const char *fname) {
+/* TODO, FIXME: This assumes that the section header table (SHT) is
+the last part of the ELF. This is usually the case but
+it could also be that the last section is the last part
+of the ELF. This should be checked for.
+*/
+        ssize_t ret;
+        int fd;
+        long unsigned int size = 0;
+        fd = open(fname, O_RDONLY);
+        if (fd < 0)
+                return 0;
+        ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0);
+        if (ret != EI_NIDENT)
+                goto getout;
+        if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) &&
+             (ehdr.e_ident[EI_DATA] != ELFDATA2MSB))
+                goto getout;
+        if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) {
+                size = read_elf32(fd);
+        }
+        else if(ehdr.e_ident[EI_CLASS] == ELFCLASS64) {
+                size = read_elf64(fd);
+        }
+        else {
+                goto getout;
+        }
+        if (size == 0)
+                goto getout;
+        // look for a LZMA header at this location
+        unsigned char buf[4];
+        ret = pread(fd, buf, 4, size);
+        if (ret != 4) {
+                size = 0;
+                goto getout;
+        }
+        if (memcmp(buf, "hsqs", 4) != 0)
+                size = 0;
+getout:
+        close(fd);
+        return size;
+}
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index fb5e426b0..ddb75905f 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -40,6 +40,7 @@ typedef struct arp_hdr_t {
        uint8_t target_ip[4];
 } ArpHdr;
 // returns 0 if the address is not in use, -1 otherwise
 int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
        if (strlen(dev) > IFNAMSIZ) {
@@ -286,189 +287,4 @@ uint32_t arp_assign(const char *dev, Bridge *br) {
        return ip;
 }
-// scan interface (--scan option)
-void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
-        assert(dev);
-        assert(ifip);
-//      printf("Scanning interface %s (%d.%d.%d.%d/%d)\n",
-//              dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask));
-                        
-        if (strlen(dev) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", dev);
-                exit(1);
-        }
-        
-        // find interface mac address
-        int sock;
-        if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
-                errExit("socket");
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof (ifr));
-        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
-        if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
-                errExit("ioctl");
-        close(sock);
-        uint8_t mac[6];
-        memcpy (mac, ifr.ifr_hwaddr.sa_data, 6);
-        // open layer2 socket
-        if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
-                errExit("socket");
-        
-        // try all possible ip addresses in ascending order
-        uint32_t range = ~ifmask + 1; // the number of potential addresses
-        // this software is not supported for /31 networks
-        if (range < 4) {
-                fprintf(stderr, "Warning: this option is not supported for /31 networks\n");
-                close(sock);
-                return;
-        }
-        uint32_t dest = (ifip & ifmask) + 1;
-        uint32_t last = dest + range - 1;
-        uint32_t src = htonl(ifip);
-        // wait not more than one second for an answer
-        int header_printed = 0;
-        uint32_t last_ip = 0;
-        struct timeval ts;
-        ts.tv_sec = 2; // 2 seconds receive timeout
-        ts.tv_usec = 0;
-        
-        while (1) {
-                fd_set rfds;
-                FD_ZERO(&rfds);
-                FD_SET(sock, &rfds);
-                fd_set wfds;
-                FD_ZERO(&wfds);
-                FD_SET(sock, &wfds);
-                int maxfd = sock;
-                uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
-                memset(frame, 0, ETH_FRAME_LEN);        
-                int nready;
-                if (dest < last)
-                        nready = select(maxfd + 1,  &rfds, &wfds, (fd_set *) 0, NULL);
-                else            
-                        nready = select(maxfd + 1,  &rfds,  (fd_set *) 0, (fd_set *) 0, &ts);
-                
-                if (nready < 0)
-                        errExit("select");
-                        
-                if (nready == 0) { // timeout
-                        break;
-                }
-                
-                if (FD_ISSET(sock, &wfds) && dest < last) {
-                        // configure layer2 socket address information
-                        struct sockaddr_ll addr;
-                        memset(&addr, 0, sizeof(addr));
-                        if ((addr.sll_ifindex = if_nametoindex(dev)) == 0)
-                                errExit("if_nametoindex");
-                        addr.sll_family = AF_PACKET;
-                        memcpy (addr.sll_addr, mac, 6);
-                        addr.sll_halen = htons(6);
-                
-                        // build the arp packet header
-                        ArpHdr hdr;
-                        memset(&hdr, 0, sizeof(hdr));
-                        hdr.htype = htons(1);
-                        hdr.ptype = htons(ETH_P_IP);
-                        hdr.hlen = 6;
-                        hdr.plen = 4;
-                        hdr.opcode = htons(1); //ARPOP_REQUEST
-                        memcpy(hdr.sender_mac, mac, 6);
-                        memcpy(hdr.sender_ip, (uint8_t *)&src, 4);
-                        uint32_t dst = htonl(dest);
-                        memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
-                
-                        // build ethernet frame
-                        uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
-                        memset(frame, 0, sizeof(frame));
-                        frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
-                        memcpy(frame + 6, mac, 6);
-                        frame[12] = ETH_P_ARP / 256;
-                        frame[13] = ETH_P_ARP % 256;
-                        memcpy (frame + 14, &hdr, sizeof(hdr));
-                
-                        // send packet
-                        int len;
-                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
-                                errExit("send");
-//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));                
-                        fflush(0);
-                        dest++;
-                }
-                
-                if (FD_ISSET(sock, &rfds)) {
-                        // read the incoming packet
-                        int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL);
-                        if (len < 0) {
-                                perror("recvfrom");
-                        }
-                        // parse the incoming packet
-                        if ((unsigned int) len < 14 + sizeof(ArpHdr))
-                                continue;
-                        // look only at ARP packets
-                        if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256))
-                                continue;
-                        ArpHdr hdr;
-                        memcpy(&hdr, frame + 14, sizeof(ArpHdr));
-                        if (hdr.opcode == htons(2)) {
-                                // check my mac and my address
-                                if (memcmp(mac, hdr.target_mac, 6) != 0)
-                                        continue;
-                                uint32_t ip;
-                                memcpy(&ip, hdr.target_ip, 4);
-                                if (ip != src)
-                                        continue;
-                                memcpy(&ip, hdr.sender_ip, 4);
-                                ip = ntohl(ip);
-                                
-                                if (ip == last_ip) // filter duplicates
-                                        continue;
-                                last_ip = ip;
-                                        
-                                // printing
-                                if (header_printed == 0) {
-                                        printf("   Network scan:\n");
-                                        
-                                        // print parent interface
-                                        if (cfg.bridge0.configured && cfg.bridge0.ip && cfg.bridge0.macvlan &&
-                                            (cfg.bridge0.ip & cfg.bridge0.mask) == (ifip & cfg.bridge0.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge0.mac), PRINT_IP(cfg.bridge0.ip));
-                                        
-                                        if (cfg.bridge1.configured && cfg.bridge1.ip &&  cfg.bridge1.macvlan &&
-                                            (cfg.bridge1.ip & cfg.bridge1.mask) == (ifip & cfg.bridge1.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge1.mac), PRINT_IP(cfg.bridge1.ip));
-                                        
-                                        if (cfg.bridge2.configured && cfg.bridge2.ip &&  cfg.bridge2.macvlan &&
-                                            (cfg.bridge2.ip & cfg.bridge2.mask) == (ifip & cfg.bridge2.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge2.mac), PRINT_IP(cfg.bridge2.ip));
-                                        
-                                        if (cfg.bridge3.configured && cfg.bridge3.ip &&  cfg.bridge3.macvlan &&
-                                            (cfg.bridge3.ip & cfg.bridge3.mask) == (ifip & cfg.bridge3.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge3.mac), PRINT_IP(cfg.bridge3.ip));
-                                        
-                                        header_printed = 1;
-                                }
-                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                        PRINT_MAC(hdr.sender_mac), PRINT_IP(ip));                                                                       
-                        }
-                }
-        }
-        
-        close(sock);
-}
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 34c5ca509..5e9002f22 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -130,14 +130,8 @@ static void bandwidth_create_run_file(pid_t pid) {
        /* coverity[toctou] */
        FILE *fp = fopen(fname, "w");
        if (fp) {
+                SET_PERMS_STREAM(fp, 0, 0, 0644);
                fclose(fp);
-        
-                /* coverity[toctou] */
-                if (chmod(fname, 0644) == -1)
-                        errExit("chmod");
-                /* coverity[toctou] */
-                if (chown(fname, 0, 0) == -1)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot create bandwidth file\n");
@@ -180,12 +174,9 @@ void network_set_run_file(pid_t pid) {
                        fprintf(fp, "%s:%s\n", cfg.bridge2.dev, cfg.bridge2.devsandbox);
                if (cfg.bridge3.configured)
                        fprintf(fp, "%s:%s\n", cfg.bridge3.dev, cfg.bridge3.devsandbox);
-                fclose(fp);
-                if (chmod(fname, 0644) == -1)
+                SET_PERMS_STREAM(fp, 0, 0, 0644);
-                        errExit("chmod");
+                fclose(fp);
-                if (chown(fname, 0, 0) == -1)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot create network map file\n");
@@ -320,21 +311,6 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) {
 //***********************************
 // command execution
 //***********************************
-void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        bandwidth_pid(pid, command, dev, down, up);
-}
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) {
        EUID_ASSERT();
        //************************
@@ -459,13 +435,21 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
        if (setregid(0, 0))
                errExit("setregid");
+        if (!cfg.shell)
+                cfg.shell = guess_shell();
+        if (!cfg.shell) {
+                fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
+                exit(1);
+        }
        char *arg[4];
-        arg[0] = "/bin/bash";
+        arg[0] = cfg.shell;
        arg[1] = "-c";
        arg[2] = cmd;
        arg[3] = NULL;
-        execvp("/bin/bash", arg);
+        clearenv();
+        execvp(arg[0], arg);
        
        // it will never get here
-        exit(0);                
+        errExit("execvp");
 }
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 2d42c7d8a..6cfa36629 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -168,17 +168,6 @@ static CapsEntry capslist[] = {
 //
 }; // end of capslist
-const char *caps_find_nr(int nr) {
-        int i;
-        int elems = sizeof(capslist) / sizeof(capslist[0]);
-        for (i = 0; i < elems; i++) {
-                if (nr == capslist[i].nr)
-                        return capslist[i].name;
-        }
-        
-        return "unknown";
-}
 // return -1 if error, or syscall number
 static int caps_find_name(const char *name) {
        int i;
@@ -192,12 +181,10 @@ static int caps_find_name(const char *name) {
 }
 // return 1 if error, 0 if OK
-int caps_check_list(const char *clist, void (*callback)(int)) {
+void caps_check_list(const char *clist, void (*callback)(int)) {
        // don't allow empty lists
-        if (clist == NULL || *clist == '\0') {
+        if (clist == NULL || *clist == '\0')
-                fprintf(stderr, "Error: empty capabilities lists are not allowed\n");
+                goto errexit;
-                return -1;
-        }
        // work on a copy of the string
        char *str = strdup(clist);
@@ -212,11 +199,8 @@ int caps_check_list(const char *clist, void (*callback)(int)) {
                else if (*ptr == ',') {
                        *ptr = '\0';
                        int nr = caps_find_name(start);
-                        if (nr == -1) {
+                        if (nr == -1)
-                                fprintf(stderr, "Error: capability %s not found\n", start);
+                                goto errexit;
-                                free(str);
-                                return -1;
-                        }
                        else if (callback != NULL)
                                callback(nr);
                                
@@ -226,17 +210,18 @@ int caps_check_list(const char *clist, void (*callback)(int)) {
        }
        if (*start != '\0') {
                int nr = caps_find_name(start);
-                if (nr == -1) {
+                if (nr == -1) 
-                        fprintf(stderr, "Error: capability %s not found\n", start);
+                        goto errexit;
-                        free(str);      
-                        return -1;
-                }
                else if (callback != NULL)
                        callback(nr);
        }
        free(str);      
-        return 0;
+        return;
+errexit:
+        fprintf(stderr, "Error: capability \"%s\" not found\n", start);
+        exit(1);        
 }
 void caps_print(void) {
@@ -267,49 +252,53 @@ void caps_print(void) {
 // enabled by default
 int caps_default_filter(void) {
        // drop capabilities
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_MODULE");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_SYS_MODULE\n");
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_RAWIO");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_SYS_RAWIO\n");
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_BOOT");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_SYS_BOOT\n");
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_NICE");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_SYS_NICE\n");
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_TTY_CONFIG");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_SYS_TTY_CONFIG\n");
 #ifdef CAP_SYSLOG
-        if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_SYSLOG");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_SYSLOG\n");
 #endif
-        if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_MKNOD");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_MKNOD\n");
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) && arg_debug)
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0))
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_ADMIN");
+                goto errexit;
        else if (arg_debug)
                printf("Drop CAP_SYS_ADMIN\n");
        return 0;
+errexit:
+        fprintf(stderr, "Error: cannot drop capabilities\n");
+        exit(1);        
 }
 void caps_drop_all(void) {
@@ -370,19 +359,14 @@ static uint64_t extract_caps(int pid) {
        EUID_ASSERT();
        
        char *file;
-        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
                errExit("asprintf");
-                exit(1);
-        }
        EUID_ROOT();    // grsecurity
        FILE *fp = fopen(file, "r");
        EUID_USER();    // grsecurity
-        if (!fp) {
+        if (!fp)
-                printf("Error: cannot open %s\n", file);
+                goto errexit;
-                free(file);
-                exit(1);
-        }
        
        char buf[MAXBUF];
        while (fgets(buf, MAXBUF, fp)) {
@@ -396,27 +380,13 @@ static uint64_t extract_caps(int pid) {
                }
        }
        fclose(fp);
+errexit:        
        free(file);
-        printf("Error: cannot read caps configuration\n");
+        fprintf(stderr, "Error: cannot read caps configuration\n");
        exit(1);
 }
-void caps_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        caps_print_filter(pid);
-}
 void caps_print_filter(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index ebd87f0d2..d9c7af9cf 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -30,10 +30,9 @@ void save_cgroup(void) {
        if (fp) {
                fprintf(fp, "%s", cfg.cgroup);
                fflush(0);
+                SET_PERMS_STREAM(fp, 0, 0, 0644);
                if (fclose(fp))
                        goto errout;
-                if (chown(RUN_CGROUP_CFG, 0, 0) < 0)
-                        errExit("chown");
        }
        else
                goto errout;
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 430b0c5a6..c3eedc510 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -19,17 +19,21 @@
 */
 #include "firejail.h"
 #include <sys/stat.h>
+#include <linux/loop.h>
 #define MAX_READ 8192                             // line buffer for profile files
 static int initialized = 0;
 static int cfg_val[CFG_MAX];
 char *xephyr_screen = "800x600";
+char *xephyr_extra_params = "";
+char *netfilter_default = NULL;
 int checkcfg(int val) {
-        EUID_ASSERT();
        assert(val < CFG_MAX);
        int line = 0;
+        FILE *fp = NULL;
+        char *ptr;
        if (!initialized) {
                // initialize defaults
@@ -37,16 +41,21 @@ int checkcfg(int val) {
                for (i = 0; i < CFG_MAX; i++)
                        cfg_val[i] = 1; // most of them are enabled by default
                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
+                cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
+                cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
+                cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default
                
                // open configuration file
-                char *fname;
+                const char *fname = SYSCONFDIR "/firejail.config";
-                if (asprintf(&fname, "%s/firejail.config", SYSCONFDIR) == -1)
+                fp = fopen(fname, "r");
-                        errExit("asprintf");
-                FILE *fp = fopen(fname, "r");
                if (!fp) {
+#ifdef HAVE_GLOBALCFG                   
                        fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
                        exit(1);
+#else
+                        initialized = 1;
+                        return  cfg_val[val];
+#endif  
                }
                
                // read configuration file
@@ -57,7 +66,7 @@ int checkcfg(int val) {
                                continue;
                        // parse line                           
-                        char *ptr = line_remove_spaces(buf);
+                        ptr = line_remove_spaces(buf);
                        if (!ptr)
                                continue;
                        
@@ -106,6 +115,24 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // prompt
+                        else if (strncmp(ptr, "firejail-prompt ", 16) == 0) {
+                                if (strcmp(ptr + 16, "yes") == 0)
+                                        cfg_val[CFG_FIREJAIL_PROMPT] = 1;
+                                else if (strcmp(ptr + 16, "no") == 0)
+                                        cfg_val[CFG_FIREJAIL_PROMPT] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // nonewprivs
+                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        cfg_val[CFG_SECCOMP] = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        cfg_val[CFG_SECCOMP] = 0;
+                                else
+                                        goto errout;
+                        }
                        // seccomp
                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
@@ -115,6 +142,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // whitelist
+                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
+                                if (strcmp(ptr + 10, "yes") == 0)
+                                        cfg_val[CFG_WHITELIST] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_WHITELIST] = 0;
+                                else
+                                        goto errout;
+                        }
                        // network
                        else if (strncmp(ptr, "network ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
@@ -133,6 +169,30 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // netfilter
+                        else if (strncmp(ptr, "netfilter-default ", 18) == 0) {
+                                char *fname = ptr + 18;
+                                while (*fname == ' ' || *fname == '\t')
+                                        ptr++;
+                                char *end = strchr(fname, ' ');
+                                if (end)
+                                        *end = '\0';
+                                
+                                // is the file present?
+                                struct stat s;
+                                if (stat(fname, &s) == -1) {
+                                        fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
+                                        exit(1);
+                                }
+                                
+                                if (netfilter_default)
+                                        goto errout;
+                                netfilter_default = strdup(fname);
+                                if (!netfilter_default)
+                                        errExit("strdup");
+                                if (arg_debug)
+                                        printf("netfilter default file %s\n", fname);
+                        }
                        
                        // Xephyr screen size
                        else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
@@ -145,21 +205,194 @@ int checkcfg(int val) {
                                if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1)
                                        errExit("asprintf");
                        }
+        
+                        // xephyr window title
+                        else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) {
+                                if (strcmp(ptr + 20, "yes") == 0)
+                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1;
+                                else if (strcmp(ptr + 20, "no") == 0)
+                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0;
+                                else
+                                        goto errout;
+                        }
+                                
+                        // Xephyr command extra parameters
+                        else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) {
+                                if (*xephyr_extra_params != '\0')
+                                        goto errout;
+                                xephyr_extra_params = strdup(ptr + 19);
+                                if (!xephyr_extra_params)
+                                        errExit("strdup");
+                        }
+                        
+                        // quiet by default
+                        else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        arg_quiet = 1;
+                        }
+                        // remount /proc and /sys
+                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "overlayfs ", 10) == 0) {
+                                if (strcmp(ptr + 10, "yes") == 0)
+                                        cfg_val[CFG_OVERLAYFS] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_OVERLAYFS] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "private-home ", 13) == 0) {
+                                if (strcmp(ptr + 13, "yes") == 0)
+                                        cfg_val[CFG_PRIVATE_HOME] = 1;
+                                else if (strcmp(ptr + 13, "no") == 0)
+                                        cfg_val[CFG_PRIVATE_HOME] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
+                                if (strcmp(ptr + 15, "yes") == 0)
+                                        cfg_val[CFG_CHROOT_DESKTOP] = 1;
+                                else if (strcmp(ptr + 15, "no") == 0)
+                                        cfg_val[CFG_CHROOT_DESKTOP] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
+                                if (strcmp(ptr + 21, "yes") == 0)
+                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;
+                                else if (strcmp(ptr + 21, "no") == 0)
+                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
+                                else
+                                        goto errout;
+                        }
                        else
                                goto errout;
-                                
                        free(ptr);
                }
                fclose(fp);
-                free(fname);
                initialized = 1;
        }
        
        return cfg_val[val];
        
 errout:
+        assert(ptr);
+        free(ptr);
+        assert(fp);
+        fclose(fp);
        fprintf(stderr, "Error: invalid line %d in firejail configuration file\n", line );
        exit(1);
 }
+void print_compiletime_support(void) {
+        printf("Compile time support:\n");
+        printf("\t- AppArmor support is %s\n",
+#ifdef HAVE_APPARMOR
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- AppImage support is %s\n",
+#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- bind support is %s\n",
+#ifdef HAVE_BIND
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- chroot support is %s\n",
+#ifdef HAVE_CHROOT
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- file and directory whitelisting support is %s\n",
+#ifdef HAVE_WHITELIST
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- file transfer support is %s\n",
+#ifdef HAVE_FILE_TRANSFER
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- networking support is %s\n",
+#ifdef HAVE_NETWORK
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+#ifdef HAVE_NETWORK_RESTRICTED
+        printf("\t- networking features are available only to root user\n");
+#endif
+        printf("\t- overlayfs support is %s\n",
+#ifdef HAVE_OVERLAYFS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- private-home support is %s\n",
+#ifdef HAVE_PRIVATE_HOME
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- seccomp-bpf support is %s\n",
+#ifdef HAVE_SECCOMP
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- user namespace support is %s\n",
+#ifdef HAVE_USERNS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- X11 sandboxing support is %s\n",
+#ifdef HAVE_X11
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+}
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
new file mode 100644
index 000000000..cadf4795d
--- /dev/null
+++ b/src/firejail/cmdline.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <string.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <linux/limits.h>
+#include <assert.h>
+#include <errno.h>
+static int cmdline_length(int argc, char **argv, int index) {
+        assert(index != -1);
+        
+        unsigned i,j;
+        int len = 0;
+        unsigned argcnt = argc - index;
+        bool in_quotes = false;
+        for (i = 0; i < argcnt; i++) {
+                in_quotes = false;
+                for (j = 0; j < strlen(argv[i + index]); j++) {
+                        if (argv[i + index][j] == '\'') {
+                                if (in_quotes)
+                                        len++;
+                                if (j > 0 && argv[i + index][j-1] == '\'')
+                                        len++;
+                                else
+                                        len += 3;
+                                in_quotes = false;
+                        } else {
+                                if (!in_quotes)
+                                        len++;
+                                len++;
+                                in_quotes = true;
+                        }
+                }
+                if (in_quotes) {
+                        len++;
+                }
+                if (strlen(argv[i + index]) == 0) {
+                        len += 2;
+                }
+                len++;
+        }
+        return len;
+}
+static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
+        assert(index != -1);
+        unsigned i,j;
+        unsigned argcnt = argc - index;
+        bool in_quotes = false;
+        char *ptr1 = command_line;
+        char *ptr2 = window_title;
+        for (i = 0; i < argcnt; i++) {
+                // enclose args by single quotes,
+                // and since single quote can't be represented in single quoted text
+                // each occurence of it should be enclosed by double quotes
+                in_quotes = false;
+                for (j = 0; j < strlen(argv[i + index]); j++) {
+                        // single quote
+                        if (argv[i + index][j] == '\'') {
+                                if (in_quotes) {
+                                        // close quotes
+                                        ptr1[0] = '\'';
+                                        ptr1++;
+                                }
+                                // previous char was single quote too
+                                if (j > 0 && argv[i + index][j-1] == '\'') {
+                                        ptr1--;
+                                        sprintf(ptr1, "\'\"");
+                                } 
+                                // this first in series
+                                else
+                                {
+                                        sprintf(ptr1, "\"\'\"");
+                                }
+                                ptr1 += strlen(ptr1);
+                                in_quotes = false;
+                        }
+                        // anything other
+                        else
+                        {
+                                if (!in_quotes) {
+                                        // open quotes
+                                        ptr1[0] = '\'';
+                                        ptr1++;
+                                }
+                                ptr1[0] = argv[i + index][j];
+                                ptr1++;
+                                in_quotes = true;
+                        }
+                }
+                // close quotes
+                if (in_quotes) {
+                        ptr1[0] = '\'';
+                        ptr1++;
+                }
+                // handle empty argument case
+                if (strlen(argv[i + index]) == 0) {
+                        sprintf(ptr1, "\'\'");
+                        ptr1 += strlen(ptr1);
+                }
+                // add space
+                sprintf(ptr1, " ");
+                ptr1 += strlen(ptr1);
+                sprintf(ptr2, "%s ", argv[i + index]);
+                ptr2 += strlen(ptr2);
+        }
+        assert((unsigned) len == strlen(command_line));
+}
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+        // index == -1 could happen if we have --shell=none and no program was specified
+        // the program should exit with an error before entering this function
+        assert(index != -1);
+        int len = cmdline_length(argc, argv, index);
+        if (len > ARG_MAX) {
+                errno = E2BIG;
+                errExit("cmdline_length");
+        }
+        *command_line = malloc(len + 1);
+        if (!*command_line)
+                        errExit("malloc");
+        *window_title = malloc(len + 1);
+        if (!*window_title)
+                        errExit("malloc");
+        
+        quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        assert(*command_line);
+        assert(*window_title);
+}
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 1802ad5e1..7f53fed0f 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -78,11 +78,8 @@ void save_cpu(void) {
        FILE *fp = fopen(RUN_CPU_CFG, "w");
        if (fp) {
                fprintf(fp, "%x\n", cfg.cpus);
+                SET_PERMS_STREAM(fp, 0, 0, 0600);
                fclose(fp);
-                if (chmod(RUN_CPU_CFG, 0600) < 0)
-                        errExit("chmod");
-                if (chown(RUN_CPU_CFG, 0, 0) < 0)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot save cpu affinity mask\n");
@@ -171,21 +168,6 @@ static void print_cpu(int pid) {
        free(file);
 }
-void cpu_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        cpu_print_filter(pid);
-}
 void cpu_print_filter(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 54a6b0036..783f019a6 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
        struct env_t *next;
        char *name;
        char *value;
+        ENV_OP op;
 } Env;
 static Env *envlist = NULL;
 static void env_add(Env *env) {
-        env->next = envlist;
+        env->next = NULL;
-        envlist = env;
+        
+        // add the new entry at the end of the list
+        if (envlist == NULL) {
+                envlist = env;
+                return;
+        }
+        
+        Env *ptr = envlist;
+        while (1) {
+                if (ptr->next == NULL) {
+                        ptr->next = env;
+                        break;
+                }
+                ptr = ptr->next;
+        }
 }
 // load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
                        if (arg_debug)
                                printf("%s\n", buf);
                        EUID_USER();
-                        env_store(buf);
+                        env_store(buf, SETENV);
                        EUID_ROOT();
                }
@@ -104,29 +119,39 @@ void env_defaults(void) {
        // fix qt 4.8
        if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
                errExit("setenv");
+//      if (setenv("MOZ_NO_REMOTE, "1", 1) < 0)
+//              errExit("setenv");
        if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
                errExit("setenv");
-        if (arg_zsh && setenv("SHELL", "/usr/bin/zsh", 1) < 0)
+        if (!cfg.shell)
-                errExit("setenv");
+                cfg.shell = guess_shell();
-        if (arg_csh && setenv("SHELL", "/bin/csh", 1) < 0)
-                errExit("setenv");
        if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0)
                errExit("setenv");
-        // set prompt color to green
-        //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
-        if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
-                errExit("setenv");
-        // build the window title and set it
+        // set prompt color to green
-        char *title;
+        int set_prompt = 0;
-        if (asprintf(&title, "\033]0;firejail %s\007\n", cfg.window_title) == -1)
+        if (checkcfg(CFG_FIREJAIL_PROMPT))
-                errExit("asprintf");
+                set_prompt = 1;
-        printf("%s", title);
+        else { // check FIREJAIL_PROMPT="yes" environment variable
-        free(title);
+                char *prompt = getenv("FIREJAIL_PROMPT");
+                if (prompt && strcmp(prompt, "yes") == 0)
+                        set_prompt = 1;
+        }
+        
+        if (set_prompt) {
+                //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
+                if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
+                        errExit("setenv");
+        }
+        
+        // set the window title
+        if (!arg_quiet)
+                printf("\033]0;firejail %s\007", cfg.window_title);
+        fflush(0);
 }
 // parse and store the environment setting 
-void env_store(const char *str) {
+void env_store(const char *str, ENV_OP op) {
        EUID_ASSERT();
        assert(str);
        
@@ -134,11 +159,13 @@ void env_store(const char *str) {
        if (*str == '\0')
                goto errexit;
        char *ptr = strchr(str, '=');
-        if (!ptr)
+        if (op == SETENV) {
-                goto errexit;
+                if (!ptr)
-        ptr++;
+                        goto errexit;
-        if (*ptr == '\0')
+                ptr++;
-                goto errexit;
+                if (*ptr == '\0')
+                        goto errexit;
+        }
        // build list entry
        Env *env = malloc(sizeof(Env));
@@ -148,10 +175,13 @@ void env_store(const char *str) {
        env->name = strdup(str);
        if (env->name == NULL)
                errExit("strdup");
-        char *ptr2 = strchr(env->name, '=');
+        if (op == SETENV) {
-        assert(ptr2);
+                char *ptr2 = strchr(env->name, '=');
-        *ptr2 = '\0';
+                assert(ptr2);
-        env->value = ptr2 + 1;
+                *ptr2 = '\0';
+                env->value = ptr2 + 1;
+        }
+        env->op = op;
        
        // add entry to the list
        env_add(env);
@@ -167,8 +197,13 @@ void env_apply(void) {
        Env *env = envlist;
        
        while (env) {
-                if (setenv(env->name, env->value, 1) < 0)
+                if (env->op == SETENV) {
-                        errExit("setenv");
+                        if (setenv(env->name, env->value, 1) < 0)
+                                errExit("setenv");
+                }
+                else if (env->op == RMENV) {
+                        unsetenv(env->name);
+                }
                env = env->next;
        }
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 24ea53476..8fede5a69 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,10 +22,13 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
+// debug restricted shell
+//#define DEBUG_RESTRICTED_SHELL
 // filesystem
 #define RUN_FIREJAIL_BASEDIR    "/run"
 #define RUN_FIREJAIL_DIR        "/run/firejail"
+#define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name"
 #define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
@@ -34,17 +37,28 @@
 #define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
 #define RUN_MNT_DIR     "/run/firejail/mnt"     // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"
 #define RUN_CGROUP_CFG  "/run/firejail/mnt/cgroup"
 #define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
 #define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
 #define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
-#define RUN_CP_COMMAND  "/run/firejail/mnt/cp"
 #define RUN_HOME_DIR    "/run/firejail/mnt/home"
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
+#define RUN_OPT_DIR     "/run/firejail/mnt/opt"
+#define RUN_SRV_DIR     "/run/firejail/mnt/srv"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
-#define RUN_DRI_DIR     "/run/firejail/mnt/dri"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
+#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
+#define RUN_SECCOMP_AMD64       "/run/firejail/mnt/seccomp.amd64"       // amd64 filter installed on i386 architectures
+#define RUN_SECCOMP_I386        "/run/firejail/mnt/seccomp.i386"                // i386 filter installed on amd64 architectures
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
+#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64")           // amd64 filter built during make
+#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386")                     // i386 filter built during make
+#define RUN_DEV_DIR             "/run/firejail/mnt/dev"
 #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
 #define RUN_WHITELIST_X11_DIR   "/run/firejail/mnt/orig-x11"
@@ -52,26 +66,78 @@
 #define RUN_WHITELIST_HOME_USER_DIR     "/run/firejail/mnt/orig-home-user"      // home directory whitelisting
 #define RUN_WHITELIST_TMP_DIR   "/run/firejail/mnt/orig-tmp"
 #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
+#define RUN_WHITELIST_MNT_DIR   "/run/firejail/mnt/orig-mnt"
 #define RUN_WHITELIST_VAR_DIR   "/run/firejail/mnt/orig-var"
 #define RUN_WHITELIST_DEV_DIR   "/run/firejail/mnt/orig-dev"
 #define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
+#define RUN_WHITELIST_SRV_DIR   "/run/firejail/mnt/orig-srv"
 #define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
+#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
 #define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
+#define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
 #define RUN_PASSWD_FILE         "/run/firejail/mnt/passwd"
 #define RUN_GROUP_FILE          "/run/firejail/mnt/group"
 #define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
 // profiles
-#define DEFAULT_USER_PROFILE    "generic"
+#define DEFAULT_USER_PROFILE    "default"
 #define DEFAULT_ROOT_PROFILE    "server"
 #define MAX_INCLUDE_LEVEL 6             // include levels in profile files
+#define ASSERT_PERMS(file, uid, gid, mode) \
+        do { \
+                assert(file);\
+                struct stat s;\
+                if (stat(file, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
+#define ASSERT_PERMS_FD(fd, uid, gid, mode) \
+        do { \
+                struct stat s;\
+                if (stat(fd, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
+#define ASSERT_PERMS_STREAM(file, uid, gid, mode) \
+        do { \
+                int fd = fileno(file);\
+                if (fd == -1) errExit("fileno");\
+                ASSERT_PERMS_FD(fd, uid, gid, (mode));\
+        } while (0)
+#define SET_PERMS_FD(fd, uid, gid, mode) \
+        do { \
+                if (fchmod(fd, (mode)) == -1)   errExit("chmod");\
+                if (fchown(fd, uid, gid) == -1) errExit("chown");\
+        } while (0)
+#define SET_PERMS_STREAM(stream, uid, gid, mode) \
+        do { \
+                int fd = fileno(stream);\
+                if (fd == -1) errExit("fileno");\
+                SET_PERMS_FD(fd, uid, gid, (mode));\
+        } while (0)
+#define SET_PERMS_STREAM_NOERR(stream, uid, gid, mode) \
+        do { \
+                int fd = fileno(stream);\
+                if (fd == -1) continue;\
+                int rv = fchmod(fd, (mode));\
+                (void) rv;\
+                rv = fchown(fd, uid, gid);\
+                (void) rv;\
+        } while (0)
 // main.c
 typedef struct bridge_t {
        // on the host
@@ -81,6 +147,8 @@ typedef struct bridge_t {
        uint8_t mac[6];         // interface mac address
        int mtu;                // interface mtu
        
+        char *veth_name;        // veth name for the device connected to the bridge
+        
        // inside the sandbox
        char *devsandbox;       // name of the device inside the sandbox
        uint32_t ipsandbox;     // ip address inside the sandbox
@@ -115,9 +183,11 @@ typedef struct profile_entry_t {
        unsigned home_dir:1;    // whitelist in /home/user directory
        unsigned tmp_dir:1;     // whitelist in /tmp directory
        unsigned media_dir:1;   // whitelist in /media directory
+        unsigned mnt_dir:1;     // whitelist in /mnt directory
        unsigned var_dir:1;     // whitelist in /var directory
        unsigned dev_dir:1;     // whitelist in /dev directory
        unsigned opt_dir:1;     // whitelist in /opt directory
+        unsigned srv_dir:1;     // whitelist in /srv directory
 }ProfileEntry;
 typedef struct config_t {
@@ -131,10 +201,14 @@ typedef struct config_t {
        char *profile_ignore[MAX_PROFILE_IGNORE];
        char *chrootdir;        // chroot directory
        char *home_private;     // private home directory
+        char *home_private_keep;        // keep list for private home directory
        char *etc_private_keep; // keep list for private etc directory
+        char *opt_private_keep; // keep list for private opt directory
+        char *srv_private_keep; // keep list for private srv directory
        char *bin_private_keep; // keep list for private bin directory
        char *cwd;              // current working directory
        char *overlay_dir;
+   char *private_template; // template dir for tmpfs home
        // networking
        char *name;             // sandbox name
@@ -156,7 +230,6 @@ typedef struct config_t {
        char *seccomp_list;//  optional seccomp list on top of default filter
        char *seccomp_list_drop;        // seccomp drop list
        char *seccomp_list_keep;        // seccomp keep list
-        char **seccomp_list_errno;      // seccomp errno[nr] lists
        char *protocol;                 // protocol list
        // rlimits
@@ -211,6 +284,7 @@ static inline int any_interface_configured(void) {
 void clear_run_files(pid_t pid);
 extern int arg_private;         // mount private /home
+extern int arg_private_template; // private /home template
 extern int arg_debug;           // print debug messages
 extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
@@ -218,9 +292,8 @@ extern int arg_debug_whitelists;	// print debug messages for whitelists
 extern int arg_nonetwork;       // --net=none
 extern int arg_command; // -c
 extern int arg_overlay;         // overlay option
-extern int arg_overlay_keep;    // place overlay diff directory in ~/.firejail
+extern int arg_overlay_keep;    // place overlay diff in a known directory
-extern int arg_zsh;             // use zsh as default shell
+extern int arg_overlay_reuse;   // allow the reuse of overlays
-extern int arg_csh;             // use csh as default shell
 extern int arg_seccomp; // enable default seccomp filter
@@ -237,6 +310,7 @@ extern int arg_rlimit_nproc;	// rlimit nproc
 extern int arg_rlimit_fsize;    // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups;        // disable supplementary groups
+extern int arg_nonewprivs;      // set the NO_NEW_PRIVS prctl
 extern int arg_noroot;          // create a new user namespace and disable root user
 extern int arg_netfilter;       // enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
@@ -246,17 +320,32 @@ extern int arg_doubledash;	// double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
 extern int arg_private_etc;     // private etc directory
+extern int arg_private_opt;     // private opt directory
+extern int arg_private_srv;     // private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
 extern int arg_nosound; // disable sound
+extern int arg_no3d;            // disable 3d hardware acceleration
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice;            // nice value configured
 extern int arg_ipc;             // enable ipc namespace
+extern int arg_writable_etc;    // writable etc
+extern int arg_writable_var;    // writable var
+extern int arg_appimage;        // appimage
+extern int arg_audit;           // audit
+extern char *arg_audit_prog;    // audit
+extern int arg_apparmor;        // apparmor
+extern int arg_allow_debuggers; // allow debuggers
+extern int arg_x11_block;       // block X11
+extern int arg_x11_xorg;        // use X11 security extention
+extern int arg_allusers;        // all user home directories visible
+extern int arg_machineid;       // preserve /etc/machine-id
+extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
@@ -267,16 +356,17 @@ extern int fullargc;
 // main.c
 void check_user_namespace(void);
+char *guess_shell(void);
 // sandbox.c
 int sandbox(void* sandbox_arg);
+void start_application(void);
 // network_main.c
 void net_configure_bridge(Bridge *br, char *dev_name);
 void net_configure_sandbox_ip(Bridge *br);
 void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
-void net_dns_print_name(const char *name);
 void net_dns_print(pid_t pid);
 void network_main(pid_t child);
@@ -287,35 +377,32 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
 void net_if_ip6(const char *ifname, const char *addr6);
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu);
 int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
-void net_ifprint(void);
-void net_bridge_add_interface(const char *bridge, const char *dev);
 uint32_t network_get_defaultgw(void);
 int net_config_mac(const char *ifname, const unsigned char mac[6]);
 int net_get_mac(const char *ifname, unsigned char mac[6]);
+void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
+// preproc.c
+void preproc_build_firejail_dir(void);
+void preproc_mount_mnt_dir(void);
 // fs.c
-// build /run/firejail directory
-void fs_build_firejail_dir(void);
-// build /run/firejail/mnt directory
-void fs_build_mnt_dir(void);
-// grab a copy of cp command
-void fs_build_cp_command(void);
-// delete the temporary cp command
-void fs_delete_cp_command(void) ;
 // blacklist files or directoies by mounting empty files on top of them
 void fs_blacklist(void);
 // remount a directory read-only
 void fs_rdonly(const char *dir);
+// remount a directory noexec, nodev and nosuid
+void fs_noexec(const char *dir);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
 // mount overlayfs on top of / directory
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 int fs_check_chroot_dir(const char *rootdir);
-void fs_private_tmp(void);
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -340,12 +427,11 @@ void usage(void);
 // join.c
 void join(pid_t pid, int argc, char **argv, int index);
-void join_name(const char *name, int argc, char **argv, int index);
+// shutdown.c
 void shut(pid_t pid);
-void shut_name(const char *name);
 // restricted_shell.c
-extern char *restricted_user;
 int restricted_shell(const char *user);
 // arp.c
@@ -353,13 +439,6 @@ int restricted_shell(const char *user);
 int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr);
 // assign an IP address using arp scanning
 uint32_t arp_assign(const char *dev, Bridge *br);
-// scan interface (--scan option)
-void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask);
-// veth.c
-int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
-int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
-int net_move_interface(const char *dev, unsigned pid);
 // util.c
 void drop_privs(int nogroups);
@@ -369,7 +448,7 @@ void logsignal(int s);
 void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
-int copy_file(const char *srcname, const char *destname);
+int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *line_remove_spaces(const char *buf);
@@ -384,8 +463,14 @@ char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
-uid_t get_tty_gid(void);
+uid_t get_group_id(const char *group);
-uid_t get_audio_gid(void);
+int remove_directory(const char *path);
+void flush_stdin(void);
+void create_empty_dir_as_root(const char *dir, mode_t mode);
+void create_empty_file_as_root(const char *dir, mode_t mode);
+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
+char *read_text_file_or_exit(const char *fname);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -400,41 +485,46 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
+void fs_dev_disable_sound(void);
+void fs_dev_disable_3d(void);
 // fs_home.c
 // private mode (--private)
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
+// private template (--private-template=templatedir)
+void fs_private_template(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
+// check new private template home directory (--private-template= option) exit if it fails
+void fs_check_private_template(void);
+void fs_private_home_list(void);
 // seccomp.c
+char *seccomp_check_list(const char *str);
+int seccomp_load(const char *fname);
+void seccomp_filter_32(void);
+void seccomp_filter_64(void);
 int seccomp_filter_drop(int enforce_seccomp);
 int seccomp_filter_keep(void);
-void seccomp_set(void);
-void seccomp_print_filter_name(const char *name);
 void seccomp_print_filter(pid_t pid);
-int seccomp_filter_errno(void);
 // caps.c
 int caps_default_filter(void);
 void caps_print(void);
 void caps_drop_all(void);
 void caps_set(uint64_t caps);
-int caps_check_list(const char *clist, void (*callback)(int));
+void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
-void caps_print_filter_name(const char *name);
 // syscall.c
 const char *syscall_find_nr(int nr);
 // return -1 if error, 0 if no error
 int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg);
-// print all available syscallsseccomp
-void syscall_print(void);
 // fs_trace.c
 void fs_trace_preload(void);
@@ -452,7 +542,6 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
-void cpu_print_filter_name(const char *name);
 void cpu_print_filter(pid_t pid);
 // cgroup.c
@@ -470,21 +559,25 @@ void netfilter6(const char *fname);
 // bandwidth.c
 void bandwidth_del_run_file(pid_t pid);
-void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
 void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 // fs_etc.c
-void fs_check_etc_list(void);
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
-void fs_private_etc_list(void);
 // no_sandbox.c
+int check_namespace_virt(void);
 int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 // env.c
-void env_store(const char *str);
+typedef enum {
+        SETENV = 0,
+        RMENV
+} ENV_OP;
+void env_store(const char *str, ENV_OP op);
 void env_apply(void);
 void env_defaults(void);
 void env_ibus_load(void);
@@ -503,17 +596,12 @@ void pulseaudio_init(void);
 void pulseaudio_disable(void);
 // fs_bin.c
-void fs_check_bin_list(void);
 void fs_private_bin_list(void);
 // protocol.c
-void protocol_list();
-void protocol_print_filter_name(const char *name);
-void protocol_print_filter(pid_t pid);
-void protocol_store(const char *prlist);
-void protocol_filter(void);
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
+void protocol_print_filter(pid_t pid);
 // restrict_users.c
 void restrict_users(void);
@@ -525,46 +613,95 @@ void fs_logger2int(const char *msg1, int d);
 void fs_logger3(const char *msg1, const char *msg2, const char *msg3);
 void fs_logger_print(void);
 void fs_logger_change_owner(void);
-void fs_logger_print_log_name(const char *name);
 void fs_logger_print_log(pid_t pid);
 // run_symlink.c
 void run_symlink(int argc, char **argv);
-// user.c
-void check_user(int argc, char **argv);
 // paths.c
 char **build_paths(void);
 // fs_mkdir.c
 void fs_mkdir(const char *name);
+void fs_mkfile(const char *name);
 // x11.c
+extern int mask_x11_abstract_socket;
 void fs_x11(void);
 int x11_display(void);
 void x11_start(int argc, char **argv);
 void x11_start_xpra(int argc, char **argv);
 void x11_start_xephyr(int argc, char **argv);
-extern char *xephyr_screen;
+void x11_block(void);
 // ls.c
-#define SANDBOX_FS_LS 0
+enum {
-#define SANDBOX_FS_GET 1
+        SANDBOX_FS_LS = 0,
-void sandboxfs_name(int op, const char *name, const char *path);
+        SANDBOX_FS_GET,
-void sandboxfs(int op, pid_t pid, const char *patqh);
+        SANDBOX_FS_PUT,
+        SANDBOX_FS_MAX // this should always be the last entry
+};
+void sandboxfs(int op, pid_t pid, const char *path1, const char *path2);
 // checkcfg.c
-#define CFG_FILE_TRANSFER 0
+enum {
-#define CFG_X11 1
+        CFG_FILE_TRANSFER = 0,
-#define CFG_BIND 2
+        CFG_X11,
-#define CFG_USERNS 3
+        CFG_BIND,
-#define CFG_CHROOT 4
+        CFG_USERNS,
-#define CFG_SECCOMP 5
+        CFG_CHROOT,
-#define CFG_NETWORK 6
+        CFG_SECCOMP,
-#define CFG_RESTRICTED_NETWORK 7
+        CFG_NETWORK,
-#define CFG_MAX 8 // this should always be the last entry
+        CFG_RESTRICTED_NETWORK,
+        CFG_FORCE_NONEWPRIVS,
+        CFG_WHITELIST,
+        CFG_XEPHYR_WINDOW_TITLE,
+        CFG_REMOUNT_PROC_SYS,
+        CFG_OVERLAYFS,
+        CFG_CHROOT_DESKTOP,
+        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_BIN_NO_LOCAL,
+        CFG_FIREJAIL_PROMPT,
+        CFG_MAX // this should always be the last entry
+};
+extern char *xephyr_screen;
+extern char *xephyr_extra_params;
+extern char *netfilter_default;
 int checkcfg(int val);
+void print_compiletime_support(void);
+void x11_xorg(void);
+// appimage.c
+void appimage_set(const char *appimage_path);
+void appimage_clear(void);
+const char *appimage_getdir(void);
+// appimage_size.c
+long unsigned int appimage2_size(const char *fname);
+// cmdline.c
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+// sbox.c
+// programs
+#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FIREMON (PREFIX "/bin/firemon")
+#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
+// bitmapped filters for sbox_run
+#define SBOX_ROOT (1 << 0)                      // run the sandbox as root
+#define SBOX_USER (1 << 1)                      // run the sandbox as a regular user
+#define SBOX_SECCOMP (1 << 2)           // install seccomp 
+#define SBOX_CAPS_NONE (1 << 3)         // drop all capabilities
+#define SBOX_CAPS_NETWORK (1 << 4)      // caps filter for programs running network programs
+#define SBOX_ALLOW_STDIN (1 << 5)               // don't close stdin
+#define SBOX_STDIN_FROM_FILE (1 << 6)   // open file and redirect it to stdin
+// run sbox
+int sbox_run(unsigned filter, int num, ...);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7ee76d096..adddf626b 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,198 +27,9 @@
 #include <fcntl.h>
 #include <errno.h>
-static void create_empty_dir(void) {
+static void fs_rdwr(const char *dir);
-        struct stat s;
-        
-        if (stat(RUN_RO_DIR, &s)) {
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR);
-                if (rv == -1)
-                        errExit("mkdir");       
-                if (chown(RUN_RO_DIR, 0, 0) < 0)
-                        errExit("chown");
-        }
-}
-static void create_empty_file(void) {
-        struct stat s;
-        if (stat(RUN_RO_FILE, &s)) {
-                /* coverity[toctou] */
-                FILE *fp = fopen(RUN_RO_FILE, "w");
-                if (!fp)
-                        errExit("fopen");
-                fclose(fp);
-                if (chown(RUN_RO_FILE, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_RO_FILE, S_IRUSR) < 0)
-                        errExit("chown");
-        }
-}
-// build /run/firejail directory
-void fs_build_firejail_dir(void) {
-        struct stat s;
-        // CentOS 6 doesn't have /run directory
-        if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_BASEDIR);
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_FIREJAIL_BASEDIR, 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_BASEDIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_BASEDIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        else { // check /tmp/firejail directory belongs to root end exit if doesn't!
-                if (s.st_uid != 0 || s.st_gid != 0) {
-                        fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
-                        exit(1);
-                }
-        }
-        if (stat(RUN_FIREJAIL_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_FIREJAIL_DIR, 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_NETWORK_DIR);
-                
-                if (mkdir(RUN_FIREJAIL_NETWORK_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_NETWORK_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_NETWORK_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_BANDWIDTH_DIR);
-                if (mkdir(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_BANDWIDTH_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-                
-        if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_NAME_DIR);
-                if (mkdir(RUN_FIREJAIL_NAME_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_NAME_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_NAME_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_X11_DIR);
-                if (mkdir(RUN_FIREJAIL_X11_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_X11_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_X11_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        create_empty_dir();
-        create_empty_file();
-}
-// build /tmp/firejail/mnt directory
-static int tmpfs_mounted = 0;
-#ifdef HAVE_CHROOT              
-static void fs_build_remount_mnt_dir(void) {
-        tmpfs_mounted = 0;
-        fs_build_mnt_dir();
-}
-#endif
-void fs_build_mnt_dir(void) {
-        struct stat s;
-        fs_build_firejail_dir();
-        
-        // create /run/firejail/mnt directory
-        if (stat(RUN_MNT_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_MNT_DIR);
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_MNT_DIR, 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_MNT_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_MNT_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        // ... and mount tmpfs on top of it
-        if (!tmpfs_mounted) {
-                // mount tmpfs on top of /run/firejail/mnt
-                if (arg_debug)
-                        printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
-                if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting /tmp/firejail/mnt");
-                tmpfs_mounted = 1;
-                fs_logger2("tmpfs", RUN_MNT_DIR);
-        }
-}
-// grab a copy of cp command
-void fs_build_cp_command(void) {
-        struct stat s;
-        fs_build_mnt_dir();
-        if (stat(RUN_CP_COMMAND, &s)) {
-                char* fname = realpath("/bin/cp", NULL);
-                if (fname == NULL) {
-                        fprintf(stderr, "Error: /bin/cp not found\n");
-                        exit(1);
-                }
-                if (stat(fname, &s)) {
-                        fprintf(stderr, "Error: /bin/cp not found\n");
-                        exit(1);
-                }
-                if (is_link(fname)) {
-                        fprintf(stderr, "Error: invalid /bin/cp file\n");
-                        exit(1);
-                }
-                int rv = copy_file(fname, RUN_CP_COMMAND);
-                if (rv) {
-                        fprintf(stderr, "Error: cannot access /bin/cp\n");
-                        exit(1);
-                }
-                /* coverity[toctou] */
-                if (chown(RUN_CP_COMMAND, 0, 0))
-                        errExit("chown");
-                if (chmod(RUN_CP_COMMAND, 0755))
-                        errExit("chmod");
-                        
-                free(fname);
-        }
-}
-// delete the temporary cp command
-void fs_delete_cp_command(void) {
-        unlink(RUN_CP_COMMAND);
-}
 //***********************************************
 // process profile file
@@ -228,6 +39,8 @@ typedef enum {
        BLACKLIST_NOLOG,
        MOUNT_READONLY,
        MOUNT_TMPFS,
+        MOUNT_NOEXEC,
+        MOUNT_RDWR,
        OPERATION_MAX
 } OPERATION;
@@ -242,14 +55,9 @@ static void disable_file(OPERATION op, const char *filename) {
        assert(op <OPERATION_MAX);
        last_disable = UNSUCCESSFUL;
        
-        // rebuild /run/firejail directory in case tmpfs was mounted on top of /run
-        fs_build_firejail_dir();
-        
        // Resolve all symlinks
        char* fname = realpath(filename, NULL);
        if (fname == NULL && errno != EACCES) {
-                if (arg_debug)
-                        printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);
                return;
        }
        if (fname == NULL && errno == EACCES) {
@@ -298,12 +106,17 @@ static void disable_file(OPERATION op, const char *filename) {
                // some distros put all executables under /usr/bin and make /bin a symbolic link
                if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) &&
                      is_link(filename) &&
-                      S_ISDIR(s.st_mode))
+                      S_ISDIR(s.st_mode)) {
-                        fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
+                        if (!arg_quiet)
-                        
+                                fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
+                }
                else {
-                        if (arg_debug)
+                        if (arg_debug) {
-                                printf("Disable %s\n", fname);
+                                if (strcmp(filename, fname))
+                                        printf("Disable %s (requesterd %s)\n", fname, filename);
+                                else
+                                        printf("Disable %s\n", fname);
+                        }
                        else if (arg_debug_blacklists) {
                                printf("Disable %s", fname);
                                if (op == BLACKLIST_FILE)
@@ -311,6 +124,7 @@ static void disable_file(OPERATION op, const char *filename) {
                                else
                                        printf(" - no logging\n");
                        }
+                        
                        if (S_ISDIR(s.st_mode)) {
                                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
                                        errExit("disable file");
@@ -332,6 +146,18 @@ static void disable_file(OPERATION op, const char *filename) {
                fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
        }
+        else if (op == MOUNT_RDWR) {
+                if (arg_debug)
+                        printf("Mounting read-only %s\n", fname);
+                fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
+        else if (op == MOUNT_NOEXEC) {
+                if (arg_debug)
+                        printf("Mounting noexec %s\n", fname);
+                fs_noexec(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
        else if (op == MOUNT_TMPFS) {
                if (S_ISDIR(s.st_mode)) {
                        if (arg_debug)
@@ -361,7 +187,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
        glob_t globbuf;
        // Profiles contain blacklists for files that might not exist on a user's machine.
        // GLOB_NOCHECK makes that okay.
-        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
        if (globerr) {
                fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
                exit(1);
@@ -399,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
-// blacklist files or directoies by mounting empty files on top of them
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
        char *homedir = cfg.homedir;
        assert(homedir);
@@ -426,21 +252,13 @@ void fs_blacklist(void) {
                // process bind command
                if (strncmp(entry->data, "bind ", 5) == 0)  {
+                        struct stat s;
                        char *dname1 = entry->data + 5;
                        char *dname2 = split_comma(dname1);
-                        if (dname2 == NULL) {
+                        if (dname2 == NULL ||
-                                fprintf(stderr, "Error: second directory missing in bind command\n");
+                            stat(dname1, &s) == -1 ||
-                                entry = entry->next;
+                            stat(dname2, &s) == -1) {
-                                continue;
+                                fprintf(stderr, "Error: invalid bind command, directory missing\n");
-                        }
-                        struct stat s;
-                        if (stat(dname1, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
-                                entry = entry->next;
-                                continue;
-                        }
-                        if (stat(dname2, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
                                entry = entry->next;
                                continue;
                        }
@@ -452,11 +270,8 @@ void fs_blacklist(void) {
                        if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
                                errExit("mount bind");
                        /* coverity[toctou] */
-                        if (chown(dname2, s.st_uid, s.st_gid) == -1)
+                        if (set_perms(dname2,  s.st_uid, s.st_gid,s.st_mode))
-                                errExit("mount-bind chown");
+                                errExit("set_perms"); 
-                        /* coverity[toctou] */
-                        if (chmod(dname2, s.st_mode) == -1)
-                                errExit("mount-bind chmod");
                                
                        entry = entry->next;
                        continue;
@@ -464,12 +279,40 @@ void fs_blacklist(void) {
                // Process noblacklist command
                if (strncmp(entry->data, "noblacklist ", 12) == 0) {
-                        if (noblacklist_c >= noblacklist_m) {
+                        char **paths = build_paths();
-                        noblacklist_m *= 2;
-                        noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m);
+                        char *enames[sizeof(paths)+1] = {0};
-                        if (noblacklist == NULL)
+                        int i = 0;
-                                errExit("failed increasing memory for noblacklist entries");}
-                        noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir);
+                        if (strncmp(entry->data + 12, "${PATH}", 7) == 0) {
+                                // expand ${PATH} macro
+                                while (paths[i] != NULL) {
+                                        if (asprintf(&enames[i], "%s%s", paths[i], entry->data + 19) == -1)
+                                                errExit("asprintf");
+                                        i++;
+                                }
+                        } else {
+                                // expand ${HOME} macro if found or pass as is
+                                enames[0] = expand_home(entry->data + 12, homedir);
+                                enames[1] = NULL;
+                        }
+                        i = 0;
+                        while (enames[i] != NULL) {
+                                if (noblacklist_c >= noblacklist_m) {
+                                        noblacklist_m *= 2;
+                                        noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m);
+                                        if (noblacklist == NULL)
+                                                errExit("failed increasing memory for noblacklist entries");
+                                }
+                                noblacklist[noblacklist_c++] = enames[i];
+                                i++;
+                        }
+                        while (enames[i] != NULL) {
+                                free(enames[i]);
+                        }
                        entry = entry->next;
                        continue;
                }
@@ -487,10 +330,32 @@ void fs_blacklist(void) {
                        ptr = entry->data + 10;
                        op = MOUNT_READONLY;
                }                       
+                else if (strncmp(entry->data, "read-write ", 11) == 0) {
+                        ptr = entry->data + 11;
+                        op = MOUNT_RDWR;
+                }                       
+                else if (strncmp(entry->data, "noexec ", 7) == 0) {
+                        ptr = entry->data + 7;
+                        op = MOUNT_NOEXEC;
+                }                       
                else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
                        ptr = entry->data + 6;
                        op = MOUNT_TMPFS;
                }                       
+                else if (strncmp(entry->data, "mkdir ", 6) == 0) {
+                        EUID_USER();
+                        fs_mkdir(entry->data + 6);
+                        EUID_ROOT();
+                        entry = entry->next;
+                        continue;
+                }                       
+                else if (strncmp(entry->data, "mkfile ", 7) == 0) {
+                        EUID_USER();
+                        fs_mkfile(entry->data + 7);
+                        EUID_ROOT();
+                        entry = entry->next;
+                        continue;
+                }                       
                else {
                        fprintf(stderr, "Error: invalid profile line %s\n", entry->data);
                        entry = entry->next;
@@ -542,38 +407,56 @@ void fs_rdonly(const char *dir) {
        int rv = stat(dir, &s);
        if (rv == 0) {
                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount read-only");
                // mount --bind -o remount,ro /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
                        errExit("mount read-only");
                fs_logger2("read-only", dir);
        }
 }
-void fs_rdonly_noexit(const char *dir) {
+static void fs_rdwr(const char *dir) {
+        assert(dir);
+        // check directory exists
+        struct stat s;
+        int rv = stat(dir, &s);
+        if (rv == 0) {
+                // if the file is outside /home directory, allow only root user
+                uid_t u = getuid();
+                if (u != 0 && s.st_uid != u) {
+                        if (!arg_quiet)
+                                fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+                        return;
+                }
+                
+                // mount --bind /bin /bin
+                // mount --bind -o remount,rw /bin
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                fs_logger2("read-write", dir);
+        }
+}
+void fs_noexec(const char *dir) {
        assert(dir);
        // check directory exists
        struct stat s;
        int rv = stat(dir, &s);
        if (rv == 0) {
-                int merr = 0;
                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        merr = 1;
                // mount --bind -o remount,ro /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 
-                        merr = 1;
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
-                if (merr)
+                        errExit("mount noexec");
-                        fprintf(stderr, "Warning: cannot mount %s read-only\n", dir); 
+                fs_logger2("noexec", dir);
-                else
-                        fs_logger2("read-only", dir);
        }
 }
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
-        struct stat s;
        if (arg_debug)
                printf("Remounting /proc and /proc/sys filesystems\n");
        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
@@ -581,10 +464,8 @@ void fs_proc_sys_dev_boot(void) {
        fs_logger("remount /proc");
        // remount /proc/sys readonly
-        if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
+        if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
-                errExit("mounting /proc/sys");
+            mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
-        if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
                errExit("mounting /proc/sys");
        fs_logger("read-only /proc/sys");
@@ -601,114 +482,148 @@ void fs_proc_sys_dev_boot(void) {
                        fs_logger("remount /sys");
        }
                
-        if (stat("/sys/firmware", &s) == 0) {
+        disable_file(BLACKLIST_FILE, "/sys/firmware");
-                disable_file(BLACKLIST_FILE, "/sys/firmware");
+        disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        }
+        { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
-                
+                EUID_USER();    
-        if (stat("/sys/hypervisor", &s) == 0) {
+                profile_add("blacklist /sys/fs");
-                disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+                EUID_ROOT();
-        }
-        if (stat("/sys/fs", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/fs");
-        }
-        if (stat("/sys/module", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/module");
-        }
-        if (stat("/sys/power", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/power");
        }
+        disable_file(BLACKLIST_FILE, "/sys/module");
-//      if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
+        disable_file(BLACKLIST_FILE, "/sys/power");
-//              errExit("mounting /sys");
+        disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
+        disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
-        // Disable SysRq
+        disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
-        // a linux box can be shut down easily using the following commands (as root):
-        // # echo 1 > /proc/sys/kernel/sysrq
+        // various /proc/sys files
-        // #echo b > /proc/sysrq-trigger
+        disable_file(BLACKLIST_FILE, "/proc/sys/security");     
-        // for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
+        disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");     
-        if (arg_debug)
+        disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");       
-                printf("Disable /proc/sysrq-trigger\n");
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");  
-        fs_rdonly_noexit("/proc/sysrq-trigger");
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");      
-        
+        disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
-        // disable hotplug and uevent_helper
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
-        if (arg_debug)
+        disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
-                printf("Disable /proc/sys/kernel/hotplug\n");
-        fs_rdonly_noexit("/proc/sys/kernel/hotplug");
+        // various /proc files
-        if (arg_debug)
+        disable_file(BLACKLIST_FILE, "/proc/irq");
-                printf("Disable /sys/kernel/uevent_helper\n");
+        disable_file(BLACKLIST_FILE, "/proc/bus");
-        fs_rdonly_noexit("/sys/kernel/uevent_helper");
+        disable_file(BLACKLIST_FILE, "/proc/config.gz");        
-        
+        disable_file(BLACKLIST_FILE, "/proc/sched_debug");      
-        // read-only /proc/irq and /proc/bus
+        disable_file(BLACKLIST_FILE, "/proc/timer_list");       
-        if (arg_debug)
+        disable_file(BLACKLIST_FILE, "/proc/timer_stats");      
-                printf("Disable /proc/irq\n");
-        fs_rdonly_noexit("/proc/irq");
-        if (arg_debug)
-                printf("Disable /proc/bus\n");
-        fs_rdonly_noexit("/proc/bus");
-        
-        // disable /proc/kcore
        disable_file(BLACKLIST_FILE, "/proc/kcore");
-        // disable /proc/kallsyms
        disable_file(BLACKLIST_FILE, "/proc/kallsyms");
+        disable_file(BLACKLIST_FILE, "/proc/mem");
+        disable_file(BLACKLIST_FILE, "/proc/kmem");
        
-        // disable /boot
+        // remove kernel symbol information
-        if (stat("/boot", &s) == 0) {
+        if (!arg_allow_debuggers) {
-                if (arg_debug)
+                disable_file(BLACKLIST_FILE, "/usr/src/linux");
-                        printf("Disable /boot directory\n");
+                disable_file(BLACKLIST_FILE, "/lib/modules");
+                disable_file(BLACKLIST_FILE, "/usr/lib/debug");
                disable_file(BLACKLIST_FILE, "/boot");
        }
-        
+                
        // disable /selinux
-        if (stat("/selinux", &s) == 0) {
+        disable_file(BLACKLIST_FILE, "/selinux");
-                if (arg_debug)
-                        printf("Disable /selinux directory\n");
-                disable_file(BLACKLIST_FILE, "/selinux");
-        }
        
        // disable /dev/port
-        if (stat("/dev/port", &s) == 0) {
+        disable_file(BLACKLIST_FILE, "/dev/port");
-                disable_file(BLACKLIST_FILE, "/dev/port");
-        }
        
-        if (getuid() != 0) {
+        // disable various ipc sockets
-                // disable /dev/kmsg
+        struct stat s; 
-                if (stat("/dev/kmsg", &s) == 0) {
-                        disable_file(BLACKLIST_FILE, "/dev/kmsg");
+        // disable /run/user/{uid}/gnupg
-                }
+        char *fnamegpg;
+        if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+                errExit("asprintf");
+        if (stat(fnamegpg, &s) == -1) 
+            mkdir_attr(fnamegpg, 0700, getuid(), getgid());
+        if (stat(fnamegpg, &s) == 0)
+                disable_file(BLACKLIST_FILE, fnamegpg);
+        free(fnamegpg);
+        // disable /run/user/{uid}/systemd
+        char *fnamesysd;
+        if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+                errExit("asprintf");
+        if (stat(fnamesysd, &s) == -1) 
+                mkdir_attr(fnamesysd, 0755, getuid(), getgid());
+        if (stat(fnamesysd, &s) == 0)
+                disable_file(BLACKLIST_FILE, fnamesysd);
+        free(fnamesysd);
+        
+// todo: investigate
+#if 0
+        // breaks too many applications, option needed
+        /* // disable /run/user/{uid}/bus */
+        /* char *fnamebus; */
+        /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamebus, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamebus); */
+        /* free(fnamebus); */
+        // WARNING: not working
+        // disable /run/user/{uid}/kdeinit*
+        //char *fnamekde;
+        //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
+        //    errExit("asprintf");
+        //if (stat(fnamekde, &s) == 0)
+        //    disable_file(BLACKLIST_FILE, fnamekde);
+        //free(fnamekde);
+        
+        
+        // disable /run/user/{uid}/pulse
+        /* char *fnamepulse; */
+        /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamepulse, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamepulse); */
+        /* free(fnamepulse); */
+        // disable /run/user/{uid}/dconf
+        /* char *fnamedconf; */
+        /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamedconf, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamedconf); */
+        /* free(fnamedconf); */
+        // dirs in /run/user/{uid}/
+        // using gnome:
+        // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
+        // using kde:
+        // kdeinit__0, ...
                
-                // disable /proc/kmsg
+        // more files with sockets to be blacklisted
-                if (stat("/proc/kmsg", &s) == 0) {
+        // /run/dbus /run/systemd /run/udev /run/lvm
-                        disable_file(BLACKLIST_FILE, "/proc/kmsg");
-                }
+        // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
+        
+#endif
+        if (getuid() != 0) {
+                // disable /dev/kmsg and /proc/kmsg
+                disable_file(BLACKLIST_FILE, "/dev/kmsg");
+                disable_file(BLACKLIST_FILE, "/proc/kmsg");
        }
 }
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
-static void disable_firejail_config(void) {
+static void disable_config(void) {
        struct stat s;
-        if (stat("/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/etc/firejail");
        char *fname;
        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(fname, &s) == 0)
                disable_file(BLACKLIST_FILE, fname);
-        
-        if (stat("/usr/local/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
-        if (strcmp(PREFIX, "/usr/local")) {
-                if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-                        errExit("asprintf");
-                if (stat(fname, &s) == 0)
-                        disable_file(BLACKLIST_FILE, fname);
-        }
-        
        free(fname);
        
        // disable run time information
@@ -725,8 +640,23 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
+        uid_t uid = getuid();
+        
        if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+        if (!arg_writable_etc) {
+                fs_rdonly("/etc");
+                if (uid)
+                        fs_noexec("/etc");
+                if (arg_debug) printf(", /etc");
+        }
+        if (!arg_writable_var) {
+                fs_rdonly("/var");
+                if (uid)
+                        fs_noexec("/var");
+                if (arg_debug) printf(", /var");
+        }
+        if (arg_debug) printf("\n");
        fs_rdonly("/bin");
        fs_rdonly("/sbin");
        fs_rdonly("/lib");
@@ -734,26 +664,66 @@ void fs_basic_fs(void) {
        fs_rdonly("/lib32");
        fs_rdonly("/libx32");
        fs_rdonly("/usr");
-        fs_rdonly("/etc");
-        fs_rdonly("/var");
        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
+//      if (!arg_private_dev)
-                fs_dev_shm();
+//              fs_dev_shm();
        fs_var_lock();
        fs_var_tmp();
        fs_var_log();
        fs_var_lib();
        fs_var_cache();
        fs_var_utmp();
+        fs_machineid();
+        
        // don't leak user information
        restrict_users();
        
-        disable_firejail_config();
+        // when starting as root, firejail config is not disabled;
+        // this mode could be used to install and test new software by chaining
+        // firejail sandboxes (firejail --force)
+        if (uid)
+                disable_config();
 }
+#ifdef HAVE_OVERLAYFS
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+        struct stat s;
+        char *dirname;
+        // create ~/.firejail directory
+        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (stat(dirname, &s) == -1) {
+                mkdir_attr(dirname, 0700, 0, 0);
+        }
+        else if (is_link(dirname)) {
+                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                exit(1);
+        }
+        free(dirname);
+        // check overlay directory
+        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+                errExit("asprintf");
+        if (is_link(dirname)) {
+                fprintf(stderr, "Error: overlay directory is a symbolic link\n");
+                exit(1);
+        }
+        if (allow_reuse == 0) {
+                if (stat(dirname, &s) == 0) {
+                        fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+                        exit(1);
+                }
+        }
+        return dirname;
+}
 // mount overlayfs on top of / directory
 // mounting an overlay and chrooting into it:
 //
@@ -806,48 +776,54 @@ void fs_overlayfs(void) {
        if (major == 3 && minor < 18)
                oldkernel = 1;
        
-        // build overlay directories
-        fs_build_mnt_dir();
        char *oroot;
        if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
                errExit("asprintf");
-        if (mkdir(oroot, 0755))
+        mkdir_attr(oroot, 0755, 0, 0);
-                errExit("mkdir");
-        if (chown(oroot, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(oroot, 0755) < 0)
-                errExit("chmod");
+        struct stat s;
        char *basedir = RUN_MNT_DIR;
        if (arg_overlay_keep) {
                // set base for working and diff directories
                basedir = cfg.overlay_dir;
-                if (mkdir(basedir, 0755) != 0) {
-                        fprintf(stderr, "Error: cannot create overlay directory\n");
+                // does the overlay exist?
-                        exit(1);
+                if (stat(basedir, &s) == 0) {
+                        if (arg_overlay_reuse == 0) {
+                                fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
+                                exit(1);
+                        }
+                }
+                else {
+                        /* coverity[toctou] */
+                        if (mkdir(basedir, 0755) != 0) {
+                                fprintf(stderr, "Error: cannot create overlay directory\n");
+                                exit(1);
+                        }
                }
        }
        char *odiff;
        if(asprintf(&odiff, "%s/odiff", basedir) == -1)
                errExit("asprintf");
-        if (mkdir(odiff, 0755))
-                errExit("mkdir");
+        // no need to check arg_overlay_reuse
-        if (chown(odiff, 0, 0) < 0)
+        if (stat(odiff, &s) != 0) {
-                errExit("chown");
+                mkdir_attr(odiff, 0755, 0, 0);
-        if (chmod(odiff, 0755) < 0)
+        }
-                errExit("chmod");
+        else if (set_perms(odiff, 0, 0, 0755))
+                errExit("set_perms");
        
        char *owork;
        if(asprintf(&owork, "%s/owork", basedir) == -1)
                errExit("asprintf");
-        if (mkdir(owork, 0755))
-                errExit("mkdir");
+        // no need to check arg_overlay_reuse
-        if (chown(owork, 0, 0) < 0)
+        if (stat(owork, &s) != 0) {
+                mkdir_attr(owork, 0755, 0, 0);
+        }
+        else if (set_perms(owork, 0, 0, 0755))
                errExit("chown");
-        if (chmod(owork, 0755) < 0)
-                errExit("chmod");
        
        // mount overlayfs
        if (arg_debug)
@@ -899,21 +875,23 @@ void fs_overlayfs(void) {
                
                                if(asprintf(&hdiff, "%s/hdiff", basedir) == -1)
                                        errExit("asprintf");
-                                if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO))
-                                        errExit("mkdir");
+                                // no need to check arg_overlay_reuse
-                                if (chown(hdiff, 0, 0) < 0)
+                                if (stat(hdiff, &s) != 0) {
-                                        errExit("chown");
+                                        mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
-                                if (chmod(hdiff, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                                }
-                                        errExit("chmod");
+                                else if (set_perms(hdiff, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
+                                        errExit("set_perms");
                
                                if(asprintf(&hwork, "%s/hwork", basedir) == -1)
                                        errExit("asprintf");
-                                if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO))
-                                        errExit("mkdir");
+                                // no need to check arg_overlay_reuse
-                                if (chown(hwork, 0, 0) < 0)
+                                if (stat(hwork, &s) != 0) {
-                                        errExit("chown");
+                                        mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
-                                if (chmod(hwork, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                                }
-                                        errExit("chmod");
+                                else if (set_perms(hwork, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
+                                        errExit("set_perms");
                
                                // no homedir in overlay so now mount another overlay for /home
                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
@@ -950,37 +928,53 @@ void fs_overlayfs(void) {
                errExit("mounting /run");
        fs_logger("whitelist /run");
+        // mount-bind /tmp/.X11-unix directory
+        if (stat("/tmp/.X11-unix", &s) == 0) {
+                if (arg_debug)
+                        printf("Mounting /tmp/.X11-unix\n");
+                char *x11;
+                if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1)
+                        errExit("asprintf");
+                if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        fprintf(stderr, "Warning: cannot mount /tmp/.X11-unix in overlay\n");
+                else
+                        fs_logger("whitelist /tmp/.X11-unix");
+                free(x11);
+        }
        // chroot in the new filesystem
+#ifdef HAVE_GCOV
+        __gcov_flush();
+#endif
        if (chroot(oroot) == -1)
                errExit("chroot");
        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
+//      if (!arg_private_dev)
-                fs_dev_shm();
+//              fs_dev_shm();
        fs_var_lock();
        fs_var_tmp();
        fs_var_log();
        fs_var_lib();
        fs_var_cache();
        fs_var_utmp();
+        fs_machineid();
        // don't leak user information
        restrict_users();
-        // when starting as root in overlay mode, firejail config is not disabled;
+        // when starting as root, firejail config is not disabled;
        // this mode could be used to install and test new software by chaining
        // firejail sandboxes (firejail --force)
        if (getuid() != 0)
-                disable_firejail_config();
+                disable_config();
-        else
-                fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n");
        // cleanup and exit
        free(option);
        free(oroot);
        free(odiff);
 }
+#endif
 #ifdef HAVE_CHROOT              
@@ -991,6 +985,16 @@ int fs_check_chroot_dir(const char *rootdir) {
        struct stat s;
        char *name;
+        // rootdir has to be owned by root
+        if (stat(rootdir, &s) != 0) {
+                fprintf(stderr, "Error: cannot find chroot directory\n");
+                return 1;
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot directory should be owned by root\n");
+                return 1;
+        }
        // check /dev
        if (asprintf(&name, "%s/dev", rootdir) == -1)
                errExit("asprintf");
@@ -1018,7 +1022,7 @@ int fs_check_chroot_dir(const char *rootdir) {
        }
        free(name);
        
-        // check /proc
+        // check /tmp
        if (asprintf(&name, "%s/tmp", rootdir) == -1)
                errExit("asprintf");
        if (stat(name, &s) == -1) {
@@ -1026,16 +1030,29 @@ int fs_check_chroot_dir(const char *rootdir) {
                return 1;
        }
        free(name);
-        
        // check /bin/bash
-        if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
+//      if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
-                errExit("asprintf");
+//              errExit("asprintf");
-        if (stat(name, &s) == -1) {
+//      if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n");
+//              fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n");
-                return 1;
+//              return 1;
+//      }
+//      free(name);
+        // check x11 socket directory
+        if (getenv("FIREJAIL_X11")) {
+                mask_x11_abstract_socket = 1;
+                char *name;
+                if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1)
+                        errExit("asprintf");
+                if (stat(name, &s) == -1) {
+                        fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n");
+                        return 1;
+                }
+                free(name);
        }
-        free(name);
+        
        return 0;       
 }
@@ -1043,77 +1060,98 @@ int fs_check_chroot_dir(const char *rootdir) {
 void fs_chroot(const char *rootdir) {
        assert(rootdir);
        
-        //***********************************
+        if (checkcfg(CFG_CHROOT_DESKTOP)) {
-        // mount-bind a /dev in rootdir
+                // mount-bind a /dev in rootdir
-        //***********************************
+                char *newdev;
-        // mount /dev
+                if (asprintf(&newdev, "%s/dev", rootdir) == -1)
-        char *newdev;
+                        errExit("asprintf");
-        if (asprintf(&newdev, "%s/dev", rootdir) == -1)
+                if (arg_debug)
-                errExit("asprintf");
+                        printf("Mounting /dev on %s\n", newdev);
-        if (arg_debug)
+                if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
-                printf("Mounting /dev on %s\n", newdev);
+                        errExit("mounting /dev");
-        if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                free(newdev);
-                errExit("mounting /dev");
+                
-        
+                // x11
-        // some older distros don't have a /run directory
+                if (getenv("FIREJAIL_X11")) {
-        // create one by default
+                        mask_x11_abstract_socket = 1;
-        // no exit on error, let the user deal with any problems
+                        char *newx11;
-        char *rundir;
+                        if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
-        if (asprintf(&rundir, "%s/run", rootdir) == -1)
+                                errExit("asprintf");
-                errExit("asprintf");
+                        if (arg_debug)
-        if (!is_dir(rundir)) {
+                                printf("Mounting /tmp/.X11-unix on %s\n", newx11);
-                int rv = mkdir(rundir, 0755);
+                        if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
-                (void) rv;
+                                errExit("mounting /tmp/.X11-unix");
-                rv = chown(rundir, 0, 0);
+                        free(newx11);
-                (void) rv;
+                }
+                
+                // create /run/firejail directory in chroot
+                char *rundir;
+                if (asprintf(&rundir, "%s/run", rootdir) == -1)
+                        errExit("asprintf");
+                create_empty_dir_as_root(rundir, 0755);
+                free(rundir);
+                if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
+                        errExit("asprintf");
+                create_empty_dir_as_root(rundir, 0755);
+                free(rundir);
+                
+                // create /run/firejail/mnt directory in chroot and mount the current one
+                if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
+                        errExit("asprintf");
+                create_empty_dir_as_root(rundir, 0755);
+                if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount bind");
+                // copy /etc/resolv.conf in chroot directory
+                // if resolv.conf in chroot is a symbolic link, this will fail
+                // no exit on error, let the user deal with the problem
+                char *fname;
+                if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("Updating /etc/resolv.conf in %s\n", fname);
+                if (is_link(fname)) {
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
+                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1)
+                        fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
        }
        
-        // copy /etc/resolv.conf in chroot directory
-        // if resolv.conf in chroot is a symbolic link, this will fail
-        // no exit on error, let the user deal with the problem
-        char *fname;
-        if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("Updating /etc/resolv.conf in %s\n", fname);
-        if (is_link(fname)) {
-                fprintf(stderr, "Error: invalid %s file\n", fname);
-                exit(1);
-        }
-        if (copy_file("/etc/resolv.conf", fname) == -1)
-                fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
-                
        // chroot into the new directory
+#ifdef HAVE_GCOV
+        __gcov_flush();
+#endif
        if (arg_debug)
                printf("Chrooting into %s\n", rootdir);
        if (chroot(rootdir) < 0)
                errExit("chroot");
-        // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
-        fs_build_remount_mnt_dir();
-                
-        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
-                fs_dev_shm();
-        fs_var_lock();
-        fs_var_tmp();
-        fs_var_log();
-        fs_var_lib();
-        fs_var_cache();
-        fs_var_utmp();
-        // don't leak user information
+        // create all other /run/firejail files and directories
-        restrict_users();
+        preproc_build_firejail_dir();
-        disable_firejail_config();
+        if (checkcfg(CFG_CHROOT_DESKTOP)) {
+                // update /var directory in order to support multiple sandboxes running on the same root directory
+//              if (!arg_private_dev)
+//                      fs_dev_shm();
+                fs_var_lock();
+                fs_var_tmp();
+                fs_var_log();
+                fs_var_lib();
+                fs_var_cache();
+                fs_var_utmp();
+                fs_machineid();
+        
+                // don't leak user information
+                restrict_users();
+        
+                // when starting as root, firejail config is not disabled;
+                // this mode could be used to install and test new software by chaining
+                // firejail sandboxes (firejail --force)
+                if (getuid() != 0)
+                        disable_config();
+        }
 }
 #endif
-void fs_private_tmp(void) {
-        // mount tmpfs on top of /run/firejail/mnt
-        if (arg_debug)
-                printf("Mounting tmpfs on /tmp directory\n");
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                errExit("mounting /tmp/firejail/mnt");
-        fs_logger2("tmpfs", "/tmp");
-}
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index c3d24aaac..7c56d524e 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -28,6 +28,8 @@ static char *paths[] = {
        "/usr/local/bin",
        "/usr/bin",
        "/bin",
+        "/usr/games",
+        "/usr/local/games",
        "/usr/local/sbin",
        "/usr/sbin",
        "/sbin",
@@ -37,19 +39,45 @@ static char *paths[] = {
 // return 1 if found, 0 if not found
 static char *check_dir_or_file(const char *name) {
        assert(name);
-        invalid_filename(name);
        
        struct stat s;
        char *fname = NULL;
        
        int i = 0;
        while (paths[i]) {
+                // private-bin-no-local can be disabled in /etc/firejail/firejail.config
+                if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) {
+                        i++;
+                        continue;
+                }
+                
+                // check file           
                if (asprintf(&fname, "%s/%s", paths[i], name) == -1)
                        errExit("asprintf");
                if (arg_debug)
                        printf("Checking %s/%s\n", paths[i], name);             
-                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
+                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
+                        // check symlink to firejail executable in /usr/local/bin
+                        if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
+                                /* coverity[toctou] */
+                                char *actual_path = realpath(fname, NULL);
+                                if (actual_path) {
+                                        char *ptr = strstr(actual_path, "/firejail");
+                                        if (ptr && strlen(ptr) == strlen("/firejail")) {
+                                                if (arg_debug)
+                                                        printf("firejail exec symlink detected\n");
+                                                free(actual_path);
+                                                free(fname);
+                                                fname = NULL;
+                                                i++;
+                                                continue;
+                                        }
+                                        free(actual_path);
+                                }
+                                
+                        }               
                        break; // file found
+                }
                
                free(fname);
                fname = NULL;
@@ -57,7 +85,8 @@ static char *check_dir_or_file(const char *name) {
        }
        if (!fname) {
-//              fprintf(stderr, "Warning: file %s not found\n", name);
+                if (arg_debug)
+                        fprintf(stderr, "Warning: file %s not found\n", name);
                return NULL;
        }
        
@@ -65,69 +94,13 @@ static char *check_dir_or_file(const char *name) {
        return paths[i];
 }
-void fs_check_bin_list(void) {
+static void duplicate(char *fname) {
-        EUID_ASSERT();
+        if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
-        if (strstr(cfg.bin_private_keep, "..")) {
+                fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
-                fprintf(stderr, "Error: invalid private bin list\n");
                exit(1);
        }
-        
+        invalid_filename(fname);
-        char *dlist = strdup(cfg.bin_private_keep);
-        if (!dlist)
-                errExit("strdup");
-        // create a new list removing files not found
-        char *newlist = malloc(strlen(dlist) + 1 + 1); // +',' + '\0'
-        if (!newlist)
-                errExit("malloc");
-        *newlist = '\0';
-        char *newlistptr = newlist;
-        // check the first file
-        char *ptr = strtok(dlist, ",");
-        int notfound = 0;
-        if (check_dir_or_file(ptr)) {
-                // file found, copy the name in the new list
-                strcpy(newlistptr, ptr);
-                strcat(newlistptr, ",");
-                newlistptr += strlen(newlistptr);
-        }
-        else
-                notfound = 1;
-        // check the rest of the list
-        while ((ptr = strtok(NULL, ",")) != NULL) {
-                if (check_dir_or_file(ptr)) {
-                        // file found, copy the name in the new list
-                        strcpy(newlistptr, ptr);
-                        strcat(newlistptr, ",");
-                        newlistptr += strlen(newlistptr);
-                }
-                else
-                        notfound = 1;
-        }
-        
-        if (*newlist == '\0') {
-                fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
-                cfg.bin_private_keep = NULL;
-                arg_private_bin = 0;
-                free(newlist);
-        }
-        else {
-                ptr = strrchr(newlist, ',');
-                assert(ptr);
-                *ptr = '\0';
-                if (notfound)
-                        fprintf(stderr, "Warning: not all executables from --private-bin list were found. The current list is %s\n", newlist);
-                
-                cfg.bin_private_keep = newlist;
-        }
-        
-        free(dlist);
-}
-static void duplicate(char *fname) {
-        char *cmd;
        char *path = check_dir_or_file(fname);
        if (!path)
                return;
@@ -137,33 +110,9 @@ static void duplicate(char *fname) {
        if (asprintf(&full_path, "%s/%s", path, fname) == -1)
                errExit("asprintf");
        
-        char *actual_path = realpath(full_path, NULL);
+        // copy the file
-        if (actual_path) {
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
-                // if the file is a symbolic link not under path, make a symbolic link
+        fs_logger2("clone", fname);
-                if (is_link(full_path) && strncmp(actual_path, path, strlen(path))) {
-                        char *lnkname;
-                        if (asprintf(&lnkname, "%s/%s", RUN_BIN_DIR, fname) == -1)
-                                errExit("asprintf");
-                        int rv = symlink(actual_path, lnkname);
-                        if (rv)
-                                fprintf(stderr, "Warning cannot create symbolic link %s\n", lnkname);
-                        else if (arg_debug)
-                                printf("Created symbolic link %s -> %s\n", lnkname, actual_path);
-                        free(lnkname);
-                }
-                else {
-                        // copy the file
-                        if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1)
-                                errExit("asprintf");
-                        if (arg_debug)
-                                printf("%s\n", cmd);
-                        if (system(cmd))
-                                errExit("system cp -a");
-                        free(cmd);
-                }
-                free(actual_path);
-        }
        free(full_path);
 }
@@ -172,66 +121,26 @@ void fs_private_bin_list(void) {
        char *private_list = cfg.bin_private_keep;
        assert(private_list);
        
-        // check bin paths
+        // create /run/firejail/mnt/bin directory
-        int i = 0;
+        mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
-#if 0
-        while (paths[i]) {
-                struct stat s;
-                if (stat(paths[i], &s) == -1) {
-                        fprintf(stderr, "Error: cannot find %s directory\n", paths[i]);
-                        exit(1);
-                }
-                i++;
-        }
-#endif
-        // create /tmp/firejail/mnt/bin directory
-        fs_build_mnt_dir();
-        int rv = mkdir(RUN_BIN_DIR, 0755);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown(RUN_BIN_DIR, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(RUN_BIN_DIR, 0755) < 0)
-                errExit("chmod");
        
-        
+        if (arg_debug)
-        // copy the list of files in the new etc directory
+                printf("Copying files in the new bin directory\n");
-        // using a new child process without root privileges
-        fs_logger_print();      // save the current log
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                if (arg_debug)
-                        printf("Copying files in the new home:\n");
-                // elevate privileges - files in the new /bin directory belong to root
+        // copy the list of files in the new home directory
-                if (setreuid(0, 0) < 0)
+        char *dlist = strdup(private_list);
-                        errExit("setreuid");
+        if (!dlist)
-                if (setregid(0, 0) < 0)
+                errExit("strdup");
-                        errExit("setregid");
-                
-                // copy the list of files in the new home directory
-                char *dlist = strdup(private_list);
-                if (!dlist)
-                        errExit("strdup");
-        
        
-                char *ptr = strtok(dlist, ",");
+        char *ptr = strtok(dlist, ",");
+        duplicate(ptr);
+        while ((ptr = strtok(NULL, ",")) != NULL)
                duplicate(ptr);
-        
+        free(dlist);    
-                while ((ptr = strtok(NULL, ",")) != NULL)
-                        duplicate(ptr);
-                free(dlist);    
                fs_logger_print();
-                exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
        // mount-bind
-        i = 0;
+        int i = 0;
        while (paths[i]) {
                struct stat s;
                if (stat(paths[i], &s) == 0) {
@@ -244,29 +153,5 @@ void fs_private_bin_list(void) {
                }
                i++;
        }
-        
-        // log cloned files
-        char *dlist = strdup(private_list);
-        if (!dlist)
-                errExit("strdup");
-        
-        
-        char *ptr = strtok(dlist, ",");
-        while (ptr) {
-                i = 0;
-                while (paths[i]) {
-                        struct stat s;
-                        if (stat(paths[i], &s) == 0) {
-                                char *fname;
-                                if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1)
-                                        errExit("asprintf");
-                                fs_logger2("clone", fname);
-                                free(fname);
-                        }
-                        i++;
-                }
-                ptr = strtok(NULL, ",");
-        }
-        free(dlist);
 }
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 2fd450391..d710e98f2 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -30,17 +30,75 @@
 #endif
 #include <sys/types.h>
+typedef struct {
+        const char *dev_fname;
+        const char *run_fname;
+        int sound;
+        int hw3d;
+} DevEntry;
+static DevEntry dev[] = {
+        {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device
+        {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1},         // 3d device
+        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
+        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
+        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
+        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
+        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
+        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
+        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
+        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
+        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
+        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
+        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
+        {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
+        {NULL, NULL, 0, 0}
+};
+static void deventry_mount(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                struct stat s;
+                if (stat(dev[i].run_fname, &s) == 0) {
+                        int dir = is_dir(dev[i].run_fname);
+                        if (arg_debug)
+                                printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
+                        if (dir) {
+                                mkdir_attr(dev[i].dev_fname, 0755, 0, 0);
+                        }
+                        else {
+                                struct stat s;
+                                if (stat(dev[i].run_fname, &s) == -1) {
+                                        if (arg_debug)
+                                                printf("Warning: cannot stat %s file\n", dev[i].run_fname);
+                                        i++;
+                                        continue;
+                                }
+                                FILE *fp = fopen(dev[i].dev_fname, "w");
+                                if (fp) {
+                                        fprintf(fp, "\n");
+                                        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
+                                        fclose(fp);
+                                }
+                        }
+                                
+                        if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mounting dev file");
+                        fs_logger2("whitelist", dev[i].dev_fname);
+                }
+                
+                i++;    
+        }
+}
+        
 static void create_char_dev(const char *path, mode_t mode, int major, int minor) {
        dev_t dev = makedev(major, minor);
-        int rv = mknod(path, S_IFCHR | mode, dev);
+        if (mknod(path, S_IFCHR | mode, dev) == -1)
-        if (rv == -1)
                goto errexit;
-        
        if (chmod(path, mode) < 0)
                goto errexit;
-        if (chown(path, 0, 0) < 0)
+        ASSERT_PERMS(path, 0, 0, mode);
-                goto errexit;
        return;
        
@@ -62,35 +120,19 @@ errexit:
 }
 void fs_private_dev(void){
-        int rv;
        // install a new /dev directory
        if (arg_debug)
                printf("Mounting tmpfs on /dev\n");
-        int have_dri = 0;
-        struct stat s;
-        if (stat("/dev/dri", &s) == 0)
-                have_dri = 1;
        // create DRI_DIR
-        fs_build_mnt_dir();
+        // keep a copy of dev directory
-        if (have_dri) {
+        mkdir_attr(RUN_DEV_DIR, 0755, 0, 0);
-                /* coverity[toctou] */
+        if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                rv = mkdir(RUN_DRI_DIR, 0755);
+                errExit("mounting /dev/dri");
-                if (rv == -1)
-                        errExit("mkdir");
+        // create DEVLOG_FILE
-                if (chown(RUN_DRI_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_DRI_DIR, 0755) < 0)
-                        errExit("chmod");
-        
-                // keep a copy of /dev/dri under DRI_DIR
-                if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /dev/dri");
-        }
-        
-        // restore /dev/log
        int have_devlog = 0;
+        struct stat s;
        if (stat("/dev/log", &s) == 0) {
                have_devlog = 1;
                FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
@@ -108,6 +150,8 @@ void fs_private_dev(void){
        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mounting /dev");
        fs_logger("tmpfs /dev");
+        
+        deventry_mount();
        // bring back /dev/log
        if (have_devlog) {
@@ -120,32 +164,14 @@ void fs_private_dev(void){
                        fs_logger("clone /dev/log");
                }
        }               
+        if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable /dev/snd");
-        // bring back the /dev/dri directory
-        if (have_dri) {
-                /* coverity[toctou] */
-                rv = mkdir("/dev/dri", 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/dev/dri", 0, 0) < 0)
-                        errExit("chown");
-                if (chmod("/dev/dri",0755) < 0)
-                        errExit("chmod");
-                if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /dev/dri");
-                fs_logger("whitelist /dev/dri");
-        }
        
        // create /dev/shm
        if (arg_debug)
                printf("Create /dev/shm directory\n");
-        rv = mkdir("/dev/shm", 01777);
+        mkdir_attr("/dev/shm", 01777, 0, 0);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown("/dev/shm", 0, 0) < 0)
-                errExit("chown");
-        if (chmod("/dev/shm", 01777) < 0)
-                errExit("chmod");
        fs_logger("mkdir /dev/shm");
        // create devices
@@ -167,13 +193,7 @@ void fs_private_dev(void){
 #endif
        // pseudo-terminal
-        rv = mkdir("/dev/pts", 0755);
+        mkdir_attr("/dev/pts", 0755, 0, 0);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown("/dev/pts", 0, 0) < 0)
-                errExit("chown");
-        if (chmod("/dev/pts", 0755) < 0)
-                errExit("chmod");
        fs_logger("mkdir /dev/pts");
        create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
        fs_logger("mknod /dev/pts/ptmx");
@@ -186,7 +206,7 @@ void fs_private_dev(void){
        // mount /dev/pts
-        gid_t ttygid = get_tty_gid();
+        gid_t ttygid = get_group_id("tty");
        char *data;
        if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
                errExit("asprintf");
@@ -205,6 +225,7 @@ void fs_private_dev(void){
 }
+#if 0
 void fs_dev_shm(void) {
        uid_t uid = getuid(); // set a new shm only if we started as root
        if (uid)
@@ -222,12 +243,7 @@ void fs_dev_shm(void) {
                if (lnk) {
                        if (!is_dir(lnk)) {
                                // create directory
-                                if (mkdir(lnk, 01777))
+                                mkdir_attr(lnk, 01777, 0, 0);
-                                        errExit("mkdir");
-                                if (chown(lnk, 0, 0))
-                                        errExit("chown");
-                                if (chmod(lnk, 01777))
-                                        errExit("chmod");
                        }
                        if (arg_debug)
                                printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
@@ -243,3 +259,40 @@ void fs_dev_shm(void) {
                        
        }
 }
+#endif  
+static void disable_file_or_dir(const char *fname) {
+        if (arg_debug)
+                printf("disable %s\n", fname);
+        struct stat s;
+        if (stat(fname, &s) != -1) {
+                if (is_dir(fname)) {    
+                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable directory");
+                }
+                else {
+                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable file");
+                }               
+        }
+        fs_logger2("blacklist", fname);
+}
+void fs_dev_disable_sound(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].sound)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
+void fs_dev_disable_3d(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].hw3d)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 1a44b1305..a27c0e41b 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -21,130 +21,136 @@
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <sys/wait.h>
 #include <unistd.h>
-// return 0 if file not found, 1 if found
+// spoof /etc/machine_id
-static int check_dir_or_file(const char *name) {
+void fs_machineid(void) {
-        assert(name);
+        union machineid_t {
-        invalid_filename(name);
+                uint8_t u8[16];
+                uint32_t u32[4];
+        } mid;
+        // if --machine-id flag is active, do nothing
+        if (arg_machineid)
+                return;
+        // init random number generator
+        srand(time(NULL));
        
+        // generate random id
+        mid.u32[0] = rand();
+        mid.u32[1] = rand();
+        mid.u32[2] = rand();
+        mid.u32[3] = rand();
+        
+        // UUID version 4 and DCE variant
+        mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
+        mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
+        
+        // write it in a file
+        FILE *fp = fopen(RUN_MACHINEID, "w");
+        if (!fp)
+                errExit("fopen");
+        fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
+        fclose(fp);
+        if (set_perms(RUN_MACHINEID, 0, 0, 0444))
+                errExit("set_perms");
+                
+        struct stat s;
+        if (stat("/etc/machine-id", &s) == 0) {
+                if (arg_debug)
+                        printf("installing a new /etc/machine-id\n");
+                if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+                        errExit("mount");
+        }
+        if (stat("/var/lib/dbus/machine-id", &s) == 0) {
+                if (mount(RUN_MACHINEID, "/var/lib/dbus/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+                        errExit("mount");
+        }
+}
+// return 0 if file not found, 1 if found
+static int check_dir_or_file(const char *fname) {
+        assert(fname);
        struct stat s;
-        char *fname;
-        if (asprintf(&fname, "/etc/%s", name) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("Checking %s\n", fname);         
        if (stat(fname, &s) == -1) {
                if (arg_debug)
                        printf("Warning: file %s not found.\n", fname);
                return 0;
        }
-        
+        // read access
+        if (access(fname, R_OK) == -1)
+                goto errexit;
        // dir or regular file
-        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) {
+        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || !is_link(fname))
-                free(fname);
+                return 1;       // normal exit
-                return 1;
-        }
-        if (!is_link(fname)) {
+errexit:        
-                free(fname);
-                return 1;
-        }
-        
        fprintf(stderr, "Error: invalid file type, %s.\n", fname);
        exit(1);
 }
-void fs_check_etc_list(void) {
+static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
-        EUID_ASSERT();
+        if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
-        if (strstr(cfg.etc_private_keep, "..")) {
+                fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
-                fprintf(stderr, "Error: invalid private etc list\n");
                exit(1);
        }
-        
+        invalid_filename(fname);
-        char *dlist = strdup(cfg.etc_private_keep);
-        if (!dlist)
-                errExit("strdup");
-        
-        // build a new list only with the files found
-        char *newlist = malloc(strlen(cfg.etc_private_keep) + 1);
-        if (!newlist)
-                errExit("malloc");
-        *newlist = '\0';
-        char *ptr = strtok(dlist, ",");
-        if (check_dir_or_file(ptr))
-                strcat(newlist, ptr);
-        while ((ptr = strtok(NULL, ",")) != NULL) {
-                if (check_dir_or_file(ptr)) {
-                        strcat(newlist, ",");
-                        strcat(newlist, ptr);
-                }
-        }
-        cfg.etc_private_keep = newlist;
-        
-        free(dlist);
-}
-static void duplicate(char *fname) {
-        char *cmd;
-        // copy the file - this code assumes ETC_DIR is actually MNT_DIR/etc
+        char *src;
-        if (asprintf(&cmd, "%s -a --parents /etc/%s %s", RUN_CP_COMMAND, fname, RUN_MNT_DIR) == -1)
+        if (asprintf(&src,  "%s/%s", private_dir, fname) == -1)
                errExit("asprintf");
+        if (check_dir_or_file(src) == 0) {
+                if (!arg_quiet)
+                        fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir);
+                free(src);
+                return;
+        }
        if (arg_debug)
-                printf("%s\n", cmd);
+                printf("copying %s to private %s\n", src, private_dir);
-        if (system(cmd))
+                
-                fprintf(stderr, "Warning (fs_etc): error copying file /etc/%s, skipping...\n", fname);
+        struct stat s;
+        if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
+                // create the directory in RUN_ETC_DIR
+                char *dirname;
+                if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1)
+                        errExit("asprintf");
+                create_empty_dir_as_root(dirname, s.st_mode);
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
+                free(dirname);
+        }
+        else
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
-        free(cmd);
+        fs_logger2("clone", src);
-        
+        free(src);
-        char *name;
-        if (asprintf(&name, "/etc/%s", fname) == -1)
-                errExit("asprintf");
-        fs_logger2("clone", name);
-        free(name);
 }
-void fs_private_etc_list(void) {
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
-        char *private_list = cfg.etc_private_keep;
+        assert(private_dir);
+        assert(private_run_dir);
        assert(private_list);
        
-        struct stat s;
+        // create /run/firejail/mnt/etc directory
-        if (stat("/etc", &s) == -1) {
+        mkdir_attr(private_run_dir, 0755, 0, 0);
-                fprintf(stderr, "Error: cannot find user /etc directory\n");
+        fs_logger2("tmpfs", private_dir);
-                exit(1);
-        }
-        // create /tmp/firejail/mnt/etc directory
-        fs_build_mnt_dir();
-        int rv = mkdir(RUN_ETC_DIR, 0755);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown(RUN_ETC_DIR, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(RUN_ETC_DIR, 0755) < 0)
-                errExit("chmod");
-        fs_logger("tmpfs /etc");
        
-        // copy the list of files in the new etc directory
-        // using a new child process without root privileges
        fs_logger_print();      // save the current log
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
+        // copy the list of files in the new etc directory
-        if (child == 0) {
+        // using a new child process with root privileges
+        if (*private_list != '\0') {
                if (arg_debug)
-                        printf("Copying files in the new etc directory:\n");
+                        printf("Copying files in the new %s directory:\n", private_dir);
-                // elevate privileges - files in the new /etc directory belong to root
-                if (setreuid(0, 0) < 0)
-                        errExit("setreuid");
-                if (setregid(0, 0) < 0)
-                        errExit("setregid");
-                
                // copy the list of files in the new home directory
                char *dlist = strdup(private_list);
                if (!dlist)
@@ -152,21 +158,18 @@ void fs_private_etc_list(void) {
        
                char *ptr = strtok(dlist, ",");
-                duplicate(ptr);
+                duplicate(ptr, private_dir, private_run_dir);
        
                while ((ptr = strtok(NULL, ",")) != NULL)
-                        duplicate(ptr);
+                        duplicate(ptr, private_dir, private_run_dir);
                free(dlist);    
                fs_logger_print();
-                exit(0);
        }
-        // wait for the child to finish
+        
-        waitpid(child, NULL, 0);
        if (arg_debug)
-                printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
+                printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
-        if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
-        fs_logger("mount /etc");
+        fs_logger2("mount", private_dir);
 }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index d4a16da0a..0872bf0d0 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -28,11 +28,13 @@
 #include <sys/wait.h>
 #include <unistd.h>
 #include <grp.h>
+//#include <ftw.h>
 static void skel(const char *homedir, uid_t u, gid_t g) {
        char *fname;
        // zsh
-        if (arg_zsh) {
+        if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                // copy skel files
                if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                        errExit("asprintf");
@@ -41,13 +43,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                if (stat(fname, &s) == 0)
                        return;
                if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        if (is_link("/etc/skel/.zshrc")) {
+                        if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n");
-                                exit(1);
-                        }
-                        if (copy_file("/etc/skel/.zshrc", fname) == 0) {
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
                                fs_logger("clone /etc/skel/.zshrc");
                        }
                }
@@ -55,18 +51,15 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        FILE *fp = fopen(fname, "w");
                        if (fp) {
                                fprintf(fp, "\n");
+                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
                                fclose(fp);
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
-                                if (chmod(fname, S_IRUSR | S_IWUSR) < 0)
-                                        errExit("chown");
                                fs_logger2("touch", fname);
                        }
                }
                free(fname);
        }
        // csh
-        else if (arg_csh) {
+        else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                // copy skel files
                if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                        errExit("asprintf");
@@ -75,13 +68,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                if (stat(fname, &s) == 0)
                        return;
                if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        if (is_link("/etc/skel/.cshrc")) {
+                        if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n");
-                                exit(1);
-                        }
-                        if (copy_file("/etc/skel/.cshrc", fname) == 0) {
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
                                fs_logger("clone /etc/skel/.cshrc");
                        }
                }
@@ -90,11 +77,8 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        FILE *fp = fopen(fname, "w");
                        if (fp) {
                                fprintf(fp, "\n");
+                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
                                fclose(fp);
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
-                                if (chmod(fname, S_IRUSR | S_IWUSR) < 0)
-                                        errExit("chown");
                                fs_logger2("touch", fname);
                        }
                }
@@ -110,14 +94,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                if (stat(fname, &s) == 0) 
                        return;
                if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        if (is_link("/etc/skel/.bashrc")) {
+                        if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n");
-                                exit(1);
-                        }
-                        if (copy_file("/etc/skel/.bashrc", fname) == 0) {
-                                /* coverity[toctou] */
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
                                fs_logger("clone /etc/skel/.bashrc");
                        }
                }
@@ -127,8 +104,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 static int store_xauthority(void) {
        // put a copy of .Xauthority in XAUTHORITY_FILE
-        fs_build_mnt_dir();
        char *src;
        char *dest = RUN_XAUTHORITY_FILE;
        if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
@@ -137,11 +112,11 @@ static int store_xauthority(void) {
        struct stat s;
        if (stat(src, &s) == 0) {
                if (is_link(src)) {
-                        fprintf(stderr, "Error: invalid .Xauthority file\n");
+                        fprintf(stderr, "Warning: invalid .Xauthority file\n");
-                        exit(1);
+                        return 0;
                }
                        
-                int rv = copy_file(src, dest);
+                int rv = copy_file(src, dest, -1, -1, 0600);
                if (rv) {
                        fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
                        return 0;
@@ -153,9 +128,6 @@ static int store_xauthority(void) {
 }
 static int store_asoundrc(void) {
-        // put a copy of .Xauthority in XAUTHORITY_FILE
-        fs_build_mnt_dir();
        char *src;
        char *dest = RUN_ASOUNDRC_FILE;
        if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
@@ -165,6 +137,7 @@ static int store_asoundrc(void) {
        if (stat(src, &s) == 0) {
                if (is_link(src)) {
                        // make sure the real path of the file is inside the home directory
+                        /* coverity[toctou] */
                        char* rp = realpath(src, NULL);
                        if (!rp) {
                                fprintf(stderr, "Error: Cannot access %s\n", src);
@@ -177,7 +150,7 @@ static int store_asoundrc(void) {
                        free(rp);
                }
-                int rv = copy_file(src, dest);
+                int rv = copy_file(src, dest, -1, -1, -0644);
                if (rv) {
                        fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
                        return 0;
@@ -194,17 +167,12 @@ static void copy_xauthority(void) {
        char *dest;
        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                errExit("asprintf");
-        int rv = copy_file(src, dest);
+        // copy, set permissions and ownership
+        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
        if (rv)
                fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
        else {
                fs_logger2("clone", dest);
-        
-                // set permissions and ownership
-                if (chown(dest, getuid(), getgid()) < 0)
-                        errExit("chown");
-                if (chmod(dest, S_IRUSR | S_IWUSR) < 0)
-                        errExit("chmod");
        }
        
        // delete the temporary file
@@ -217,17 +185,12 @@ static void copy_asoundrc(void) {
        char *dest;
        if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
                errExit("asprintf");
-        int rv = copy_file(src, dest);
+        // copy, set permissions and ownership
+        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
        if (rv)
                fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
        else {
                fs_logger2("clone", dest);
-        
-                // set permissions and ownership
-                if (chown(dest, getuid(), getgid()) < 0)
-                        errExit("chown");
-                if (chmod(dest, S_IRUSR | S_IWUSR) < 0)
-                        errExit("chmod");
        }
        // delete the temporary file
@@ -250,17 +213,11 @@ void fs_private_homedir(void) {
        
        uid_t u = getuid();
        gid_t g = getgid();
-        struct stat s;
-        if (stat(homedir, &s) == -1) {
-                fprintf(stderr, "Error: cannot find user home directory\n");
-                exit(1);
-        }
-        
        // mount bind private_homedir on top of homedir
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
-        if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger3("mount-bind", private_homedir, cfg.homedir);
        fs_logger2("whitelist", cfg.homedir);
@@ -274,7 +231,7 @@ void fs_private_homedir(void) {
                // mask /root
                if (arg_debug)
                        printf("Mounting a new /root directory\n");
-                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                        errExit("mounting home directory");
                fs_logger("tmpfs /root");
        }
@@ -282,7 +239,7 @@ void fs_private_homedir(void) {
                // mask /home
                if (arg_debug)
                        printf("Mounting a new /home directory\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting home directory");
                fs_logger("tmpfs /home");
        }
@@ -312,14 +269,14 @@ void fs_private(void) {
        // mask /home
        if (arg_debug)
                printf("Mounting a new /home directory\n");
-        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mounting home directory");
        fs_logger("tmpfs /home");
        // mask /root
        if (arg_debug)
                printf("Mounting a new /root directory\n");
-        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                errExit("mounting root directory");
        fs_logger("tmpfs /root");
@@ -343,8 +300,8 @@ void fs_private(void) {
                copy_xauthority();
        if (aflag)
                copy_asoundrc();
-}
+}
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void) {
@@ -384,3 +341,163 @@ void fs_check_private_dir(void) {
        }
 }
+//***********************************************************************************
+// --private-home
+//***********************************************************************************
+static char *check_dir_or_file(const char *name) {
+        assert(name);
+        // basic checks
+        invalid_filename(name);
+        if (arg_debug)
+                printf("Private home: checking %s\n", name);
+        // expand home directory
+        char *fname = expand_home(name, cfg.homedir);
+        assert(fname);
+        // If it doesn't start with '/', it must be relative to homedir
+        if (fname[0] != '/') {
+                char* tmp;
+                if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1)
+                        errExit("asprintf");
+                free(fname);
+                fname = tmp;
+        }
+        // we allow only files in user home directory or symbolic links to files or directories owned by the user
+        struct stat s;
+        if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) {
+                if (stat(fname, &s) == 0) {     
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname);
+                                exit(1);
+                        }
+                        return fname;
+                }
+                else {
+                        fprintf(stderr, "Error: invalid file %s\n", name);
+                        exit(1);
+                }
+        }
+        else {
+                // check the file is in user home directory, a full home directory is not allowed
+                char *rname = realpath(fname, NULL);
+                if (!rname ||
+                    strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 ||
+                    strcmp(rname, cfg.homedir) == 0) {
+                        fprintf(stderr, "Error: invalid file %s\n", name);
+                        exit(1);
+                }
+                
+                // only top files and directories in user home are allowed
+                char *ptr = rname + strlen(cfg.homedir);
+                assert(*ptr != '\0');
+                ptr = strchr(++ptr, '/');
+                if (ptr) {
+                        if (*ptr != '\0') {
+                                fprintf(stderr, "Error: only top files and directories in user home are allowed\n");
+                                exit(1);
+                        }
+                }
+                free(fname);
+                return rname;
+        }
+}
+static void duplicate(char *name) {
+        char *fname = check_dir_or_file(name);
+        if (arg_debug)
+                printf("Private home: duplicating %s\n", fname);
+        assert(strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0);
+        struct stat s;
+        if (lstat(fname, &s) == -1) {
+                free(fname);
+                return;
+        }
+        else if (S_ISDIR(s.st_mode)) {
+                // create the directory in RUN_HOME_DIR
+                char *name;
+                char *ptr = strrchr(fname, '/');
+                ptr++;
+                if (asprintf(&name, "%s/%s", RUN_HOME_DIR, ptr) == -1)
+                        errExit("asprintf");
+                mkdir_attr(name, 0755, getuid(), getgid());
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, name);
+                free(name);
+        }
+        else
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, RUN_HOME_DIR);
+        fs_logger2("clone", fname);
+        fs_logger_print();      // save the current log
+        free(fname);
+}
+// private mode (--private-home=list):
+//      mount homedir on top of /home/user,
+//      tmpfs on top of  /root in nonroot mode,
+//      tmpfs on top of /tmp in root mode,
+//      set skel files,
+//      restore .Xauthority
+void fs_private_home_list(void) {
+        char *homedir = cfg.homedir;
+        char *private_list = cfg.home_private_keep;
+        assert(homedir);
+        assert(private_list);
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
+        uid_t uid = getuid();
+        gid_t gid = getgid();
+        // create /run/firejail/mnt/home directory
+        mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
+        fs_logger_print();      // save the current log
+        if (arg_debug)
+                printf("Copying files in the new home:\n");
+        // copy the list of files in the new home directory
+        char *dlist = strdup(cfg.home_private_keep);
+        if (!dlist)
+                errExit("strdup");
+        
+        char *ptr = strtok(dlist, ",");
+        duplicate(ptr);
+        while ((ptr = strtok(NULL, ",")) != NULL)
+                duplicate(ptr);
+        fs_logger_print();      // save the current log
+        free(dlist);
+        if (arg_debug)
+                printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);
+        if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        if (uid != 0) {
+                // mask /root
+                if (arg_debug)
+                        printf("Mounting a new /root directory\n");
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+                        errExit("mounting home directory");
+        }
+        else {
+                // mask /home
+                if (arg_debug)
+                        printf("Mounting a new /home directory\n");
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mounting home directory");
+        }
+        skel(homedir, uid, gid);
+        if (xflag)
+                copy_xauthority();
+        if (aflag)
+                copy_asoundrc();
+}
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index aa391c0cb..b2e1b4a99 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -27,27 +27,14 @@
 void fs_hostname(const char *hostname) {
        struct stat s;
-        fs_build_mnt_dir();
        
        // create a new /etc/hostname
        if (stat("/etc/hostname", &s) == 0) {
                if (arg_debug)
                        printf("Creating a new /etc/hostname file\n");
-                FILE *fp = fopen(RUN_HOSTNAME_FILE, "w");
+                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                if (!fp) {
-                        fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTNAME_FILE);
-                        exit(1);
-                }
-                fprintf(fp, "%s\n", hostname);
-                fclose(fp);
-                
-                // mode and owner
-                if (chown(RUN_HOSTNAME_FILE, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                        errExit("chmod");
-                
                // bind-mount the file on top of /etc/hostname
                if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind /etc/hostname");
@@ -61,14 +48,13 @@ void fs_hostname(const char *hostname) {
                // copy /etc/host into our new file, and modify it on the fly
                /* coverity[toctou] */
                FILE *fp1 = fopen("/etc/hosts", "r");
-                if (!fp1) {
+                if (!fp1)
-                        fprintf(stderr, "Error: cannot open /etc/hosts\n");
+                        goto errexit;
-                        exit(1);
-                }
                FILE *fp2 = fopen(RUN_HOSTS_FILE, "w");
                if (!fp2) {
-                        fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTS_FILE);
+                        fclose(fp1);
-                        exit(1);
+                        goto errexit;
                }
                
                char buf[4096];
@@ -88,19 +74,20 @@ void fs_hostname(const char *hostname) {
                                fprintf(fp2, "%s\n", buf);
                }
                fclose(fp1);
-                fclose(fp2);
-                
                // mode and owner
-                if (chown(RUN_HOSTS_FILE, 0, 0) < 0)
+                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                        errExit("chown");
+                fclose(fp2);
-                if (chmod(RUN_HOSTS_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                        errExit("chmod");
                
                // bind-mount the file on top of /etc/hostname
                if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind /etc/hosts");
                fs_logger("create /etc/hosts");
        }
+        return;
+errexit:
+        fprintf(stderr, "Error: cannot create hostname file\n");
+        exit(1);
 }
 void fs_resolvconf(void) {
@@ -108,7 +95,6 @@ void fs_resolvconf(void) {
                return;
        struct stat s;
-        fs_build_mnt_dir();
        
        // create a new /etc/hostname
        if (stat("/etc/resolv.conf", &s) == 0) {
@@ -126,13 +112,11 @@ void fs_resolvconf(void) {
                        fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
                if (cfg.dns3)
                        fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
-                fclose(fp);
-                
                // mode and owner
-                if (chown(RUN_RESOLVCONF_FILE, 0, 0) < 0)
+                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                        errExit("chown");
-                if (chmod(RUN_RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+                fclose(fp);
-                        errExit("chmod");
                
                // bind-mount the file on top of /etc/hostname
                if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 30b0fe438..052a41457 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -97,11 +97,7 @@ void fs_logger_print(void) {
                perror("fopen");                
                return;
        }
-        
+        SET_PERMS_STREAM_NOERR(fp, getuid(), getgid(), 0644);
-        int rv = chown(RUN_FSLOGGER_FILE, getuid(), getgid());
-        (void) rv; // best effort!
-        rv = chmod(RUN_FSLOGGER_FILE, 0644);
-        (void) rv; // best effort!
        
        FsMsg *ptr = head;
        while (ptr) {
@@ -121,22 +117,6 @@ void fs_logger_change_owner(void) {
                errExit("chown");
 }
-void fs_logger_print_log_name(const char *name) {
-        EUID_ASSERT();
-        
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        fs_logger_print_log(pid);
-}
 void fs_logger_print_log(pid_t pid) {
        EUID_ASSERT();
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 398c534bf..5b6ceae90 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -22,8 +22,39 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <grp.h>
- #include <sys/wait.h>
+#include <sys/wait.h>
- 
+#include <string.h>
+static void mkdir_recursive(char *path) {
+        char *subdir = NULL;
+        struct stat s;
+        if (chdir("/")) {
+                fprintf(stderr, "Error: can't chdir to /");
+                return;
+        }
+        subdir = strtok(path, "/");
+        while(subdir) {
+                if (stat(subdir, &s) == -1) {
+                        /* coverity[toctou] */
+                        if (mkdir(subdir, 0700) == -1) {
+                                fprintf(stderr, "Warning: cannot create %s directory\n", subdir);
+                                return;
+                        }
+                } else if (!S_ISDIR(s.st_mode)) {
+                        fprintf(stderr, "Warning: '%s' exists, but is no directory\n", subdir);
+                        return;
+                }
+                if (chdir(subdir)) {
+                        fprintf(stderr, "Error: can't chdir to %s", subdir);
+                        return;
+                }
+                subdir = strtok(NULL, "/");
+        }
+}
 void fs_mkdir(const char *name) {
        EUID_ASSERT();
        
@@ -42,9 +73,72 @@ void fs_mkdir(const char *name) {
        }
        // create directory
-        if (mkdir(expanded, 0700) == -1)
+        pid_t child = fork();
-                fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+                // create directory
+                mkdir_recursive(expanded);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
 doexit:
        free(expanded);
 }       
+void fs_mkfile(const char *name) {
+        EUID_ASSERT();
+        
+        // check file name
+        invalid_filename(name);
+        char *expanded = expand_home(name, cfg.homedir);
+        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                fprintf(stderr, "Error: only files in user home are supported by mkfile\n");
+                exit(1);
+        }
+        struct stat s;
+        if (stat(expanded, &s) == 0) {
+                // file exists, do nothing
+                goto doexit;
+        }
+        // create file
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+                /* coverity[toctou] */
+                FILE *fp = fopen(expanded, "w");
+                if (!fp)
+                        fprintf(stderr, "Warning: cannot create %s file\n", expanded);
+                else {
+                        int fd = fileno(fp);
+                        if (fd == -1)
+                                errExit("fileno");
+                        int rv = fchmod(fd, 0600);
+                        (void) rv;
+                        fclose(fp);
+                }
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+doexit:
+        free(expanded);
+}
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index f6ca28227..719b55048 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -37,19 +37,13 @@ void fs_trace_preload(void) {
                FILE *fp = fopen("/etc/ld.so.preload", "w");
                if (!fp)
                        errExit("fopen");
+                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
                fclose(fp);
-                if (chown("/etc/ld.so.preload", 0, 0) < 0)
-                        errExit("chown");
-                if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                        errExit("chmod");
                fs_logger("touch /etc/ld.so.preload");
        }
 }
 void fs_trace(void) {
-        // create /tmp/firejail/mnt directory
-        fs_build_mnt_dir();
-        
        // create the new ld.so.preload file and mount-bind it
        if (arg_debug)
                printf("Create the new ld.so.preload file\n");
@@ -57,21 +51,20 @@ void fs_trace(void) {
        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
        if (!fp)
                errExit("fopen");
-        if (arg_trace)
+        if (arg_trace) {
                fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
+        }
        else if (arg_tracelog) {
                fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
                if (!arg_quiet)
                        printf("Blacklist violations are logged to syslog\n");
        }       
-        else
-                assert(0);
+        if (mask_x11_abstract_socket)
-                
+                fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR);
+        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
        fclose(fp);
-        if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(RUN_LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                errExit("chmod");
        
        // mount the new preload file
        if (arg_debug)
@@ -81,5 +74,3 @@ void fs_trace(void) {
        fs_logger("create /etc/ld.so.preload");
 }
-                
-        
-\ No newline at end of file
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f904fa5d9..f742e7e22 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -65,10 +65,9 @@ static void build_list(const char *srcdir) {
                        struct stat s;
                        char *name;
                        if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1)
-                                continue;
+                                errExit("asprintf");
-                        if (stat(name, &s) == -1)
+                        if (stat(name, &s) == -1 ||
-                                continue;
+                            S_ISLNK(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode)) {
                                free(name);
                                continue;
                        }
@@ -98,10 +97,7 @@ static void build_dirs(void) {
        // create directories under /var/log
        DirData *ptr = dirlist;
        while (ptr) {
-                if (mkdir(ptr->name, ptr->st_mode))
+                mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid);
-                        errExit("mkdir");
-                if (chown(ptr->name, ptr->st_uid, ptr->st_gid))
-                        errExit("chown");
                fs_logger2("mkdir", ptr->name);
                ptr = ptr->next;
        }
@@ -110,6 +106,7 @@ static void build_dirs(void) {
 void fs_var_log(void) {
        build_list("/var/log");
        
+        // note: /var/log is not created here, if it does not exist, this section fails.
        // create /var/log if it doesn't exit
        if (is_dir("/var/log")) {
                // extract group id for /var/log/wtmp
@@ -121,7 +118,7 @@ void fs_var_log(void) {
                // mount a tmpfs on top of /var/log
                if (arg_debug)
                        printf("Mounting tmpfs on /var/log\n");
-                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/log");
                fs_logger("tmpfs /var/log");
                
@@ -131,26 +128,22 @@ void fs_var_log(void) {
                // create an empty /var/log/wtmp file
                /* coverity[toctou] */
                FILE *fp = fopen("/var/log/wtmp", "w");
-                if (fp)
+                if (fp) {
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
                        fclose(fp);
-                if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
+                }
-                        errExit("chown");
-                if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-                        errExit("chmod");
                fs_logger("touch /var/log/wtmp");
                        
                // create an empty /var/log/btmp file
                fp = fopen("/var/log/btmp", "w");
-                if (fp)
+                if (fp) {
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
                        fclose(fp);
-                if (chown("/var/log/btmp", 0, wtmp_group) < 0)
+                }
-                        errExit("chown");
-                if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
-                        errExit("chmod");
                fs_logger("touch /var/log/btmp");
        }
        else
-                fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n");
+                fprintf(stderr, "Warning: cannot hide /var/log directory\n");
 }
 void fs_var_lib(void) {
@@ -160,7 +153,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/dhcp", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/dhcp\n");
-                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID |  MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/dhcp");
                fs_logger("tmpfs /var/lib/dhcp");
                        
@@ -169,11 +162,8 @@ void fs_var_lib(void) {
                
                if (fp) {
                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
                        fclose(fp);
-                        if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
-                                errExit("chown");
-                        if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
-                                errExit("chmod");
                        fs_logger("touch /var/lib/dhcp/dhcpd.leases");
                }
        }
@@ -182,7 +172,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/nginx", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/nginx\n");
-                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/nginx");
                fs_logger("tmpfs /var/lib/nginx");
        }                       
@@ -191,7 +181,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/snmp", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/snmp\n");
-                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/snmp");
                fs_logger("tmpfs /var/lib/snmp");
        }                       
@@ -200,7 +190,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/sudo", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/sudo\n");
-                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/sudo");
                fs_logger("tmpfs /var/lib/sudo");
        }                       
@@ -212,7 +202,7 @@ void fs_var_cache(void) {
        if (stat("/var/cache/apache2", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/cache/apache2\n");
-                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/cache/apache2");
                fs_logger("tmpfs /var/cache/apache2");
        }                       
@@ -220,7 +210,7 @@ void fs_var_cache(void) {
        if (stat("/var/cache/lighttpd", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/cache/lighttpd\n");
-                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/cache/lighttpd");
                fs_logger("tmpfs /var/cache/lighttpd");
@@ -232,18 +222,10 @@ void fs_var_cache(void) {
                        gid = p->pw_gid;
                }
                
-                int rv = mkdir("/var/cache/lighttpd/compress", 0755);
+                mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
-                        errExit("chown");
                fs_logger("mkdir /var/cache/lighttpd/compress");
-                rv = mkdir("/var/cache/lighttpd/uploads", 0755);
+                mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
-                        errExit("chown");
                fs_logger("/var/cache/lighttpd/uploads");
        }                       
 }
@@ -268,7 +250,7 @@ void fs_var_lock(void) {
        if (is_dir("/var/lock")) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lock\n");
-                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                        errExit("mounting /lock");
                fs_logger("tmpfs /var/lock");
        }
@@ -277,16 +259,11 @@ void fs_var_lock(void) {
                if (lnk) {
                        if (!is_dir(lnk)) {
                                // create directory
-                                if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
+                                mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
-                                        errExit("mkdir");
-                                if (chown(lnk, 0, 0))
-                                        errExit("chown");
-                                if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-                                        errExit("chmod");
                        }
                        if (arg_debug)
                                printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                errExit("mounting /var/lock");
                        free(lnk);
                        fs_logger("tmpfs /var/lock");
@@ -304,7 +281,7 @@ void fs_var_tmp(void) {
                if (!is_link("/var/tmp")) {
                        if (arg_debug)
                                printf("Mounting tmpfs on /var/tmp\n");
-                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                errExit("mounting /var/tmp");
                        fs_logger("tmpfs /var/tmp");
                }
@@ -327,9 +304,6 @@ void fs_var_utmp(void) {
                return;
        }
-        // create /tmp/firejail/mnt directory
-        fs_build_mnt_dir();
-        
        // create a new utmp file
        if (arg_debug)
                printf("Create the new utmp file\n");
@@ -353,16 +327,13 @@ void fs_var_utmp(void) {
                        
        // save new utmp file
        fwrite(&u_boot, sizeof(u_boot), 1, fp);
+        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
        fclose(fp);
-        if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
-                errExit("chown");
-        if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-                errExit("chmod");
        
        // mount the new utmp file
        if (arg_debug)
                printf("Mount the new utmp file\n");
-        if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                errExit("mount bind utmp");
        fs_logger("create /var/run/utmp");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 617e61dcd..b10858411 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -95,34 +95,29 @@ static char *resolve_downloads(void) {
                                        if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
                                                errExit("asprintf");
                                        
-                                        if (stat(fname, &s) == -1) {
+                                        if (stat(fname, &s) == -1)
-                                                fprintf(stderr, "***\n");
-                                                fprintf(stderr, "*** Error: directory %s not found.\n", fname);
-                                                fprintf(stderr, "*** \tThis directory is configured in ~/.config/user-dirs.dirs.\n");
-                                                fprintf(stderr, "*** \tPlease create a Downloads directory.\n");
-                                                fprintf(stderr, "***\n");
                                                free(fname);
-                                                return NULL;
+                                                goto errout;
-                                        }
                                
                                        char *rv;
                                        if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)
                                                errExit("asprintf");
                                        return rv;
                                }
-                                else {
+                                else
-                                        fprintf(stderr, "***\n");
+                                        goto errout;
-                                        fprintf(stderr, "*** Error: invalid XDG_DOWNLOAD_DIR entry in ~/.config/user-dirs.dirs.\n");
-                                        fprintf(stderr, "*** \tPlease specify a valid Downloads directory, example:\n");
-                                        fprintf(stderr, "***\n");
-                                        fprintf(stderr, "***\t\tXDG_DOWNLOAD_DIR=\"$HOME/Downloads\"\n");
-                                        fprintf(stderr, "***\n");
-                                        return NULL;
-                                }
                        }
                }
        }
+        
        fclose(fp);
+        return NULL;
+errout:
+        fprintf(stderr, "***\n");
+        fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n");
+        fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n");
+        fprintf(stderr, "***\n");
        
        return NULL;
 }
@@ -157,10 +152,8 @@ static int mkpath(const char* path, mode_t mode) {
                        }
                }
                else {
-                        if (chmod(file_path, mode) == -1)
+                        if (set_perms(file_path, uid, gid, mode))
-                                errExit("chmod");
+                                errExit("set_perms");
-                        if (chown(file_path, uid, gid) == -1)
-                                errExit("chown");
                        done = 1;
                }                       
@@ -181,66 +174,73 @@ static void whitelist_path(ProfileEntry *entry) {
        char *wfile = NULL;
        if (entry->home_dir) {
-                fname = path + strlen(cfg.homedir);
+                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {             
-                if (*fname == '\0') {
+                        fname = path + strlen(cfg.homedir);
-                        fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                        if (*fname == '\0')
-                        exit(1);
+                                goto errexit;
                }
+                else
+                        fname = path;
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
                        errExit("asprintf");
        }
        else if (entry->tmp_dir) {
                fname = path + 4; // strlen("/tmp")
-                if (*fname == '\0') {
+                if (*fname == '\0')
-                        fprintf(stderr, "Error: file %s is not in /tmp directory, exiting...\n", path);
+                        goto errexit;
-                        exit(1);
-                }
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
                        errExit("asprintf");
        }
        else if (entry->media_dir) {
                fname = path + 6; // strlen("/media")
-                if (*fname == '\0') {
+                if (*fname == '\0')
-                        fprintf(stderr, "Error: file %s is not in /media directory, exiting...\n", path);
+                        goto errexit;
-                        exit(1);
-                }
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
                        errExit("asprintf");
        }
+        else if (entry->mnt_dir) {
+                fname = path + 4; // strlen("/mnt")
+                if (*fname == '\0')
+                        goto errexit;
+                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1)
+                        errExit("asprintf");
+        }
        else if (entry->var_dir) {
                fname = path + 4; // strlen("/var")
-                if (*fname == '\0') {
+                if (*fname == '\0')
-                        fprintf(stderr, "Error: file %s is not in /var directory, exiting...\n", path);
+                        goto errexit;
-                        exit(1);
-                }
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
                        errExit("asprintf");
        }
        else if (entry->dev_dir) {
                fname = path + 4; // strlen("/dev")
-                if (*fname == '\0') {
+                if (*fname == '\0')
-                        fprintf(stderr, "Error: file %s is not in /dev directory, exiting...\n", path);
+                        goto errexit;
-                        exit(1);
-                }
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
                        errExit("asprintf");
        }
        else if (entry->opt_dir) {
                fname = path + 4; // strlen("/opt")
-                if (*fname == '\0') {
+                if (*fname == '\0')
-                        fprintf(stderr, "Error: file %s is not in /opt directory, exiting...\n", path);
+                        goto errexit;
-                        exit(1);
-                }
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
                        errExit("asprintf");
        }
+        else if (entry->srv_dir) {
+                fname = path + 4; // strlen("/srv")
+                if (*fname == '\0')
+                        goto errexit;
+                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
+                        errExit("asprintf");
+        }
        // check if the file exists
        struct stat s;
        if (wfile && stat(wfile, &s) == 0) {
@@ -248,9 +248,6 @@ static void whitelist_path(ProfileEntry *entry) {
                        printf("Whitelisting %s\n", path);
        }
        else {
-                if (arg_debug || arg_debug_whitelists) {
-                        fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);
-                }
                return;
        }
        
@@ -267,26 +264,31 @@ static void whitelist_path(ProfileEntry *entry) {
        
        // process regular file
        else {
-                // create an empty file
+                if (access(path, R_OK)) {
-                FILE *fp = fopen(path, "w");
+                        // create an empty file
-                if (!fp) {
+                        FILE *fp = fopen(path, "w");
-                        fprintf(stderr, "Error: cannot create empty file in home directory\n");
+                        if (!fp) {
-                        exit(1);
+                                fprintf(stderr, "Error: cannot create empty file in home directory\n");
+                                exit(1);
+                        }
+                        // set file properties
+                        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
+                        fclose(fp);
                }
-                fclose(fp);
+                else
+                        return; // the file is already present
        }
        
-        // set file properties
-        if (chown(path, s.st_uid, s.st_gid) < 0)
-                errExit("chown");
-        if (chmod(path, s.st_mode) < 0)
-                errExit("chmod");
        // mount
        if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
        free(wfile);
+        return;
+errexit:
+        fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path);
+        exit(1);
 }
@@ -302,10 +304,11 @@ void fs_whitelist(void) {
        int home_dir = 0;       // /home/user directory flag
        int tmp_dir = 0;        // /tmp directory flag
        int media_dir = 0;      // /media directory flag
+        int mnt_dir = 0;        // /mnt directory flag
        int var_dir = 0;                // /var directory flag
        int dev_dir = 0;                // /dev directory flag
        int opt_dir = 0;                // /opt directory flag
+        int srv_dir = 0;                // /srv directory flag
        // verify whitelist files, extract symbolic links, etc.
        while (entry) {
                // handle only whitelist commands
@@ -331,6 +334,8 @@ void fs_whitelist(void) {
                }
                // replace ~/ or ${HOME} into /home/username
+//              if (new_name)
+//                      free(new_name);
                new_name = expand_home(entry->data + 10, cfg.homedir);
                assert(new_name);
                if (arg_debug)
@@ -367,13 +372,17 @@ void fs_whitelist(void) {
                                tmp_dir = 1;
                        else if (strncmp(new_name, "/media/", 7) == 0)
                                media_dir = 1;
+                        else if (strncmp(new_name, "/mnt/", 5) == 0)
+                                mnt_dir = 1;
                        else if (strncmp(new_name, "/var/", 5) == 0)
                                var_dir = 1;
                        else if (strncmp(new_name, "/dev/", 5) == 0)
                                dev_dir = 1;
                        else if (strncmp(new_name, "/opt/", 5) == 0)
                                opt_dir = 1;
+                        else if (strncmp(new_name, "/srv/", 5) == 0)
+                                opt_dir = 1;
+                        
                        continue;
                }
                
@@ -390,12 +399,16 @@ void fs_whitelist(void) {
                        entry->home_dir = 1;
                        home_dir = 1;
+                        if (arg_debug || arg_debug_whitelists)
+                                fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+                                        __LINE__, fname, cfg.homedir);
                        // both path and absolute path are under /home
                        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                if (arg_debug)
+                                // check if the file is owned by the user
-                                        fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+                                struct stat s;
-                                                __LINE__, fname, cfg.homedir);
+                                if (stat(fname, &s) == 0 && s.st_uid != getuid())
-                                goto errexit;
+                                        goto errexit;
                        }
                }
                else if (strncmp(new_name, "/tmp/", 5) == 0) {
@@ -403,8 +416,6 @@ void fs_whitelist(void) {
                        tmp_dir = 1;
                        // both path and absolute path are under /tmp
                        if (strncmp(fname, "/tmp/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                goto errexit;
                        }
                }
@@ -413,8 +424,14 @@ void fs_whitelist(void) {
                        media_dir = 1;
                        // both path and absolute path are under /media
                        if (strncmp(fname, "/media/", 7) != 0) {
-                                if (arg_debug)
+                                goto errexit;
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
+                        }
+                }
+                else if (strncmp(new_name, "/mnt/", 5) == 0) {
+                        entry->mnt_dir = 1;
+                        mnt_dir = 1;
+                        // both path and absolute path are under /mnt
+                        if (strncmp(fname, "/mnt/", 5) != 0) {
                                goto errexit;
                        }
                }
@@ -428,8 +445,6 @@ void fs_whitelist(void) {
                        else if (strcmp(new_name, "/var/lock")== 0)
                                ;
                        else if (strncmp(fname, "/var/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                goto errexit;
                        }
                }
@@ -438,8 +453,6 @@ void fs_whitelist(void) {
                        dev_dir = 1;
                        // both path and absolute path are under /dev
                        if (strncmp(fname, "/dev/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                goto errexit;
                        }
                }
@@ -448,14 +461,18 @@ void fs_whitelist(void) {
                        opt_dir = 1;
                        // both path and absolute path are under /dev
                        if (strncmp(fname, "/opt/", 5) != 0) {
-                                if (arg_debug)
+                                goto errexit;
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
+                        }
+                }
+                else if (strncmp(new_name, "/srv/", 5) == 0) {
+                        entry->srv_dir = 1;
+                        srv_dir = 1;
+                        // both path and absolute path are under /srv
+                        if (strncmp(fname, "/srv/", 5) != 0) {
                                goto errexit;
                        }
                }
                else {
-                        if (arg_debug)
-                                fprintf(stderr, "Debug %d: \n", __LINE__);
                        goto errexit;
                }
@@ -480,21 +497,10 @@ void fs_whitelist(void) {
                entry = entry->next;
        }
                
-        // create mount points
-        fs_build_mnt_dir();
-        
        // /home/user
        if (home_dir) {
                // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
-                int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid());
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_HOME_USER_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -504,15 +510,8 @@ void fs_whitelist(void) {
        
        // /tmp mountpoint
        if (tmp_dir) {
-                // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
+                // keep a copy of real /tmp directory in  
-                int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
+                mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0)
-                        errExit("chmod");
-        
                if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -526,37 +525,51 @@ void fs_whitelist(void) {
        
        // /media mountpoint
        if (media_dir) {
-                // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
+                // some distros don't have a /media directory
-                int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
+                struct stat s;
-                if (rv == -1)
+                if (stat("/media", &s) == 0) {
-                        errExit("mkdir");
+                        // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-                if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
+                        mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0);
-                        errExit("chown");
+                        if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0)
+                                errExit("mount bind");
-                        errExit("chmod");
        
-                if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        // mount tmpfs on /media
-                        errExit("mount bind");
+                        if (arg_debug || arg_debug_whitelists)
-        
+                                printf("Mounting tmpfs on /media directory\n");
-                // mount tmpfs on /media
+                        if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                if (arg_debug || arg_debug_whitelists)
+                                errExit("mounting tmpfs on /media");
-                        printf("Mounting tmpfs on /media directory\n");
+                        fs_logger("tmpfs /media");
-                if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                }
-                        errExit("mounting tmpfs on /media");
+                else
-                fs_logger("tmpfs /media");
+                        media_dir = 0;
        }
+        // /mnt mountpoint
+        if (mnt_dir) {
+                // check if /mnt directory exists
+                struct stat s;
+                if (stat("/mnt", &s) == 0) {
+                        // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR
+                        mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0);
+                        if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        // mount tmpfs on /mnt
+                        if (arg_debug || arg_debug_whitelists)
+                                printf("Mounting tmpfs on /mnt directory\n");
+                        if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                                errExit("mounting tmpfs on /mnt");
+                        fs_logger("tmpfs /mnt");
+                }
+                else
+                        mnt_dir = 0;
+        }
        // /var mountpoint
        if (var_dir) {
                // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
-                int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_VAR_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -571,14 +584,7 @@ void fs_whitelist(void) {
        // /dev mountpoint
        if (dev_dir) {
                // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
-                int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount bind");
        
@@ -593,14 +599,7 @@ void fs_whitelist(void) {
        // /opt mountpoint
        if (opt_dir) {
                // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
-                int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_OPT_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -612,6 +611,29 @@ void fs_whitelist(void) {
                fs_logger("tmpfs /opt");
        }
+        // /srv mountpoint
+        if (srv_dir) {
+                // check if /srv directory exists
+                struct stat s;
+                if (stat("/srv", &s) == 0) {
+                        // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
+                        mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0);
+                        if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        // mount tmpfs on /srv
+                        if (arg_debug || arg_debug_whitelists)
+                                printf("Mounting tmpfs on /srv directory\n");
+                        if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                                errExit("mounting tmpfs on /srv");
+                        fs_logger("tmpfs /srv");
+                }
+                else
+                        srv_dir = 0;
+        }
+        
        // go through profile rules again, and interpret whitelist commands
        entry = cfg.profile;
        while (entry) {
@@ -696,6 +718,20 @@ void fs_whitelist(void) {
                fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR);
        }
+        // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR
+        if (mnt_dir) {
+                if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
+        }
+        // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
+        if (srv_dir) {
+                if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
+        }
        if (new_name)
                free(new_name);
                
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 98e140ce4..bcf951f33 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -23,12 +23,19 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <sys/prctl.h>
+#include <errno.h>
 static int apply_caps = 0;
 static uint64_t caps = 0;
 static int apply_seccomp = 0;
 #define BUFLEN 4096
+static void signal_handler(int sig){
+        flush_stdin();
+        exit(sig);
+}
 static void extract_command(int argc, char **argv, int index) {
        EUID_ASSERT();
        if (index >= argc)
@@ -48,22 +55,9 @@ static void extract_command(int argc, char **argv, int index) {
                exit(1);
        }
-        int len = 0;
-        int i;
-        // calculate command length
-        for (i = index; i < argc; i++) {
-                len += strlen(argv[i]) + 1;
-        }
-        assert(len > 0);
        // build command
-        cfg.command_line = malloc(len + 1);
+        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
-        *cfg.command_line = '\0';
-        for (i = index; i < argc; i++) {
-                strcat(cfg.command_line, argv[i]);
-                strcat(cfg.command_line, " ");
-        }
        if (arg_debug)
                printf("Extracted command #%s#\n", cfg.command_line);
 }
@@ -134,7 +128,7 @@ static void extract_caps_seccomp(pid_t pid) {
                        break;
                }
                else if (strncmp(buf, "CapBnd:", 7) == 0) {             
-                        char *ptr = buf + 8;
+                        char *ptr = buf + 7;
                        unsigned long long val;
                        sscanf(ptr, "%llx", &val);
                        apply_caps = 1;
@@ -179,26 +173,12 @@ static void extract_user_namespace(pid_t pid) {
        free(uidmap);
 }
-void join_name(const char *name, int argc, char **argv, int index) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        join(pid, argc, argv, index);
-}
 void join(pid_t pid, int argc, char **argv, int index) {
        EUID_ASSERT();
        char *homedir = cfg.homedir;
        
        extract_command(argc, argv, index);
+        signal (SIGTERM, signal_handler);
        // if the pid is that of a firejail  process, use the pid of the first child process
        EUID_ROOT();
@@ -249,15 +229,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        exit(1);
        }
        else {
-                if (join_namespace(pid, "ipc"))
+                if (join_namespace(pid, "ipc") ||
-                        exit(1);
+                    join_namespace(pid, "net") ||
-                if (join_namespace(pid, "net"))
+                    join_namespace(pid, "pid") ||
-                        exit(1);
+                    join_namespace(pid, "uts") ||
-                if (join_namespace(pid, "pid"))
+                    join_namespace(pid, "mnt"))
-                        exit(1);
-                if (join_namespace(pid, "uts"))
-                        exit(1);
-                if (join_namespace(pid, "mnt"))
                        exit(1);
        }
@@ -297,24 +273,17 @@ void join(pid_t pid, int argc, char **argv, int index) {
                if (apply_caps == 1)    // not available for uid 0
                        caps_set(caps);
 #ifdef HAVE_SECCOMP
-                // set protocol filter
+                // read cfg.protocol from file
                if (getuid() != 0)
                        protocol_filter_load(RUN_PROTOCOL_CFG);
                if (cfg.protocol) {     // not available for uid 0
-                        protocol_filter();
+                        seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter       
                }
                                
                // set seccomp filter
                if (apply_seccomp == 1) // not available for uid 0
-                        seccomp_set();
+                        seccomp_load(RUN_SECCOMP_CFG);
-                
 #endif
-                
-                // fix qt 4.8
-                if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
-                        errExit("setenv");
-                if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
-                        errExit("setenv");
                // mount user namespace or drop privileges
                if (arg_noroot) {       // not available for uid 0
@@ -322,76 +291,61 @@ void join(pid_t pid, int argc, char **argv, int index) {
                                printf("Joining user namespace\n");
                        if (join_namespace(1, "user"))
                                exit(1);
+                        // user namespace resets capabilities
+                        // set caps filter
+                        if (apply_caps == 1)    // not available for uid 0
+                                caps_set(caps);
                }
                else 
                        drop_privs(arg_nogroups);       // nogroups not available for uid 0
-                // set prompt color to green
-                //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
-                if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
-                        errExit("setenv");
-                // run cmdline trough /bin/bash
+                // set nice
+                if (arg_nice) {
+                        errno = 0;
+                        int rv = nice(cfg.nice);
+                        (void) rv;
+                        if (errno) {
+                                fprintf(stderr, "Warning: cannot set nice value\n");
+                                errno = 0;
+                        }
+                }
+                env_defaults();
                if (cfg.command_line == NULL) {
-                        struct stat s;
+                        assert(cfg.shell);
+                        cfg.command_line = cfg.shell;
+                        cfg.window_title = cfg.shell;
+                }
-                        // replace the process with a shell
+                int cwd = 0;
-                        if (stat("/bin/bash", &s) == 0)
+                if (cfg.cwd) {
-                                execlp("/bin/bash", "/bin/bash", NULL);
+                        if (chdir(cfg.cwd) == 0)
-                        else if (stat("/usr/bin/zsh", &s) == 0)
+                                cwd = 1;
-                                execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL);
-                        else if (stat("/bin/csh", &s) == 0)
-                                execlp("/bin/csh", "/bin/csh", NULL);
-                        else if (stat("/bin/sh", &s) == 0)
-                                execlp("/bin/sh", "/bin/sh", NULL);
-                        
-                        // no shell found, print an error and exit
-                        fprintf(stderr, "Error: no POSIX shell found\n");
-                        sleep(5);
-                        exit(1);
                }
-                else {
-                        // run the command supplied by the user
-                        int cwd = 0;
-                        if (cfg.cwd) {
-                                if (chdir(cfg.cwd) == 0)
-                                        cwd = 1;
-                        }
-                        
-                        if (!cwd) {
-                                if (chdir("/") < 0)
-                                        errExit("chdir");
-                                if (cfg.homedir) {
-                                        struct stat s;
-                                        if (stat(cfg.homedir, &s) == 0) {
-                                                if (chdir(cfg.homedir) < 0)
-                                                        errExit("chdir");
-                                        }
-                                }
-                        }
-                        char *arg[5];
+                if (!cwd) {
-                        arg[0] = "/bin/bash";
+                        if (chdir("/") < 0)
-                        arg[1] = "-c";
+                                errExit("chdir");
-                        if (arg_debug)
+                        if (cfg.homedir) {
-                                printf("Starting %s\n", cfg.command_line);
+                                struct stat s;
-                        if (!arg_doubledash) {
+                                if (stat(cfg.homedir, &s) == 0) {
-                                arg[2] = cfg.command_line;
+                                        /* coverity[toctou] */
-                                arg[3] = NULL;
+                                        if (chdir(cfg.homedir) < 0)
-                        }
+                                                errExit("chdir");
-                        else {
+                                }
-                                arg[2] = "--";
-                                arg[3] = cfg.command_line;
-                                arg[4] = NULL;
                        }
-                        execvp("/bin/bash", arg);
                }
+                start_application();
                // it will never get here!!!
        }
        // wait for the child to finish
        waitpid(child, NULL, 0);
+        flush_stdin();
        exit(0);
 }
diff --git a/src/firejail/list.c b/src/firejail/list.c
deleted file mode 100644
index cd53264b6..000000000
--- a/src/firejail/list.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <sys/types.h>
-#include <sys/stat.h>
-static void grsec_elevate_privileges(void) {
-        struct stat s;
-        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-                EUID_ROOT();
-                // elevate privileges
-                if (setreuid(0, 0))
-                        errExit("setreuid");
-                if (setregid(0, 0))
-                        errExit("setregid");
-        }
-}
-void top(void) {
-        EUID_ASSERT();
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --top";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
-void netstats(void) {
-        EUID_ASSERT();
-        grsec_elevate_privileges();     
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --netstats";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
-void list(void) {
-        EUID_ASSERT();
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --list";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
-void tree(void) {
-        EUID_ASSERT();
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --tree";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 444b5b69e..77eb35f97 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -185,23 +185,26 @@ static void print_directory(const char *path) {
        free(namelist);
 }
-void sandboxfs_name(int op, const char *name, const char *path) {
+char *expand_path(const char *path) {
-        EUID_ASSERT();
+        char *fname = NULL;
-        
+        if (*path == '/') {
-        if (!name || strlen(name) == 0) {
+                fname = strdup(path);
-                fprintf(stderr, "Error: invalid sandbox name\n");
+                if (!fname)
-                exit(1);
+                        errExit("strdup");
        }
-        pid_t pid;
+        else if (*path == '~') {
-        if (name2pid(name, &pid)) {
+                if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                        errExit("asprintf");
-                exit(1);
        }
+        else {
-        sandboxfs(op, pid, path);
+                // assume the file is in current working directory
+                if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1)
+                        errExit("asprintf");
+        }               
+        return fname;
 }
-void sandboxfs(int op, pid_t pid, const char *path) {
+void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
        EUID_ASSERT();
        // if the pid is that of a firejail  process, use the pid of the first child process
@@ -228,22 +231,17 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                }
        }
-        // full path or file in current directory?
+        // expand paths
-        char *fname;
+        char *fname1 = expand_path(path1);;
-        if (*path == '/') {
+        char *fname2 = NULL;
-                fname = strdup(path);
+        if (path2 != NULL) {
-                if (!fname)
+                fname2 = expand_path(path2);
-                        errExit("strdup");
        }
-        else if (*path == '~') {
+        if (arg_debug) {
-                if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
+                printf("file1 %s\n", fname1);
-                        errExit("asprintf");
+                printf("file2 %s\n", fname2);
        }
-        else {
+                
-                fprintf(stderr, "Error: Cannot access %s\n", path);
-                exit(1);
-        }
        // sandbox root directory
        char *rootdir;
        if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
@@ -257,43 +255,39 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                if (chdir("/") < 0)
                        errExit("chdir");
                
-                // access chek is performed with the real UID
+                // drop privileges
-                if (access(fname, R_OK) == -1) {
+                drop_privs(0);
-                        fprintf(stderr, "Error: Cannot access %s\n", fname);
+                // check access
+                if (access(fname1, R_OK) == -1) {
+                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
+                        exit(1);
+                }
+                /* coverity[toctou] */
+                char *rp = realpath(fname1, NULL);
+                if (!rp) {
+                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
                        exit(1);
                }
+                if (arg_debug)
+                        printf("realpath %s\n", rp);
+                
        
                // list directory contents
                struct stat s;
-                if (stat(fname, &s) == -1) {
+                if (stat(rp, &s) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname);
+                        fprintf(stderr, "Error: Cannot access %s\n", rp);
                        exit(1);
                }
                if (S_ISDIR(s.st_mode)) {
-                        char *rp = realpath(fname, NULL);
-                        if (!rp) {
-                                fprintf(stderr, "Error: Cannot access %s\n", fname);
-                                exit(1);
-                        }
-                        if (arg_debug)
-                                printf("realpath %s\n", rp);
-        
                        char *dir;
                        if (asprintf(&dir, "%s/", rp) == -1)
                                errExit("asprintf");
                        
                        print_directory(dir);
-                        free(rp);
                        free(dir);
                }
                else {
-                        char *rp = realpath(fname, NULL);
-                        if (!rp) {
-                                fprintf(stderr, "Error: Cannot access %s\n", fname);
-                                exit(1);
-                        }
-                        if (arg_debug)
-                                printf("realpath %s\n", rp);
                        char *split = strrchr(rp, '/');
                        if (split) {
                                *split = '\0';
@@ -302,25 +296,32 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                                        printf("path %s, file %s\n", rp, rp2);
                                print_file_or_dir(rp, rp2, 1);
                        }
-                        free(rp);
                }
+                free(rp);
        }
        
        // get file from sandbox and store it in the current directory
        else if (op == SANDBOX_FS_GET) {
-                // check source file (sandbox)
+                char *src_fname =fname1;
-                char *src_fname;
+                char *dest_fname = strrchr(fname1, '/');
-                if (asprintf(&src_fname, "%s%s", rootdir, fname) == -1)
+                if (!dest_fname || *(++dest_fname) == '\0') {
-                        errExit("asprintf");
+                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
-                EUID_ROOT();
-                struct stat s;
-                if (stat(src_fname, &s) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname);
                        exit(1);
                }
+                EUID_ROOT();
+                if (arg_debug)
+                        printf("copy %s to %s\n", src_fname, dest_fname);
+                // create a user-owned temporary file in /run/firejail directory
+                char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
+                int fd = mkstemp(tmp_fname);
+                if (fd != -1) {
+                        SET_PERMS_FD(fd, getuid(), getgid(), 0600);
+                        close(fd);
+                }
                
-                
+                // copy the source file into the temporary file - we need to chroot
-                // try to open the source file - we need to chroot
                pid_t child = fork();
                if (child < 0)
                        errExit("fork");
@@ -334,55 +335,139 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                        // drop privileges
                        drop_privs(0);
                        
-                        // try to read the file
+                        // copy the file
-                        if (access(fname, R_OK) == -1) {
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
-                                fprintf(stderr, "Error: Cannot read %s\n", fname);
+                                _exit(1);
-                                exit(1);
+#ifdef HAVE_GCOV
-                        }
+                        __gcov_flush();
-                        exit(0);
+#endif
+                        _exit(0);
                }
                // wait for the child to finish
                int status = 0;
                waitpid(child, &status, 0);
                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else
+                else {
+                        unlink(tmp_fname);
                        exit(1);
-                EUID_USER();
+                }
                
-                // check destination file (host)
+                // copy the temporary file into the destionation file
-                char *dest_fname = strrchr(fname, '/');
+                child = fork();
-                if (!dest_fname || *(++dest_fname) == '\0') {
+                if (child < 0)
-                        fprintf(stderr, "Error: invalid file name %s\n", fname);
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+                        
+                        // copy the file
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                                _exit(1);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                status = 0;
+                waitpid(child, &status, 0);
+                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
+                else {
+                        unlink(tmp_fname);
                        exit(1);
                }
                
-                if (access(dest_fname, F_OK) == -1) {
+                // remove the temporary file
-                        // try to create the file
+                unlink(tmp_fname);
-                        FILE *fp = fopen(dest_fname, "w");
+                EUID_USER();
-                        if (!fp) {
+        }
-                                fprintf(stderr, "Error: cannot create %s\n", dest_fname);
+        // get file from host and store it in the sandbox
-                                exit(1);
+        else if (op == SANDBOX_FS_PUT && path2) {
-                        }
+                char *src_fname =fname1;
-                        fclose(fp);
+                char *dest_fname = fname2;
+                EUID_ROOT();
+                if (arg_debug)
+                        printf("copy %s to %s\n", src_fname, dest_fname);
+                // create a user-owned temporary file in /run/firejail directory
+                char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
+                int fd = mkstemp(tmp_fname);
+                if (fd == -1) {
+                        fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname);
+                        exit(1);
+                }
+                SET_PERMS_FD(fd, getuid(), getgid(), 0600);
+                close(fd);
+        
+                // copy the source file into the temporary file - we need to chroot
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+                        
+                        // copy the file
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                                _exit(1);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
                }
+                // wait for the child to finish
+                int status = 0;
+                waitpid(child, &status, 0);
+                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
                else {
-                        if (access(dest_fname, W_OK) == -1) {
+                        unlink(tmp_fname);
-                                fprintf(stderr, "Error: cannot write %s\n", dest_fname);
+                        exit(1);
-                                exit(1);
-                        }
                }
-                // copy file
+                
-                EUID_ROOT();
+                // copy the temporary file into the destionation file
-                copy_file(src_fname, dest_fname);
+                child = fork();
-                if (chown(dest_fname, getuid(), getgid()) == -1)
+                if (child < 0)
-                        errExit("chown");
+                        errExit("fork");
-                if (chmod(dest_fname, 0644) == -1)
+                if (child == 0) {
-                        errExit("chmod");
+                        // chroot
+                        if (chroot(rootdir) < 0)
+                                errExit("chroot");
+                        if (chdir("/") < 0)
+                                errExit("chdir");
+                        
+                        // drop privileges
+                        drop_privs(0);
+                        
+                        // copy the file
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                                _exit(1);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                status = 0;
+                waitpid(child, &status, 0);
+                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
+                else {
+                        unlink(tmp_fname);
+                        exit(1);
+                }
+                
+                // remove the temporary file
+                unlink(tmp_fname);
                EUID_USER();
        }
-        
-        free(fname);
+        if (fname2)
+                free(fname2);
+        free(fname1);
        free(rootdir);
        exit(0);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bdf960b96..b25bad9f2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -46,21 +46,22 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick);
 #endif
 uid_t firejail_uid = 0;
+gid_t firejail_gid = 0;
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE];            // space for child's stack
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
+int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename;           // print debug messages for filename checking
+int arg_debug_check_filename = 0;               // print debug messages for filename checking
-int arg_debug_blacklists;                       // print debug messages for blacklists
+int arg_debug_blacklists = 0;                   // print debug messages for blacklists
-int arg_debug_whitelists;                       // print debug messages for whitelists
+int arg_debug_whitelists = 0;                   // print debug messages for whitelists
 int arg_nonetwork = 0;                          // --net=none
 int arg_command = 0;                            // -c
 int arg_overlay = 0;                            // overlay option
-int arg_overlay_keep = 0;                       // place overlay diff directory in ~/.firejail
+int arg_overlay_keep = 0;                       // place overlay diff in a known directory
-int arg_zsh = 0;                                // use zsh as default shell
+int arg_overlay_reuse = 0;                      // allow the reuse of overlays
-int arg_csh = 0;                                // use csh as default shell
 int arg_seccomp = 0;                            // enable default seccomp filter
@@ -77,6 +78,7 @@ int arg_rlimit_nproc = 0;			// rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
 int arg_nogroups = 0;                           // disable supplementary groups
+int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
 int arg_netfilter;                              // enable netfilter
 int arg_netfilter6;                             // enable netfilter6
@@ -86,16 +88,33 @@ int arg_doubledash = 0;			// double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
 int arg_private_etc = 0;                        // private etc directory
+int arg_private_opt = 0;                        // private opt directory
+int arg_private_srv = 0;                        // private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
 int arg_nosound = 0;                            // disable sound
+int arg_no3d;                                   // disable 3d hardware acceleration
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
 int arg_nice = 0;                               // nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
+int arg_writable_etc = 0;                       // writable etc
+int arg_writable_var = 0;                       // writable var
+int arg_appimage = 0;                           // appimage
+int arg_audit = 0;                              // audit
+char *arg_audit_prog = NULL;                    // audit
+int arg_apparmor = 0;                           // apparmor
+int arg_allow_debuggers = 0;                    // allow debuggers
+int arg_x11_block = 0;                          // block X11
+int arg_x11_xorg = 0;                           // use X11 security extention
+int arg_allusers = 0;                           // all user home directories visible
+int arg_machineid = 0;                          // preserve /etc/machine-id
+int login_shell = 0;
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -126,7 +145,8 @@ static void myexit(int rv) {
        // delete sandbox files in shared memory
        EUID_ROOT();
        clear_run_files(sandbox_pid);
-        
+        appimage_clear();
+        flush_stdin();
        exit(rv); 
 }
@@ -141,20 +161,37 @@ static void my_handler(int s){
        myexit(1);
 }
-// return 1 if error, 0 if a valid pid was found
+static pid_t extract_pid(const char *name) {
-static inline int read_pid(char *str, pid_t *pid) {
+        EUID_ASSERT();
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+        
+        pid_t pid;
+        EUID_ROOT();
+        if (name2pid(name, &pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        EUID_USER();
+        return pid;
+}
+static pid_t read_pid(const char *str) {
        char *endptr;
        errno = 0;
        long int pidtmp = strtol(str, &endptr, 10);
        if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN))
                || (errno != 0 && pidtmp == 0)) {
-                return 1;
+                return extract_pid(str);
        }
-        if (endptr == str) {
+        // endptr points to '\0' char in str if the entire string is valid
-                return 1;
+        if (endptr == NULL || endptr[0]!='\0') {
+                return extract_pid(str);
        }
-        *pid = (pid_t)pidtmp;
+        return (pid_t)pidtmp;
-        return 0;
 }
 // init configuration
@@ -214,10 +251,8 @@ static void check_network(Bridge *br) {
 #ifdef HAVE_USERNS
 void check_user_namespace(void) {
        EUID_ASSERT();
-        if (getuid() == 0) {
+        if (getuid() == 0)
-                fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
+                goto errout;
-                exit(1);
-        }
        
        // test user namespaces available in the kernel
        struct stat s1;
@@ -227,14 +262,27 @@ void check_user_namespace(void) {
            stat("/proc/self/uid_map", &s2) == 0 &&
            stat("/proc/self/gid_map", &s3) == 0)
                arg_noroot = 1;
-        else {
+        else
-                fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n");
+                goto errout;
-                arg_noroot = 0;
-        }
+        return;
+errout:
+        if (!arg_quiet || arg_debug)
+                fprintf(stderr, "Warning: noroot option is not available\n");
+        arg_noroot = 0;
 }
 #endif
-// exit commands
+static void exit_err_feature(const char *feature) {
+        fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+        exit(1);
+}
+// run independent commands and exit program
+// this function handles command line options such as --version and --help
 static void run_cmd_and_exit(int i, int argc, char **argv) {
        EUID_ASSERT();
        
@@ -248,62 +296,54 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strcmp(argv[i], "--version") == 0) {
                printf("firejail version %s\n", VERSION);
-#ifndef HAVE_NETWORK
+                printf("\n");
-                printf("Networking support is disabled.\n");
+                print_compiletime_support();
-#endif
+                printf("\n");
-#ifdef HAVE_NETWORK_RESTRICTED
-                printf("Networking support is allowed only to root user.\n");
-#endif
-#ifndef HAVE_USERNS
-                printf("User namespace support is disabled.\n");
-#endif
-#ifndef HAVE_SECCOMP
-                printf("Seccomp-bpf support is disabled.\n");
-#endif
-#ifndef HAVE_BIND
-                printf("Bind support is disabled.\n");
-#endif
-#ifndef HAVE_CHROOT
-                printf("Chroot support is disabled.\n");
-#endif
-#ifndef HAVE_X11
-                printf("X11 support is disabled.\n");
-#endif
-#ifndef HAVE_FILE_TRANSFER
-                printf("File transfer support is disabled.\n");
-#endif
                exit(0);
        }
+#ifdef HAVE_OVERLAYFS
+        else if (strcmp(argv[i], "--overlay-clean") == 0) {
+                if (checkcfg(CFG_OVERLAYFS)) {
+                        char *path;
+                        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                                errExit("asprintf");
+                        EUID_ROOT();
+                        if (setreuid(0, 0) < 0 || 
+                            setregid(0, 0) < 0)
+                                errExit("setreuid/setregid");
+                        errno = 0;
+                        if (remove_directory(path))
+                                errExit("remove_directory");
+                }
+                else
+                        exit_err_feature("overlayfs");
+                exit(0);
+        }
+#endif
 #ifdef HAVE_X11
        else if (strcmp(argv[i], "--x11") == 0) {
                if (checkcfg(CFG_X11)) {
                        x11_start(argc, argv);
                        exit(0);
                }
-                else {
+                else
-                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                        exit_err_feature("x11");
-                        exit(1);
-                }
        }
        else if (strcmp(argv[i], "--x11=xpra") == 0) {
                if (checkcfg(CFG_X11)) {
                        x11_start_xpra(argc, argv);
                        exit(0);
                }
-                else {
+                else
-                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                        exit_err_feature("x11");
-                        exit(1);
-                }
        }
        else if (strcmp(argv[i], "--x11=xephyr") == 0) {
                if (checkcfg(CFG_X11)) {
                        x11_start_xephyr(argc, argv);
                        exit(0);
                }
-                else {
+                else
-                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                        exit_err_feature("x11");
-                        exit(1);
-                }
        }
 #endif
 #ifdef HAVE_NETWORK     
@@ -361,16 +401,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        }       
                        
                        // extract pid or sandbox name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 12);
-                        if (read_pid(argv[i] + 12, &pid) == 0)
+                        bandwidth_pid(pid, cmd, dev, down, up);
-                                bandwidth_pid(pid, cmd, dev, down, up);
-                        else
-                                bandwidth_name(argv[i] + 12, cmd, dev, down, up);
-                }
-                else {
-                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
-                        exit(1);
                }
+                else
+                        exit_err_feature("networking");
                exit(0);
        }
 #endif
@@ -380,93 +415,68 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifdef HAVE_SECCOMP
        else if (strcmp(argv[i], "--debug-syscalls") == 0) {
                if (checkcfg(CFG_SECCOMP)) {
-                        syscall_print();
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls");
-                        exit(0);
+                        exit(rv);
-                }
-                else {
-                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                        exit(1);
                }
+                else
+                        exit_err_feature("seccomp");
        }
        else if (strcmp(argv[i], "--debug-errnos") == 0) {
                if (checkcfg(CFG_SECCOMP)) {
-                        errno_print();
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos");
-                }
+                        exit(rv);
-                else {
-                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                        exit(1);
                }
+                else
+                        exit_err_feature("seccomp");
                exit(0);
        }
        else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 16);
-                        if (read_pid(argv[i] + 16, &pid) == 0)          
+                        seccomp_print_filter(pid);
-                                seccomp_print_filter(pid);
-                        else
-                                seccomp_print_filter_name(argv[i] + 16);
-                }
-                else {
-                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                        exit(1);
                }
+                else
+                        exit_err_feature("seccomp");
                exit(0);
        }
        else if (strcmp(argv[i], "--debug-protocols") == 0) {
-                protocol_list();
+                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols");
-                exit(0);
+                exit(rv);
        }
        else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 17);             
-                        if (read_pid(argv[i] + 17, &pid) == 0)          
+                        protocol_print_filter(pid);
-                                protocol_print_filter(pid);
-                        else
-                                protocol_print_filter_name(argv[i] + 17);
-                }
-                else {
-                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                        exit(1);
                }
+                else
+                        exit_err_feature("seccomp");
                exit(0);
        }
 #endif
        else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 12);
-                if (read_pid(argv[i] + 12, &pid) == 0)          
+                cpu_print_filter(pid);
-                        cpu_print_filter(pid);
-                else
-                        cpu_print_filter_name(argv[i] + 12);
                exit(0);
        }
        else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 13);
-                if (read_pid(argv[i] + 13, &pid) == 0)          
+                caps_print_filter(pid);
-                        caps_print_filter(pid);
-                else
-                        caps_print_filter_name(argv[i] + 13);
                exit(0);
        }
        else if (strncmp(argv[i], "--fs.print=", 11) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 11);
-                if (read_pid(argv[i] + 11, &pid) == 0)          
+                fs_logger_print_log(pid);
-                        fs_logger_print_log(pid);
-                else
-                        fs_logger_print_log_name(argv[i] + 11);
                exit(0);
        }
        else if (strncmp(argv[i], "--dns.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 12);
-                if (read_pid(argv[i] + 12, &pid) == 0)          
+                net_dns_print(pid);
-                        net_dns_print(pid);
-                else
-                        net_dns_print_name(argv[i] + 12);
                exit(0);
        }
        else if (strcmp(argv[i], "--debug-caps") == 0) {
@@ -474,27 +484,42 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                exit(0);
        }
        else if (strcmp(argv[i], "--list") == 0) {
-                list();
+                if (pid_hidepid())
+                        sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+                else
+                        sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                exit(0);
        }
        else if (strcmp(argv[i], "--tree") == 0) {
-                tree();
+                if (pid_hidepid())
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+                else
+                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                exit(0);
        }
        else if (strcmp(argv[i], "--top") == 0) {
-                top();
+                if (pid_hidepid())
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                2, PATH_FIREMON, "--top");
+                else
+                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                2, PATH_FIREMON, "--top");
                exit(0);
        }
 #ifdef HAVE_NETWORK     
        else if (strcmp(argv[i], "--netstats") == 0) {
                if (checkcfg(CFG_NETWORK)) {
-                        netstats();
+                        struct stat s;
-                }
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
-                else {
+                                sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
-                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                        2, PATH_FIREMON, "--netstats");
-                        exit(1);
+                        else
+                                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                        2, PATH_FIREMON, "--netstats");
+                        exit(0);
                }
-                exit(0);
+                else
+                        exit_err_feature("networking");
        }
 #endif  
 #ifdef HAVE_FILE_TRANSFER
@@ -515,17 +540,42 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                         
                        // get file
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 6);
-                        if (read_pid(argv[i] + 6, &pid) == 0)           
+                        sandboxfs(SANDBOX_FS_GET, pid, path, NULL);
-                                sandboxfs(SANDBOX_FS_GET, pid, path);
-                        else
-                                sandboxfs_name(SANDBOX_FS_GET, argv[i] + 6, path);
                        exit(0);
                }
-                else {
+                else
-                        fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n");
+                        exit_err_feature("file transfer");
-                        exit(1);
+        }
+        else if (strncmp(argv[i], "--put=", 6) == 0) {
+                if (checkcfg(CFG_FILE_TRANSFER)) {
+                        logargs(argc, argv);
+                        
+                        // verify path
+                        if ((i + 3) != argc) {
+                                fprintf(stderr, "Error: invalid --put option, 2 paths expected\n");
+                                exit(1);
+                        }
+                        char *path1 = argv[i + 1];
+                         invalid_filename(path1);
+                         if (strstr(path1, "..")) {
+                                fprintf(stderr, "Error: invalid file name %s\n", path1);
+                                exit(1);
+                         }
+                        char *path2 = argv[i + 2];
+                         invalid_filename(path2);
+                         if (strstr(path2, "..")) {
+                                fprintf(stderr, "Error: invalid file name %s\n", path2);
+                                exit(1);
+                         }
+                         
+                        // get file
+                        pid_t pid = read_pid(argv[i] + 6);
+                        sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);
+                        exit(0);
                }
+                else
+                        exit_err_feature("file transfer");
        }
        else if (strncmp(argv[i], "--ls=", 5) == 0) {
                if (checkcfg(CFG_FILE_TRANSFER)) {
@@ -544,29 +594,59 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                         
                        // list directory contents
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 5);
-                        if (read_pid(argv[i] + 5, &pid) == 0)           
+                        sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
-                                sandboxfs(SANDBOX_FS_LS, pid, path);
-                        else
-                                sandboxfs_name(SANDBOX_FS_LS, argv[i] + 5, path);
                        exit(0);
                }
-                else {
+                else
-                        fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n");
+                        exit_err_feature("file transfer");
-                        exit(1);
-                }
        }
 #endif
        else if (strncmp(argv[i], "--join=", 7) == 0) {
                logargs(argc, argv);
-                
+                if (arg_shell_none) {
+                        if (argc <= (i+1)) {
+                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                exit(1);
+                        }
+                        cfg.original_program_index = i + 1;
+                }
+                if (!cfg.shell && !arg_shell_none)
+                        cfg.shell = guess_shell();
                // join sandbox by pid or by name
+                pid_t pid = read_pid(argv[i] + 7);
+                join(pid, argc, argv, i + 1);
+                exit(0);
+        }
+        else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
+                // NOTE: this is first part of option handler,
+                //               sandbox name is set in other part
+                logargs(argc, argv);
+                if (arg_shell_none) {
+                        if (argc <= (i+1)) {
+                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                exit(1);
+                        }
+                        cfg.original_program_index = i + 1;
+                }
+#if 0 // todo: redo it
+                // try to join by name only
                pid_t pid;
-                if (read_pid(argv[i] + 7, &pid) == 0)           
+                if (!name2pid(argv[i] + 16, &pid)) {
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
                        join(pid, argc, argv, i + 1);
-                else
+                        exit(0);
-                        join_name(argv[i] + 7, argc, argv, i + 1);
+                }
-                exit(0);
+#endif          
+                // if there no such sandbox continue argument processing
        }
 #ifdef HAVE_NETWORK     
        else if (strncmp(argv[i], "--join-network=", 15) == 0) {
@@ -578,18 +658,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                exit(1);
                        }
                        
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
                        // join sandbox by pid or by name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 15);
-                        if (read_pid(argv[i] + 15, &pid) == 0)          
+                        join(pid, argc, argv, i + 1);
-                                join(pid, argc, argv, i + 1);
-                        else
-                                join_name(argv[i] + 15, argc, argv, i + 1);
-                }
-                else {
-                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
-                        exit(1);
                }
+                else
+                        exit_err_feature("networking");
                exit(0);
        }
 #endif
@@ -601,23 +678,20 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        exit(1);
                }
                
+                if (!cfg.shell && !arg_shell_none)
+                        cfg.shell = guess_shell();
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 18);
-                if (read_pid(argv[i] + 18, &pid) == 0)          
+                join(pid, argc, argv, i + 1);
-                        join(pid, argc, argv, i + 1);
-                else
-                        join_name(argv[i] + 18, argc, argv, i + 1);
                exit(0);
        }
        else if (strncmp(argv[i], "--shutdown=", 11) == 0) {
                logargs(argc, argv);
                
                // shutdown sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 11);
-                if (read_pid(argv[i] + 11, &pid) == 0)
+                shut(pid);
-                        shut(pid);
-                else
-                        shut_name(argv[i] + 11);
                exit(0);
        }
@@ -635,14 +709,10 @@ static void set_name_file(pid_t pid) {
                exit(1);
        }
        fprintf(fp, "%s\n", cfg.name);
-        fclose(fp);
-        
        // mode and ownership
-        if (chown(fname, 0, 0) == -1)
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
-                errExit("chown");
+        fclose(fp);
-        if (chmod(fname, 0644) == -1)
-                errExit("chmod");
-        
 }
 static void delete_name_file(pid_t pid) {
@@ -651,6 +721,7 @@ static void delete_name_file(pid_t pid) {
                errExit("asprintf");
        int rv = unlink(fname);
        (void) rv;
+        free(fname);
 }
 static void set_x11_file(pid_t pid, int display) {
@@ -665,14 +736,10 @@ static void set_x11_file(pid_t pid, int display) {
                exit(1);
        }
        fprintf(fp, "%d\n", display);
-        fclose(fp);
-        
        // mode and ownership
-        if (chown(fname, 0, 0) == -1)
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
-                errExit("chown");
+        fclose(fp);
-        if (chmod(fname, 0644) == -1)
-                errExit("chmod");
-        
 }
 static void delete_x11_file(pid_t pid) {
@@ -681,6 +748,45 @@ static void delete_x11_file(pid_t pid) {
                errExit("asprintf");
        int rv = unlink(fname);
        (void) rv;
+        free(fname);
+}
+char *guess_shell(void) {
+        char *shell = NULL;
+        // shells in order of preference
+        char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
+        int i = 0;
+        while (shells[i] != NULL) {
+                struct stat s;
+                // access call checks as real UID/GID, not as effective UID/GID
+                if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) {
+                        shell = shells[i];
+                        break;
+                }
+                i++;
+        }
+        return shell;
+}
+static int check_arg(int argc, char **argv, const char *argument) {
+        int i;
+        int found = 0;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], argument) == 0) {
+                        found = 1;
+                        break;
+                }
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+        
+        return found;
 }
 //*******************************************
@@ -694,81 +800,62 @@ int main(int argc, char **argv) {
        int option_force = 0;
        int custom_profile = 0; // custom profile loaded
        char *custom_profile_dir = NULL; // custom profile directory
-        int arg_noprofile = 0; // use generic.profile if none other found/specified
+        int arg_noprofile = 0; // use default.profile if none other found/specified
-#ifdef HAVE_SECCOMP
-        int highest_errno = errno_highest_nr();
+        // build /run/firejail directory structure
-#endif
+        preproc_build_firejail_dir();
+        
+        if (check_arg(argc, argv, "--quiet"))
+                arg_quiet = 1;
+        if (check_arg(argc, argv, "--allow-debuggers"))
+                arg_allow_debuggers = 1;
        // drop permissions by default and rise them when required
        EUID_INIT();
        EUID_USER();
        // check argv[0] symlink wrapper if this is not a login shell
        if (*argv[0] != '-')
                run_symlink(argc, argv);
        // check if we already have a sandbox running
-        EUID_ROOT();
+        // If LXC is detected, start firejail sandbox
-        int rv = check_kernel_procs();
+        // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
-        EUID_USER();
+        //      - if --force flag is set, start firejail sandbox
-        if (rv == 0) {
+        //      -- if --force flag is not set, start the application in a /bin/bash shell 
-                // if --force option is passed to the program, disregard the existing sandbox
+        if (check_namespace_virt() == 0) {
-                int found = 0;
+                EUID_ROOT();
-                for (i = 1; i < argc; i++) {
+                int rv = check_kernel_procs();
-                        if (strcmp(argv[i], "--force") == 0 ||
+                EUID_USER();
-                            strcmp(argv[i], "--list") == 0 ||   
+                if (rv == 0) {
-                            strcmp(argv[i], "--netstats") == 0 ||       
+                        // if --force option is passed to the program, disregard the existing sandbox
-                            strcmp(argv[i], "--tree") == 0 ||   
+                        if (check_arg(argc, argv, "--force"))
-                            strcmp(argv[i], "--top") == 0 ||
+                                option_force = 1;
-                            strncmp(argv[i], "--ls=", 5) == 0 ||
+                        else {
-                            strncmp(argv[i], "--get=", 6) == 0 ||
+                                if (check_arg(argc, argv, "--version")) {
-                            strcmp(argv[i], "--debug-caps") == 0 ||
+                                        printf("firejail version %s\n", VERSION);
-                            strcmp(argv[i], "--debug-errnos") == 0 ||
+                                        exit(0);
-                            strcmp(argv[i], "--debug-syscalls") == 0 ||
+                                }
-                            strcmp(argv[i], "--debug-protocols") == 0 ||
+                                
-                            strcmp(argv[i], "--help") == 0 ||
+                                // start the program directly without sandboxing
-                            strcmp(argv[i], "--version") == 0 ||
+                                run_no_sandbox(argc, argv);
-                            strncmp(argv[i], "--dns.print=", 12) == 0 ||
+                                // it will never get here!
-                            strncmp(argv[i], "--bandwidth=", 12) == 0 ||
+                                assert(0);
-                            strncmp(argv[i], "--caps.print=", 13) == 0 ||
+                        }
-                            strncmp(argv[i], "--cpu.print=", 12) == 0 ||
-//********************************************************************************
-// todo: fix the following problems
-                            strncmp(argv[i], "--join=", 7) == 0 ||
-//[netblue@debian Downloads]$ firejail --join=896
-//Switching to pid 897, the first child process inside the sandbox
-//Error: seccomp file not found
-//********************************************************************************
-                            strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
-                            strncmp(argv[i], "--join-network=", 15) == 0 ||
-                            strncmp(argv[i], "--fs.print=", 11) == 0 ||
-                            strncmp(argv[i], "--protocol.print=", 17) == 0 ||
-                            strncmp(argv[i], "--seccomp.print", 15) == 0 ||
-                            strncmp(argv[i], "--shutdown=", 11) == 0) {
-                                found = 1;
-                                break;
-                        }
-                        if (strcmp(argv[i], "--") == 0)
-                                break;
-                        if (strncmp(argv[i], "--", 2) != 0)
-                                break;
-                }
-                
-                if (found == 0) {
-                        // start the program directly without sandboxing
-                        run_no_sandbox(argc, argv);
-                        // it will never get here!
-                        assert(0);
                }
-                else
-                        option_force = 1;
        }
        // check root/suid
        EUID_ROOT();
        if (geteuid()) {
-                fprintf(stderr, "Error: the sandbox is not setuid root\n");
+                // only --version is supported without SUID support
+                if (check_arg(argc, argv, "--version")) {
+                        printf("firejail version %s\n", VERSION);
+                        exit(0);
+                }
+                fprintf(stderr, "Error: cannot rise privileges\n");
                exit(1);
        }
        EUID_USER();
@@ -776,10 +863,8 @@ int main(int argc, char **argv) {
        // initialize globals
        init_cfg(argc, argv);
        // check firejail directories
        EUID_ROOT();
-        fs_build_firejail_dir();
        bandwidth_del_run_file(sandbox_pid);
        network_del_run_file(sandbox_pid);
        delete_name_file(sandbox_pid);
@@ -798,15 +883,68 @@ int main(int argc, char **argv) {
                        if (strcmp(comm, "sshd") == 0) {
                                arg_quiet = 1;
                                parent_sshd = 1;
+#ifdef DEBUG_RESTRICTED_SHELL
+                                {EUID_ROOT();
+                                FILE *fp = fopen("/firelog", "w");
+                                if (fp) {
+                                        int i;
+                                        fprintf(fp, "argc %d: ", argc);
+                                        for (i = 0; i < argc; i++)
+                                                fprintf(fp, "#%s# ", argv[i]);
+                                        fprintf(fp, "\n");
+                                        fclose(fp);
+                                }
+                                EUID_USER();}
+#endif
+                                // run sftp and scp directly without any sandboxing
+                                // regular login has argv[0] == "-firejail"
+                                if (*argv[0] != '-') {
+                                        if (strcmp(argv[1], "-c") == 0 && argc > 2) {
+                                                if (strcmp(argv[2], "/usr/lib/openssh/sftp-server") == 0 ||
+                                                    strncmp(argv[2], "scp ", 4) == 0) {
+#ifdef DEBUG_RESTRICTED_SHELL
+                                                        {EUID_ROOT();
+                                                        FILE *fp = fopen("/firelog", "a");
+                                                        if (fp) {
+                                                                fprintf(fp, "run without a sandbox\n");
+                                                                fclose(fp);
+                                                        }
+                                                        EUID_USER();}
+#endif
+                                                    
+                                                        drop_privs(1);
+                                                        int rv = system(argv[2]);
+                                                        exit(rv);
+                                                }
+                                        }
+                                }
                        }
                        free(comm);
                }
        }
        
-        // is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
        if (*argv[0] == '-' || parent_sshd) {
+                if (argc == 1)
+                        login_shell = 1;
                fullargc = restricted_shell(cfg.username);
                if (fullargc) {
+                        
+#ifdef DEBUG_RESTRICTED_SHELL
+                        {EUID_ROOT();
+                        FILE *fp = fopen("/firelog", "a");
+                        if (fp) {
+                                fprintf(fp, "fullargc %d: ",  fullargc);
+                                int i;
+                                for (i = 0; i < fullargc; i++)
+                                        fprintf(fp, "#%s# ", fullargv[i]);
+                                fprintf(fp, "\n");
+                                fclose(fp);
+                        }
+                        EUID_USER();}
+#endif
+                        
                        int j;
                        for (i = 1, j = fullargc; i < argc && j < MAX_ARGS; i++, j++, fullargc++)
                                fullargv[j] = argv[i];
@@ -814,12 +952,37 @@ int main(int argc, char **argv) {
                        // replace argc/argv with fullargc/fullargv
                        argv = fullargv;
                        argc = j;
+#ifdef DEBUG_RESTRICTED_SHELL
+                        {EUID_ROOT();
+                        FILE *fp = fopen("/firelog", "a");
+                        if (fp) {
+                                fprintf(fp, "argc %d: ", argc);
+                                int i;
+                                for (i = 0; i < argc; i++)
+                                        fprintf(fp, "#%s# ", argv[i]);
+                                fprintf(fp, "\n");
+                                fclose(fp);
+                        }
+                        EUID_USER();}
+#endif
                }
        }
        else {
                // check --output option and execute it;
                check_output(argc, argv); // the function will not return if --output option was found
-                check_user(argc, argv); // the function will not return if --user option was found
+        }
+        
+        
+        // check for force-nonewprivs in /etc/firejail/firejail.config file
+        if (checkcfg(CFG_FORCE_NONEWPRIVS))
+                arg_nonewprivs = 1;
+        
+        if (arg_allow_debuggers) {
+                char *cmd = strdup("noblacklist ${PATH}/strace");
+                if (!cmd)
+                        errExit("strdup");
+                profile_add(cmd);
        }
        
        // parse arguments
@@ -845,19 +1008,33 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--force") == 0)
                        ;
+                else if (strcmp(argv[i], "--allow-debuggers") == 0) {
+                        // already handled
+                }
                //*************************************
                // filtering
                //*************************************
+#ifdef HAVE_APPARMOR
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+#endif  
 #ifdef HAVE_SECCOMP
                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
-                                protocol_store(argv[i] + 11);
+                                if (cfg.protocol) {
-                        }
+                                        if (!arg_quiet)
-                        else {
+                                                fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
-                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+                                }
-                                exit(1);
+                                else {
+                                        // store list
+                                        cfg.protocol = strdup(argv[i] + 11);
+                                        if (!cfg.protocol)
+                                                errExit("strdup");
+                                }
                        }
+                        else 
+                                exit_err_feature("seccomp");
                }
                else if (strcmp(argv[i], "--seccomp") == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
@@ -867,10 +1044,8 @@ int main(int argc, char **argv) {
                                }
                                arg_seccomp = 1;
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+                                exit_err_feature("seccomp");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--seccomp=", 10) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
@@ -879,14 +1054,10 @@ int main(int argc, char **argv) {
                                        exit(1);
                                }
                                arg_seccomp = 1;
-                                cfg.seccomp_list = strdup(argv[i] + 10);
+                                cfg.seccomp_list = seccomp_check_list(argv[i] + 10);
-                                if (!cfg.seccomp_list)
-                                        errExit("strdup");
-                        }
-                        else {
-                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                                exit(1);
                        }
+                        else
+                                exit_err_feature("seccomp");
                }
                else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
@@ -895,14 +1066,10 @@ int main(int argc, char **argv) {
                                        exit(1);
                                }
                                arg_seccomp = 1;
-                                cfg.seccomp_list_drop = strdup(argv[i] + 15);
+                                cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15);
-                                if (!cfg.seccomp_list_drop)
-                                        errExit("strdup");
-                        }
-                        else {
-                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                                exit(1);
                        }
+                        else
+                                exit_err_feature("seccomp");
                }
                else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
@@ -911,48 +1078,10 @@ int main(int argc, char **argv) {
                                        exit(1);
                                }
                                arg_seccomp = 1;
-                                cfg.seccomp_list_keep = strdup(argv[i] + 15);
+                                cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15);
-                                if (!cfg.seccomp_list_keep)
-                                        errExit("strdup");
-                        }
-                        else {
-                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                                exit(1);
-                        }
-                }
-                else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
-                        if (checkcfg(CFG_SECCOMP)) {
-                                if (arg_seccomp && !cfg.seccomp_list_errno) {
-                                        fprintf(stderr, "Error: seccomp already enabled\n");
-                                        exit(1);
-                                }
-                                char *eq = strchr(argv[i], '=');
-                                char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
-                                int nr = errno_find_name(errnoname);
-                                if (nr == -1) {
-                                        fprintf(stderr, "Error: unknown errno %s\n", errnoname);
-                                        free(errnoname);
-                                        exit(1);
-                                }
-        
-                                if (!cfg.seccomp_list_errno)
-                                        cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
-        
-                                if (cfg.seccomp_list_errno[nr]) {
-                                        fprintf(stderr, "Error: errno %s already configured\n", errnoname);
-                                        free(errnoname);
-                                        exit(1);
-                                }
-                                arg_seccomp = 1;
-                                cfg.seccomp_list_errno[nr] = strdup(eq+1);
-                                if (!cfg.seccomp_list_errno[nr])
-                                        errExit("strdup");
-                                free(errnoname);
-                        }
-                        else {
-                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                                exit(1);
                        }
+                        else
+                                exit_err_feature("seccomp");
                }
 #endif          
                else if (strcmp(argv[i], "--caps") == 0)
@@ -965,8 +1094,7 @@ int main(int argc, char **argv) {
                        if (!arg_caps_list)
                                errExit("strdup");
                        // verify caps list and exit if problems
-                        if (caps_check_list(arg_caps_list, NULL))
+                        caps_check_list(arg_caps_list, NULL);
-                                return 1;
                }
                else if (strncmp(argv[i], "--caps.keep=", 12) == 0) {
                        arg_caps_keep = 1;
@@ -974,8 +1102,7 @@ int main(int argc, char **argv) {
                        if (!arg_caps_list)
                                errExit("strdup");
                        // verify caps list and exit if problems
-                        if (caps_check_list(arg_caps_list, NULL))
+                        caps_check_list(arg_caps_list, NULL);
-                                return 1;
                }
@@ -1021,6 +1148,8 @@ int main(int argc, char **argv) {
                        read_cpu_list(argv[i] + 6);
                else if (strncmp(argv[i], "--nice=", 7) == 0) {
                        cfg.nice = atoi(argv[i] + 7);
+                        if (getuid() != 0 &&cfg.nice < 0)
+                                cfg.nice = 0;
                        arg_nice = 1;
                }
                else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
@@ -1039,6 +1168,8 @@ int main(int argc, char **argv) {
                //*************************************
                // filesystem
                //*************************************
+                else if (strcmp(argv[i], "--allusers") == 0)
+                        arg_allusers = 1;
 #ifdef HAVE_BIND                
                else if (strncmp(argv[i], "--bind=", 7) == 0) {
                        if (checkcfg(CFG_BIND)) {
@@ -1049,10 +1180,8 @@ int main(int argc, char **argv) {
                                profile_check_line(line, 0, NULL);      // will exit if something wrong
                                profile_add(line);
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n");
+                                exit_err_feature("bind");
-                                exit(1);
-                        }
                }
 #endif
                else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
@@ -1079,98 +1208,146 @@ int main(int argc, char **argv) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+#ifdef HAVE_WHITELIST
                else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
+                        if (checkcfg(CFG_WHITELIST)) {
+                                char *line;
+                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                        errExit("asprintf");
+                                
+                                profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                profile_add(line);
+                        }
+                        else
+                                exit_err_feature("whitelist");
+                }
+#endif          
+                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
                        char *line;
-                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
                                errExit("asprintf");
                        
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
-                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
+                else if (strncmp(argv[i], "--noexec=", 9) == 0) {
                        char *line;
-                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
+                        if (asprintf(&line, "noexec %s", argv[i] + 9) == -1)
                                errExit("asprintf");
                        
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
-                else if (strcmp(argv[i], "--overlay") == 0) {
+                else if (strncmp(argv[i], "--read-write=", 13) == 0) {
-                        if (cfg.chrootdir) {
+                        char *line;
-                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                        if (asprintf(&line, "read-write %s", argv[i] + 13) == -1)
-                                exit(1);
-                        }
-                        struct stat s;
-                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
-                                exit(1);        
-                        }
-                        arg_overlay = 1;
-                        arg_overlay_keep = 1;
-                        
-                        // create ~/.firejail directory
-                        char *dirname;
-                        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                                errExit("asprintf");
-                        if (stat(dirname, &s) == -1) {
-                                /* coverity[toctou] */
-                                if (mkdir(dirname, 0700))
-                                        errExit("mkdir");
-                                if (chown(dirname, getuid(), getgid()) < 0)
-                                        errExit("chown");
-                                if (chmod(dirname, 0700) < 0)
-                                        errExit("chmod");
-                        }
-                        else if (is_link(dirname)) {
-                                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
-                                exit(1);
-                        }
-                        
-                        free(dirname);
                        
-                        // check overlay directory
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        if (asprintf(&dirname, "%s/.firejail/%d", cfg.homedir, getpid()) == -1)
+                        profile_add(line);
-                                errExit("asprintf");
+                }
-                        if (stat(dirname, &s) == 0) {
+#ifdef HAVE_OVERLAYFS
-                                fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+                else if (strcmp(argv[i], "--overlay") == 0) {
-                                exit(1);
+                        if (checkcfg(CFG_OVERLAYFS)) {
+                                if (cfg.chrootdir) {
+                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                        exit(1);
+                                }
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                        exit(1);        
+                                }
+                                arg_overlay = 1;
+                                arg_overlay_keep = 1;
+                                
+                                char *subdirname;
+                                if (asprintf(&subdirname, "%d", getpid()) == -1)
+                                        errExit("asprintf");
+                                cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+        
+                                free(subdirname);
                        }
-                        cfg.overlay_dir = dirname;
+                        else
+                                exit_err_feature("overlayfs");
                }
-                else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
+                else if (strncmp(argv[i], "--overlay-named=", 16) == 0) {
-                        if (cfg.chrootdir) {
+                        if (checkcfg(CFG_OVERLAYFS)) {
-                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                if (cfg.chrootdir) {
-                                exit(1);
+                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                        exit(1);
+                                }
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                        exit(1);
+                                }
+                                arg_overlay = 1;
+                                arg_overlay_keep = 1;
+                                arg_overlay_reuse = 1;
+                                
+                                char *subdirname = argv[i] + 16;
+                                if (subdirname == '\0') {
+                                        fprintf(stderr, "Error: invalid overlay option\n");
+                                        exit(1);
+                                }
+                                
+                                // check name
+                                invalid_filename(subdirname);
+                                if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
+                                        fprintf(stderr, "Error: invalid overlay name\n");
+                                        exit(1);
+                                }
+                                cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
                        }
-                        struct stat s;
+                        else
-                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                exit_err_feature("overlayfs");
-                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                }
-                                exit(1);        
+                else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
+                        if (checkcfg(CFG_OVERLAYFS)) {
+                                if (cfg.chrootdir) {
+                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                        exit(1);
+                                }
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                        exit(1);        
+                                }
+                                arg_overlay = 1;
                        }
-                        arg_overlay = 1;
+                        else
+                                exit_err_feature("overlayfs");
                }
+#endif
                else if (strncmp(argv[i], "--profile=", 10) == 0) {
                        if (arg_noprofile) {
                                fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
                                exit(1);
                        }
-                        invalid_filename(argv[i] + 10);
+                        
+                        char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+                        if (!ppath)
+                                errExit("strdup");
+                        invalid_filename(ppath);
                        
                        // multiple profile files are allowed!
-                        char *ptr = argv[i] + 10;
+                        if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
-                        if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) {
                                fprintf(stderr, "Error: invalid profile file\n");
                                exit(1);
                        }
                        
                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(argv[i] + 10, R_OK)) {
+                        if (access(ppath, R_OK)) {
                                fprintf(stderr, "Error: cannot access profile file\n");
                                return 1;
                        }
-                        profile_read(argv[i] + 10);
+                        profile_read(ppath);
                        custom_profile = 1;
+                        free(ppath);
                }
                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
                        if (arg_noprofile) {
@@ -1255,22 +1432,46 @@ int main(int argc, char **argv) {
                                        return 1;
                                }
                                
+                                // don't allow "--chroot=/"
+                                char *rpath = realpath(cfg.chrootdir, NULL);
+                                if (rpath == NULL || strcmp(rpath, "/") == 0) {
+                                        fprintf(stderr, "Error: invalid chroot directory\n");
+                                        exit(1);
+                                }
+                                free(rpath);
+                                
                                // check chroot directory structure
                                if (fs_check_chroot_dir(cfg.chrootdir)) {
                                        fprintf(stderr, "Error: invalid chroot\n");
                                        exit(1);
                                }
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n");
+                                exit_err_feature("chroot");
+                }
+#endif
+                else if (strcmp(argv[i], "--writable-etc") == 0) {
+                        if (cfg.etc_private_keep) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
                                exit(1);
                        }
+                        arg_writable_etc = 1;
                }
-#endif
+                else if (strcmp(argv[i], "--writable-var") == 0) {
-                else if (strcmp(argv[i], "--private") == 0)
+                        arg_writable_var = 1;
+                }
+                else if (strcmp(argv[i], "--machine-id") == 0) {
+                        arg_machineid = 1;
+                }
+                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
+                }
                else if (strncmp(argv[i], "--private=", 10) == 0) {
+                        if (cfg.home_private_keep) {
+                                fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n");
+                                exit(1);
+                        }
                        // extract private home dirname
                        cfg.home_private = argv[i] + 10;
                        if (*cfg.home_private == '\0') {
@@ -1278,25 +1479,64 @@ int main(int argc, char **argv) {
                                exit(1);
                        }
                        fs_check_private_dir();
+                        // downgrade to --private if the directory is the user home directory
+                        if (strcmp(cfg.home_private, cfg.homedir) == 0) {
+                                free(cfg.home_private);
+                                cfg.home_private = NULL;
+                        }
                        arg_private = 1;
                }
+#ifdef HAVE_PRIVATE_HOME
+                else if (strncmp(argv[i], "--private-home=", 15) == 0) {
+                        if (checkcfg(CFG_PRIVATE_HOME)) {
+                                if (cfg.home_private) {
+                                        fprintf(stderr, "Error: a private home directory was already defined with --private option.\n");
+                                        exit(1);
+                                }
+                                
+                                // extract private home dirname
+                                cfg.home_private_keep = argv[i] + 15;
+                                arg_private = 1;
+                        }
+                        else
+                                exit_err_feature("private-home");
+                }
+#endif          
                else if (strcmp(argv[i], "--private-dev") == 0) {
                        arg_private_dev = 1;
                }
                else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        
                        // extract private etc list
                        cfg.etc_private_keep = argv[i] + 14;
                        if (*cfg.etc_private_keep == '\0') {
                                fprintf(stderr, "Error: invalid private-etc option\n");
                                exit(1);
                        }
-                        fs_check_etc_list();
+                        arg_private_etc = 1;
-                        if (*cfg.etc_private_keep != '\0')
+                }
-                                arg_private_etc = 1;
+                else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
-                        else {
+                        // extract private opt list
-                                arg_private_etc = 0;
+                        cfg.opt_private_keep = argv[i] + 14;
-                                fprintf(stderr, "Warning: private-etc disabled, no file found\n");
+                        if (*cfg.opt_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-opt option\n");
+                                exit(1);
+                        }
+                        arg_private_opt = 1;
+                }
+                else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
+                        // extract private srv list
+                        cfg.srv_private_keep = argv[i] + 14;
+                        if (*cfg.srv_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-etc option\n");
+                                exit(1);
                        }
+                        arg_private_srv = 1;
                }
                else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                        // extract private bin list
@@ -1306,7 +1546,6 @@ int main(int argc, char **argv) {
                                exit(1);
                        }
                        arg_private_bin = 1;
-                        fs_check_bin_list();
                }
                else if (strcmp(argv[i], "--private-tmp") == 0) {
                        arg_private_tmp = 1;
@@ -1335,17 +1574,22 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--noroot") == 0) {
                        if (checkcfg(CFG_USERNS))
                                check_user_namespace();
-                        else {
+                        else
-                                fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n");
+                                exit_err_feature("noroot");
-                                exit(1);
-                        }
                }
 #endif
+                else if (strcmp(argv[i], "--nonewprivs") == 0) {
+                        arg_nonewprivs = 1;
+                }
                else if (strncmp(argv[i], "--env=", 6) == 0)
-                        env_store(argv[i] + 6);
+                        env_store(argv[i] + 6, SETENV);
-                else if (strncmp(argv[i], "--nosound", 9) == 0) {
+                else if (strncmp(argv[i], "--rmenv=", 8) == 0)
+                        env_store(argv[i] + 8, RMENV);
+                else if (strcmp(argv[i], "--nosound") == 0) {
                        arg_nosound = 1;
-                        arg_private_dev = 1;
+                }
+                else if (strcmp(argv[i], "--no3d") == 0) {
+                        arg_no3d = 1;
                }
                                
                //*************************************
@@ -1401,14 +1645,13 @@ int main(int argc, char **argv) {
                                        errExit("strdup");
                                
                                if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) {
-                                        fprintf(stderr, "Warning:  interface %s is not configured\n", intf->dev);
+                                        if (!arg_quiet || arg_debug)
+                                                fprintf(stderr, "Warning:  interface %s is not configured\n", intf->dev);
                                }
                                intf->configured = 1;
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--net=", 6) == 0) {
@@ -1458,20 +1701,35 @@ int main(int argc, char **argv) {
                                }
                                net_configure_bridge(br, argv[i] + 6);
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
+                }
+                else if (strncmp(argv[i], "--veth-name=", 12) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        exit(1);
+                                }
+                                br->veth_name = strdup(argv[i] + 12);
+                                if (br->veth_name == NULL)
+                                        errExit("strdup");
+                                if (*br->veth_name == '\0') {
+                                        fprintf(stderr, "Error: no veth-name configured\n");
+                                        exit(1);
+                                }
                        }
+                        else
+                                exit_err_feature("networking");
                }
                else if (strcmp(argv[i], "--scan") == 0) {
                        if (checkcfg(CFG_NETWORK)) {
                                arg_scan = 1;
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--iprange=", 10) == 0) {
                        if (checkcfg(CFG_NETWORK)) {
@@ -1511,10 +1769,8 @@ int main(int argc, char **argv) {
                                        return 1;
                                }
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--mac=", 6) == 0) {
@@ -1522,23 +1778,21 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
                                if (mac_not_zero(br->macsandbox)) {
                                        fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                // read the address
                                if (atomac(argv[i] + 6, br->macsandbox)) {
                                        fprintf(stderr, "Error: invalid MAC address\n");
-                                        return 1;
+                                        exit(1);
                                }
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--mtu=", 6) == 0) {
@@ -1546,18 +1800,16 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
                                        fprintf(stderr, "Error: invalid mtu value\n");
-                                        return 1;
+                                        exit(1);
                                }
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--ip=", 5) == 0) {
@@ -1565,11 +1817,11 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
                                if (br->arg_ip_none || br->ipsandbox) {
                                        fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                // configure this IP address for the last bridge defined
@@ -1578,14 +1830,12 @@ int main(int argc, char **argv) {
                                else {
                                        if (atoip(argv[i] + 5, &br->ipsandbox)) {
                                                fprintf(stderr, "Error: invalid IP address\n");
-                                                return 1;
+                                                exit(1);
                                        }
                                }
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--ip6=", 6) == 0) {
@@ -1593,11 +1843,11 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
                                if (br->arg_ip_none || br->ip6sandbox) {
                                        fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                // configure this IP address for the last bridge defined
@@ -1605,13 +1855,11 @@ int main(int argc, char **argv) {
                                br->ip6sandbox = argv[i] + 6;
 //                              if (atoip(argv[i] + 5, &br->ipsandbox)) {
 //                                      fprintf(stderr, "Error: invalid IP address\n");
-//                                      return 1;
+//                                      exit(1);
 //                              }
                        }
-                        else {
+                        else 
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
@@ -1619,13 +1867,11 @@ int main(int argc, char **argv) {
                        if (checkcfg(CFG_NETWORK)) {
                                if (atoip(argv[i] + 12, &cfg.defaultgw)) {
                                        fprintf(stderr, "Error: invalid IP address\n");
-                                        return 1;
+                                        exit(1);
                                }
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
 #endif          
                else if (strncmp(argv[i], "--dns=", 6) == 0) {
@@ -1649,25 +1895,45 @@ int main(int argc, char **argv) {
 #ifdef HAVE_NETWORK
                else if (strcmp(argv[i], "--netfilter") == 0) {
-                        if (checkcfg(CFG_NETWORK)) {
+#ifdef HAVE_NETWORK_RESTRICTED
-                                arg_netfilter = 1;
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
                        }
-                        else {
+#endif
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
                                exit(1);
                        }
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_netfilter = 1;
+                        }
+                        else
+                                exit_err_feature("networking");
                }
                else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                                arg_netfilter_file = argv[i] + 12;
                                check_netfilter_file(arg_netfilter_file);
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
                else if (strncmp(argv[i], "--netfilter6=", 13) == 0) {
@@ -1676,41 +1942,61 @@ int main(int argc, char **argv) {
                                arg_netfilter6_file = argv[i] + 13;
                                check_netfilter_file(arg_netfilter6_file);
                        }
-                        else {
+                        else
-                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit_err_feature("networking");
-                                exit(1);
-                        }
                }
 #endif
                //*************************************
                // command
                //*************************************
+                else if (strcmp(argv[i], "--audit") == 0) {
+                        arg_audit_prog = LIBDIR "/firejail/faudit";
+                        arg_audit = 1;
+                }
+                else if (strncmp(argv[i], "--audit=", 8) == 0) {
+                        if (strlen(argv[i] + 8) == 0) {
+                                fprintf(stderr, "Error: invalid audit program\n");
+                                exit(1);
+                        }
+                        arg_audit_prog = strdup(argv[i] + 8);
+                        if (!arg_audit_prog)
+                                errExit("strdup");
+                        struct stat s;
+                        if (stat(arg_audit_prog, &s) != 0) {
+                                fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
+                                exit(1);
+                        }
+                        arg_audit = 1;
+                }
+                else if (strcmp(argv[i], "--appimage") == 0)
+                        arg_appimage = 1;
                else if (strcmp(argv[i], "--csh") == 0) {
                        if (arg_shell_none) {
                        
                                fprintf(stderr, "Error: --shell=none was already specified.\n");
                                return 1;
                        }
-                        if (arg_zsh || cfg.shell ) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: only one default user shell can be specified\n");
                                return 1;
                        }
-                        arg_csh = 1;
+                        cfg.shell = "/bin/csh";
                }
                else if (strcmp(argv[i], "--zsh") == 0) {
                        if (arg_shell_none) {
                                fprintf(stderr, "Error: --shell=none was already specified.\n");
                                return 1;
                        }
-                        if (arg_csh || cfg.shell ) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: only one default user shell can be specified\n");
                                return 1;
                        }
-                        arg_zsh = 1;
+                        cfg.shell = "/bin/zsh";
                }
                else if (strcmp(argv[i], "--shell=none") == 0) {
                        arg_shell_none = 1;
-                        if (arg_csh || arg_zsh || cfg.shell) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: a shell was already specified\n");
                                return 1;
                        }
@@ -1722,7 +2008,7 @@ int main(int argc, char **argv) {
                        }
                        invalid_filename(argv[i] + 8);
                        
-                        if (arg_csh || arg_zsh || cfg.shell) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: only one user shell can be specified\n");
                                return 1;
                        }
@@ -1732,9 +2018,18 @@ int main(int argc, char **argv) {
                                fprintf(stderr, "Error: invalid shell\n");
                                exit(1);
                        }
-                        
                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(cfg.shell, R_OK)) {
+                        if(cfg.chrootdir) {
+                                char *shellpath;
+                                if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
+                                        errExit("asprintf");
+                                if (access(shellpath, R_OK)) {
+                                        fprintf(stderr, "Error: cannot access shell file in chroot\n");
+                                        exit(1);
+                                }
+                                free(shellpath);
+                        } else if (access(cfg.shell, R_OK)) {
                                fprintf(stderr, "Error: cannot access shell file\n");
                                exit(1);
                        }
@@ -1746,6 +2041,30 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+                
+                // unlike all other x11 features, this is available always
+                else if (strcmp(argv[i], "--x11=none") == 0) {
+                        arg_x11_block = 1;
+                }
+#ifdef HAVE_X11
+                else if (strcmp(argv[i], "--x11=xorg") == 0) {
+                        if (checkcfg(CFG_X11))
+                                arg_x11_xorg = 1;
+                        else 
+                                exit_err_feature("x11");
+                }
+#endif
+                else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
+                        // NOTE: this is second part of option handler,
+                        //               atempt to find and join sandbox is done in other one
+                        // set sandbox name and start normally
+                        cfg.name = argv[i] + 16;
+                        if (strlen(cfg.name) == 0) {
+                                fprintf(stderr, "Error: please provide a name for sandbox\n");
+                                return 1;
+                        }
+                }
                else if (strcmp(argv[i], "--") == 0) {
                        // double dash - positional params to follow
                        arg_doubledash = 1;
@@ -1766,15 +2085,33 @@ int main(int argc, char **argv) {
                        }
                        
                        // we have a program name coming
-                        extract_command_name(i, argv);
+                        if (arg_appimage) {
+                                cfg.command_name = strdup(argv[i]);
+                                if (!cfg.command_name)
+                                        errExit("strdup");
+                        }
+                        else
+                                extract_command_name(i, argv);
                        prog_index = i;
                        break;
                }
        }
+        
+        // prog_index could still be -1 if no program was specified
+        if (prog_index == -1 && arg_shell_none) {
+                fprintf(stderr, "shell=none configured, but no program specified\n");
+                exit(1);
+        }
        // check trace configuration
-        if (arg_trace && arg_tracelog)
+        if (arg_trace && arg_tracelog) {
-                fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n");
+                if (!arg_quiet || arg_debug)
+                        fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n");
+        }
+        
+        // disable x11 abstract socket
+        if (getenv("FIREJAIL_X11"))
+                mask_x11_abstract_socket = 1;
        
        // check user namespace (--noroot) options
        if (arg_noroot) {
@@ -1798,66 +2135,41 @@ int main(int argc, char **argv) {
                free(msg);
        }
-        // build the sandbox command
+        // guess shell if unspecified
-        if (prog_index == -1 && arg_zsh) {
+        if (!arg_shell_none && !cfg.shell) {
-                cfg.command_line = "/usr/bin/zsh";
+                cfg.shell = guess_shell();
-                cfg.window_title = "/usr/bin/zsh";
+                if (!cfg.shell) {
-                cfg.command_name = "zsh";
+                        fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
-        }
+                        exit(1);
-        else if (prog_index == -1 && arg_csh) {
+                }
-                cfg.command_line = "/bin/csh";
+                if (arg_debug)
-                cfg.window_title = "/bin/csh";
+                        printf("Autoselecting %s as shell\n", cfg.shell);
-                cfg.command_name = "csh";
        }
-        else if (prog_index == -1 && cfg.shell) {
+        // build the sandbox command
+        if (prog_index == -1 && cfg.shell) {
                cfg.command_line = cfg.shell;
                cfg.window_title = cfg.shell;
                cfg.command_name = cfg.shell;
        }
-        else if (prog_index == -1) {
+        else if (arg_appimage) {
-                cfg.command_line = "/bin/bash";
+                if (arg_debug)
-                cfg.window_title = "/bin/bash";
+                        printf("Configuring appimage environment\n");
-                cfg.command_name = "bash";
+                appimage_set(cfg.command_name);
+                cfg.window_title = "appimage";
        }
        else {
-                // calculate the length of the command
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
-                int i;
-                int len = 0;
-                int argcnt = argc - prog_index;
-                for (i = 0; i < argcnt; i++)
-                        len += strlen(argv[i + prog_index]) + 3; // + ' ' + 2 '"'
-                // build the string
-                cfg.command_line = malloc(len + 1); // + '\0'
-                if (!cfg.command_line)
-                        errExit("malloc");
-                cfg.window_title = malloc(len + 1); // + '\0'
-                if (!cfg.window_title)
-                        errExit("malloc");
-                char *ptr1 = cfg.command_line;
-                char *ptr2 = cfg.window_title;
-                for (i = 0; i < argcnt; i++) {
-                        // detect bash commands
-                        if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) {
-                                sprintf(ptr1, "%s ", argv[i + prog_index]);
-                        }
-                        else if (arg_command){
-                                sprintf(ptr1, "%s ", argv[i + prog_index]);
-                        }
-                        else {
-                                sprintf(ptr1, "\"%s\" ", argv[i + prog_index]);
-                        }
-                        sprintf(ptr2, "%s ", argv[i + prog_index]);
-                        ptr1 += strlen(ptr1);
-                        ptr2 += strlen(ptr2);
-                }
        }
+/*      else {
+                fprintf(stderr, "Error: command must be specified when --shell=none used.\n");
+                exit(1);
+        }*/
        
        assert(cfg.command_name);
        if (arg_debug)
                printf("Command name #%s#\n", cfg.command_name);
+                
                                
        // load the profile
        if (!arg_noprofile) {
@@ -1881,14 +2193,16 @@ int main(int argc, char **argv) {
                }
        }
-        // use generic.profile as the default
+        // use default.profile as the default
        if (!custom_profile && !arg_noprofile) {
-                if (cfg.chrootdir)
+                if (cfg.chrootdir) {
-                        fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
+                        if (!arg_quiet || arg_debug)
-                else if (arg_overlay)
+                                fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
-                        fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
+                }
-//              else if (cfg.home_private_keep)
+                else if (arg_overlay) {
-//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
+                        if (!arg_quiet || arg_debug)
+                                fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
+                }
                else {
                        // try to load a default profile
                        char *profile_name = DEFAULT_USER_PROFILE;
@@ -1911,12 +2225,20 @@ int main(int argc, char **argv) {
                                else
                                        custom_profile = profile_find(profile_name, SYSCONFDIR);
                        }
+                        if (!custom_profile) {
+                                fprintf(stderr, "Error: no default.profile installed\n");
+                                exit(1);
+                        }
                        
                        if (custom_profile && !arg_quiet)
                                printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
                }
        }
+        // block X11 sockets
+        if (arg_x11_block)
+                x11_block();
        // check network configuration options - it will exit if anything went wrong
        net_check_cfg();
        
@@ -1947,11 +2269,13 @@ int main(int argc, char **argv) {
                errExit("pipe");
        if (arg_noroot && arg_overlay) {
-                fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
+                if (!arg_quiet || arg_debug)
+                        fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
                arg_noroot = 0;
        }
        else if (arg_noroot && cfg.chrootdir) {
-                fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n");
+                if (!arg_quiet || arg_debug)
+                        fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n");
                arg_noroot = 0;
        }
@@ -2012,7 +2336,10 @@ int main(int argc, char **argv) {
                        network_main(child);
                        if (arg_debug)
                                printf("Host network configured\n");                    
-                        exit(0);                        
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);                       
                }
                // wait for the child to finish
@@ -2061,16 +2388,30 @@ int main(int argc, char **argv) {
                ptr += strlen(ptr);
                
                //  add tty group
-                gid_t ttygid = get_tty_gid();
+                gid_t g = get_group_id("tty");
-                if (ttygid) {
+                if (g) {
-                        sprintf(ptr, "%d %d 1\n", ttygid, ttygid);
+                        sprintf(ptr, "%d %d 1\n", g, g);
                        ptr += strlen(ptr);
                }
                
                //  add audio group
-                gid_t audiogid = get_audio_gid();
+                g = get_group_id("audio");
-                if (ttygid) {
+                if (g) {
-                        sprintf(ptr, "%d %d 1\n", audiogid, audiogid);
+                        sprintf(ptr, "%d %d 1\n", g, g);
+                        ptr += strlen(ptr);
+                }
+                
+                //  add video group
+                g = get_group_id("video");
+                if (g) {
+                        sprintf(ptr, "%d %d 1\n", g, g);
+                        ptr += strlen(ptr);
+                }
+                
+                //  add games group
+                g = get_group_id("games");
+                if (g) {
+                        sprintf(ptr, "%d %d 1\n", g, g);
                }
                
                EUID_ROOT();
@@ -2084,8 +2425,10 @@ int main(int argc, char **argv) {
        close(parent_to_child_fds[1]);
 
        EUID_ROOT();
-        if (lockfd != -1)
+        if (lockfd != -1) {
                flock(lockfd, LOCK_UN);
+                close(lockfd);
+        }
        // create name file under /run/firejail
        
@@ -2101,13 +2444,6 @@ int main(int argc, char **argv) {
        waitpid(child, &status, 0);
        // free globals
-#ifdef HAVE_SECCOMP
-        if (cfg.seccomp_list_errno) {
-                for (i = 0; i < highest_errno; i++)
-                        free(cfg.seccomp_list_errno[i]);
-                free(cfg.seccomp_list_errno);
-        }
-#endif
        if (cfg.profile) {
                ProfileEntry *prf = cfg.profile;
                while (prf != NULL) {
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 71abfb53d..9e759ec70 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -47,67 +47,14 @@ void check_netfilter_file(const char *fname) {
        EUID_ASSERT();
        invalid_filename(fname);
        
-        if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
+        if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
-                fprintf(stderr, "Error: invalid network filter file\n");
+                fprintf(stderr, "Error: invalid network filter file %s\n", fname);
-                exit(1);
-        }
-        // access call checks as real UID/GID, not as effective UID/GID
-        if (access(fname, R_OK)) {
-                fprintf(stderr, "Error: cannot access network filter file\n");
                exit(1);
        }
 }
 void netfilter(const char *fname) {
-        // default filter
-        char *filter = client_filter;
-        // custom filter
-        int allocated = 0;
-        if (fname) {
-                // buffer the filter
-                struct stat s;
-                if (stat(fname, &s) == -1) {
-                        fprintf(stderr, "Error: cannot find network filter file %s\n", fname);
-                        exit(1);
-                }
-                filter = malloc(s.st_size + 1);   // + '\0'
-                if (!filter)
-                        errExit("malloc");
-                memset(filter, 0, s.st_size + 1);
-                /* coverity[toctou] */
-                FILE *fp = fopen(fname, "r");
-                if (!fp) {
-                        fprintf(stderr, "Error: cannot open network filter file %s\n", fname);
-                        exit(1);
-                }
-                size_t sz = fread(filter, 1, s.st_size, fp);
-                if ((off_t)sz != s.st_size) {
-                        fprintf(stderr, "Error: cannot read network filter file %s\n", fname);
-                        exit(1);
-                }
-                fclose(fp);
-                allocated = 1;
-        }
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("mounting /tmp");
-        // create the filter file
-        FILE *fp = fopen("/tmp/netfilter", "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open /tmp/netfilter file\n");
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
        // find iptables command
        struct stat s;
        char *iptables = NULL;
@@ -121,108 +68,56 @@ void netfilter(const char *fname) {
                iptables_restore = "/usr/sbin/iptables-restore";
        }
        if (iptables == NULL || iptables_restore == NULL) {
-                fprintf(stderr, "Error: iptables command not found\n");
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
-                goto doexit;
+                return;
        }
-        // push filter
+        // read filter
-        pid_t child = fork();
+        char *filter = client_filter;
-        if (child < 0)
+        int allocated = 0;
-                errExit("fork");
+        if (netfilter_default)
-        if (child == 0) {
+                fname = netfilter_default;
-                if (arg_debug)
+        if (fname) {
-                        printf("Installing network filter:\n%s\n", filter);
+                filter = read_text_file_or_exit(fname);
+                allocated = 1;
-                int fd;
-                if((fd = open("/tmp/netfilter", O_RDONLY)) == -1) {
-                        fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
-                        exit(1);
-                }
-                dup2(fd,STDIN_FILENO);
-                // wipe out environment variables
-                environ = NULL;
-                execl(iptables_restore, iptables_restore, NULL);
-                // it will never get here!!!
        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-        // debug
+        // create the filter file
-        if (arg_debug) {
+        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-                child = fork();
+        if (!fp) {
-                if (child < 0)
+                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                        errExit("fork");
+                exit(1);
-                if (child == 0) {
-                        // elevate privileges in order to get grsecurity working
-                        if (setreuid(0, 0))
-                                errExit("setreuid");
-                        if (setregid(0, 0))
-                                errExit("setregid");
-                        environ = NULL;
-                        execl(iptables, iptables, "-vL", NULL);
-                        // it will never get here!!!
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
        }
+        fprintf(fp, "%s\n", filter);
+        fclose(fp);
+        // push filter
+        if (arg_debug)
+                printf("Installing network filter:\n%s\n", filter);
+                
+        // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
+        // we run this command with caps and seccomp disabled in order to allow the loading of these modules
+        sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+        unlink(SBOX_STDIN_FILE);
-doexit:
+        // debug
-        // unmount /tmp
+        if (arg_debug) 
-        umount("/tmp");
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
        if (allocated)
                free(filter);
+        return;
 }
 void netfilter6(const char *fname) {
        if (fname == NULL)
                return;
                
-        char *filter;
-        // buffer the filter
-        struct stat s;
-        if (stat(fname, &s) == -1) {
-                fprintf(stderr, "Error: cannot find network filter file %s\n", fname);
-                exit(1);
-        }
-        filter = malloc(s.st_size + 1);   // + '\0'
-        if (!filter)
-                errExit("malloc");
-        memset(filter, 0, s.st_size + 1);
-        /* coverity[toctou] */
-        FILE *fp = fopen(fname, "r");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open network filter file %s\n", fname);
-                exit(1);
-        }
-        size_t sz = fread(filter, 1, s.st_size, fp);
-        if ((off_t)sz != s.st_size) {
-                fprintf(stderr, "Error: cannot read network filter file %s\n", fname);
-                exit(1);
-        }
-        fclose(fp);
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("mounting /tmp");
-        // create the filter file
-        fp = fopen("/tmp/netfilter6", "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
        // find iptables command
        char *ip6tables = NULL;
        char *ip6tables_restore = NULL;
+        struct stat s;
        if (stat("/sbin/ip6tables", &s) == 0) {
                ip6tables = "/sbin/ip6tables";
                ip6tables_restore = "/sbin/ip6tables-restore";
@@ -232,49 +127,33 @@ void netfilter6(const char *fname) {
                ip6tables_restore = "/usr/sbin/ip6tables-restore";
        }
        if (ip6tables == NULL || ip6tables_restore == NULL) {
-                fprintf(stderr, "Error: ip6tables command not found\n");
+                fprintf(stderr, "Error: ip6tables command not found, netfilter6 not configured\n");
-                goto doexit;
+                return;
        }
-        // push filter
+        // create the filter file
-        pid_t child = fork();
+        char *filter = read_text_file_or_exit(fname);
-        if (child < 0)
+        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-                errExit("fork");
+        if (!fp) {
-        if (child == 0) {
+                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                if (arg_debug)
+                exit(1);
-                        printf("Installing network filter:\n%s\n", filter);
-                int fd;
-                if((fd = open("/tmp/netfilter6", O_RDONLY)) == -1) {
-                        fprintf(stderr,"Error: cannot open /tmp/netfilter6\n");
-                        exit(1);
-                }
-                dup2(fd,STDIN_FILENO);
-                // wipe out environment variables
-                environ = NULL;
-                execl(ip6tables_restore, ip6tables_restore, NULL);
-                // it will never get here!!!
        }
-        // wait for the child to finish
+        fprintf(fp, "%s\n", filter);
-        waitpid(child, NULL, 0);
+        fclose(fp);
+        // push filter
+        if (arg_debug)
+                printf("Installing network filter:\n%s\n", filter);
+        // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
+        // we run this command with caps and seccomp disabled in order to allow the loading of these modules
+        sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+        unlink(SBOX_STDIN_FILE);
+        
        // debug
-        if (arg_debug) {
+        if (arg_debug)
-                child = fork();
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL");
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        environ = NULL;
-                        execl(ip6tables, ip6tables, "-vL", NULL);
-                        // it will never get here!!!
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-        }
-doexit:
-        // unmount /tmp
-        umount("/tmp");
        free(filter);
+        return;
 }
diff --git a/src/firejail/network.c b/src/firejail/network.c
index aac48e521..6d09d770f 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -28,70 +28,6 @@
 #include <net/route.h>
 #include <linux/if_bridge.h>
-// scan interfaces in current namespace and print IP address/mask for each interface
-void net_ifprint(void) {
-        uint32_t ip;
-        uint32_t mask;
-        struct ifaddrs *ifaddr, *ifa;
-        if (getifaddrs(&ifaddr) == -1)
-                errExit("getifaddrs");
-        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
-                "Interface", "MAC", "IP", "Mask", "Status");
-        // walk through the linked list
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-                if (ifa->ifa_addr->sa_family == AF_INET) {
-                        struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
-                        mask = ntohl(si->sin_addr.s_addr);
-                        si = (struct sockaddr_in *) ifa->ifa_addr;
-                        ip = ntohl(si->sin_addr.s_addr);
-                        // interface status
-                        char *status;
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                status = "UP";
-                        else
-                                status = "DOWN";
-                        // ip address and mask
-                        char ipstr[30];
-                        sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip));
-                        char maskstr[30];
-                        sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask));
-                        
-                        // mac address
-                        unsigned char mac[6];
-                        net_get_mac(ifa->ifa_name, mac);
-                        char macstr[30];
-                        if (strcmp(ifa->ifa_name, "lo") == 0)
-                                macstr[0] = '\0';
-                        else
-                                sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac));
-                        // print                                
-                        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
-                                ifa->ifa_name, macstr, ipstr, maskstr, status);
-                        // network scanning
-                        if (!arg_scan)                          // scanning disabled
-                                continue;
-                        if (strcmp(ifa->ifa_name, "lo") == 0)   // no loopbabck scanning
-                                continue;
-                        if (mask2bits(mask) < 16)               // not scanning large networks
-                                continue;
-                        if (!ip)                                        // if not configured
-                                continue;
-                        // only if the interface is up and running
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                arp_scan(ifa->ifa_name, ip, mask);
-                }
-        }
-        freeifaddrs(ifaddr);
-}
 int net_get_mtu(const char *ifname) {
        int mtu = 0;
@@ -190,95 +126,11 @@ void net_if_up(const char *ifname) {
                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
                exit(1);
        }
-        
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, 
-        int sock = socket(AF_INET,SOCK_DGRAM,0);
+                PATH_FNET, "ifup", ifname);
-        if (sock < 0)
+}       
-                errExit("socket");
-        // get the existing interface flags
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        // read the existing flags
-        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        ifr.ifr_flags |= IFF_UP;
-        // set the new flags
-        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        // checking
-        // read the existing flags
-        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        // wait not more than 500ms for the interface to come up
-        int cnt = 0;
-        while (cnt < 50) {
-                usleep(10000);                    // sleep 10ms
-                // read the existing flags
-                if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                        close(sock);
-                        errExit("ioctl");
-                }
-                if (ifr.ifr_flags & IFF_RUNNING)
-                        break;
-                cnt++;
-        }
-        close(sock);
-}
-// bring interface up
-void net_if_down(const char *ifname) {
-        if (strlen(ifname) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
-                exit(1);
-        }
-        
-        int sock = socket(AF_INET,SOCK_DGRAM,0);
-        if (sock < 0)
-                errExit("socket");
-        // get the existing interface flags
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        // read the existing flags
-        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        ifr.ifr_flags &= ~IFF_UP;
-        // set the new flags
-        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        close(sock);
-}
-struct ifreq6 {
-        struct in6_addr ifr6_addr;
-        uint32_t ifr6_prefixlen;
-        unsigned int ifr6_ifindex;
-};
 // configure interface ipv6 address
 // ex: firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64
 void net_if_ip6(const char *ifname, const char *addr6) {
@@ -287,107 +139,11 @@ void net_if_ip6(const char *ifname, const char *addr6) {
                exit(1);
        }
        
-        // extract prefix
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, 
-        unsigned long prefix;
+                PATH_FNET, "config", "ipv6", ifname, addr6);
-        char *ptr;
-        if ((ptr = strchr(addr6, '/'))) {
-                prefix = atol(ptr + 1);
-                if (prefix > 128) {
-                        fprintf(stderr, "Error: invalid prefix for IPv6 address %s\n", addr6);
-                        exit(1);
-                }
-                *ptr = '\0';    // mark the end of the address
-        }
-        else
-                prefix = 128;
-        // extract address
-        struct sockaddr_in6 sin6;
-        memset(&sin6, 0, sizeof(sin6));
-        sin6.sin6_family = AF_INET6;
-        int rv = inet_pton(AF_INET6, addr6, sin6.sin6_addr.s6_addr);
-        if (rv <= 0) {
-                fprintf(stderr, "Error: invalid IPv6 address %s\n", addr6);
-                exit(1);
-        }
-        // open socket
-        int sock = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
-        if (sock < 0) {
-                fprintf(stderr, "Error: IPv6 is not supported on this system\n");
-                exit(1);
-        }
-        // find interface index
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) {
-                perror("ioctl SIOGIFINDEX");
-                exit(1);
-        }
-        // configure address
-        struct ifreq6 ifr6;
-        memset(&ifr6, 0, sizeof(ifr6));
-        ifr6.ifr6_prefixlen = prefix;
-        ifr6.ifr6_ifindex = ifr.ifr_ifindex;
-        memcpy((char *) &ifr6.ifr6_addr, (char *) &sin6.sin6_addr, sizeof(struct in6_addr));
-        if (ioctl(sock, SIOCSIFADDR, &ifr6) < 0) {
-                perror("ioctl SIOCSIFADDR");
-                exit(1);
-        }
-        
-        close(sock);
-}
-// configure interface ipv4 address
-void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
-        if (strlen(ifname) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
-                exit(1);
-        }
-        if (arg_debug)
-                printf("configure interface %s\n", ifname);
-        int sock = socket(AF_INET,SOCK_DGRAM,0);
-        if (sock < 0)
-                errExit("socket");
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
-        if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        if (ip != 0) {
-                ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr =  htonl(mask);
-                if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) {
-                        close(sock);
-                        errExit("ioctl");
-                }
-        }
-        
-        // configure mtu
-        if (mtu > 0) {
-                ifr.ifr_mtu = mtu;
-                if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) {
-                        close(sock);
-                        errExit("ioctl");
-                }
-        }
-        close(sock);
-        usleep(10000);                            // sleep 10ms
 }
 // add an IP route, return -1 if error, 0 if the route was added
 int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
        int sock;
@@ -425,52 +181,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
 }
-// add a veth device to a bridge
-void net_bridge_add_interface(const char *bridge, const char *dev) {
-        if (strlen(bridge) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", bridge);
-                exit(1);
-        }
-        // somehow adding the interface to the bridge resets MTU on bridge device!!!
-        // workaround: restore MTU on the bridge device
-        // todo: put a real fix in
-        int mtu1 = net_get_mtu(bridge);
-        struct ifreq ifr;
-        int err;
-        int ifindex = if_nametoindex(dev);
-        if (ifindex <= 0)
-                errExit("if_nametoindex");
-        int sock;
-        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
-                errExit("socket");
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
-#ifdef SIOCBRADDIF
-        ifr.ifr_ifindex = ifindex;
-        err = ioctl(sock, SIOCBRADDIF, &ifr);
-        if (err < 0)
-#endif
-        {
-                unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 };
-                ifr.ifr_data = (char *) args;
-                err = ioctl(sock, SIOCDEVPRIVATE, &ifr);
-        }
-        (void) err;
-        close(sock);
-        int mtu2 = net_get_mtu(bridge);
-        if (mtu1 != mtu2) {
-                if (arg_debug)
-                        printf("Restoring MTU for %s\n", bridge);
-                net_set_mtu(bridge, mtu1);
-        }
-}
 #define BUFSIZE 1024
 uint32_t network_get_defaultgw(void) {
@@ -504,20 +214,15 @@ uint32_t network_get_defaultgw(void) {
 }
 int net_config_mac(const char *ifname, const unsigned char mac[6]) {
-        struct ifreq ifr;
+        char *macstr;
-        int sock;
+        if (asprintf(&macstr, "%02x:%02x:%02x:%02x:%02x:%02x",
+                mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]) == -1)
-        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("asprintf");
-                errExit("socket");
-        memset(&ifr, 0, sizeof(ifr));
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, 
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+                PATH_FNET, "config", "mac", ifname, macstr);
-        ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
-        memcpy(ifr.ifr_hwaddr.sa_data, mac, 6);
        
-        if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1)
+        free(macstr);
-                errExit("ioctl");
-        close(sock);
        return 0;
 }
@@ -540,3 +245,27 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
        close(sock);
        return 0;
 }
+void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) {
+        assert(dev);
+        
+        char *ipstr;
+        if (asprintf(&ipstr, "%llu", (long long unsigned) ip) == -1)
+                errExit("asprintf");
+        char *maskstr;
+        if (asprintf(&maskstr, "%llu", (long long unsigned) mask) == -1)
+                errExit("asprintf");
+        char *mtustr;
+        if (asprintf(&mtustr, "%d", mtu) == -1)
+                errExit("asprintf");
+        
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, 
+                PATH_FNET, "config", "interface", dev, ipstr, maskstr, mtustr);
+        free(ipstr);
+        free(maskstr);
+        free(mtustr);
+}
diff --git a/src/firejail/network.txt b/src/firejail/network.txt
index 673d5b941..f6df0f485 100644
--- a/src/firejail/network.txt
+++ b/src/firejail/network.txt
@@ -13,7 +13,7 @@ net_configure_bridge(br, device) {
 }
 net_configure_sandbox_ip(br) {
-        if br->ip_snadbox
+        if br->ip_sandbox
                check br->ipsandbox inside the bridge network
                arp_check(br->ipsandbox)        // send an arp req to check if anybody else is using this address
        else
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index e6d5cd5d7..9fbc09d2b 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -23,6 +23,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <net/if.h>
+#include <stdarg.h>
 // configure bridge structure
 // - extract ip address and mask from the bridge interface
@@ -56,9 +57,12 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
                }
        }
+        // allow unconfigured interfaces
        if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) {
-                fprintf(stderr, "Error: interface %s is not configured\n", br->dev);
+                fprintf(stderr, "Warning: the network interface %s is not configured\n", br->dev);
-                exit(1);
+                br->configured = 1;
+                br->arg_ip_none = 1;
+                return;
        }
        if (arg_debug) {
                if (br->macvlan == 0)
@@ -117,15 +121,18 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
        // create a veth pair
        char *dev;
-        if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
+        if (br->veth_name == NULL) {
+                if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
+                        errExit("asprintf");
+        }
+        else
+                dev = br->veth_name;
+                
+        char *cstr;
+        if (asprintf(&cstr, "%d", child) == -1)
                errExit("asprintf");
-        net_create_veth(dev, ifname, child);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+        free(cstr);
-        // add interface to the bridge
-        net_bridge_add_interface(br->dev, dev);
-        // bring up the interface
-        net_if_up(dev);
        char *msg;
        if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
@@ -224,23 +231,6 @@ void net_check_cfg(void) {
        }
 }
-void net_dns_print_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        net_dns_print(pid);
-}
 #define MAXBUF 4096
 void net_dns_print(pid_t pid) {
        EUID_ASSERT();
@@ -282,47 +272,53 @@ void net_dns_print(pid_t pid) {
 }
 void network_main(pid_t child) {
+        char *cstr;
+        if (asprintf(&cstr, "%d", child) == -1)
+                errExit("asprintf");
        // create veth pair or macvlan device
        if (cfg.bridge0.configured) {
                if (cfg.bridge0.macvlan == 0) {
                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
                }
                else
-                        net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
        }
        
        if (cfg.bridge1.configured) {
                if (cfg.bridge1.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
                else
-                        net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
        }
        
        if (cfg.bridge2.configured) {
                if (cfg.bridge2.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
                else
-                        net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
        }
        
        if (cfg.bridge3.configured) {
                if (cfg.bridge3.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
                else
-                        net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
        }
        // move interfaces in sandbox
        if (cfg.interface0.configured) {
-                net_move_interface(cfg.interface0.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
        }
        if (cfg.interface1.configured) {
-                net_move_interface(cfg.interface1.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
        }
        if (cfg.interface2.configured) {
-                net_move_interface(cfg.interface2.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
        }
        if (cfg.interface3.configured) {
-                net_move_interface(cfg.interface3.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
        }
+        free(cstr);
 }
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index a9242f035..c56d90994 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -23,6 +23,65 @@
 #include <unistd.h>
 #include <grp.h>
+#define MAX_BUF 4096
+int is_container(const char *str) {
+        assert(str);
+        if (strcmp(str, "lxc") == 0 ||
+             strcmp(str, "docker") == 0 ||
+             strcmp(str, "lxc-libvirt") == 0 ||
+             strcmp(str, "systemd-nspawn") == 0 ||
+             strcmp(str, "rkt") == 0)
+                return 1;
+        return 0;
+}
+// returns 1 if we are running under LXC
+int check_namespace_virt(void) {
+        EUID_ASSERT();
+        
+        // check container environment variable
+        char *str = getenv("container");
+        if (str && is_container(str))
+                return 1;
+        
+        // check PID 1 container environment variable
+        EUID_ROOT();
+        FILE *fp = fopen("/proc/1/environ", "r");
+        if (fp) {
+                int c = 0;
+                while (c != EOF) {
+                        // read one line
+                        char buf[MAX_BUF];
+                        int i = 0;
+                        while ((c = fgetc(fp)) != EOF) {
+                                if (c == 0)
+                                        break;
+                                buf[i] = (char) c;
+                                if (++i == (MAX_BUF - 1))
+                                        break;
+                        }
+                        buf[i] = '\0';
+                        
+                        // check env var name
+                        if (strncmp(buf, "container=", 10) == 0) {
+                                // found it
+                                if (is_container(buf + 10)) {
+                                        fclose(fp);
+                                        EUID_USER();
+                                        return 1;
+                                }
+                        }
+//                      printf("i %d c %d, buf #%s#\n", i, c, buf);
+                }
+                
+                fclose(fp);
+        }
+                
+        EUID_USER();
+        return 0;
+}
 // check process space for kernel processes
 // return 1 if found, 0 if not found
 int check_kernel_procs(void) {
@@ -103,44 +162,73 @@ int check_kernel_procs(void) {
 void run_no_sandbox(int argc, char **argv) {
        EUID_ASSERT();
-        // build command
+        // process limited subset of options
-        char *command = NULL;
+        int i;
-        int allocated = 0;
+        for (i = 0; i < argc; i++) {
-        if (argc == 1)
+                if (strcmp(argv[i], "--debug") == 0)
-                command = "/bin/bash";
+                        arg_debug = 1;
-        else {
+                else if (strcmp(argv[i], "--csh") == 0 ||
-                // calculate length
+                    strcmp(argv[i], "--zsh") == 0 ||
-                int len = 0;
+                    strcmp(argv[i], "--shell=none") == 0 ||
-                int i;
+                    strncmp(argv[i], "--shell=", 8) == 0)
-                for (i = 1; i < argc; i++) {
+                        fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable");
-                        if (*argv[i] == '-')
+        }
-                                continue;
+        // use $SHELL to get shell used in sandbox
+        char *shell =  getenv("SHELL");
+        if (shell && access(shell, R_OK) == 0)
+                cfg.shell = shell;
+        // guess shell otherwise
+        if (!cfg.shell) {
+                cfg.shell = guess_shell();
+                if (arg_debug)
+                        printf("Autoselecting %s as shell\n", cfg.shell);
+        }
+        if (!cfg.shell) {
+                fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
+                exit(1);
+        }
+        int prog_index = 0;
+        // find first non option arg:
+        //      - first argument not starting wiht --,
+        //      - whatever follows after -c (example: firejail -c ls)
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-c") == 0) {
+                        prog_index = i + 1;
+                        if (prog_index == argc) {
+                                fprintf(stderr, "Error: option -c requires an argument\n");
+                                exit(1);
+                        }
                        break;
                }
-                int start_index = i;
+                // check first argument not starting with --
-                for (i = start_index; i < argc; i++)
+                if (strncmp(argv[i],"--",2) != 0) {
-                        len += strlen(argv[i]) + 1;
+                        prog_index = i;
-                
+                        break;
-                // allocate
-                command = malloc(len + 1);
-                if (!command)
-                        errExit("malloc");
-                memset(command, 0, len + 1);
-                allocated = 1;
-                
-                // copy
-                for (i = start_index; i < argc; i++) {
-                        strcat(command, argv[i]);
-                        strcat(command, " ");
                }
        }
-        
-        // start the program in /bin/sh
+        if (prog_index == 0) {
-        fprintf(stderr, "Warning: an existing sandbox was detected. "
+                cfg.command_line = cfg.shell;
-                "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
+                cfg.window_title = cfg.shell;
-        int rv = system(command);
+        } else {
-        (void) rv;
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
-        if (allocated)
+        }
-                free(command);
-        exit(1);
+        cfg.original_argv = argv;
+        cfg.original_program_index = prog_index;
+        char *command;
+        if (prog_index == 0)
+                command = cfg.shell;
+        else
+                command = argv[prog_index];
+        if (!arg_quiet)
+                fprintf(stderr, "Warning: an existing sandbox was detected. "
+                        "%s will run without any additional sandboxing features\n", command);
+        arg_quiet = 1;
+        start_application();
 }
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 269ac25ea..91fe7f164 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -27,7 +27,6 @@ void check_output(int argc, char **argv) {
        
        int i;
        char *outfile = NULL;
-//      drop_privs(0);
        int found = 0;
        for (i = 1; i < argc; i++) {
@@ -91,6 +90,7 @@ void check_output(int argc, char **argv) {
        sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
        // run command
+        drop_privs(0);
        char *a[4];
        a[0] = "/bin/bash";
        a[1] = "-c";
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
new file mode 100644
index 000000000..d2db7d3dd
--- /dev/null
+++ b/src/firejail/preproc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
+static int tmpfs_mounted = 0;
+// build /run/firejail directory
+void preproc_build_firejail_dir(void) {
+        struct stat s;
+        // CentOS 6 doesn't have /run directory
+        if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
+        }
+        if (stat(RUN_FIREJAIL_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
+        }
+                
+        if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
+        }
+        
+        if (stat(RUN_MNT_DIR, &s)) {
+                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+        }
+        create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
+        create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
+}
+// build /run/firejail/mnt directory
+void preproc_mount_mnt_dir(void) {
+        // mount tmpfs on top of /run/firejail/mnt
+        if (!tmpfs_mounted) {
+                if (arg_debug)
+                        printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
+                if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mounting /run/firejail/mnt");
+                tmpfs_mounted = 1;
+                fs_logger2("tmpfs", RUN_MNT_DIR);
+                
+                //copy defaultl seccomp files
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+                if (arg_allow_debuggers)
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                else
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        
+                // as root, create an empty RUN_SECCOMP_PROTOCOL file
+                create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
+                if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
+                        errExit("set_perms");
+        }
+}
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 6ded0ca2f..da3daf95a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -63,6 +63,13 @@ int profile_find(const char *name, const char *dir) {
 // run-time profiles
 //***************************************************
+static void warning_feature_disabled(const char *feature) {
+        if (!arg_quiet)
+                fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature);
+}
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
@@ -105,7 +112,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // mkdir 
        if (strncmp(ptr, "mkdir ", 6) == 0) {
                fs_mkdir(ptr + 6);
-                return 0;
+                return 1;       // process mkdir again while applying blacklists
+        }
+        // mkfile 
+        if (strncmp(ptr, "mkfile ", 7) == 0) {
+                fs_mkfile(ptr + 7);
+                return 1;       // process mkfile again while applying blacklists
        }
        // sandbox name
        else if (strncmp(ptr, "name ", 5) == 0) {
@@ -126,17 +138,21 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                if (checkcfg(CFG_USERNS))
                        check_user_namespace();
                else
-                        fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n");
+                        warning_feature_disabled("noroot");
 #endif
                return 0;
        }
+        else if (strcmp(ptr, "nonewprivs") == 0) {
+                arg_nonewprivs = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "seccomp") == 0) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP))
                        arg_seccomp = 1;
                else
-                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+                        warning_feature_disabled("seccomp");
 #endif
                return 0;
        }
@@ -160,6 +176,21 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_private = 1;
                return 0;
        }
+        if (strncmp(ptr, "private-home ", 13) == 0) {
+#ifdef HAVE_PRIVATE_HOME
+                if (checkcfg(CFG_PRIVATE_HOME)) {
+                        cfg.home_private_keep = ptr + 13;
+                        arg_private = 1;
+                }
+                else
+                        warning_feature_disabled("private-home");
+#endif
+                return 0;
+        }
+        else if (strcmp(ptr, "allusers") == 0) {
+                arg_allusers = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "private-dev") == 0) {
                arg_private_dev = 1;
                return 0;
@@ -174,7 +205,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        else if (strcmp(ptr, "nosound") == 0) {
                arg_nosound = 1;
-                arg_private_dev = 1;
+                return 0;
+        }
+        else if (strcmp(ptr, "no3d") == 0) {
+                arg_no3d = 1;
                return 0;
        }
        else if (strcmp(ptr, "netfilter") == 0) {
@@ -182,7 +216,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                if (checkcfg(CFG_NETWORK))
                        arg_netfilter = 1;
                else
-                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+                        warning_feature_disabled("networking");
 #endif
                return 0;
        }
@@ -196,7 +230,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        check_netfilter_file(arg_netfilter_file);
                }
                else
-                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+                        warning_feature_disabled("networking");
 #endif
                return 0;
        }
@@ -210,7 +244,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        check_netfilter_file(arg_netfilter6_file);
                }
                else
-                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+                        warning_feature_disabled("networking");
 #endif
                return 0;
        }
@@ -228,7 +262,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        cfg.interface3.configured = 0;
                }
                else
-                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+                        warning_feature_disabled("networking");
 #endif
                return 0;
        }
@@ -269,11 +303,34 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        net_configure_bridge(br, ptr + 4);
                }
                else
-                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+                        warning_feature_disabled("networking");
 #endif
                return 0;
        }
        
+        else if (strncmp(ptr, "veth-name ", 10) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        br->veth_name = strdup(ptr + 10);
+                        if (br->veth_name == NULL)
+                                errExit("strdup");
+                        if (*br->veth_name == '\0') {
+                                fprintf(stderr, "Error: no veth-name configured\n");
+                                exit(1);
+                        }
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
        else if (strncmp(ptr, "iprange ", 8) == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK)) {
@@ -314,24 +371,162 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        }
                }
                else
-                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "mac ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (mac_not_zero(br->macsandbox)) {
+                                fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
+                                exit(1);
+                        }
+                        // read the address
+                        if (atomac(ptr + 4, br->macsandbox)) {
+                                fprintf(stderr, "Error: invalid MAC address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "mtu ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
+                                fprintf(stderr, "Error: invalid mtu value\n");
+                                exit(1);
+                        }
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "ip ", 3) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ipsandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+                        // configure this IP address for the last bridge defined
+                        if (strcmp(ptr + 3, "none") == 0)
+                                br->arg_ip_none = 1;
+                        else {
+                                if (atoip(ptr + 3, &br->ipsandbox)) {
+                                        fprintf(stderr, "Error: invalid IP address\n");
+                                        exit(1);
+                                }
+                        }
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "ip6 ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ip6sandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+                        // configure this IP address for the last bridge defined
+                        // todo: verify ipv6 syntax
+                        br->ip6sandbox = ptr + 4;
+//                      if (atoip(argv[i] + 5, &br->ipsandbox)) {
+//                              fprintf(stderr, "Error: invalid IP address\n");
+//                              exit(1);
+//                      }
+                        
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "defaultgw ", 10) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        if (atoip(ptr + 10, &cfg.defaultgw)) {
+                                fprintf(stderr, "Error: invalid IP address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "apparmor") == 0) {
+#ifdef HAVE_APPARMOR            
+                arg_apparmor = 1;
 #endif
                return 0;
        }
-        
        if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
-                if (checkcfg(CFG_SECCOMP))
+                if (checkcfg(CFG_SECCOMP)) {
-                        protocol_store(ptr + 9);
+                        if (cfg.protocol) {
+                                if (!arg_quiet)
+                                        fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
+                                return 0;
+                        }
+                        
+                        // store list
+                        cfg.protocol = strdup(ptr + 9);
+                        if (!cfg.protocol)
+                                errExit("strdup");
+                }
                else
-                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+                        warning_feature_disabled("seccomp");
 #endif
                return 0;
        }
        
        if (strncmp(ptr, "env ", 4) == 0) {
-                env_store(ptr + 4);
+                env_store(ptr + 4, SETENV);
+                return 0;
+        }
+        if (strncmp(ptr, "rmenv ", 6) == 0) {
+                env_store(ptr + 6, RMENV);
                return 0;
        }
        
@@ -340,12 +535,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP)) {
                        arg_seccomp = 1;
-                        cfg.seccomp_list = strdup(ptr + 8);
+                        cfg.seccomp_list = seccomp_check_list(ptr + 8);
-                        if (!cfg.seccomp_list)
-                                errExit("strdup");
                }
-                else
+                else if (!arg_quiet)
-                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+                        warning_feature_disabled("seccomp");
 #endif
                return 0;
@@ -356,12 +549,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP)) {
                        arg_seccomp = 1;
-                        cfg.seccomp_list_drop = strdup(ptr + 13);
+                        cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
-                        if (!cfg.seccomp_list_drop)
-                                errExit("strdup");
                }
                else
-                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+                        warning_feature_disabled("seccomp");
 #endif          
                return 0;
        }
@@ -371,12 +562,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP)) {
                        arg_seccomp = 1;
-                        cfg.seccomp_list_keep= strdup(ptr + 13);
+                        cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
-                        if (!cfg.seccomp_list_keep)
-                                errExit("strdup");
                }
                else
-                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+                        warning_feature_disabled("seccomp");
 #endif          
                return 0;
        }
@@ -387,9 +576,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_caps_list = strdup(ptr + 10);
                if (!arg_caps_list)
                        errExit("strdup");
-                // verify seccomp list and exit if problems
+                // verify caps list and exit if problems
-                if (caps_check_list(arg_caps_list, NULL))
+                caps_check_list(arg_caps_list, NULL);
-                        exit(1);
                return 0;
        }
        
@@ -399,9 +587,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_caps_list = strdup(ptr + 10);
                if (!arg_caps_list)
                        errExit("strdup");
-                // verify seccomp list and exit if problems
+                // verify caps list and exit if problems
-                if (caps_check_list(arg_caps_list, NULL))
+                caps_check_list(arg_caps_list, NULL);
-                        exit(1);
                return 0;
        }
@@ -441,6 +628,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // nice value
        if (strncmp(ptr, "nice ", 4) == 0) {
                cfg.nice = atoi(ptr + 5);
+                if (getuid() != 0 &&cfg.nice < 0)
+                        cfg.nice = 0;
                arg_nice = 1;
                return 0;
        }
@@ -451,6 +640,26 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+        // writable-etc
+        if (strcmp(ptr, "writable-etc") == 0) {
+                if (cfg.etc_private_keep) {
+                        fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
+                arg_writable_etc = 1;
+                return 0;
+        }
+        
+        if (strcmp(ptr, "machine-id") == 0) {
+                arg_machineid = 1;
+                return 0;
+        }
+        // writable-var
+        if (strcmp(ptr, "writable-var") == 0) {
+                arg_writable_var = 1;
+                return 0;
+        }
+        
        // private directory
        if (strncmp(ptr, "private ", 8) == 0) {
                cfg.home_private = ptr + 8;
@@ -459,16 +668,104 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "x11 none") == 0) {
+                arg_x11_block = 1;
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xephyr") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0) {
+                                mask_x11_abstract_socket = 1;
+                                return 0;
+                        }
+                        else {
+                                // start x11
+                                x11_start_xephyr(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+                else
+                        warning_feature_disabled("x11");
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xorg") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11))
+                        arg_x11_xorg = 1;
+                else
+                        warning_feature_disabled("x11");
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xpra") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0) {
+                                mask_x11_abstract_socket = 1;
+                                return 0;
+                        }
+                        else {
+                                // start x11
+                                x11_start_xpra(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+                else
+                        warning_feature_disabled("x11");
+#endif
+                return 0;
+        }
+        
+        if (strcmp(ptr, "x11") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0) {
+                                mask_x11_abstract_socket = 1;
+                                return 0;
+                        }
+                        else {
+                                // start x11
+                                x11_start(cfg.original_argc, cfg.original_argv);
+                                exit(0);                
+                        }
+                }
+                else
+                        warning_feature_disabled("x11");
+#endif          
+                return 0;
+        }
+        
        // private /etc list of files and directories
        if (strncmp(ptr, "private-etc ", 12) == 0) {
-                cfg.etc_private_keep = ptr + 12;
+                if (arg_writable_etc) {
-                fs_check_etc_list();
+                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                if (*cfg.etc_private_keep != '\0')
+                        exit(1);
-                        arg_private_etc = 1;
-                else {
-                        arg_private_etc = 0;
-                        fprintf(stderr, "Warning: private-etc disabled, no file found\n");
                }
+                cfg.etc_private_keep = ptr + 12;
+                arg_private_etc = 1;
+                
+                return 0;
+        }
+        // private /opt list of files and directories
+        if (strncmp(ptr, "private-opt ", 12) == 0) {
+                cfg.opt_private_keep = ptr + 12;
+                arg_private_opt = 1;
+                
+                return 0;
+        }
+        // private /srv list of files and directories
+        if (strncmp(ptr, "private-srv ", 12) == 0) {
+                cfg.srv_private_keep = ptr + 12;
+                arg_private_srv = 1;
                
                return 0;
        }
@@ -477,7 +774,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        if (strncmp(ptr, "private-bin ", 12) == 0) {
                cfg.bin_private_keep = ptr + 12;
                arg_private_bin = 1;
-                fs_check_bin_list();
                return 0;
        }
@@ -514,13 +810,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        *(dname2 - 1) = ',';
                        return 1;
                }
-                else {
+                else
-                        fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n");
+                        warning_feature_disabled("bind");
-                        return 0;                       
-                }
-#else
-                return 0;
 #endif          
+                return 0;
        }
        // rlimit
@@ -569,6 +862,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;               
        }
+        if (strncmp(ptr, "join-or-start ", 14) == 0) {
+                // try to join by name only
+                pid_t pid;
+                if (!name2pid(ptr + 14, &pid)) {
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
+                        // find first non-option arg
+                        int i;
+                        for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
+                        join(pid, cfg.original_argc,cfg.original_argv, i + 1);
+                        exit(0);
+                }
+                // set sandbox name and start normally
+                cfg.name = ptr + 14;
+                if (strlen(cfg.name) == 0) {
+                        fprintf(stderr, "Error: invalid sandbox name\n");
+                        exit(1);
+                }
+                return 0;
+        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
@@ -577,11 +894,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        else if (strncmp(ptr, "noblacklist ", 12) == 0)
                ptr += 12;
        else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                arg_whitelist = 1;
+#ifdef HAVE_WHITELIST           
-                ptr += 10;
+                if (checkcfg(CFG_WHITELIST)) {
+                        arg_whitelist = 1;
+                        ptr += 10;
+                }
+                else
+                        return 0;
+#else           
+                return 0;
+#endif
        }
        else if (strncmp(ptr, "read-only ", 10) == 0)
                ptr += 10;
+        else if (strncmp(ptr, "read-write ", 11) == 0)
+                ptr += 11;
+        else if (strncmp(ptr, "noexec ", 7) == 0)
+                ptr += 7;
        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
                if (getuid() != 0) {
                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
@@ -651,6 +980,16 @@ void profile_read(const char *fname) {
                exit(1);
        }
+        // allow debuggers
+        if (arg_allow_debuggers) {
+                char *tmp = strrchr(fname, '/');
+                if (tmp && *(tmp + 1) != '\0') {
+                        tmp++;
+                        if (strcmp(tmp, "disable-devel.inc") == 0)
+                                return;
+                }
+        }
        // open profile file:
        FILE *fp = fopen(fname, "r");
        if (fp == NULL) {
@@ -658,8 +997,7 @@ void profile_read(const char *fname) {
                exit(1);
        }
-        if (!arg_quiet)
+        int msg_printed = 0;
-                fprintf(stderr, "Reading profile %s\n", fname);
        // read the file line by line
        char buf[MAX_READ + 1];
@@ -677,6 +1015,18 @@ void profile_read(const char *fname) {
                        continue;
                }
                
+                // process quiet
+                if (strcmp(ptr, "quiet") == 0) {
+                        arg_quiet = 1;
+                        free(ptr);
+                        continue;
+                }
+                if (!msg_printed) {
+                        if (!arg_quiet)
+                                fprintf(stderr, "Reading profile %s\n", fname);
+                        msg_printed = 1;
+                }
                // process include
                if (strncmp(ptr, "include ", 8) == 0) {
                        include_level++;
@@ -703,6 +1053,9 @@ void profile_read(const char *fname) {
 //              else {
 //                      free(ptr);
 //              }
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
        }
        fclose(fp);
 }
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 7e5ab7dfb..2a09ed010 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,269 +18,18 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-/*
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL,
-                ONLY(SYS_socket),
-                EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else
-                WHITELIST(AF_INET),
-                WHITELIST(AF_INET6),
-                WHITELIST(AF_PACKET),
-                RETURN_ERRNO(ENOTSUP)
-        };
-        struct sock_fprog prog = {
-                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
-                .filter = filter,
-        };
-        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                perror("prctl(NO_NEW_PRIVS)");
-                return 1;
-        }
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-                perror("prctl");
-                return 1;
-        }
-*/
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
-#include "seccomp.h"
+#include "../include/seccomp.h"
-#include <sys/types.h>
-#include <sys/socket.h>
-static char *protocol[] = {
-        "unix",
-        "inet",
-        "inet6",
-        "netlink",
-        "packet",
-        NULL
-};
-static struct sock_filter protocol_filter_command[] = {
-        WHITELIST(AF_UNIX),
-        WHITELIST(AF_INET),
-        WHITELIST(AF_INET6),
-        WHITELIST(AF_NETLINK),
-        WHITELIST(AF_PACKET)
-};
-// Note: protocol[] and protocol_filter_command are synchronized
-// command length
-struct sock_filter whitelist[] = {
-        WHITELIST(AF_UNIX)
-};
-unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter);
-static int is_protocol(const char *p) {
-        int i = 0;
-        while (protocol[i] != NULL) {
-                if (strcmp(protocol[i], p) == 0)
-                        return 1;
-                i++;
-        }
-        return 0;
-}       
-static struct sock_filter *find_protocol_domain(const char *p) {
-        int i = 0;
-        while (protocol[i] != NULL) {
-                if (strcmp(protocol[i], p) == 0)
-                        return &protocol_filter_command[i * whitelist_len];
-                i++;
-        }
-        return NULL;
-}       
-// --debug-protocols
-void protocol_list(void) {
-        EUID_ASSERT();
-        
-#ifndef SYS_socket
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#endif
-        int i = 0;
-        while (protocol[i] != NULL) {
-                printf("%s, ", protocol[i]);
-                i++;
-        }
-        printf("\n");
-}
-// check protocol list and store it in cfg structure
-void protocol_store(const char *prlist) {
-        EUID_ASSERT();
-        assert(prlist);
-        
-        if (cfg.protocol && !arg_quiet) {
-                fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist);
-                return;
-        }
-        
-        // temporary list
-        char *tmplist = strdup(prlist);
-        if (!tmplist)
-                errExit("strdup");
-        
-        // check list
-        char *token = strtok(tmplist, ",");
-        if (!token)
-                goto errout;
-                
-        while (token) {
-                if (!is_protocol(token))
-                        goto errout;
-                token = strtok(NULL, ",");
-        }       
-        free(tmplist);
-        
-        // store list
-        cfg.protocol = strdup(prlist);
-        if (!cfg.protocol)
-                errExit("strdup");
-        return;
-                
-errout:
-        fprintf(stderr, "Error: invalid protocol list\n");
-        exit(1);
-}       
-// install protocol filter
-void protocol_filter(void) {
-        assert(cfg.protocol);
-        if (arg_debug)
-                printf("Set protocol filter: %s\n", cfg.protocol);
-#ifndef SYS_socket
-        (void) find_protocol_domain;
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#else
-        // build the filter
-        struct sock_filter filter[32];  // big enough
-        memset(&filter[0], 0, sizeof(filter));
-        uint8_t *ptr = (uint8_t *) &filter[0];
-        
-        // header
-        struct sock_filter filter_start[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL,
-                ONLY(SYS_socket),
-                EXAMINE_ARGUMENT(0)
-        };
-        memcpy(ptr, &filter_start[0], sizeof(filter_start));
-        ptr += sizeof(filter_start);
-#if 0
-printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
-#endif
-        // parse list and add commands
-        char *tmplist = strdup(cfg.protocol);
-        if (!tmplist)
-                errExit("strdup");
-        char *token = strtok(tmplist, ",");
-        if (!token)
-                errExit("strtok");
-                
-        while (token) {
-                struct sock_filter *domain = find_protocol_domain(token);
-                assert(domain);
-                memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
-                ptr += whitelist_len * sizeof(struct sock_filter);
-                token = strtok(NULL, ",");
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
-        }       
-        free(tmplist);
-        // add end of filter
-        struct sock_filter filter_end[] = {
-                RETURN_ERRNO(ENOTSUP)
-        };
-        memcpy(ptr, &filter_end[0], sizeof(filter_end));
-        ptr += sizeof(filter_end);
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif  
-        // install filter
-        unsigned short entries = (unsigned short) ((uintptr_t) ptr - (uintptr_t) (filter)) / (unsigned) sizeof(struct sock_filter);
-        struct sock_fprog prog = {
-                .len = entries,
-                .filter = filter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-                return;
-        }
-#endif // SYS_socket    
-}
 void protocol_filter_save(void) {
        // save protocol filter configuration in PROTOCOL_CFG
-        fs_build_mnt_dir();
        FILE *fp = fopen(RUN_PROTOCOL_CFG, "w");
        if (!fp)
                errExit("fopen");
        fprintf(fp, "%s\n", cfg.protocol);
+        SET_PERMS_STREAM(fp, 0, 0, 0600);
        fclose(fp);
-        if (chmod(RUN_PROTOCOL_CFG, 0600) < 0)
-                errExit("chmod");
-        if (chown(RUN_PROTOCOL_CFG, 0, 0) < 0)
-                errExit("chown");
 }
 void protocol_filter_load(const char *fname) {
@@ -310,29 +59,6 @@ void protocol_filter_load(const char *fname) {
 // --protocol.print
-void protocol_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        
-        (void) name;
-#ifdef SYS_socket
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        protocol_print_filter(pid);
-#else
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#endif
-}
-// --protocol.print
 void protocol_print_filter(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 1eb5e59e1..f890dd534 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -53,16 +53,32 @@ doexit:
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
+        if (arg_debug)
+                printf("disable pulseaudio\n");
        // blacklist user config directory
        disable_file(cfg.homedir, ".config/pulse");
+        // blacklist pulseaudio socket in XDG_RUNTIME_DIR
+        char *name = getenv("XDG_RUNTIME_DIR");
+        if (name)
+                disable_file(name, "pulse/native");
+        // try the default location anyway
+        char *path;
+        if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+                errExit("asprintf");
+        disable_file(path, "pulse/native");
+        free(path);
+                
        // blacklist any pulse* file in /tmp directory
        DIR *dir;
        if (!(dir = opendir("/tmp"))) {
                // sleep 2 seconds and try again
                sleep(2);
                if (!(dir = opendir("/tmp"))) {
-                        fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets are not disabled\n");
                        return;
                }
        }
@@ -76,10 +92,6 @@ void pulseaudio_disable(void) {
        closedir(dir);
-        // blacklist XDG_RUNTIME_DIR
-        char *name = getenv("XDG_RUNTIME_DIR");
-        if (name)
-                disable_file(name, "pulse/native");
 }
@@ -92,33 +104,23 @@ void pulseaudio_init(void) {
                return;
         
        // create the new user pulseaudio directory
-         fs_build_mnt_dir();
        int rv = mkdir(RUN_PULSE_DIR, 0700);
        (void) rv; // in --chroot mode the directory can already be there
-        if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0)
+        if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
-                errExit("chown");
+                errExit("set_perms");
-        if (chmod(RUN_PULSE_DIR, 0700) < 0)
-                errExit("chmod");
        // create the new client.conf file
        char *pulsecfg = NULL;
        if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                errExit("asprintf");
-        if (is_link("/etc/pulse/client.conf")) {
+        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))
-                fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
-                exit(1);
-        }
-        if (copy_file("/etc/pulse/client.conf", pulsecfg))
                errExit("copy_file");
        FILE *fp = fopen(pulsecfg, "a+");
        if (!fp)
                errExit("fopen");
        fprintf(fp, "%s", "\nenable-shm = no\n");
+        SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
        fclose(fp);
-        if (chmod(pulsecfg, 0644) == -1)
-                errExit("chmod");
-        if (chown(pulsecfg, getuid(), getgid()) == -1)
-                errExit("chown");
        // create ~/.config/pulse directory if not present
        char *dir1;
@@ -127,22 +129,19 @@ void pulseaudio_init(void) {
        if (stat(dir1, &s) == -1) {
                int rv = mkdir(dir1, 0755);
                if (rv == 0) {
-                        rv = chown(dir1, getuid(), getgid());
+                        if (set_perms(dir1, getuid(), getgid(), 0755))
-                        (void) rv;
+                                {;} // do nothing
-                        rv = chmod(dir1, 0755);
-                        (void) rv;
                }
        }
        free(dir1);
        if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(dir1, &s) == -1) {
+                /* coverity[toctou] */
                int rv = mkdir(dir1, 0700);
                if (rv == 0) {
-                        rv = chown(dir1, getuid(), getgid());
+                        if (set_perms(dir1, getuid(), getgid(), 0700))
-                        (void) rv;
+                                {;} // do nothing
-                        rv = chmod(dir1, 0700);
-                        (void) rv;
                }
        }
        free(dir1);
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 5a41c441b..393851148 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -26,6 +26,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <errno.h>
+#include "../../uids.h"
 #define MAXBUF 1024
@@ -72,7 +73,6 @@ static void sanitize_home(void) {
                return;
        }
        
-        fs_build_mnt_dir();
        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
                errExit("mkdir");
@@ -95,10 +95,8 @@ static void sanitize_home(void) {
        fs_logger2("mkdir", cfg.homedir);
        
        // set mode and ownership
-        if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
+        if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
-                errExit("chown");
+                errExit("set_perms");
-        if (chmod(cfg.homedir, s.st_mode) == -1)
-                errExit("chmod");
        // mount user home directory
        if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -118,7 +116,7 @@ static void sanitize_passwd(void) {
        if (stat("/etc/passwd", &s) == -1)
                return;
        if (arg_debug)
-                printf("Sanitizing /etc/passwd\n");
+                printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN);
        if (is_link("/etc/passwd")) {
                fprintf(stderr, "Error: invalid /etc/passwd\n");
                exit(1);
@@ -126,7 +124,6 @@ static void sanitize_passwd(void) {
        FILE *fpin = NULL;
        FILE *fpout = NULL;
-        fs_build_mnt_dir();
        // open files
        /* coverity[toctou] */
@@ -170,7 +167,7 @@ static void sanitize_passwd(void) {
                int rv = sscanf(ptr, "%d:", &uid);
                if (rv == 0 || uid < 0)
                        goto errout;
-                if (uid < 1000) { // todo extract UID_MIN from /etc/login.def
+                if (uid < UID_MIN) {
                        fprintf(fpout, "%s", buf);
                        continue;
                }
@@ -186,12 +183,9 @@ static void sanitize_passwd(void) {
                fprintf(fpout, "%s", buf);
        }
        fclose(fpin);
+        SET_PERMS_STREAM(fpout, 0, 0, 0644);
        fclose(fpout);
-        if (chown(RUN_PASSWD_FILE, 0, 0) == -1)
-                errExit("chown");
-        if (chmod(RUN_PASSWD_FILE, 0644) == -1)
-                errExit("chmod");
-                
        // mount-bind tne new password file
        if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
@@ -255,7 +249,7 @@ static void sanitize_group(void) {
        if (stat("/etc/group", &s) == -1)
                return;
        if (arg_debug)
-                printf("Sanitizing /etc/group\n");
+                printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN);
        if (is_link("/etc/group")) {
                fprintf(stderr, "Error: invalid /etc/group\n");
                exit(1);
@@ -263,7 +257,6 @@ static void sanitize_group(void) {
        FILE *fpin = NULL;
        FILE *fpout = NULL;
-        fs_build_mnt_dir();
        // open files
        /* coverity[toctou] */
@@ -306,7 +299,7 @@ static void sanitize_group(void) {
                int rv = sscanf(ptr, "%d:", &gid);
                if (rv == 0 || gid < 0)
                        goto errout;
-                if (gid < 1000) { // todo extract GID_MIN from /etc/login.def
+                if (gid < GID_MIN) {
                        if (copy_line(fpout, buf, ptr))
                                goto errout;
                        continue;
@@ -318,12 +311,9 @@ static void sanitize_group(void) {
                        goto errout;
        }
        fclose(fpin);
+        SET_PERMS_STREAM(fpout, 0, 0, 0644);
        fclose(fpout);
-        if (chown(RUN_GROUP_FILE, 0, 0) == -1)
-                errExit("chown");
-        if (chmod(RUN_GROUP_FILE, 0644) == -1)
-                errExit("chmod");
-                
        // mount-bind tne new group file
        if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
@@ -340,6 +330,9 @@ errout:
 }
 void restrict_users(void) {
+        if (arg_allusers)
+                return;
+                
        // only in user mode
        if (getuid()) {
                if (strncmp(cfg.homedir, "/home/", 6) == 0) {
@@ -347,7 +340,7 @@ void restrict_users(void) {
                        sanitize_home();
                }
                else {
-                        // user has the home diercotry outside /home
+                        // user has the home directory outside /home
                        // mount tmpfs on top of /home in order to hide it
                        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                                errExit("mount tmpfs");
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index ee6e94957..979bb1eed 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -18,6 +18,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <fnmatch.h>
 #define MAX_READ 4096   // maximum line length
 char *restricted_user = NULL;
@@ -40,7 +41,7 @@ int restricted_shell(const char *user) {
        char buf[MAX_READ];
        while (fgets(buf, MAX_READ, fp)) {
                lineno++;
-                
                // remove empty spaces at the beginning of the line
                char *ptr = buf;
                while (*ptr == ' ' || *ptr == '\t') { 
@@ -48,21 +49,26 @@ int restricted_shell(const char *user) {
                }
                if (*ptr == '\n' || *ptr == '#')
                        continue;
+                //
+                // parse line
+                //
                
-                // parse line   
+                // extract users
                char *usr = ptr;
                char *args = strchr(usr, ':');
                if (args == NULL) {
                        fprintf(stderr, "Error: users.conf line %d\n", lineno);
                        exit(1);
                }
+                
                *args = '\0';
                args++;
                ptr = strchr(args, '\n');
                if (ptr)
                        *ptr = '\0';
                
-                // if nothing follows, continue
+                // extract firejail command line arguments
                char *ptr2 = args;
                int found = 0;
                while (*ptr2 != '\0') {
@@ -70,29 +76,42 @@ int restricted_shell(const char *user) {
                                found = 1;
                                break;
                        }
+                        ptr2++;
                }
+                // if nothing follows, continue
                if (!found)
                        continue;
                
-                // process user
+                // user name globbing
-                if (strcmp(user, usr) == 0) {
+                if (fnmatch(usr, user, 0) == 0) {
-                        restricted_user = strdup(user);
+                        // process program arguments
-                        // extract program arguments
                        fullargv[0] = "firejail";
                        int i;
                        ptr = args;
                        for (i = 1; i < MAX_ARGS; i++) {
-                                fullargv[i] = ptr;
+                                // skip blanks
-                                while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
+                                while (*ptr == ' ' || *ptr == '\t')
                                        ptr++;
+                                fullargv[i] = ptr;
+#ifdef DEBUG_RESTRICTED_SHELL
+                                {EUID_ROOT();
+                                FILE *fp = fopen("/firelog", "a");
+                                if (fp) {
+                                        fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]);
+                                        fclose(fp);
+                                }
+                                EUID_USER();}
+#endif                          
+                                
                                if (*ptr != '\0') {
+                                        // go to the end of the word
+                                        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
+                                                ptr++;
                                        *ptr ='\0';
                                        fullargv[i] = strdup(fullargv[i]);
-                                        if (fullargv[i] == NULL) {
+                                        if (fullargv[i] == NULL)
-                                                fprintf(stderr, "Error: cannot allocate memory\n");
+                                                errExit("strdup");
-                                                exit(1);
-                                        }
                                        ptr++;
                                        while (*ptr == ' ' || *ptr == '\t')
                                                ptr++;
@@ -108,7 +127,7 @@ int restricted_shell(const char *user) {
                }
        }
        fclose(fp);
-                         
        return 0;   
 }
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index a774fd6f5..47dd846d2 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -27,6 +27,9 @@ void set_rlimits(void) {
        if (arg_rlimit_nofile) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
                rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
+#ifdef HAVE_GCOV        // gcov-instrumented programs might crash at this point
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
@@ -36,6 +39,9 @@ void set_rlimits(void) {
        if (arg_rlimit_nproc) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
                rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
+#ifdef HAVE_GCOV
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_NPROC, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
@@ -45,6 +51,9 @@ void set_rlimits(void) {
        if (arg_rlimit_fsize) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
                rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
+#ifdef HAVE_GCOV
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_FSIZE, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
@@ -54,6 +63,9 @@ void set_rlimits(void) {
        if (arg_rlimit_sigpending) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
                rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
+#ifdef HAVE_GCOV
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index d57816e12..753c50208 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -59,6 +59,7 @@ void run_symlink(int argc, char **argv) {
                struct stat s;
                if (stat(name, &s) == 0) {
+                        /* coverity[toctou] */
                        char* rp = realpath(name, NULL);
                        if (!rp)
                                errExit("realpath");
@@ -89,16 +90,22 @@ void run_symlink(int argc, char **argv) {
        if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
                errExit("asprintf");
-        printf("Redirecting symlink to %s\n", program);
+        // drop privileges
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
        // run command
        char *a[3 + argc];
        a[0] = firejail;
        a[1] = program;
        int i;
-        for (i = 0; i < (argc - 1); i++)
+        for (i = 0; i < (argc - 1); i++) {
                a[i + 2] = argv[i + 1];
+        }
        a[i + 2] = NULL;
+        assert(getenv("LD_PRELOAD") == NULL);   
        execvp(a[0], a); 
        perror("execvp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3f3564295..50fcd6ed0 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -28,12 +28,23 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <sched.h>
 #ifndef CLONE_NEWUSER
 #define CLONE_NEWUSER   0x10000000
 #endif
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
        if (!arg_quiet) {
@@ -70,8 +81,11 @@ static void sandbox_handler(int sig){
                
        }
        // broadcast a SIGKILL
        kill(-1, SIGKILL);
+        flush_stdin();
        exit(sig);
 }
@@ -94,9 +108,8 @@ void save_nogroups(void) {
        FILE *fp = fopen(RUN_GROUPS_CFG, "w");
        if (fp) {
                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
                fclose(fp);
-                if (chown(RUN_GROUPS_CFG, 0, 0) < 0)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot save nogroups state\n");
@@ -109,7 +122,7 @@ static void sandbox_if_up(Bridge *br) {
        assert(br);
        if (!br->configured)
                return;
-                
        char *dev = br->devsandbox;
        net_if_up(dev);
@@ -124,8 +137,7 @@ static void sandbox_if_up(Bridge *br) {
                assert(br->ipsandbox);
                if (arg_debug)
                        printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(br->ipsandbox), dev);
-                net_if_ip(dev, br->ipsandbox, br->mask, br->mtu);
+                net_config_interface(dev, br->ipsandbox, br->mask, br->mtu);
-                net_if_up(dev);
        }
        else if (br->arg_ip_none == 0 && br->macvlan == 1) {
                // reassign the macvlan address
@@ -147,8 +159,7 @@ static void sandbox_if_up(Bridge *br) {
                        
                if (arg_debug)
                        printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(br->ipsandbox), dev);
-                net_if_ip(dev, br->ipsandbox, br->mask, br->mtu);
+                net_config_interface(dev, br->ipsandbox, br->mask, br->mtu);
-                net_if_up(dev);
        }
        
        if (br->ip6sandbox)
@@ -198,6 +209,12 @@ static int monitor_application(pid_t app_pid) {
                if (arg_debug)
                        printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
+                // if /proc is not remounted, we cannot check /proc directory,
+                // for now we just get out of here
+                // todo: find another way of checking child processes!
+                if (!checkcfg(CFG_REMOUNT_PROC_SYS))
+                        break;
                DIR *dir;
                if (!(dir = opendir("/proc"))) {
                        // sleep 2 seconds and try again
@@ -219,12 +236,15 @@ static int monitor_application(pid_t app_pid) {
                        
                        // todo: make this generic
                        // Dillo browser leaves a dpid process running, we need to shut it down
+                        int found = 0;
                        if (strcmp(cfg.command_name, "dillo") == 0) {
                                char *pidname = pid_proc_comm(pid);
                                if (pidname && strcmp(pidname, "dpid") == 0)
-                                        break;
+                                        found = 1;
                                free(pidname);
                        }
+                        if (found)
+                                break;
                        monitored_pid = pid;
                        break;
@@ -237,40 +257,44 @@ static int monitor_application(pid_t app_pid) {
        // return the latest exit status.
        return status;
+}
-#if 0
+void start_audit(void) {
-// todo: find a way to shut down interfaces before closing the namespace
+        char *audit_prog;
-// the problem is we don't have enough privileges to shutdown interfaces in this moment
+        if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
-        // shut down bridge/macvlan interfaces
+                errExit("asprintf");
-        if (any_bridge_configured()) {
+        assert(getenv("LD_PRELOAD") == NULL);   
-                
+        execl(audit_prog, audit_prog, NULL);
-                if (cfg.bridge0.configured) {
+        perror("execl");
-                        printf("Shutting down %s\n", cfg.bridge0.devsandbox);
+        exit(1);
-                        net_if_down( cfg.bridge0.devsandbox);
-                }
-                if (cfg.bridge1.configured) {
-                        printf("Shutting down %s\n", cfg.bridge1.devsandbox);
-                        net_if_down( cfg.bridge1.devsandbox);
-                }
-                if (cfg.bridge2.configured) {
-                        printf("Shutting down %s\n", cfg.bridge2.devsandbox);
-                        net_if_down( cfg.bridge2.devsandbox);
-                }
-                if (cfg.bridge3.configured) {
-                        printf("Shutting down %s\n", cfg.bridge3.devsandbox);
-                        net_if_down( cfg.bridge3.devsandbox);
-                }
-                usleep(20000);  // 20 ms sleep
-        }       
-#endif  
 }
+void start_application(void) {
+//if (setsid() == -1)
+//errExit("setsid");
-static void start_application(void) {
+        // set environment
+        env_defaults();
+        env_apply();
+        if (arg_debug) {
+                printf("starting application\n");
+                printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
+        }
+        
+        //****************************************
+        // audit
+        //****************************************
+        if (arg_audit) {
+                assert(arg_audit_prog);
+#ifdef HAVE_GCOV
+        __gcov_dump();
+#endif
+                execl(arg_audit_prog, arg_audit_prog, NULL);
+        }
        //****************************************
        // start the program without using a shell
        //****************************************
-        if (arg_shell_none) {
+        else if (arg_shell_none) {
                if (arg_debug) {
                        int i;
                        for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -288,36 +312,37 @@ static void start_application(void) {
                if (!arg_command && !arg_quiet)
                        printf("Child process initialized\n");
+#ifdef HAVE_GCOV
+        __gcov_dump();
+#endif
                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+                exit(1);
        }
        //****************************************
        // start the program using a shell
        //****************************************
        else {
-                // choose the shell requested by the user, or use bash as default
+                assert(cfg.shell);
-                char *sh;
+                assert(cfg.command_line);
-                if (cfg.shell)
-                        sh = cfg.shell;
-                else if (arg_zsh)
-                        sh = "/usr/bin/zsh";
-                else if (arg_csh)
-                        sh = "/bin/csh";
-                else
-                        sh = "/bin/bash";
-                        
                char *arg[5];
                int index = 0;
-                arg[index++] = sh;
+                arg[index++] = cfg.shell;
-                arg[index++] = "-c";
+                if (login_shell) {
-                assert(cfg.command_line);
+                        arg[index++] = "-l";
-                if (arg_debug)
+                        if (arg_debug)
-                        printf("Starting %s\n", cfg.command_line);
+                                printf("Starting %s login shell\n", cfg.shell);
-                if (arg_doubledash) 
+                } else {
-                        arg[index++] = "--";
+                        arg[index++] = "-c";
-                arg[index++] = cfg.command_line;
+                        if (arg_debug)
+                                printf("Running %s command through %s\n", cfg.command_line, cfg.shell);
+                        if (arg_doubledash)
+                                arg[index++] = "--";
+                        arg[index++] = cfg.command_line;
+                }
                arg[index] = NULL;
                assert(index < 5);
-                
                if (arg_debug) {
                        char *msg;
                        if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1)
@@ -325,7 +350,7 @@ static void start_application(void) {
                        logmsg(msg);
                        free(msg);
                }
-                
                if (arg_debug) {
                        int i;
                        for (i = 0; i < 5; i++) {
@@ -334,17 +359,43 @@ static void start_application(void) {
                                printf("execvp argument %d: %s\n", i, arg[i]);
                        }
                }
-                
                if (!arg_command && !arg_quiet)
                        printf("Child process initialized\n");
-                execvp(sh, arg);
+#ifdef HAVE_GCOV
+        __gcov_dump();
+#endif
+                execvp(arg[0], arg);
        }
-        
        perror("execvp");
        exit(1); // it should never get here!!!
 }
+static void enforce_filters(void) {
+        // force default seccomp inside the chroot, no keep or drop list
+        // the list build on top of the default drop list is kept intact
+        arg_seccomp = 1;
+        if (cfg.seccomp_list_drop) {
+                free(cfg.seccomp_list_drop);
+                cfg.seccomp_list_drop = NULL;
+        }
+        if (cfg.seccomp_list_keep) {
+                free(cfg.seccomp_list_keep);
+                cfg.seccomp_list_keep = NULL;
+        }
+        
+        // disable all capabilities
+        if (arg_caps_default_filter || arg_caps_list)
+                fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
+        arg_caps_drop_all = 1;
+        
+        // drop all supplementary groups; /etc/group file inside chroot
+        // is controlled by a regular usr
+        arg_nogroups = 1;
+        if (!arg_quiet)
+                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
+}
 int sandbox(void* sandbox_arg) {
        // Get rid of unused parameter warning
@@ -364,6 +415,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_debug && child_pid == 1)
                printf("PID namespace installed\n");
        //****************************
        // set hostname
        //****************************
@@ -379,7 +431,8 @@ int sandbox(void* sandbox_arg) {
        if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) {
                chk_chroot();
        }
-        
+        // ... and mount a tmpfs on top of /run/firejail/mnt directory
+        preproc_mount_mnt_dir();
        
        //****************************
        // log sandbox data
@@ -396,7 +449,7 @@ int sandbox(void* sandbox_arg) {
        fs_logger("install mount namespace");
        
        //****************************
-        // netfilter etc.
+        // netfilter
        //****************************
        if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter
                netfilter(arg_netfilter_file);
@@ -405,6 +458,101 @@ int sandbox(void* sandbox_arg) {
                netfilter6(arg_netfilter6_file);
        }
+        //****************************
+        // networking
+        //****************************
+        int gw_cfg_failed = 0; // default gw configuration flag
+        if (arg_nonetwork) {
+                net_if_up("lo");
+                if (arg_debug)
+                        printf("Network namespace enabled, only loopback interface available\n");
+        }
+        else if (any_bridge_configured() || any_interface_configured()) {
+                // configure lo and eth0...eth3
+                net_if_up("lo");
+                
+                if (mac_not_zero(cfg.bridge0.macsandbox))
+                        net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox);
+                sandbox_if_up(&cfg.bridge0);
+                
+                if (mac_not_zero(cfg.bridge1.macsandbox))
+                        net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox);
+                sandbox_if_up(&cfg.bridge1);
+                
+                if (mac_not_zero(cfg.bridge2.macsandbox))
+                        net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox);
+                sandbox_if_up(&cfg.bridge2);
+                
+                if (mac_not_zero(cfg.bridge3.macsandbox))
+                        net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox);
+                sandbox_if_up(&cfg.bridge3);
+                
+                // moving an interface in a namespace using --interface will reset the interface configuration;
+                // we need to put the configuration back
+                if (cfg.interface0.configured && cfg.interface0.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev);
+                        net_config_interface(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu);
+                }                       
+                if (cfg.interface1.configured && cfg.interface1.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev);
+                        net_config_interface(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu);
+                }                       
+                if (cfg.interface2.configured && cfg.interface2.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev);
+                        net_config_interface(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu);
+                }                       
+                if (cfg.interface3.configured && cfg.interface3.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev);
+                        net_config_interface(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu);
+                }                       
+                        
+                // add a default route
+                if (cfg.defaultgw) {
+                        // set the default route
+                        if (net_add_route(0, 0, cfg.defaultgw)) {
+                                fprintf(stderr, "Warning: cannot configure default route\n");
+                                gw_cfg_failed = 1;
+                        }
+                }
+                if (arg_debug)
+                        printf("Network namespace enabled\n");
+        }
+        
+        // print network configuration
+        if (!arg_quiet) {
+                if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) {
+                        printf("\n");
+                        if (any_bridge_configured() || any_interface_configured()) {
+//                              net_ifprint();
+                                if (arg_scan)
+                                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, PATH_FNET, "printif", "scan");
+                                else
+                                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET, "printif", "scan");
+                                
+                        }
+                        if (cfg.defaultgw != 0) {
+                                if (gw_cfg_failed)
+                                        printf("Default gateway configuration failed\n");
+                                else
+                                        printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
+                        }
+                        if (cfg.dns1 != 0)
+                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
+                        if (cfg.dns2 != 0)
+                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
+                        if (cfg.dns3 != 0)
+                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
+                        printf("\n");
+                }
+        }
        // load IBUS env variables
        if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) {
                // do nothing - there are problems with ibus version 1.5.11
@@ -412,11 +560,26 @@ int sandbox(void* sandbox_arg) {
        else
                env_ibus_load();
        
-        // grab a copy of cp command
+        //****************************
-        fs_build_cp_command();
+        // fs pre-processing:
-        
+        //  - build seccomp filters
+        //  - create an empty /etc/ld.so.preload
+        //****************************
+#ifdef HAVE_SECCOMP
+        if (cfg.protocol) {
+                if (arg_debug)
+                        printf("Build protocol filter: %s\n", cfg.protocol);
+                // build the seccomp filter as a regular user
+                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+                        PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL);
+                if (rv)
+                        exit(rv);
+        }
+#endif  
        // trace pre-install
-        if (arg_trace || arg_tracelog)
+        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                fs_trace_preload();
        //****************************
@@ -425,39 +588,23 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
        int enforce_seccomp = 0;
 #endif
+        if (arg_appimage) {
+                enforce_filters();
+#ifdef HAVE_SECCOMP
+                enforce_seccomp = 1;
+#endif          
+        }
 #ifdef HAVE_CHROOT              
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
-                // redo cp command
-                fs_build_cp_command();
                
                // force caps and seccomp if not started as root
                if (getuid() != 0) {
-                        // force default seccomp inside the chroot, no keep or drop list
+                        enforce_filters();
-                        // the list build on top of the default drop list is kept intact
-                        arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
                        enforce_seccomp = 1;
 #endif
-                        if (cfg.seccomp_list_drop) {
-                                free(cfg.seccomp_list_drop);
-                                cfg.seccomp_list_drop = NULL;
-                        }
-                        if (cfg.seccomp_list_keep) {
-                                free(cfg.seccomp_list_keep);
-                                cfg.seccomp_list_keep = NULL;
-                        }
-                        
-                        // disable all capabilities
-                        if (arg_caps_default_filter || arg_caps_list)
-                                fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");
-                        arg_caps_drop_all = 1;
-                        
-                        // drop all supplementary groups; /etc/group file inside chroot
-                        // is controlled by a regular usr
-                        arg_nogroups = 1;
-                        if (!arg_quiet)
-                                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
                }
                else
                        arg_seccomp = 1;
@@ -465,17 +612,28 @@ int sandbox(void* sandbox_arg) {
                //****************************
                // trace pre-install, this time inside chroot
                //****************************
-                if (arg_trace || arg_tracelog)
+                if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                        fs_trace_preload();
        }
        else 
 #endif          
-        if (arg_overlay)        
+#ifdef HAVE_OVERLAYFS
+        if (arg_overlay)        {
                fs_overlayfs();
+                // force caps and seccomp if not started as root
+                if (getuid() != 0) {
+                        enforce_filters();
+#ifdef HAVE_SECCOMP
+                        enforce_seccomp = 1;
+#endif
+                }
+                else
+                        arg_seccomp = 1;
+        }
        else
+#endif
                fs_basic_fs();
        
        //****************************
        // set hostname in /etc/hostname
        //****************************
@@ -487,145 +645,153 @@ int sandbox(void* sandbox_arg) {
        // private mode
        //****************************
        if (arg_private) {
-                if (cfg.home_private)   // --private=
+                if (cfg.home_private) { // --private=
-                        fs_private_homedir();
+                        if (cfg.chrootdir)
+                                fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n");
+                        else if (arg_overlay)
+                                fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n");
+                        else
+                                fs_private_homedir();
+                }
+                else if (cfg.home_private_keep) { // --private-home=
+                        if (cfg.chrootdir)
+                                fprintf(stderr, "Warning: private-home= feature is disabled in chroot\n");
+                        else if (arg_overlay)
+                                fprintf(stderr, "Warning: private-home= feature is disabled in overlay\n");
+                        else
+                                fs_private_home_list();
+                }
                else // --private
                        fs_private();
        }
-        
-        if (arg_private_dev)
+        if (arg_private_dev) {
-                fs_private_dev();
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n");
+                else
+                        fs_private_dev();
+        }
+                
        if (arg_private_etc) {
-                fs_private_etc_list();
+                if (cfg.chrootdir)
-                // create /etc/ld.so.preload file again
+                        fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
-                if (arg_trace || arg_tracelog)
+                else if (arg_overlay)
-                        fs_trace_preload();
+                        fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+                        // create /etc/ld.so.preload file again
+                        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+                                fs_trace_preload();
+                }
+        }
+        
+        if (arg_private_opt) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep);
+                }
+        }
+        
+        if (arg_private_srv) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep);
+                }
+        }
+        
+        if (arg_private_bin) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
+                else {
+                        // for --x11=xorg we need to add xauth command
+                        if (arg_x11_xorg) {
+                                EUID_USER();
+                                char *tmp;
+                                if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
+                                        errExit("asprintf");
+                                cfg.bin_private_keep = tmp;
+                                EUID_ROOT();
+                        }
+                        fs_private_bin_list();
+                }
        }
-        if (arg_private_bin)
+        
-                fs_private_bin_list();
+        if (arg_private_tmp) {
-        if (arg_private_tmp)
+                if (cfg.chrootdir)
-                fs_private_tmp();
+                        fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
+                else {
+                        // private-tmp is implemented as a whitelist
+                        EUID_USER();
+                        profile_add("whitelist /tmp/.X11-unix");
+                        EUID_ROOT();
+                }
+        }
+        
+        //****************************
+        // update /proc, /sys, /dev, /boot directorymy
+        //****************************
+        if (checkcfg(CFG_REMOUNT_PROC_SYS))
+                fs_proc_sys_dev_boot();
        
        //****************************
        // apply the profile file
        //****************************
-        if (cfg.profile) {
+        // apply all whitelist commands ... 
-                // apply all whitelist commands ... 
+        if (cfg.chrootdir)
+                fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
+        else if (arg_overlay)
+                fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
+        else
                fs_whitelist();
-                
+        
-                // ... followed by blacklist commands
+        // ... followed by blacklist commands
-                fs_blacklist();
+        fs_blacklist(); // mkdir and mkfile are processed all over again
-        }
        
        //****************************
        // install trace
        //****************************
-        if (arg_trace || arg_tracelog)
+        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                fs_trace();
                
        //****************************
-        // update /proc, /dev, /boot directorymy
+        // nosound/no3d and fix for pulseaudio 7.0
-        //****************************
-        fs_proc_sys_dev_boot();
-        
-        //****************************
-        // --nosound and fix for pulseaudio 7.0
        //****************************
-        if (arg_nosound)
+        if (arg_nosound) {
+                // disable pulseaudio
                pulseaudio_disable();
+                // disable /dev/snd
+                fs_dev_disable_sound();
+        }
        else
                pulseaudio_init();
        
+        if (arg_no3d)
+                fs_dev_disable_3d();
+        
        //****************************
-        // networking
+        // set dns
        //****************************
-        if (arg_nonetwork) {
-                net_if_up("lo");
-                if (arg_debug)
-                        printf("Network namespace enabled, only loopback interface available\n");
-        }
-        else if (any_bridge_configured() || any_interface_configured()) {
-                // configure lo and eth0...eth3
-                net_if_up("lo");
-                
-                if (mac_not_zero(cfg.bridge0.macsandbox))
-                        net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox);
-                sandbox_if_up(&cfg.bridge0);
-                
-                if (mac_not_zero(cfg.bridge1.macsandbox))
-                        net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox);
-                sandbox_if_up(&cfg.bridge1);
-                
-                if (mac_not_zero(cfg.bridge2.macsandbox))
-                        net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox);
-                sandbox_if_up(&cfg.bridge2);
-                
-                if (mac_not_zero(cfg.bridge3.macsandbox))
-                        net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox);
-                sandbox_if_up(&cfg.bridge3);
-                
-                // add a default route
-                if (cfg.defaultgw) {
-                        // set the default route
-                        if (net_add_route(0, 0, cfg.defaultgw))
-                                fprintf(stderr, "Warning: cannot configure default route\n");
-                }
-                
-                // enable interfaces
-                if (cfg.interface0.configured && cfg.interface0.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev);
-                        net_if_ip(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu);
-                        net_if_up(cfg.interface0.dev);
-                }                       
-                if (cfg.interface1.configured && cfg.interface1.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev);
-                        net_if_ip(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu);
-                        net_if_up(cfg.interface1.dev);
-                }                       
-                if (cfg.interface2.configured && cfg.interface2.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev);
-                        net_if_ip(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu);
-                        net_if_up(cfg.interface2.dev);
-                }                       
-                if (cfg.interface3.configured && cfg.interface3.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev);
-                        net_if_ip(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu);
-                        net_if_up(cfg.interface3.dev);
-                }                       
-                        
-                if (arg_debug)
-                        printf("Network namespace enabled\n");
-        }
-        
-        // if any dns server is configured, it is time to set it now
        fs_resolvconf();
+        
+        //****************************
+        // fs post-processing
+        //****************************
        fs_logger_print();
        fs_logger_change_owner();
-        // print network configuration
-        if (!arg_quiet) {
-                if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) {
-                        printf("\n");
-                        if (any_bridge_configured() || any_interface_configured())
-                                net_ifprint();
-                        if (cfg.defaultgw != 0)
-                                printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
-                        if (cfg.dns1 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
-                        if (cfg.dns2 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
-                        if (cfg.dns3 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
-                        printf("\n");
-                }
-        }
-        
-        fs_delete_cp_command();
        //****************************
        // set application environment
        //****************************
@@ -649,12 +815,6 @@ int sandbox(void* sandbox_arg) {
                }
        }
        
-        // set environment
-        env_defaults();
-        
-        // set user-supplied environment variables
-        env_apply();
        // set nice
        if (arg_nice) {
                errno = 0;
@@ -668,6 +828,8 @@ int sandbox(void* sandbox_arg) {
        
        // clean /tmp/.X11-unix sockets
        fs_x11();
+        if (arg_x11_xorg)
+                x11_xorg();
        
        //****************************
        // set security filters
@@ -679,35 +841,35 @@ int sandbox(void* sandbox_arg) {
        // set rlimits
        set_rlimits();
-        // set seccomp
+        // set cpu affinity
+        if (cfg.cpus) {
+                save_cpu(); // save cpu affinity mask to CPU_CFG file
+                set_cpu_affinity();
+        }
+        
+        // save cgroup in CGROUP_CFG file
+        if (cfg.cgroup)
+                save_cgroup();
+        // set seccomp //todo: push it down after drop_privs and/or configuring noroot
 #ifdef HAVE_SECCOMP
        // install protocol filter
        if (cfg.protocol) {
-                protocol_filter();      // install filter       
+                if (arg_debug)
-                protocol_filter_save(); // save filter in PROTOCOL_CFG
+                        printf("Install protocol filter: %s\n", cfg.protocol);
+                seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter       
+                protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
        }
        // if a keep list is available, disregard the drop list
        if (arg_seccomp == 1) {
                if (cfg.seccomp_list_keep)
                        seccomp_filter_keep();
-                else if (cfg.seccomp_list_errno)
-                        seccomp_filter_errno(); 
                else
                        seccomp_filter_drop(enforce_seccomp);
        }
 #endif
-        // set cpu affinity
-        if (cfg.cpus) {
-                save_cpu(); // save cpu affinity mask to CPU_CFG file
-                set_cpu_affinity();
-        }
-        
-        // save cgroup in CGROUP_CFG file
-        if (cfg.cgroup)
-                save_cgroup();
        //****************************************
        // drop privileges or create a new user namespace
        //****************************************
@@ -715,7 +877,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_noroot) {
                int rv = unshare(CLONE_NEWUSER);
                if (rv == -1) {
-                        fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it...\n");
+                        fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
                        drop_privs(arg_nogroups);
                        arg_noroot = 0;
                }
@@ -739,6 +901,18 @@ int sandbox(void* sandbox_arg) {
                        printf("noroot user namespace installed\n");
                set_caps();
        }
+        
+        //****************************************
+        // Set NO_NEW_PRIVS if desired
+        //****************************************
+        if (arg_nonewprivs) {
+                int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+                if(no_new_privs != 0)
+                        fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                else if (arg_debug)
+                        printf("NO_NEW_PRIVS set\n");
+        }
        //****************************************
        // fork the application and monitor it
@@ -746,13 +920,27 @@ int sandbox(void* sandbox_arg) {
        pid_t app_pid = fork();
        if (app_pid == -1)
                errExit("fork");
-                
        if (app_pid == 0) {
+#ifdef HAVE_APPARMOR
+                if (arg_apparmor) {
+                        errno = 0;
+                        if (aa_change_onexec("firejail-default")) {
+                                fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
+                                fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
+                                fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
+                                exit(1);
+                        }
+                        else if (arg_debug)
+                                printf("AppArmor enabled\n");
+                }
+#endif          
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                start_application();    // start app
        }
        int status = monitor_application(app_pid);      // monitor application
+        flush_stdin();
        if (WIFEXITED(status)) {
                // if we had a proper exit, return that exit status
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
new file mode 100644
index 000000000..f28bbaf1a
--- /dev/null
+++ b/src/firejail/sbox.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <net/if.h>
+#include <stdarg.h>
+ #include <sys/wait.h>
+#include "../include/seccomp.h"
+static struct sock_filter filter[] = {
+        VALIDATE_ARCHITECTURE,
+        EXAMINE_SYSCALL,
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+        // handle X32 ABI
+        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+        RETURN_ERRNO(EPERM),
+#endif
+        // syscall list
+#ifdef SYS_mount                
+        BLACKLIST(SYS_mount),  // mount/unmount filesystems
+#endif
+#ifdef SYS_umount2              
+        BLACKLIST(SYS_umount2),
+#endif
+#ifdef SYS_ptrace               
+        BLACKLIST(SYS_ptrace), // trace processes
+#endif
+#ifdef SYS_kexec_file_load              
+        BLACKLIST(SYS_kexec_file_load),
+#endif
+#ifdef SYS_kexec_load           
+        BLACKLIST(SYS_kexec_load), // loading a different kernel
+#endif
+#ifdef SYS_name_to_handle_at            
+        BLACKLIST(SYS_name_to_handle_at),
+#endif
+#ifdef SYS_open_by_handle_at            
+        BLACKLIST(SYS_open_by_handle_at), // open by handle
+#endif
+#ifdef SYS_init_module          
+        BLACKLIST(SYS_init_module), // kernel module handling
+#endif
+#ifdef SYS_finit_module // introduced in 2013
+        BLACKLIST(SYS_finit_module),
+#endif
+#ifdef SYS_create_module
+        BLACKLIST(SYS_create_module),
+#endif
+#ifdef SYS_delete_module                
+        BLACKLIST(SYS_delete_module),
+#endif
+#ifdef SYS_iopl         
+        BLACKLIST(SYS_iopl), // io permissions
+#endif
+#ifdef  SYS_ioperm      
+        BLACKLIST(SYS_ioperm),
+#endif
+#ifdef SYS_iopl         
+        BLACKLIST(SYS_iopl), // io permissions
+#endif
+#ifdef  SYS_ioprio_set  
+        BLACKLIST(SYS_ioprio_set),
+#endif
+#ifdef SYS_ni_syscall // new io permissions call on arm devices
+        BLACKLIST(SYS_ni_syscall),
+#endif
+#ifdef SYS_swapon               
+        BLACKLIST(SYS_swapon), // swap on/off
+#endif
+#ifdef SYS_swapoff              
+        BLACKLIST(SYS_swapoff),
+#endif
+#ifdef SYS_syslog               
+        BLACKLIST(SYS_syslog), // kernel printk control
+#endif
+        RETURN_ALLOW
+};
+static struct sock_fprog prog = {
+        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+        .filter = filter,
+};
+typedef struct sbox_config {
+        char *name;
+        char *path;
+        unsigned filters;
+} SboxConfig;
+int sbox_run(unsigned filter, int num, ...) {
+        EUID_ROOT();
+        
+        int i;
+        va_list valist;
+        va_start(valist, num);
+        // build argument list
+        char *arg[num + 1];
+        for (i = 0; i < num; i++)
+                arg[i] = va_arg(valist, char*);
+        arg[i] = NULL;
+        va_end(valist);
+        
+        if (arg_debug) {
+                printf("sbox run: ");
+                for (i = 0; i <= num; i++)
+                        printf("%s ", arg[i]);
+                printf("\n");
+        }
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // clean the new process
+                clearenv();
+                
+                if (filter & SBOX_STDIN_FROM_FILE) {
+                        int fd;
+                        if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
+                                fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
+                                exit(1);
+                        }
+                        dup2(fd,STDIN_FILENO);
+                }
+                else if ((filter & SBOX_ALLOW_STDIN) == 0) {
+                        int fd = open("/dev/null",O_RDWR, 0);
+                        if (fd != -1)
+                                dup2(fd, STDIN_FILENO);
+                        else // the user could run the sandbox without /dev/null
+                                close(STDIN_FILENO);
+                }
+                
+                // close all other file descriptors
+                int max = 20; // getdtablesize() is overkill for a firejail process
+                for (i = 3; i < max; i++)
+                        close(i); // close open files
+                if (arg_debug) {
+                        printf("sbox file descriptors:\n");
+                        int rv = system("ls -l /proc/self/fd");
+                        (void) rv;      
+                }
+                umask(027);     
+                // apply filters
+                if (filter & SBOX_CAPS_NONE) {
+                        caps_drop_all();
+                }
+                else if (filter & SBOX_CAPS_NETWORK) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN;
+                        set |=  ((uint64_t) 1) << CAP_NET_RAW;
+                        caps_set(set);
+#endif
+                }       
+                if (filter & SBOX_SECCOMP) {
+                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                                perror("prctl(NO_NEW_PRIVS)");
+                        }
+                        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                                perror("prctl(PR_SET_SECCOMP)");
+                        }
+                }
+                if (filter & SBOX_ROOT) {
+                        // elevate privileges in order to get grsecurity working
+                        if (setreuid(0, 0))
+                                errExit("setreuid");
+                        if (setregid(0, 0))
+                                errExit("setregid");
+                }
+                else if (filter & SBOX_USER)
+                        drop_privs(1);
+                clearenv();
+                if (arg[0])     // get rid of scan-build warning
+                        execvp(arg[0], arg);
+                else
+                        assert(0);
+                perror("execl");
+                _exit(1);
+        }
+        int status;
+        if (waitpid(child, &status, 0) == -1 ) {
+                errExit("waitpid");
+        }
+        if (WIFEXITED(status) && status != 0) {
+                fprintf(stderr, "Error: failed to run %s\n", arg[0]);
+                exit(1);
+        }
+        
+        return status;
+}
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7108b5a05..96dfdaff2 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -20,798 +20,188 @@
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
-#include "seccomp.h"
+#include "../include/seccomp.h"
-#define SECSIZE 128 // initial filter size
+char *seccomp_check_list(const char *str) {
-static struct sock_filter *sfilter = NULL;
+        assert(str);
-static int sfilter_alloc_size = 0;
+        if (strlen(str) == 0) {
-static int sfilter_index = 0;
+                fprintf(stderr, "Error: empty syscall lists are not allowed\n");
+                exit(1);
-// debug filter
-void filter_debug(void) {
-        // start filter
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL
-        };
-        // print sizes
-        printf("SECCOMP Filter:\n");
-        if (sfilter == NULL) {
-                printf("SECCOMP filter not allocated\n");
-                return;
        }
-        if (sfilter_index < 4)
-                return;
        
-        // test the start of the filter
+        int len = strlen(str) + 1;
-        if (memcmp(sfilter, filter, sizeof(filter)) == 0) {
+        char *rv = malloc(len);
-                printf("  VALIDATE_ARCHITECTURE\n");
+        if (!rv)
-                printf("  EXAMINE_SYSCAL\n");
+                errExit("malloc");
-        }
+        memset(rv, 0, len);
        
-        // loop trough blacklists
+        const char *ptr1 = str;
-        int i = 4;
+        char *ptr2 = rv;
-        while (i < sfilter_index) {
+        while (*ptr1 != '\0') {
-                // minimal parsing!
+                if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':')
-                unsigned char *ptr = (unsigned char *) &sfilter[i];
+                        *ptr2++ = *ptr1++;
-                int *nr = (int *) (ptr + 4);
-                if (*ptr        == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
-                        printf("  WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
-                        i += 2;
-                }
-                else if (*ptr   == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
-                        printf("  BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
-                        i += 2;
-                }
-                else if (*ptr   == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
-                        int err = *(ptr + 13) << 8 | *(ptr + 12);
-                        printf("  ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
-                        i += 2;
-                }
-                else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
-                        printf("  KILL_PROCESS\n");
-                        i++;
-                }
-                else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
-                        printf("  RETURN_ALLOW\n");
-                        i++;
-                }
                else {
-                        printf("  UNKNOWN ENTRY!!!\n");
+                        fprintf(stderr, "Error: invalid syscall list\n");
-                        i++;
+                        exit(1);
                }
        }
+                                                
+        return rv;
 }
-// initialize filter
-static void filter_init(void) {
-        if (sfilter) {
-                assert(0);
-                return;
-        }
-//      if (arg_debug)
-//              printf("Initialize seccomp filter\n");  
-        // allocate a filter of SECSIZE
-        sfilter = malloc(sizeof(struct sock_filter) * SECSIZE);
-        if (!sfilter)
-                errExit("malloc");
-        memset(sfilter, 0, sizeof(struct sock_filter) * SECSIZE);
-        sfilter_alloc_size = SECSIZE;
-        
-        // copy the start entries
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL
-        };
-        sfilter_index = sizeof(filter) / sizeof(struct sock_filter);    
-        memcpy(sfilter, filter, sizeof(filter));
-}
-static void filter_realloc(void) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-        if (arg_debug)
-                printf("Allocating more seccomp filter entries\n");
-        
-        // allocate the new memory
-        struct sock_filter *old = sfilter;
-        sfilter = malloc(sizeof(struct sock_filter) * (sfilter_alloc_size + SECSIZE));
-        if (!sfilter)
-                errExit("malloc");
-        memset(sfilter, 0, sizeof(struct sock_filter) *  (sfilter_alloc_size + SECSIZE));
-        
-        // copy old filter
-        memcpy(sfilter, old, sizeof(struct sock_filter) *  sfilter_alloc_size);
-        sfilter_alloc_size += SECSIZE;
-}
-static void filter_add_whitelist(int syscall, int arg) {
-        (void) arg;
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
-        
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        
-        struct sock_filter filter[] = {
-                WHITELIST(syscall)
-        };
-#if 0
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-static void filter_add_blacklist(int syscall, int arg) {
+int seccomp_load(const char *fname) {
-        (void) arg;
+        assert(fname);
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
        
-        if ((sfilter_index + 2) > sfilter_alloc_size)
+        // open filter file
-                filter_realloc();
+        int fd = open(fname, O_RDONLY);
-        
-        struct sock_filter filter[] = {
-                BLACKLIST(syscall)
-        };
-#if 0
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-static void filter_add_errno(int syscall, int arg) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Errno syscall %d %d %s\n", syscall, arg, syscall_find_nr(syscall));
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        struct sock_filter filter[] = {
-                BLACKLIST_ERRNO(syscall, arg)
-        };
-#if 0
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);
-}
-static void filter_end_blacklist(void) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Ending syscall filter\n");
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        
-        struct sock_filter filter[] = {
-                RETURN_ALLOW
-        };
-#if 0   
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-static void filter_end_whitelist(void) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-        if (arg_debug)
-                printf("Ending syscall filter\n");
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        
-        struct sock_filter filter[] = {
-                KILL_PROCESS
-        };
-#if 0   
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-// save seccomp filter in  /run/firejail/mnt/seccomp
-static void write_seccomp_file(void) {
-        fs_build_mnt_dir();
-        assert(sfilter);
-        int fd = open(RUN_SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
        if (fd == -1)
-                errExit("open");
+                goto errexit;
+        // calculate the number of entries
+        int size = lseek(fd, 0, SEEK_END);
+        if (size == -1)
+                goto errexit;
+        if (lseek(fd, 0 , SEEK_SET) == -1)
+                goto errexit;
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
        if (arg_debug)
-                printf("Save seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter)));
+                printf("reading %d seccomp entries from %s\n", entries, fname);
-        errno = 0;
-        ssize_t sz = write(fd, sfilter, sfilter_index * sizeof(struct sock_filter));
+        // read filter
-        if (sz != (ssize_t)(sfilter_index * sizeof(struct sock_filter))) {
+        struct sock_filter *filter = malloc(size);
-                fprintf(stderr, "Error: cannot save seccomp filter\n");
+        if (filter == NULL)
-                exit(1);
+                goto errexit;
-        }
+        memset(filter, 0, size);
+        int rd = 0;
+        while (rd < size) {
+                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
+                if (rv == -1)
+                        goto errexit;
+                rd += rv;
+        }
+        
+        // close file
        close(fd);
-        if (chown(RUN_SECCOMP_CFG, 0, 0) < 0)
-                errExit("chown");
-}
-// read seccomp filter from /run/firejail/mnt/seccomp
-static void read_seccomp_file(const char *fname) {
-        assert(sfilter == NULL && sfilter_index == 0);
-        // check file
+        // install filter
-        struct stat s;
+        struct sock_fprog prog = {
-        if (stat(fname, &s) == -1) {
+                .len = entries,
-                fprintf(stderr, "Warning: seccomp file not found\n");
+                .filter = filter,
-                return;
+        };
-        }
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-        ssize_t sz = s.st_size;
+                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-        if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) {
+                return 1;
-                fprintf(stderr, "Error: invalid seccomp file\n");
-                exit(1);
-        }
-        sfilter = malloc(sz);
-        if (!sfilter)
-                errExit("malloc");
-                
-        // read file
-        /* coverity[toctou] */
-        int fd = open(fname,O_RDONLY);
-        if (fd == -1)
-                errExit("open");
-        errno = 0;              
-        ssize_t size = read(fd, sfilter, sz);
-        if (size != sz) {
-                fprintf(stderr, "Error: invalid seccomp file\n");
-                exit(1);
        }
-        sfilter_index = sz / sizeof(struct sock_filter);
-        if (arg_debug)
-                printf("Read seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter)));
-        close(fd);
        
-        if (arg_debug)
+        return 0;
-                filter_debug();
+        
+errexit:
+        fprintf(stderr, "Error: cannot read %s\n", fname);
+        exit(1);
 }
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
-        // hardcoded syscall values
+        if (seccomp_load(RUN_SECCOMP_I386) == 0) {
-        struct sock_filter filter[] = {
+                if (arg_debug)
-                VALIDATE_ARCHITECTURE_32,
+                        printf("Dual i386/amd64 seccomp filter configured\n");
-                EXAMINE_SYSCALL,
-                BLACKLIST(21), // mount
-                BLACKLIST(52), // umount2
-                BLACKLIST(26), // ptrace
-                BLACKLIST(283), // kexec_load
-                BLACKLIST(342), // open_by_handle_at
-                BLACKLIST(128), // init_module
-                BLACKLIST(350), // finit_module
-                BLACKLIST(129), // delete_module
-                BLACKLIST(110), // iopl
-                BLACKLIST(101), // ioperm
-                BLACKLIST(87), // swapon
-                BLACKLIST(115), // swapoff
-                BLACKLIST(103), // syslog
-                BLACKLIST(347), // process_vm_readv
-                BLACKLIST(348), // process_vm_writev
-                BLACKLIST(135), // sysfs
-                BLACKLIST(149), // _sysctl
-                BLACKLIST(124), // adjtimex
-                BLACKLIST(343), // clock_adjtime
-                BLACKLIST(253), // lookup_dcookie
-                BLACKLIST(336), // perf_event_open
-                BLACKLIST(338), // fanotify_init
-                BLACKLIST(349), // kcmp
-                BLACKLIST(286), // add_key
-                BLACKLIST(287), // request_key
-                BLACKLIST(288), // keyctl
-                BLACKLIST(86), // uselib
-                BLACKLIST(51), // acct
-                BLACKLIST(123), // modify_ldt
-                BLACKLIST(217), // pivot_root
-                BLACKLIST(245), // io_setup
-                BLACKLIST(246), // io_destroy
-                BLACKLIST(247), // io_getevents
-                BLACKLIST(248), // io_submit
-                BLACKLIST(249), // io_cancel
-                BLACKLIST(257), // remap_file_pages
-                BLACKLIST(274), // mbind
-                BLACKLIST(275), // get_mempolicy
-                BLACKLIST(276), // set_mempolicy
-                BLACKLIST(294), // migrate_pages
-                BLACKLIST(317), // move_pages
-                BLACKLIST(316), // vmsplice
-                BLACKLIST(61),  // chroot
-                BLACKLIST(88), // reboot
-                BLACKLIST(169), // nfsservctl
-                BLACKLIST(130), // get_kernel_syms
-                RETURN_ALLOW
-        };
-        struct sock_fprog prog = {
-                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
-                .filter = filter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                ;
-        }
-        else if (arg_debug) {
-                printf("Dual i386/amd64 seccomp filter configured\n");
        }
 }
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
-        // hardcoded syscall values
+        if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
-        struct sock_filter filter[] = {
+                if (arg_debug)
-                VALIDATE_ARCHITECTURE_64,
+                        printf("Dual i386/amd64 seccomp filter configured\n");
-                EXAMINE_SYSCALL,
-                BLACKLIST(165), // mount
-                BLACKLIST(166), // umount2
-                BLACKLIST(101), // ptrace
-                BLACKLIST(246), // kexec_load
-                BLACKLIST(304), // open_by_handle_at
-                BLACKLIST(175), // init_module
-                BLACKLIST(313), // finit_module
-                BLACKLIST(176), // delete_module
-                BLACKLIST(172), // iopl
-                BLACKLIST(173), // ioperm
-                BLACKLIST(167), // swapon
-                BLACKLIST(168), // swapoff
-                BLACKLIST(103), // syslog
-                BLACKLIST(310), // process_vm_readv
-                BLACKLIST(311), // process_vm_writev
-                BLACKLIST(139), // sysfs
-                BLACKLIST(156), // _sysctl
-                BLACKLIST(159), // adjtimex
-                BLACKLIST(305), // clock_adjtime
-                BLACKLIST(212), // lookup_dcookie
-                BLACKLIST(298), // perf_event_open
-                BLACKLIST(300), // fanotify_init
-                BLACKLIST(312), // kcmp
-                BLACKLIST(248), // add_key
-                BLACKLIST(249), // request_key
-                BLACKLIST(250), // keyctl
-                BLACKLIST(134), // uselib
-                BLACKLIST(163), // acct
-                BLACKLIST(154), // modify_ldt
-                BLACKLIST(155), // pivot_root
-                BLACKLIST(206), // io_setup
-                BLACKLIST(207), // io_destroy
-                BLACKLIST(208), // io_getevents
-                BLACKLIST(209), // io_submit
-                BLACKLIST(210), // io_cancel
-                BLACKLIST(216), // remap_file_pages
-                BLACKLIST(237), // mbind
-                BLACKLIST(239), // get_mempolicy
-                BLACKLIST(238), // set_mempolicy
-                BLACKLIST(256), // migrate_pages
-                BLACKLIST(279), // move_pages
-                BLACKLIST(278), // vmsplice
-                BLACKLIST(161), // chroot
-                BLACKLIST(184), // tuxcall
-                BLACKLIST(169), // reboot
-                BLACKLIST(180), // nfsservctl
-                BLACKLIST(177), // get_kernel_syms
-                RETURN_ALLOW
-        };
-        struct sock_fprog prog = {
-                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
-                .filter = filter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                ;
-        }
-        else if (arg_debug) {
-                printf("Dual i386/amd64 seccomp filter configured\n");
        }
 }
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
-        filter_init();
-        
        // default seccomp
-        if (cfg.seccomp_list_drop == NULL) {
+        if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) {
 #if defined(__x86_64__)
                seccomp_filter_32();
 #endif
 #if defined(__i386__)
                seccomp_filter_64();
 #endif
+        }
-#ifdef SYS_mount                
+        // default seccomp filter with additional drop list
-                filter_add_blacklist(SYS_mount, 0);
+        else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
-#endif
+#if defined(__x86_64__)
-#ifdef SYS_umount2              
+                seccomp_filter_32();
-                filter_add_blacklist(SYS_umount2, 0);
-#endif
-#ifdef SYS_ptrace               
-                filter_add_blacklist(SYS_ptrace, 0);
-#endif
-#ifdef SYS_kexec_load           
-                filter_add_blacklist(SYS_kexec_load, 0);
-#endif
-#ifdef SYS_kexec_file_load              
-                filter_add_blacklist(SYS_kexec_file_load, 0);
-#endif
-#ifdef SYS_open_by_handle_at            
-                filter_add_blacklist(SYS_open_by_handle_at, 0);
-#endif
-#ifdef SYS_init_module          
-                filter_add_blacklist(SYS_init_module, 0);
-#endif
-#ifdef SYS_finit_module // introduced in 2013
-                filter_add_blacklist(SYS_finit_module, 0);
-#endif
-#ifdef SYS_delete_module                
-                filter_add_blacklist(SYS_delete_module, 0);
-#endif
-#ifdef SYS_iopl         
-                filter_add_blacklist(SYS_iopl, 0);
-#endif
-#ifdef  SYS_ioperm      
-                filter_add_blacklist(SYS_ioperm, 0);
-#endif
-#ifdef SYS_ni_syscall // new io permissions call on arm devices
-                filter_add_blacklist(SYS_ni_syscall, 0);
-#endif
-#ifdef SYS_swapon               
-                filter_add_blacklist(SYS_swapon, 0);
-#endif
-#ifdef SYS_swapoff              
-                filter_add_blacklist(SYS_swapoff, 0);
-#endif
-#ifdef SYS_syslog               
-                filter_add_blacklist(SYS_syslog, 0);
-#endif
-#ifdef SYS_process_vm_readv             
-                filter_add_blacklist(SYS_process_vm_readv, 0);
 #endif
-#ifdef SYS_process_vm_writev            
+#if defined(__i386__)
-                filter_add_blacklist(SYS_process_vm_writev, 0);
+                seccomp_filter_64();
 #endif
+                if (arg_debug)
-// mknod removed in 0.9.29 - it brakes Zotero extension
+                        printf("Build default+drop seccomp filter\n");
-//#ifdef SYS_mknod              
-//              filter_add_blacklist(SYS_mknod, 0);
-//#endif
                
-                // new syscalls in 0.9,23               
+                // build the seccomp filter as a regular user
-#ifdef SYS_sysfs                
+                int rv;
-                filter_add_blacklist(SYS_sysfs, 0);
+                if (arg_allow_debuggers)
-#endif
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-#ifdef SYS__sysctl      
+                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
-                filter_add_blacklist(SYS__sysctl, 0);
+                else
-#endif
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-#ifdef SYS_adjtimex             
+                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
-                filter_add_blacklist(SYS_adjtimex, 0);
+                if (rv)
-#endif
+                        exit(rv);
-#ifdef  SYS_clock_adjtime       
-                filter_add_blacklist(SYS_clock_adjtime, 0);
-#endif
-#ifdef SYS_lookup_dcookie               
-                filter_add_blacklist(SYS_lookup_dcookie, 0);
-#endif
-#ifdef  SYS_perf_event_open     
-                filter_add_blacklist(SYS_perf_event_open, 0);
-#endif
-#ifdef  SYS_fanotify_init       
-                filter_add_blacklist(SYS_fanotify_init, 0);
-#endif
-#ifdef SYS_kcmp
-                filter_add_blacklist(SYS_kcmp, 0);
-#endif
-// 0.9.32
-#ifdef SYS_add_key
-                filter_add_blacklist(SYS_add_key, 0);
-#endif
-#ifdef SYS_request_key
-                filter_add_blacklist(SYS_request_key, 0);
-#endif
-#ifdef SYS_keyctl
-                filter_add_blacklist(SYS_keyctl, 0);
-#endif
-#ifdef SYS_uselib
-                filter_add_blacklist(SYS_uselib, 0);
-#endif
-#ifdef SYS_acct
-                filter_add_blacklist(SYS_acct, 0);
-#endif
-#ifdef SYS_modify_ldt
-                filter_add_blacklist(SYS_modify_ldt, 0);
-#endif
-        //#ifdef SYS_unshare
-        //              filter_add_blacklist(SYS_unshare, 0);
-        //#endif
-#ifdef SYS_pivot_root
-                filter_add_blacklist(SYS_pivot_root, 0);
-#endif
-        //#ifdef SYS_quotactl
-        //              filter_add_blacklist(SYS_quotactl, 0);
-        //#endif
-#ifdef SYS_io_setup
-                filter_add_blacklist(SYS_io_setup, 0);
-#endif
-#ifdef SYS_io_destroy
-                filter_add_blacklist(SYS_io_destroy, 0);
-#endif
-#ifdef SYS_io_getevents
-                filter_add_blacklist(SYS_io_getevents, 0);
-#endif
-#ifdef SYS_io_submit
-                filter_add_blacklist(SYS_io_submit, 0);
-#endif
-#ifdef SYS_io_cancel
-                filter_add_blacklist(SYS_io_cancel, 0);
-#endif
-#ifdef SYS_remap_file_pages
-                filter_add_blacklist(SYS_remap_file_pages, 0);
-#endif
-#ifdef SYS_mbind
-                filter_add_blacklist(SYS_mbind, 0);
-#endif
-#ifdef SYS_get_mempolicy
-                filter_add_blacklist(SYS_get_mempolicy, 0);
-#endif
-#ifdef SYS_set_mempolicy
-                filter_add_blacklist(SYS_set_mempolicy, 0);
-#endif
-#ifdef SYS_migrate_pages
-                filter_add_blacklist(SYS_migrate_pages, 0);
-#endif
-#ifdef SYS_move_pages
-                filter_add_blacklist(SYS_move_pages, 0);
-#endif
-#ifdef SYS_vmsplice
-                filter_add_blacklist(SYS_vmsplice, 0);
-#endif
-#ifdef SYS_chroot
-                filter_add_blacklist(SYS_chroot, 0);
-#endif
-        //#ifdef SYS_set_robust_list
-        //              filter_add_blacklist(SYS_set_robust_list, 0);
-        //#endif
-        //#ifdef SYS_get_robust_list
-        //              filter_add_blacklist(SYS_get_robust_list, 0);
-        //#endif
- // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
- //     SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
-// 0.9.39
-#ifdef SYS_tuxcall
-                filter_add_blacklist(SYS_tuxcall, 0);
-#endif
-#ifdef SYS_reboot
-                filter_add_blacklist(SYS_reboot, 0);
-#endif
-#ifdef SYS_nfsservctl
-                filter_add_blacklist(SYS_nfsservctl, 0);
-#endif
-#ifdef SYS_get_kernel_syms
-                filter_add_blacklist(SYS_get_kernel_syms, 0);
-#endif
-        }
-        // default seccomp filter with additional drop list
-        if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
-                if (syscall_check_list(cfg.seccomp_list, filter_add_blacklist, 0)) {
-                        fprintf(stderr, "Error: cannot load seccomp filter\n");
-                        exit(1);
-                }
-        }
-        // drop list
-        else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
-                if (syscall_check_list(cfg.seccomp_list_drop, filter_add_blacklist, 0)) {
-                        fprintf(stderr, "Error: cannot load seccomp filter\n");
-                        exit(1);
-                }
        }
        
-        
+        // drop list without defaults - secondary filters are not installed
-        filter_end_blacklist();
+        else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
-        if (arg_debug)
+                if (arg_debug)
-                filter_debug();
+                        printf("Build drop seccomp filter\n");
-        // save seccomp filter in  /tmp/firejail/mnt/seccomp
+                // build the seccomp filter as a regular user
-        // in order to use it in --join operations
+                int rv;
-        write_seccomp_file();
+                if (arg_allow_debuggers)
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+                                PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop,  "allow-debuggers");
-        struct sock_fprog prog = {
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                if (enforce_seccomp) {
-                        fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
-                        exit(1);
-                }
                else
-                        fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+                                PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop);
-                return 1;
+                if (rv)
+                        exit(rv);
        }
-        
+        else {
-        return 0;
+                assert(0);
-}
-// keep filter for seccomp option
-int seccomp_filter_keep(void) {
-        filter_init();
-        // these 4 syscalls are used by firejail after the seccomp filter is initialized
-        filter_add_whitelist(SYS_setuid, 0);
-        filter_add_whitelist(SYS_setgid, 0);
-        filter_add_whitelist(SYS_setgroups, 0);
-        filter_add_whitelist(SYS_dup, 0);
-        
-        // apply keep list
-        if (cfg.seccomp_list_keep) {
-                if (syscall_check_list(cfg.seccomp_list_keep, filter_add_whitelist, 0)) {
-                        fprintf(stderr, "Error: cannot load seccomp filter\n");
-                        exit(1);
-                }
        }
        
-        filter_end_whitelist();
+        // load the filter
-        if (arg_debug)
+        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
-                filter_debug();
+                if (arg_debug)
+                        printf("seccomp filter configured\n");
-        // save seccomp filter in  /tmp/firejail/mnt/seccomp
-        // in order to use it in --join operations
-        write_seccomp_file();
-        struct sock_fprog prog = {
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-                return 1;
        }
-        else if (arg_debug) {
+        else if (enforce_seccomp) {
-                printf("seccomp enabled\n");
+                fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+                exit(1);
        }
        
-        return 0;
+        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
-}
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+                        PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
-// errno filter for seccomp option
-int seccomp_filter_errno(void) {
-        int i;
-        int higest_errno = errno_highest_nr();
-        filter_init();
-        // apply errno list
-        for (i = 0; i < higest_errno; i++) {
-                if (cfg.seccomp_list_errno[i]) {
-                        if (syscall_check_list(cfg.seccomp_list_errno[i], filter_add_errno, i)) {
-                                fprintf(stderr, "Error: cannot load seccomp filter\n");
-                                exit(1);
-                        }
-                }
-        }
-        filter_end_blacklist();
-        if (arg_debug)
-                filter_debug();
-        // save seccomp filter in  /tmp/firejail/mnt/seccomp
-        // in order to use it in --join operations
-        write_seccomp_file();
-        struct sock_fprog prog = {
+        return seccomp_load(RUN_SECCOMP_CFG);
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-                return 1;
-        }
-        else if (arg_debug) {
-                printf("seccomp enabled\n");
-        }
-        return 0;
 }
+// keep filter for seccomp option
+int seccomp_filter_keep(void) {
-void seccomp_set(void) {
+        if (arg_debug)
-        // read seccomp filter from  /tmp/firejail/mnt/seccomp
+                printf("Build drop seccomp filter\n");
-        read_seccomp_file(RUN_SECCOMP_CFG);
-        
-        // apply filter
-        struct sock_fprog prog = {
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
        
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        // build the seccomp filter as a regular user
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                return;
+                PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep);
-        }
+        if (arg_debug)
-        else if (arg_debug) {
+                printf("seccomp filter configured\n");
-                printf("seccomp enabled\n");
-        }
-}
-void seccomp_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        seccomp_print_filter(pid);
+                
+        return seccomp_load(RUN_SECCOMP_CFG);
 }
 void seccomp_print_filter(pid_t pid) {
@@ -853,10 +243,8 @@ void seccomp_print_filter(pid_t pid) {
                exit(1);
        }
-        // read and print the filter
+        // read and print the filter - run this as root, the user doesn't have access
-        read_seccomp_file(fname);
+        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", fname);
-        drop_privs(1);
-        filter_debug();
        free(fname);
        exit(0);
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 8d8035bfb..c23e87321 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -23,22 +23,6 @@
 #include <fcntl.h>
 #include <sys/prctl.h>
-void shut_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        shut(pid);
-}
 void shut(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 539785f21..db3c25a5a 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -23,330 +23,193 @@ void usage(void) {
        printf("firejail - version %s\n\n", VERSION);
        printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n");
        printf("restricting the running environment of untrusted applications using Linux\n");
-        printf("namespaces. It includes a sandbox profile for Mozilla Firefox.\n\n");
+        printf("namespaces.\n");
        printf("\n");
-        printf("Usage: firejail [options] [program and arguments]\n\n");
+        printf("Usage: firejail [options] [program and arguments]\n");
        printf("\n");
-        printf("Without any options, the sandbox consists of a filesystem chroot build from the\n");
+        printf("Options:\n");
-        printf("current system directories  mounted  read-only,  and  new PID and IPC\n");
+        printf("    -- - signal the end of options and disables further option processing.\n");
-        printf("namespaces. If no program is specified as an argument, /bin/bash is started by\n");
+        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-        printf("default in the sandbox.\n\n");
+        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
-        printf("\n");
+        printf("    --apparmor - enable AppArmor confinement.\n");
-        printf("Options:\n\n");
+        printf("    --appimage - sandbox an AppImage application.\n");
-        printf("    -- - signal the end of options and disables further option processing.\n\n");
+        printf("    --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --bandwidth=name|pid - set  bandwidth  limits  for  the sandbox identified\n");
+        printf("    --bandwidth=name|pid - set  bandwidth  limits\n");
-        printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
 #endif
 #ifdef HAVE_BIND                
-        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
+        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
-        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n");
+        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
-        printf("    --blacklist=dirname_or_filename - blacklist directory or file.\n\n");
+        printf("    --blacklist=filename - blacklist directory or file.\n");
-        printf("    -c - execute command and exit.\n\n");
+        printf("    -c - execute command and exit.\n");
-        printf("    --caps - enable default Linux capabilities filter.\n\n");
+        printf("    --caps - enable default Linux capabilities filter.\n");
-        printf("    --caps.drop=all - drop all capabilities.\n\n");
+        printf("    --caps.drop=all - drop all capabilities.\n");
-        printf("    --caps.drop=capability,capability - blacklist capabilities filter.\n\n");
+        printf("    --caps.drop=capability,capability - blacklist capabilities filter.\n");
-        printf("    --caps.keep=capability,capability - whitelist capabilities filter.\n\n");
+        printf("    --caps.keep=capability,capability - whitelist capabilities filter.\n");
-        printf("    --caps.print=name|pid - print the caps filter for the sandbox identified\n");
+        printf("    --caps.print=name|pid - print the caps filter.\n");
-        printf("\tby name or PID.\n\n");
        printf("    --cgroup=tasks-file - place the sandbox in the specified control group.\n");
-        printf("\ttasks-file is the full path of cgroup tasks file.\n\n");
 #ifdef HAVE_CHROOT              
-        printf("    --chroot=dirname - chroot into directory.\n\n");
+        printf("    --chroot=dirname - chroot into directory.\n");
+#endif
+        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n");
+        printf("    --cpu.print=name|pid - print the cpus in use.\n");
+        printf("    --csh - use /bin/csh as default shell.\n");
+        printf("    --debug - print sandbox debug messages.\n");
+        printf("    --debug-blacklists - debug blacklisting.\n");
+        printf("    --debug-caps - print all recognized capabilities.\n");
+        printf("    --debug-check-filename - debug filename checking.\n");
+        printf("    --debug-errnos - print all recognized error numbers.\n");
+        printf("    --debug-protocols - print all recognized protocols.\n");
+        printf("    --debug-syscalls - print all recognized system calls.\n");
+#ifdef HAVE_WHITELIST   
+        printf("    --debug-whitelists - debug whitelisting.\n");
 #endif
-        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
-        printf("    --cpu.print=name|pid - print the cup in use by the sandbox identified\n");
-        printf("\tby name or PID.\n\n");
-        printf("    --csh - use /bin/csh as default shell.\n\n");
-        
-        printf("    --debug - print sandbox debug messages.\n\n");
-        printf("    --debug-blacklists - debug blacklisting.\n\n");
-        printf("    --debug-caps - print all recognized capabilities in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-check-filename - debug filename checking.\n\n");
-        printf("    --debug-errnos - print all recognized error numbers in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-protocols - print all recognized protocols in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-syscalls - print all recognized system calls in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-whitelists - debug whitelisting.\n\n");
 #ifdef HAVE_NETWORK     
-        printf("    --defaultgw=address - use this address as default gateway in the new network\n");
+        printf("    --defaultgw=address - configure default gateway.\n");
-        printf("\tnamespace.\n\n");
 #endif
-        printf("    --dns=address - set a DNS server for the sandbox. Up to three DNS servers\n");
+        printf("    --dns=address - set DNS server.\n");
-        printf("\tcan be defined.\n\n");
+        printf("    --dns.print=name|pid - print DNS configuration.\n");
-        printf("    --dns.print=name|pid - print DNS configuration for the sandbox identified\n");
-        printf("\tby name or PID.\n\n");
        
-        printf("    --env=name=value - set environment variable in the new sandbox.\n\n");
+        printf("    --env=name=value - set environment variable.\n");
-        printf("    --fs.print=name|pid - print the filesystem log for the sandbox identified\n");
+        printf("    --fs.print=name|pid - print the filesystem log.\n");
-        printf("\tby name or PID.\n\n");
+        printf("    --get=name|pid filename - get a file from sandbox container.\n");
-        printf("    --get=name|pid filename - get a file from sandbox container.\n\n");
+        printf("    --help, -? - this help screen.\n");
-        printf("    --help, -? - this help screen.\n\n");
+        printf("    --hostname=name - set sandbox hostname.\n");
-        printf("    --hostname=name - set sandbox hostname.\n\n");
+        printf("    --ignore=command - ignore command in profile files.\n");
-        printf("    --ignore=command - ignore command in profile files.\n\n");
 #ifdef HAVE_NETWORK     
-        printf("    --interface=name - move interface in a new network namespace. Up to four\n");
+        printf("    --interface=name - move interface in sandbox.\n");
-        printf("\t--interface options can be specified.\n\n");
+        printf("    --ip=address - set interface IP address.\n");
-        printf("    --ip=address - set interface IP address.\n\n");
+        printf("    --ip=none - no IP address and no default gateway are configured.\n");
-        printf("    --ip=none - no IP address and no default gateway address are configured\n");
+        printf("    --ip6=address - set interface IPv6 address.\n");
-        printf("\tin the new network namespace. Use this option in case you intend to\n");
+        printf("    --iprange=address,address - configure an IP address in this range.\n");
-        printf("\tstart an external DHCP client in the sandbox.\n\n");
-        printf("    --ip6=address - set interface IPv6 address.\n\n");
-        printf("    --iprange=address,address - configure an IP address in this range.\n\n");
 #endif
-        printf("    --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n");
+        printf("    --ipc-namespace - enable a new IPC namespace.\n");
-        printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n");
+        printf("    --join=name|pid - join the sandbox.\n");
-        printf("\tis started as root.\n\n");
+        printf("    --join-filesystem=name|pid - join the mount namespace.\n");
-        printf("    --join=name|pid - join the sandbox identified by name or PID.\n\n");
-        printf("    --join-filesystem=name|pid - join the mount namespace of the sandbox\n");
-        printf("\tidentified by name or PID.\n\n");
 #ifdef HAVE_NETWORK     
-        printf("    --join-network=name|pid - join the network namespace of the sandbox\n");
+        printf("    --join-network=name|pid - join the network namespace.\n");
-        printf("\tidentified by name or PID.\n\n");
 #endif
-        printf("    --list - list all sandboxes.\n\n");
+        printf("    --list - list all sandboxes.\n");
-        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n\n");
+        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
+        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
-        printf("    --mtu=number - set interface MTU.\n\n");
 #endif
-        printf("    --name=name - set sandbox name.\n\n");
+        printf("    --machine-id - preserve /etc/machine-id\n");
 #ifdef HAVE_NETWORK     
-        printf("    --net=bridgename - enable network namespaces and connect to this bridge\n");
+        printf("    --mtu=number - set interface MTU.\n");
-        printf("\tdevice. Up to four --net devices can be defined.\n\n");
+#endif
+        printf("    --name=name - set sandbox name.\n");
+#ifdef HAVE_NETWORK     
+        printf("    --net=bridgename - enable network namespaces and connect to this bridge.\n");
        printf("    --net=ethernet_interface - enable network namespaces and connect to this\n");
-        printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n");
+        printf("\tEthernet interface.\n");
-        printf("\t--net devices can be defined.\n\n");
+        printf("    --net=none - enable a new, unconnected network namespace.\n");
-        
+        printf("    --netfilter[=filename] - enable the default client network filter.\n");
-        printf("    --net=none - enable a new, unconnected network namespace.\n\n");
+        printf("    --netfilter6=filename - enable the IPv6 network filter.\n");
+        printf("    --netstats - monitor network statistics.\n");
-        printf("    --netfilter - enable the default client network filter in the new\n");
-        printf("\tnetwork namespace.\n\n");
-        printf("    --netfilter=filename - enable the network filter specified by\n");
-        printf("\tfilename in the new network namespace. The filter file format\n");
-        printf("\tis the format of iptables-save and iptable-restore commands.\n\n");
-        printf("    --netfilter6=filename - enable the IPv6 network filter specified by\n");
-        printf("\tfilename in the new network namespace. The filter file format\n");
-        printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
-        printf("    --netstats - monitor network statistics for sandboxes creating a new\n");
-        printf("\tnetwork namespace.\n\n");
 #endif
-        printf("    --nice=value - set nice value\n\n");
+        printf("    --nice=value - set nice value.\n");
-        printf("    --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
+        printf("    --no3d - disable 3D hardware acceleration.\n");
-        printf("\tfile.\n\n");
+        printf("    --noblacklist=filename - disable blacklist for file or directory .\n");
-        printf("    --nogroups - disable supplementary groups. Without this option,\n");
+        printf("    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
-        printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
+        printf("    --nogroups - disable supplementary groups.\n");
-        printf("\t For root, groups are always disabled.\n\n");
+        printf("    --noprofile - do not use a security profile.\n");
-        printf("    --noprofile - do not use a profile.  Profile priority is use the one\n");
-        printf("\tspecified on the command line, next try to find one that\n");
-        printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
-        printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
-        printf("\troot.\n\n");
 #ifdef HAVE_USERNS                      
-        printf("    --noroot - install a user namespace with a single user - the current\n");
+        printf("    --noroot - install a user namespace with only the current user.\n");
-        printf("\tuser. root user does not exist in the new namespace. This option\n");
-        printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
-        printf("    --nosound - disable sound system.\n\n");
+        printf("    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
-                
+        printf("    --output=logfile - stdout logging and log rotation.\n");
-        printf("    --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
-        printf("\tto logfile, and keep the size of the file under 500KB using log\n");
-        printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
-        printf("\trotation.\n\n");
-        
        printf("    --overlay - mount a filesystem overlay on top of the current filesystem.\n");
-        printf("\tThe upper filesystem layer is persistent, and stored in\n");
+        printf("    --overlay-named=name - mount a filesystem overlay on top of the current\n");
-        printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n");
+        printf("\tfilesystem, and store it in name directory.\n");
-        printf("\tLinux kernel for this option to work). \n\n");   
+        printf("    --overlay-tmpfs - mount a temporary filesystem overlay on top of the current\n");
+        printf("\tfilesystem.\n");   
-        printf("    --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
+        printf("    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n");
-        printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
+        printf("    --private - temporary home directory.\n");
-        printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n");
+        printf("    --private=directory - use directory as user home.\n");
-        printf("\tsupport is required in Linux kernel for this option to work).\n\n");   
+        printf("    --private-home=file,directory - build a new user home in a temporary\n");
+        printf("\tfilesystem, and copy the files and directories in the list in\n");
-        printf("    --private - mount new /root and /home/user directories in temporary\n");
+        printf("\tthe new home.\n");
-        printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
-        printf("\tclosed.\n\n");
-        printf("    --private=directory - use directory as user home.\n\n");
        printf("    --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
-        printf("\tand copy the programs in the list.\n\n");
+        printf("\tand copy the programs in the list.\n");
        printf("    --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
-        printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n");
+        printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n");
        printf("    --private-etc=file,directory - build a new /etc in a temporary\n");
        printf("\tfilesystem, and copy the files and directories in the list.\n");
-        printf("\tAll modifications are discarded when the sandbox is closed.\n\n");
+        printf("    --private-tmp - mount a tmpfs on top of /tmp directory.\n");
-        
+        printf("    --profile=filename - use a custom profile.\n");
-        printf("    --private-tmp - mount a tmpfs on top of /tmp directory\n\n");
+        printf("    --profile-path=directory - use this directory to look for profile files.\n");
-        
-        printf("    --profile=filename - use a custom profile.\n\n");
-        printf("    --profile-path=directory - use this directory to look for profile files.\n\n");
-        
        printf("    --protocol=protocol,protocol,protocol - enable protocol filter.\n");
-        printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
+        printf("    --protocol.print=name|pid - print the protocol filter.\n");
-        printf("    --protocol.print=name|pid - print the protocol filter for the sandbox\n");
+        printf("    --put=name|pid src-filename dest-filename - put a file in sandbox container.\n");
-        printf("\tidentified by name or PID.\n\n");
+        printf("    --quiet - turn off Firejail's output.\n");
-        
+        printf("    --read-only=filename - set directory or file read-only..\n");
-        printf("    --quiet - turn off Firejail's output.\n\n");
+        printf("    --read-write=filename - set directory or file read-write..\n");
-        printf("    --read-only=dirname_or_filename - set directory or file read-only..\n\n");
        printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
-        printf("\tby a process.\n\n");
+        printf("\tby a process.\n");
        printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
-        printf("\topened by a process.\n\n");
+        printf("\topened by a process.\n");
        printf("    --rlimit-nproc=number - set the maximum number of processes that can be\n");
-        printf("\tcreated for the real user ID of the calling process.\n\n");
+        printf("\tcreated for the real user ID of the calling process.\n");
        printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
-        printf("\tfor a process.\n\n");
+        printf("\tfor a process.\n");
+        printf("    --rmenv=name - remove environment variable in the new sandbox.\n");
 #ifdef HAVE_NETWORK     
        printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
-        printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
-        printf("\trunning on the current host.\n\n");
 #endif  
 #ifdef HAVE_SECCOMP
-        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n\n");
+        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n");
-        
        printf("    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
-        printf("\tdefault syscall list and the syscalls specified by the command.\n\n");
+        printf("\tdefault syscall list and the syscalls specified by the command.\n");
-        
        printf("    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\tblacklist the syscalls specified by the command.\n\n");
+        printf("\tblacklist the syscalls specified by the command.\n");
-        
        printf("    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\twhitelist the syscalls specified by the command.\n\n");
+        printf("\twhitelist the syscalls specified by the command.\n");
-        
        printf("    --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\treturn errno for the syscalls specified by the command.\n\n");
+        printf("\treturn errno for the syscalls specified by the command.\n");
-        
        printf("    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
-        printf("\tidentified by name or PID.\n\n");
+        printf("\tidentified by name or PID.\n");
 #endif
+        printf("    --shell=none - run the program directly without a user shell.\n");
-        printf("    --shell=none - run the program directly without a user shell.\n\n");
+        printf("    --shell=program - set default user shell.\n");
-        printf("    --shell=program - set default user shell.\n\n");
+        printf("    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n");
-        printf("    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n");
        printf("    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
-        printf("\tThis option is available only when running the sandbox as root.\n\n");
+        printf("    --top - monitor the most CPU-intensive sandboxes.\n");
-        printf("    --top - monitor the most CPU-intensive sandboxes.\n\n");
+        printf("    --trace - trace open, access and connect system calls.\n");
-        printf("    --trace - trace open, access and connect system calls.\n\n");
        printf("    --tracelog - add a syslog message for every access to files or\n");
-        printf("\tdirectoires blacklisted by the security profile.\n\n");
+        printf("\tdirectoires blacklisted by the security profile.\n");
-        printf("    --tree - print a tree of all sandboxed processes.\n\n");
+        printf("    --tree - print a tree of all sandboxed processes.\n");
-        printf("    --user=new_user - switch the user before starting the sandbox.\n\n");
+        printf("    --version - print program version and exit.\n");
-        printf("    --version - print program version and exit.\n\n");
-        printf("    --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
-        printf("    --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
-        printf("\tthen it checks if Xephyr is installed.\n\n");
-        printf("    --x11=xpra - enable Xpra X11 server.\n\n");
-        printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n");
-        printf("    --zsh - use /usr/bin/zsh as default shell.\n\n");
-        printf("\n");
-        printf("\n");
 #ifdef HAVE_NETWORK     
-        printf("Traffic Shaping\n\n");
+        printf("    --veth-name=name - use this name for the interface connected to the bridge.\n"); 
-        
+#endif  
-        printf("Network bandwidth is an expensive resource shared among  all  sandboxes\n");
+#ifdef HAVE_WHITELIST   
-        printf("running  on a system.  Traffic shaping allows the user to increase network\n");
+        printf("    --whitelist=filename - whitelist directory or file.\n");
-        printf("performance by controlling the amount of data that flows into and out of the\n");
+#endif  
-        printf("sandboxes. Firejail  implements  a simple rate-limiting shaper based on Linux\n");
+        printf("    --writable-etc - /etc directory is mounted read-write.\n");
-        printf("command tc. The shaper works at sandbox level, and can be used  only  for\n");
+        printf("    --writable-var - /var directory is mounted read-write.\n");
-        printf("sandboxes configured with new network namespaces.\n\n");
+        printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
+        printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
-        printf("Set rate-limits:\n");
+        printf("\tattempt to use X11 security extension.\n");
-        printf("    firejail  --bandwidth={name|pid} set network-name down-speed up-speed\n\n");
+        printf("    --x11=none - disable access to X11 sockets.\n");
-        printf("Clear rate-limits:\n");
+        printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n");
-        printf("    firejail --bandwidth={name|pid} clear network-name\n\n");
+        printf("    --x11=xorg - enable X11 security extension.\n");
-        printf("Status:\n");
+        printf("    --x11=xpra - enable Xpra X11 server.\n");
-        printf("    firejail --bandwidth={name|pid} status\n\n");
+        printf("    --zsh - use /usr/bin/zsh as default shell.\n");
-        printf("where:\n");
-            printf("    name - sandbox name\n");
-            printf("    pid - sandbox pid\n");
-            printf("    network-name - network name as used by --net option\n");
-            printf("    down-speed - download speed in KB/s (decimal kilobyte per second)\n");
-            printf("    up-speed - upload speed in KB/s (decimal kilobyte per second)\n");
-        printf("\n");
-        printf("Example:\n");
-            printf("    $ firejail --name=mybrowser --net=eth0 firefox &\n");
-            printf("    $ firejail --bandwidth=mybrowser set eth0 80 20\n");
-            printf("    $ firejail --bandwidth=mybrowser status\n");
-            printf("    $ firejail --bandwidth=mybrowser clear eth0\n");
-        printf("\n");
-        printf("\n");
-#endif
-        printf("Monitoring\n\n");
-        printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
-        printf("follows:\n\n");
-        printf("    PID:USER:Command\n\n");
-        printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
-        printf("for each process entry is as follows:\n\n");
-        printf("    PID:USER:Command\n\n");
-        printf("Option --top is similar to the UNIX top command, however it applies only to\n");
-        printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
-        printf("order:\n\n");
-        printf("    Command - command used to start the sandbox.\n");
-        printf("    CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
-        printf("\tlast screen update\n");
-        printf("    PID - Unique process ID for the task controlling the sandbox.\n");
-        printf("    Prcs - number of processes running in sandbox, including the controlling\n");
-        printf("\tprocess.\n");
-        printf("    RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
-        printf("\tIt is a sum of the RES values for all processes running in the\n");
-        printf("\tsandbox.\n");
-        printf("    SHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
-        printf("\tprocesses. It is a sum of the SHR values for all processes running\n");
-        printf("\tin the sandbox, including the controlling process.\n");
-        printf("    Uptime - sandbox running time in hours:minutes:seconds format.\n");
-        printf("    User - The owner of the sandbox.\n");
-        printf("\n");
-        printf("\n");
-        printf("Profile files\n\n");
-        printf("Several command line configuration options can be passed to the program using\n");
-        printf("profile files. Default Firejail profile files are stored in /etc/firejail\n");
-        printf("directory, user profile files are stored in ~/.config/firejail directory. See\n");
-        printf("man 5 firejail-profile for more information.\n\n");
-        printf("\n");
-        printf("Restricted shell\n\n");
-        printf("To  configure a restricted shell, replace /bin/bash with /usr/bin/firejail in\n");
-        printf("/etc/password file for each user that needs to  be  restricted.\n");
-        printf("Alternatively, you can specify /usr/bin/firejail  in adduser command:\n\n");
-        printf("   adduser --shell /usr/bin/firejail username\n\n");
-        printf("Arguments to be passed to firejail executable upon login are  declared  in\n");
-        printf("/etc/firejail/login.users file.\n\n");
        printf("\n");
-        printf("Examples:\n\n");
+        printf("Examples:\n");
-        printf("    $ firejail\n");
-        printf("\tstart a regular /bin/bash session in sandbox\n");
        printf("    $ firejail firefox\n");
        printf("\tstart Mozilla Firefox\n");
        printf("    $ firejail --debug firefox\n");
        printf("\tdebug Firefox sandbox\n");
-        printf("    $ firejail --private firefox\n");
+        printf("    $ firejail --private --sna=8.8.8.8 firefox\n");
-        printf("\tstart Firefox with a new, empty home directory\n");
+        printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
-        printf("    $ firejail --net=br0 ip=10.10.20.10\n");
+        printf("\tserver setting.\n");
-        printf("\tstart a /bin/bash session in a new network namespace; the session is\n");
+        printf("    $ firejail --net=eth0 firefox\n");
-        printf("\tconnected to the main network using br0 bridge device, an IP address\n");
+        printf("\tstart Firefox in a new network namespace\n");
-        printf("\tof 10.10.20.10 is assigned to the sandbox\n");
+        printf("    $ firejail --x11=xorg firefox\n");
-        printf("    $ firejail --net=br0 --net=br1 --net=br2\n");
+        printf("\tstart Firefox and sandbox X11\n");
-        printf("\tstart a /bin/bash session in a new network namespace and connect it\n");
-        printf("\tto br0, br1, and br2 host bridge devices\n");
        printf("    $ firejail --list\n");
        printf("\tlist all running sandboxes\n");
        printf("\n");
diff --git a/src/firejail/user.c b/src/firejail/user.c
deleted file mode 100644
index a2f34392c..000000000
--- a/src/firejail/user.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#include "firejail.h"
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <grp.h>
-#include <pwd.h>
-void check_user(int argc, char **argv) {
-        EUID_ASSERT();
-        int i;
-        char *user = NULL;
-        int found = 0;
-        for (i = 1; i < argc; i++) {
-                // check options
-                if (strcmp(argv[i], "--") == 0)
-                        break;
-                if (strncmp(argv[i], "--", 2) != 0)
-                        break;
-                
-                // check user option            
-                if (strncmp(argv[i], "--user=", 7) == 0) {
-                        found = 1;
-                        user = argv[i] + 7;
-                        break;
-                }
-        }
-        if (!found)
-                return;
-        // check root
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to use --user command line option\n");
-                exit(1);
-        }
-        
-        // switch user
-        struct passwd *pw = getpwnam(user);
-        if (!pw) {
-                fprintf(stderr, "Error: cannot find user %s\n", user);
-                exit(1);
-        }
-        printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid);
-        int rv = initgroups(user, pw->pw_gid);
-        if (rv == -1) {
-                perror("initgroups");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-        rv = setgid(pw->pw_gid);
-        if (rv == -1) {
-                perror("setgid");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-        rv = setuid(pw->pw_uid);
-        if (rv == -1) {
-                perror("setuid");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-        // build the new command line
-        int len = 0;
-        for (i = 0; i < argc; i++) {
-                len += strlen(argv[i]) + 1; // + ' '
-        }
-        
-        char *cmd = malloc(len + 1); // + '\0'
-        if (!cmd)
-                errExit("malloc");
-        
-        char *ptr = cmd;
-        int first = 1;
-        for (i = 0; i < argc; i++) {
-                if (strncmp(argv[i], "--user=", 7) == 0 && first) {
-                        first = 0;
-                        continue;
-                }
-                
-                ptr += sprintf(ptr, "%s ", argv[i]);
-        }
-        // run command
-        char *a[4];
-        a[0] = "/bin/bash";
-        a[1] = "-c";
-        a[2] = cmd;
-        a[3] = NULL;
-        execvp(a[0], a); 
-        perror("execvp");
-        exit(1);
-}
diff --git a/src/firejail/util.c b/src/firejail/util.c
index da73bbfd5..75f2acdb9 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -17,18 +17,23 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#define _XOPEN_SOURCE 500
 #include "firejail.h"
+#include <ftw.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <syslog.h>
 #include <errno.h>
 #include <dirent.h>
 #include <grp.h>
+#include <sys/ioctl.h>
+#include <termios.h>
 #define MAX_GROUPS 1024
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
+        EUID_ROOT();
        gid_t gid = getgid();
        // configure supplementary groups
@@ -77,7 +82,7 @@ void drop_privs(int nogroups) {
 int mkpath_as_root(const char* path) {
        assert(path && *path);
-        
        // work on a copy of the path
        char *file_path = strdup(path);
        if (!file_path)
@@ -95,24 +100,21 @@ int mkpath_as_root(const char* path) {
                        }
                }
                else {
-                        if (chmod(file_path, 0755) == -1)
+                        if (set_perms(file_path, 0, 0, 0755))
-                                errExit("chmod");
+                                errExit("set_perms");
-                        if (chown(file_path, 0, 0) == -1)
-                                errExit("chown");
                        done = 1;
-                }                       
+                }
                *p='/';
        }
        if (done)
                fs_logger2("mkpath", path);
-                
        free(file_path);
        return 0;
 }
 void logsignal(int s) {
        if (!arg_debug)
                return;
@@ -167,8 +169,8 @@ void logerr(const char *msg) {
 }
-// return -1 if error, 0 if no error
+// return -1 if error, 0 if no error; if destname already exists, return error
-int copy_file(const char *srcname, const char *destname) {
+int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
        assert(srcname);
        assert(destname);
@@ -204,18 +206,25 @@ int copy_file(const char *srcname, const char *destname) {
                        done += rv;
                }
        }
+        fflush(0);
+        if (fchown(dst, uid, gid) == -1)
+                errExit("fchown");
+        if (fchmod(dst, mode) == -1)
+                errExit("fchmod");
        close(src);
        close(dst);
        return 0;
 }
 // return 1 if the file is a directory
 int is_dir(const char *fname) {
        assert(fname);
        if (*fname == '\0')
                return 0;
-        
        // if fname doesn't end in '/', add one
        int rv;
        struct stat s;
@@ -226,20 +235,21 @@ int is_dir(const char *fname) {
                if (asprintf(&tmp, "%s/", fname) == -1) {
                        fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
                        errExit("asprintf");
-                }               
+                }
                rv = stat(tmp, &s);
                free(tmp);
        }
-        
        if (rv == -1)
                return 0;
-                
        if (S_ISDIR(s.st_mode))
                return 1;
        return 0;
 }
 // return 1 if the file is a link
 int is_link(const char *fname) {
        assert(fname);
@@ -324,7 +334,7 @@ char *split_comma(char *str) {
 int not_unsigned(const char *str) {
        EUID_ASSERT();
-        
        int rv = 0;
        const char *ptr = str;
        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') {
@@ -346,7 +356,7 @@ int find_child(pid_t parent, pid_t *child) {
        *child = 0;                               // use it to flag a found child
        DIR *dir;
-        EUID_ROOT(); // grsecurity fix
+        EUID_ROOT();                              // grsecurity fix
        if (!(dir = opendir("/proc"))) {
                // sleep 2 seconds and try again
                sleep(2);
@@ -403,13 +413,11 @@ int find_child(pid_t parent, pid_t *child) {
 }
 void extract_command_name(int index, char **argv) {
        EUID_ASSERT();
        assert(argv);
        assert(argv[index]);
        // configure command index
        cfg.original_program_index = index;
@@ -418,13 +426,13 @@ void extract_command_name(int index, char **argv) {
                errExit("strdup");
        // if we have a symbolic link, use the real path to extract the name
-        if (is_link(argv[index])) {
+//      if (is_link(argv[index])) {
-                char*newname = realpath(argv[index], NULL);
+//              char*newname = realpath(argv[index], NULL);
-                if (newname) {
+//              if (newname) {
-                        free(str);
+//                      free(str);
-                        str = newname;
+//                      str = newname;
-                }
+//              }
-        }
+//      }
        // configure command name
        cfg.command_name = str;
@@ -446,7 +454,6 @@ void extract_command_name(int index, char **argv) {
                        exit(1);
                }
                char *tmp = strdup(ptr);
                if (!tmp)
                        errExit("strdup");
@@ -532,6 +539,7 @@ void notify_other(int fd) {
        fclose(stream);
 }
 // This function takes a pathname supplied by the user and expands '~' and
 // '${HOME}' at the start, to refer to a path relative to the user's home
 // directory (supplied).
@@ -540,7 +548,7 @@ void notify_other(int fd) {
 char *expand_home(const char *path, const char* homedir) {
        assert(path);
        assert(homedir);
-        
        // Replace home macro
        char *new_name = NULL;
        if (strncmp(path, "${HOME}", 7) == 0) {
@@ -548,15 +556,19 @@ char *expand_home(const char *path, const char* homedir) {
                        errExit("asprintf");
                return new_name;
        }
-        else if (strncmp(path, "~/", 2) == 0) {
+        else if (*path == '~') {
                if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1)
                        errExit("asprintf");
                return new_name;
        }
-        
-        return strdup(path);
+        char *rv = strdup(path);
+        if (!rv)
+                errExit("strdup");
+        return rv;
 }
 // Equivalent to the GNU version of basename, which is incompatible with
 // the POSIX basename. A few lines of code saves any portability pain.
 // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
@@ -567,17 +579,18 @@ const char *gnu_basename(const char *path) {
        return last_slash+1;
 }
 uid_t pid_get_uid(pid_t pid) {
        EUID_ASSERT();
        uid_t rv = 0;
-        
        // open status file
        char *file;
        if (asprintf(&file, "/proc/%u/status", pid) == -1) {
                perror("asprintf");
                exit(1);
        }
-        EUID_ROOT();    // grsecurity fix
+        EUID_ROOT();                              // grsecurity fix
        FILE *fp = fopen(file, "r");
        if (!fp) {
                free(file);
@@ -596,16 +609,16 @@ uid_t pid_get_uid(pid_t pid) {
                        }
                        if (*ptr == '\0')
                                break;
-                                
                        rv = atoi(ptr);
-                        break; // break regardless!
+                        break;                    // break regardless!
                }
        }
        fclose(fp);
        free(file);
-        EUID_USER();    // grsecurity fix
+        EUID_USER();                              // grsecurity fix
-        
        if (rv == 0) {
                fprintf(stderr, "Error: cannot read /proc file\n");
                exit(1);
@@ -613,14 +626,15 @@ uid_t pid_get_uid(pid_t pid) {
        return rv;
 }
 void invalid_filename(const char *fname) {
-        EUID_ASSERT();
+//      EUID_ASSERT();
        assert(fname);
        const char *ptr = fname;
-        
        if (arg_debug_check_filename)
                printf("Checking filename %s\n", fname);
-        
        if (strncmp(ptr, "${HOME}", 7) == 0)
                ptr = fname + 7;
        else if (strncmp(ptr, "${PATH}", 7) == 0)
@@ -636,22 +650,172 @@ void invalid_filename(const char *fname) {
        }
 }
-uid_t get_tty_gid(void) {
+uid_t get_group_id(const char *group) {
        // find tty group id
-        gid_t ttygid = 0;
+        gid_t gid = 0;
-        struct group *g = getgrnam("tty");
+        struct group *g = getgrnam(group);
        if (g)
-                ttygid = g->gr_gid;
+                gid = g->gr_gid;
-        return ttygid;
+        return gid;
 }
-uid_t get_audio_gid(void) {
-        // find tty group id
-        gid_t audiogid = 0;
-        struct group *g = getgrnam("audio");
-        if (g)
-                audiogid = g->gr_gid;
-        return audiogid;
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+        (void) sb;
+        (void) typeflag;
+        (void) ftwbuf;
+        
+        int rv = remove(fpath);
+        if (rv)
+                perror(fpath);
+        return rv;
 }
+int remove_directory(const char *path) {
+        // FTW_PHYS - do not follow symbolic links
+        return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
+}
+void flush_stdin(void) {
+        if (isatty(STDIN_FILENO)) {
+                int cnt = 0;
+                int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
+                if (rv == 0 && cnt) {
+                        if (!arg_quiet)
+                                printf("Warning: removing %d bytes from stdin\n", cnt);
+                        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+                        (void) rv;
+                }
+        }
+}
+void create_empty_dir_as_root(const char *dir, mode_t mode) {
+        assert(dir);
+        mode &= 07777;
+        struct stat s;
+        
+        if (stat(dir, &s)) {
+                if (arg_debug)
+                        printf("Creating empty %s directory\n", dir);
+                /* coverity[toctou] */
+                if (mkdir(dir, mode) == -1)
+                        errExit("mkdir");
+                if (set_perms(dir, 0, 0, mode))
+                        errExit("set_perms");
+                ASSERT_PERMS(dir, 0, 0, mode);
+        }
+}
+void create_empty_file_as_root(const char *fname, mode_t mode) {
+        assert(fname);
+        mode &= 07777;
+        struct stat s;
+        if (stat(fname, &s)) {
+                if (arg_debug)
+                        printf("Creating empty %s file\n", fname);
+                /* coverity[toctou] */
+                FILE *fp = fopen(fname, "w");
+                if (!fp)
+                        errExit("fopen");
+                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR);
+                fclose(fp);
+                if (chmod(fname, mode) == -1)
+                        errExit("chmod");
+        }
+}
+// return 1 if error
+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+        assert(fname);
+        if (chmod(fname, mode) == -1)
+                return 1;
+        if (chown(fname, uid, gid) == -1)
+                return 1;
+        return 0;
+}
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
+        assert(fname);
+        mode &= 07777;
+#if 0   
+        printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode);
+        if (S_ISLNK(mode))
+                printf("l");
+        else if (S_ISDIR(mode))
+                printf("d");
+        else if (S_ISCHR(mode))
+                printf("c");
+        else if (S_ISBLK(mode))
+                printf("b");
+        else if (S_ISSOCK(mode))
+                printf("s");
+        else
+                printf("-");
+        printf( (mode & S_IRUSR) ? "r" : "-");
+        printf( (mode & S_IWUSR) ? "w" : "-");
+        printf( (mode & S_IXUSR) ? "x" : "-");
+        printf( (mode & S_IRGRP) ? "r" : "-");
+        printf( (mode & S_IWGRP) ? "w" : "-");
+        printf( (mode & S_IXGRP) ? "x" : "-");
+        printf( (mode & S_IROTH) ? "r" : "-");
+        printf( (mode & S_IWOTH) ? "w" : "-");
+        printf( (mode & S_IXOTH) ? "x" : "-");
+        printf("\n");
+#endif  
+        if (mkdir(fname, mode) == -1 ||
+            chmod(fname, mode) == -1 ||
+            chown(fname, uid, gid)) {
+                fprintf(stderr, "Error: failed to create %s directory\n", fname);
+                errExit("mkdir/chmod");
+        }
+        ASSERT_PERMS(fname, uid, gid, mode);
+}
+char *read_text_file_or_exit(const char *fname) {
+        assert(fname);
+        
+        // open file
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot read %s\n", fname);
+                exit(1);
+        }
+        int size = lseek(fd, 0, SEEK_END);
+        if (size == -1)
+                goto errexit;
+        if (lseek(fd, 0 , SEEK_SET) == -1)
+                goto errexit;
+        
+        // allocate memory
+        char *data = malloc(size + 1);    // + '\0'
+        if (data == NULL)
+                goto errexit;
+        memset(data, 0, size + 1);
+        // read file
+        int rd = 0;
+        while (rd < size) {
+                int rv = read(fd, (unsigned char *) data + rd, size - rd);
+                if (rv == -1) {
+                        goto errexit;
+                }
+                rd += rv;
+        }
+        
+        // close file
+        close(fd);
+        return data;
+        
+errexit:
+        close(fd);
+        fprintf(stderr, "Error: cannot read %s\n", fname);
+        exit(1);
+}
+\ No newline at end of file
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index ef1095a49..91017237d 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -20,11 +20,14 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <unistd.h>
 #include <signal.h>
 #include <stdlib.h>
 #include <dirent.h>
 #include <sys/mount.h>
+#include <sys/wait.h>
+int mask_x11_abstract_socket = 0;
 #ifdef HAVE_X11
 // return 1 if xpra is installed on the system
@@ -49,6 +52,31 @@ static int x11_check_xephyr(void) {
        return 1;
 }
+// check for X11 abstract sockets
+static int x11_abstract_sockets_present(void) {
+        char *path;
+        EUID_ROOT(); // grsecurity fix
+        FILE *fp = fopen("/proc/net/unix", "r");
+        EUID_USER();
+        if (!fp)
+                errExit("fopen");
+        while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) {
+                if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
+                        free(path);
+                        fclose(fp);
+                        return 1;
+                }
+        }
+        free(path);
+        fclose(fp);
+        return 0;
+}
 static int random_display_number(void) {
        int i;
        int found = 1;
@@ -109,10 +137,8 @@ void fs_x11(void) {
        int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
        if (rv == -1)
                errExit("mkdir");
-        if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0)
+        if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777))
-                errExit("chown");
+                errExit("set_perms");
-        if (chmod(RUN_WHITELIST_X11_DIR, 1777) < 0)
-                errExit("chmod");
        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
@@ -125,18 +151,15 @@ void fs_x11(void) {
        fs_logger("tmpfs /tmp/.X11-unix");
        // create an empty file
+        /* coverity[toctou] */
        FILE *fp = fopen(x11file, "w");
        if (!fp) {
                fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
                exit(1);
        }
-        fclose(fp);
        // set file properties
-        if (chown(x11file, s.st_uid, s.st_gid) < 0)
+        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
-                errExit("chown");
+        fclose(fp);
-        if (chmod(x11file, s.st_mode) < 0)
-                errExit("chmod");
        // mount
        char *wx11file;
@@ -164,15 +187,17 @@ void x11_start_xephyr(int argc, char **argv) {
        EUID_ASSERT();
        int i;
        struct stat s;
-        pid_t client = 0;
+        pid_t jail = 0;
        pid_t server = 0;
        
+        setenv("FIREJAIL_X11", "yes", 1);
        // unfortunately, xephyr does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
+        drop_privs(0);
        // check xephyr
        if (x11_check_xephyr() == 0) {
@@ -183,23 +208,78 @@ void x11_start_xephyr(int argc, char **argv) {
        }
        
        int display = random_display_number();
+        char *display_str;
-        // start xephyr
+        if (asprintf(&display_str, ":%d", display) == -1)
-        char *cmd1;
-        if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" -noreset -screen %s :%d", xephyr_screen, display) == -1)
                errExit("asprintf");
-        
-        int len = 50; // DISPLAY...
+        assert(xephyr_screen);
-        for (i = 0; i < argc; i++) {
+        char *server_argv[256] = { "Xephyr", "-ac", "-br", "-noreset", "-screen", xephyr_screen }; // rest initialyzed to NULL
-                len += strlen(argv[i]) + 1; // + ' '
+        unsigned pos = 0;
+        while (server_argv[pos] != NULL) pos++;
+        if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) {
+                server_argv[pos++] = "-title";
+                server_argv[pos++] = "firejail x11 sandbox";
+        }
+        assert(xephyr_extra_params); // should be "" if empty
+        // parse xephyr_extra_params
+        // very basic quoting support
+        char *temp = strdup(xephyr_extra_params);
+        if (*xephyr_extra_params != '\0') {
+                if (!temp)
+                        errExit("strdup");
+                bool dquote = false;
+                bool squote = false;
+                for (i = 0; i < (int) strlen(xephyr_extra_params); i++) {
+                        if (temp[i] == '\"') {
+                                dquote = !dquote;
+                                if (dquote) temp[i] = '\0'; // replace closing quote by \0
+                        }
+                        if (temp[i] == '\'') {
+                                squote = !squote;
+                                if (squote) temp[i] = '\0'; // replace closing quote by \0
+                        }
+                        if (!dquote && !squote && temp[i] == ' ') temp[i] = '\0';
+                        if (dquote && squote) {
+                                fprintf(stderr, "Error: mixed quoting found while parsing xephyr_extra_params\n");
+                                exit(1);
+                        }
+                }
+                if (dquote) {
+                        fprintf(stderr, "Error: unclosed quote found while parsing xephyr_extra_params\n");
+                        exit(1);
+                }
+                for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {
+                        if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) {
+                                fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");
+                                exit(1);
+                        }
+                        if (temp[i] == '\0' && (temp[i+1] == '\"' || temp[i+1] == '\'')) server_argv[pos++] = temp + i + 2;
+                        else if (temp[i] == '\0' && temp[i+1] != '\0') server_argv[pos++] = temp + i + 1;
+                }
        }
        
-        char *cmd2 = malloc(len + 1); // + '\0'
+        server_argv[pos++] = display_str;
-        if (!cmd2)
+        server_argv[pos++] = NULL;
-                errExit("malloc");
+        assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); // no overrun
+        assert(server_argv[pos-1] == NULL); // last element is null
        
-        sprintf(cmd2, "DISPLAY=:%d ", display);
+        if (arg_debug) {
-        char *ptr = cmd2 + strlen(cmd2);
+                size_t i = 0;
+                printf("xephyr server:");
+                while (server_argv[i]!=NULL) {
+                        printf(" \"%s\"", server_argv[i]);
+                        i++;
+                }
+                putchar('\n');
+        }
+        // remove --x11 arg
+        char *jail_argv[argc+2];
+        int j = 0;
        for (i = 0; i < argc; i++) {
                if (strcmp(argv[i], "--x11") == 0)
                        continue;
@@ -207,32 +287,40 @@ void x11_start_xephyr(int argc, char **argv) {
                        continue;
                if (strcmp(argv[i], "--x11=xephyr") == 0)
                        continue;
-                ptr += sprintf(ptr, "%s ", argv[i]);
+                jail_argv[j] = argv[i];
+                j++;
+        }
+        jail_argv[j] = NULL;
+        assert(j < argc+2); // no overrun
+        if (arg_debug) {
+                size_t i = 0;
+                printf("xephyr client:");
+                while (jail_argv[i]!=NULL) {
+                        printf(" \"%s\"", jail_argv[i]);
+                        i++;
+                }
+                putchar('\n');
        }
-        if (arg_debug)
-                printf("xephyr server: %s\n", cmd1);    
-        if (arg_debug)
-                printf("xephyr client: %s\n", cmd2);    
        
-        signal(SIGHUP,SIG_IGN); // fix sleep(1) below
        server = fork();
        if (server < 0)
                errExit("fork");
        if (server == 0) {
                if (arg_debug)
                        printf("Starting xephyr...\n");
-        
-                char *a[4];
+                // running without privileges - see drop_privs call above
-                a[0] = "/bin/bash";
+                assert(getenv("LD_PRELOAD") == NULL);   
-                a[1] = "-c";
+                execvp(server_argv[0], server_argv);
-                a[2] = cmd1;
-                a[3] = NULL;
-        
-                execvp(a[0], a); 
                perror("execvp");
-                exit(1);
+                _exit(1);
        }
+        if (arg_debug)
+                printf("xephyr server pid %d\n", server);
        // check X11 socket
        char *fname;
        if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
@@ -250,7 +338,6 @@ void x11_start_xephyr(int argc, char **argv) {
                exit(1);
        }
        free(fname);
-        sleep(1);
        
        if (arg_debug) {
                printf("X11 sockets: "); fflush(0);
@@ -258,26 +345,40 @@ void x11_start_xephyr(int argc, char **argv) {
                (void) rv;
        }
+        setenv("DISPLAY", display_str, 1);
        // run attach command
-        client = fork();
+        jail = fork();
-        if (client < 0)
+        if (jail < 0)
                errExit("fork");
-        if (client == 0) {
+        if (jail == 0) {
-                printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
+                if (!arg_quiet)
-                char *a[4];
+                        printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
-                a[0] = "/bin/bash";
-                a[1] = "-c";
+                // running without privileges - see drop_privs call above
-                a[2] = cmd2;
+                assert(getenv("LD_PRELOAD") == NULL);   
-                a[3] = NULL;
+                execvp(jail_argv[0], jail_argv);
-        
-                execvp(a[0], a); 
                perror("execvp");
-                exit(1);
+                _exit(1);
        }
-        sleep(1);
-        
+        // cleanup
-        if (!arg_quiet)
+        free(display_str);
-                printf("Xephyr server pid %d, client pid %d\n", server, client);
+        free(temp);
+        // wait for either server or jail termination
+        pid_t pid = wait(NULL);
+        // see which process terminated and kill other
+        if (pid == server) {
+                kill(jail, SIGTERM);
+        } else if (pid == jail) {
+                kill(server, SIGTERM);
+        }
+        // without this closing Xephyr window may mess your terminal:
+        // "monitoring" process will release terminal before
+        // jail process ends and releases terminal
+        wait(NULL); // fulneral
        exit(0);
 }
@@ -289,12 +390,14 @@ void x11_start_xpra(int argc, char **argv) {
        pid_t client = 0;
        pid_t server = 0;
        
+        setenv("FIREJAIL_X11", "yes", 1);
        // unfortunately, xpra does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
+        drop_privs(0);
        // check xpra
        if (x11_check_xpra() == 0) {
@@ -304,58 +407,44 @@ void x11_start_xpra(int argc, char **argv) {
        }
        
        int display = random_display_number();
+        char *display_str;
+        if (asprintf(&display_str, ":%d", display) == -1)
+                errExit("asprintf");
        // build the start command
-        int len = 50; // xpra start...
+        char *server_argv[] = { "xpra", "start", display_str, "--no-daemon",  NULL };
-        for (i = 0; i < argc; i++) {
-                len += strlen(argv[i]) + 1; // + ' '
+        int fd_null = -1;
-        }
+        if (arg_quiet) {
-        
+                fd_null = open("/dev/null", O_RDWR);
-        char *cmd1 = malloc(len + 1); // + '\0'
+                if (fd_null == -1)
-        if (!cmd1)
+                        errExit("open");
-                errExit("malloc");
-        
-        sprintf(cmd1, "xpra start :%d --exit-with-children --start-child=\"", display);
-        char *ptr = cmd1 + strlen(cmd1);
-        for (i = 0; i < argc; i++) {
-                if (strcmp(argv[i], "--x11") == 0)
-                        continue;
-                if (strcmp(argv[i], "--x11=xpra") == 0)
-                        continue;
-                if (strcmp(argv[i], "--x11=xephyr") == 0)
-                        continue;
-                ptr += sprintf(ptr, "%s ", argv[i]);
        }
-        sprintf(ptr, "\"");
-        if (arg_debug)
-                printf("xpra server: %s\n", cmd1);      
-        
-        // build the attach command
-        char *cmd2;
-        if (asprintf(&cmd2, "xpra --title=\"firejail x11 sandbox\" attach :%d", display) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("xpra client: %s\n", cmd2);
-        signal(SIGHUP,SIG_IGN); // fix sleep(1) below
+        // start
        server = fork();
        if (server < 0)
                errExit("fork");
        if (server == 0) {
                if (arg_debug)
                        printf("Starting xpra...\n");
+                if (arg_quiet && fd_null != -1) {
+                        dup2(fd_null,0);
+                        dup2(fd_null,1);
+                        dup2(fd_null,2);
+                }
        
-                char *a[4];
+                // running without privileges - see drop_privs call above
-                a[0] = "/bin/bash";
+                assert(getenv("LD_PRELOAD") == NULL);   
-                a[1] = "-c";
+                execvp(server_argv[0], server_argv);
-                a[2] = cmd1;
-                a[3] = NULL;
-        
-                execvp(a[0], a); 
                perror("execvp");
-                exit(1);
+                _exit(1);
        }
+        // add a small delay, on some systems it takes some time for the server to start
+        sleep(1);
        // check X11 socket
        char *fname;
        if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
@@ -366,14 +455,13 @@ void x11_start_xpra(int argc, char **argv) {
                sleep(1);
                if (stat(fname, &s) == 0)
                        break;
-        };
+        }
        
        if (n == 10) {
                fprintf(stderr, "Error: failed to start xpra\n");
                exit(1);
        }
        free(fname);
-        sleep(1);
        
        if (arg_debug) {
                printf("X11 sockets: "); fflush(0);
@@ -381,28 +469,118 @@ void x11_start_xpra(int argc, char **argv) {
                (void) rv;
        }
+        // build attach command
+        char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL };
        // run attach command
        client = fork();
        if (client < 0)
                errExit("fork");
        if (client == 0) {
-                printf("\n*** Attaching to xpra display %d ***\n\n", display);
+                if (arg_quiet && fd_null != -1) {
-                char *a[4];
+                        dup2(fd_null,0);
-                a[0] = "/bin/bash";
+                        dup2(fd_null,1);
-                a[1] = "-c";
+                        dup2(fd_null,2);
-                a[2] = cmd2;
+                }
-                a[3] = NULL;
-        
+                if (!arg_quiet)
-                execvp(a[0], a); 
+                        printf("\n*** Attaching to xpra display %d ***\n\n", display);
+                // running without privileges - see drop_privs call above
+                assert(getenv("LD_PRELOAD") == NULL);   
+                execvp(attach_argv[0], attach_argv);
+                perror("execvp");
+                _exit(1);
+        }
+        setenv("DISPLAY", display_str, 1);
+        // build jail command
+        char *firejail_argv[argc+2];
+        int pos = 0;
+        for (i = 0; i < argc; i++) {
+                if (strcmp(argv[i], "--x11") == 0)
+                        continue;
+                if (strcmp(argv[i], "--x11=xpra") == 0)
+                        continue;
+                if (strcmp(argv[i], "--x11=xephyr") == 0)
+                        continue;
+                firejail_argv[pos] = argv[i];
+                pos++;
+        }
+        firejail_argv[pos] = NULL;
+        assert(pos < (argc+2));
+        assert(!firejail_argv[pos]);
+        // start jail
+        pid_t jail = fork();
+        if (jail < 0)
+                errExit("fork");
+        if (jail == 0) {
+                // running without privileges - see drop_privs call above
+                assert(getenv("LD_PRELOAD") == NULL);   
+                if (firejail_argv[0]) // shut up llvm scan-build
+                        execvp(firejail_argv[0], firejail_argv);
                perror("execvp");
                exit(1);
        }
-        sleep(1);
-        
-        if (!arg_quiet)
-                printf("Xpra server pid %d, client pid %d\n", server, client);
-        exit(0);
+        if (!arg_quiet)
+                printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail);
+        sleep(1); // let jail start
+        // wait for jail or server to end
+        while (1) {
+                pid_t pid = wait(NULL);
+                if (pid == jail) {
+                        char *stop_argv[] = { "xpra", "stop", display_str, NULL };
+                        pid_t stop = fork();
+                        if (stop < 0)
+                                errExit("fork");
+                        if (stop == 0) {
+                                if (arg_quiet && fd_null != -1) {
+                                        dup2(fd_null,0);
+                                        dup2(fd_null,1);
+                                        dup2(fd_null,2);
+                                }
+                                // running without privileges - see drop_privs call above
+                                assert(getenv("LD_PRELOAD") == NULL);   
+                                execvp(stop_argv[0], stop_argv);
+                                perror("execvp");
+                                _exit(1);
+                        }
+                        // wait for xpra server to stop, 10 seconds limit
+                        while (++n < 10) {
+                                sleep(1);
+                                pid = waitpid(server, NULL, WNOHANG);
+                                if (pid == server)
+                                        break;
+                        }
+                        if (arg_debug) {
+                                if (n == 10)
+                                        printf("failed to stop xpra server gratefully\n");
+                                else
+                                        printf("xpra server successfully stopped in %d secs\n", n);
+                        }
+                        
+                        // kill xpra server and xpra client
+                        kill(client, SIGTERM);
+                        kill(server, SIGTERM);
+                        exit(0);
+                }
+                else if (pid == server) {
+                        // kill firejail process
+                        kill(jail, SIGTERM);
+                        // kill xpra client (should die with server, but...)
+                        kill(client, SIGTERM);
+                        exit(0);
+                }
+        }
 }
 void x11_start(int argc, char **argv) {
@@ -410,7 +588,7 @@ void x11_start(int argc, char **argv) {
        // unfortunately, xpra does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
@@ -428,3 +606,129 @@ void x11_start(int argc, char **argv) {
 }
 #endif
+void x11_block(void) {
+#ifdef HAVE_X11
+        mask_x11_abstract_socket = 1;
+        // check abstract socket presence and network namespace options
+        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+                && x11_abstract_sockets_present()) {
+                fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
+                                                "Additional setup required. To block abstract X11 socket you can either:\n"
+                                                " * use network namespace in firejail (--net=none, --net=...)\n"
+                                                " * add \"-nolisten local\" to xserver options\n"
+                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
+                exit(1);
+        }
+        // blacklist sockets
+        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
+        profile_add(strdup("blacklist /tmp/.X11-unix"));
+        // blacklist .Xauthority
+        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
+        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+        char *xauthority = getenv("XAUTHORITY");
+        if (xauthority) {
+                char *line;
+                if (asprintf(&line, "blacklist %s", xauthority) == -1)
+                        errExit("asprintf");
+                profile_check_line(line, 0, NULL);
+                profile_add(line);
+        }
+        // clear environment
+        env_store("DISPLAY", RMENV);
+        env_store("XAUTHORITY", RMENV);
+#endif
+}
+void x11_xorg(void) {
+#ifdef HAVE_X11
+        // destination - create an empty ~/.Xauthotrity file if it doesn't exist already, and use it as a mount point
+        char *dest;
+        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(dest, &s) == -1) {
+                // create an .Xauthority file
+                FILE *fp = fopen(dest, "w");
+                if (!fp)
+                        errExit("fopen");
+                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+                fclose(fp);
+        }
+        // check xauth utility is present in the system
+        if (stat("/usr/bin/xauth", &s) == -1) {
+                fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n");
+                exit(1);
+        }
+        // create a temporary .Xauthority file
+        char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
+        int fd = mkstemp(tmpfname);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot create .Xauthority file\n");
+                exit(1);
+        }
+        close(fd);
+        if (chown(tmpfname, getuid(), getgid()) == -1)
+                errExit("chown");
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // generate the new .Xauthority file using xauth utility
+                if (arg_debug)
+                        printf("Generating a new .Xauthority file\n");
+                drop_privs(1);
+                char *display = getenv("DISPLAY");
+                if (!display)
+                        display = ":0.0";
+                
+                clearenv();
+                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
+                
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+        // check the file was created and set mode and ownership
+        if (stat(tmpfname, &s) == -1) {
+                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+                exit(1);
+        }
+        if (set_perms(tmpfname, getuid(), getgid(), 0600))
+                errExit("set_perms");
+        
+        // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
+        // automatically when the sandbox is closed
+        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
+                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+                exit(1);
+        }
+        if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600))
+                errExit("set_perms");
+        /* coverity[toctou] */
+        unlink(tmpfname);
+        
+        // mount
+        if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) {
+                fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
+                exit(1);
+        }
+        if (set_perms(dest, getuid(), getgid(), 0600))
+                errExit("set_perms");
+        free(dest);
+#endif  
+}
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index 21888d354..efc48b212 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -4,21 +4,26 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 firemon: $(OBJS) ../lib/common.o ../lib/pid.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o firemon
+clean:; rm -f *.o firemon *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index 7cb8ff4c3..014f6a904 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -72,17 +72,15 @@ static void print_arp(const char *fname) {
 }
-void arp(pid_t pid) {
+void arp(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1) {
                                char *fname;
@@ -90,10 +88,10 @@ void arp(pid_t pid) {
                                        errExit("asprintf");
                                print_arp(fname);
                                free(fname);
-                                printf("\n");
                        }
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index 5cd9b5d0d..3f8a139ae 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -24,7 +24,6 @@ static void print_caps(int pid) {
        char *file;
        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
                errExit("asprintf");
-                exit(1);
        }
        FILE *fp = fopen(file, "r");
@@ -48,17 +47,15 @@ static void print_caps(int pid) {
        free(file);
 }
                        
-void caps(pid_t pid) {
+void caps(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);  // include all processes
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_caps(child);
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 0b93390ae..e20e1d449 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -44,21 +44,20 @@ static void print_cgroup(int pid) {
        free(file);
 }
                        
-void cgroup(pid_t pid) {
+void cgroup(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_cgroup(child);
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 06658f58c..47c935686 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -48,21 +48,20 @@ static void print_cpu(int pid) {
        free(file);
 }
                        
-void cpu(pid_t pid) {
+void cpu(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_cpu(child);
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 3140c5f70..b63e37444 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -25,7 +25,6 @@
 #include <grp.h>
 #include <sys/stat.h>
 
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
@@ -35,6 +34,9 @@ static int arg_caps = 0;
 static int arg_cpu = 0;
 static int arg_cgroup = 0;
 static int arg_x11 = 0;
+static int arg_top = 0;
+static int arg_list = 0;
+static int arg_netstats = 0;
 int arg_nowrap = 0;
 static struct termios tlocal;   // startup terminal setting
@@ -62,17 +64,6 @@ int find_child(int id) {
        return -1;
 }
-// drop privileges
-void firemon_drop_privs(void) {
-        // drop privileges
-        if (setgroups(0, NULL) < 0)
-                errExit("setgroups");
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
-}
 // sleep and wait for a key to be pressed
 void firemon_sleep(int st) {
        if (terminal_set == 0) {
@@ -129,53 +120,44 @@ int main(int argc, char **argv) {
                }
                
                // options without a pid argument
-                else if (strcmp(argv[i], "--top") == 0) {
+                else if (strcmp(argv[i], "--top") == 0)
-                        top(); // never to return
+                        arg_top = 1;
-                }
+                else if (strcmp(argv[i], "--list") == 0)
-                else if (strcmp(argv[i], "--list") == 0) {
+                        arg_list = 1;
-                        list();
+                else if (strcmp(argv[i], "--tree") == 0)
-                        return 0;
+                        arg_tree = 1;
-                }
                else if (strcmp(argv[i], "--netstats") == 0) {
                        struct stat s;
                        if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
                                fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n");
                                exit(1);
                        }       
+                        arg_netstats = 1;
-                        netstats();
-                        return 0;
                }
                // cumulative options with or without a pid argument
-                else if (strcmp(argv[i], "--x11") == 0) {
+                else if (strcmp(argv[i], "--x11") == 0)
                        arg_x11 = 1;
-                }
+                else if (strcmp(argv[i], "--cgroup") == 0)
-                else if (strcmp(argv[i], "--cgroup") == 0) {
                        arg_cgroup = 1;
-                }
+                else if (strcmp(argv[i], "--cpu") == 0)
-                else if (strcmp(argv[i], "--cpu") == 0) {
                        arg_cpu = 1;
-                }
+                else if (strcmp(argv[i], "--seccomp") == 0)
-                else if (strcmp(argv[i], "--seccomp") == 0) {
                        arg_seccomp = 1;
-                }
+                else if (strcmp(argv[i], "--caps") == 0)
-                else if (strcmp(argv[i], "--caps") == 0) {
                        arg_caps = 1;
-                }
-                else if (strcmp(argv[i], "--tree") == 0) {
-                        arg_tree = 1;
-                }
                else if (strcmp(argv[i], "--interface") == 0) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: you need to be root to run this command\n");
+                                exit(1);
+                        }
                        arg_interface = 1;
                }
-                else if (strcmp(argv[i], "--route") == 0) {
+                else if (strcmp(argv[i], "--route") == 0)
                        arg_route = 1;
-                }
+                else if (strcmp(argv[i], "--arp") == 0)
-                else if (strcmp(argv[i], "--arp") == 0) {
                        arg_arp = 1;
-                }
                else if (strncmp(argv[i], "--name=", 7) == 0) {
                        char *name = argv[i] + 7;
@@ -212,27 +194,66 @@ int main(int argc, char **argv) {
                }
        }
-        if (arg_tree)
+        // allow only root user if /proc is mounted hidepid
+        if (pid_hidepid() && getuid() != 0) {
+                fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n");
+                exit(1);
+        }
+        
+        if (arg_top) {
+                top(); 
+                return 0;
+        }
+        if (arg_list) {
+                list();
+                return 0;
+        }
+        if (arg_netstats) {
+                netstats();
+                return 0;               
+        }
+        
+        // cumulative options
+        int print_procs = 1;
+        if (arg_tree) {
                tree((pid_t) pid);
-        if (arg_interface)
+                print_procs = 0;
-                interface((pid_t) pid);
+        }
-        if (arg_route)
+        if (arg_cpu) {
-                route((pid_t) pid);
+                cpu((pid_t) pid, print_procs);
-        if (arg_arp)
+                print_procs = 0;
-                arp((pid_t) pid);
+        }
-        if (arg_seccomp)
+        if (arg_seccomp) {
-                seccomp((pid_t) pid);
+                seccomp((pid_t) pid, print_procs);
-        if (arg_caps)
+                print_procs = 0;
-                caps((pid_t) pid);
+        }
-        if (arg_cpu)
+        if (arg_caps) {
-                cpu((pid_t) pid);
+                caps((pid_t) pid, print_procs);
-        if (arg_cgroup)
+                print_procs = 0;
-                cgroup((pid_t) pid);
+        }
-        if (arg_x11)
+        if (arg_cgroup) {
-                x11((pid_t) pid);
+                cgroup((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_x11) {
+                x11((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_interface) {
+                interface((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_route) {
+                route((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_arp) {
+                arp((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
        
-        if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp && !arg_x11)
+        if (print_procs)
-                procevent((pid_t) pid); // never to return
+                procevent((pid_t) pid);
                
        return 0;
 }
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 522ece077..c78023888 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -38,7 +38,6 @@ static inline void firemon_clrscr(void) {
 // firemon.c
 extern int arg_nowrap;
 int find_child(int id);
-void firemon_drop_privs(void);
 void firemon_sleep(int st);
@@ -55,25 +54,25 @@ void top(void);
 void list(void);
 // interface.c
-void interface(pid_t pid);
+void interface(pid_t pid, int print_procs);
 // arp.c
-void arp(pid_t pid);
+void arp(pid_t pid, int print_procs);
 // route.c
-void route(pid_t pid);
+void route(pid_t pid, int print_procs);
 // caps.c
-void caps(pid_t pid);
+void caps(pid_t pid, int print_procs);
 // seccomp.c
-void seccomp(pid_t pid);
+void seccomp(pid_t pid, int print_procs);
 // cpu.c
-void cpu(pid_t pid);
+void cpu(pid_t pid, int print_procs);
 // cgroup.c
-void cgroup(pid_t pid);
+void cgroup(pid_t pid, int print_procs);
 // tree.c
 void tree(pid_t pid);
@@ -82,6 +81,6 @@ void tree(pid_t pid);
 void netstats(void);
 // x11.c
-void x11(pid_t pid);
+void x11(pid_t pid, int print_procs);
 #endif
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index 5a89e1491..def9cd5ac 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -145,32 +145,31 @@ static void print_sandbox(pid_t pid) {
                if (rv)
                        return;
                net_ifprint();
-                printf("\n");
+#ifdef HAVE_GCOV
-                exit(0);
+                __gcov_flush();
+#endif
+                _exit(0);
        }
        
        // wait for the child to finish
        waitpid(child, NULL, 0);
 }
-void interface(pid_t pid) {
+void interface(pid_t pid, int print_procs) {
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to run this command\n");
-                exit(1);
-        }
-        
        pid_read(pid); // a pid of 0 will include all processes
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1) {
                                print_sandbox(child);
                        }
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/list.c b/src/firemon/list.c
index 901627c2a..acff13a28 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 void list(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(0);    // include all processes
        
        // print processes
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 89e4202bd..534d783cb 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -26,6 +26,10 @@
 #define MAXBUF 4096
+// ip -s link: device stats
+// ss -s: socket stats
 static char *get_header(void) {
        char *rv;
        if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
@@ -166,9 +170,6 @@ static void print_proc(int index, int itv, int col) {
 }
 void netstats(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(0);    // include all processes
        
        printf("Displaying network statistics only for sandboxes using a new network namespace.\n");
@@ -215,6 +216,9 @@ void netstats(void) {
                                print_proc(i, itv, col);
                        }
                }
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
        }
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index e2dd5aaa2..edae21951 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -28,6 +28,8 @@
 #include <arpa/inet.h>
 #include <time.h>
 #include <fcntl.h>
+#include <sys/uio.h>
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
@@ -41,10 +43,8 @@ static int pid_is_firejail(pid_t pid) {
        
        // open /proc/self/comm
        char *file;
-        if (asprintf(&file, "/proc/%u/comm", pid) == -1) {
+        if (asprintf(&file, "/proc/%u/comm", pid) == -1)
-                perror("asprintf");
+                errExit("asprintf");
-                exit(1);
-        }
        
        FILE *fp = fopen(file, "r");
        if (!fp) {
@@ -89,7 +89,8 @@ static int pid_is_firejail(pid_t pid) {
        
                // list of firejail arguments that don't trigger sandbox creation
                // the initial -- is not included 
-                char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
+                char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols "
+                        "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get overlay-clean ";
                
                int i;
                char *start;
@@ -189,6 +190,10 @@ static int procevent_monitor(const int sock, pid_t mypid) {
        tv.tv_usec = 0;
        while (1) {
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
 #define BUFFSIZE 4096 
                char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
                
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 398965671..fb58b169d 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -181,17 +181,15 @@ static void print_route(const char *fname) {
 }
-void route(pid_t pid) {
+void route(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1) {
                                char *fname;
@@ -204,10 +202,10 @@ void route(pid_t pid) {
                                        errExit("asprintf");
                                print_route(fname);
                                free(fname);
-                                printf("\n");
                        }
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index 71771c72d..f11c624ea 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -22,10 +22,8 @@
 #define MAXBUF 4098
 static void print_seccomp(int pid) {
        char *file;
-        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
                errExit("asprintf");
-                exit(1);
-        }
        FILE *fp = fopen(file, "r");
        if (!fp) {
@@ -48,17 +46,15 @@ static void print_seccomp(int pid) {
        free(file);
 }
                        
-void seccomp(pid_t pid) {
+void seccomp(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);  // include all processes
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_seccomp(child);
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a6da6f64e..94271523c 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -232,9 +232,6 @@ void head_print(int col, int row) {
 }
 void top(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
        while (1) {
                // clear linked list
                head_clear();
@@ -295,6 +292,9 @@ void top(void) {
                        }
                }
                head_print(col, row);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
        }
 }
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index b05eb92f9..6d8b37ecb 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -20,10 +20,7 @@
 #include "firemon.h"
 void tree(pid_t pid) {
-        if (getuid() == 0)
+        pid_read(pid);
-                firemon_drop_privs();
-        
-        pid_read(pid);  // include all processes
        
        // print processes
        int i;
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index e30c2d78b..73dc310d3 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -22,39 +22,35 @@
 #include <sys/stat.h>
 #include <unistd.h>
                        
-void x11(pid_t pid) {
+void x11(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        
                        char *x11file;
                        // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
                        if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1)
                                errExit("asprintf");
-                        struct stat s;
+                        FILE *fp = fopen(x11file, "r");
-                        if (stat(x11file, &s) == 0) {
+                        if (!fp) {
-                                FILE *fp = fopen(x11file, "r");
+                                free(x11file);
-                                if (!fp) {
+                                continue;
-                                        free(x11file);
-                                        continue;
-                                }
-                                int display;
-                                int rv = fscanf(fp, "%d", &display);
-                                if (rv == 1)
-                                        printf("   DISPLAY :%d\n", display);
-                                fclose(fp);
                        }
+                        int display;
+                        int rv = fscanf(fp, "%d", &display);
+                        if (rv == 1)
+                                printf("  DISPLAY :%d\n", display);
+                        fclose(fp);
                        free(x11file);
                }
        }
+        printf("\n");
 }
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
new file mode 100644
index 000000000..32f08882a
--- /dev/null
+++ b/src/fnet/Makefile.in
@@ -0,0 +1,45 @@
+all: fnet
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+fnet: $(OBJS) ../lib/libnetlink.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -f *.o fnet *.gcov *.gcda *.gcno
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fnet/arp.c b/src/fnet/arp.c
new file mode 100644
index 000000000..96684fdf9
--- /dev/null
+++ b/src/fnet/arp.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnet.h"
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <linux/if_ether.h>                       //TCP/IP Protocol Suite for Linux
+#include <net/if.h>
+#include <netinet/in.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+#include <linux/tcp.h>
+#include <linux/if_packet.h>
+typedef struct arp_hdr_t {
+        uint16_t htype;
+        uint16_t ptype;
+        uint8_t hlen;
+        uint8_t plen;
+        uint16_t opcode;
+        uint8_t sender_mac[6];
+        uint8_t sender_ip[4];
+        uint8_t target_mac[6];
+        uint8_t target_ip[4];
+} ArpHdr;
+// scan interface (--scan option)
+void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
+        assert(dev);
+        assert(ifip);
+//      printf("Scanning interface %s (%d.%d.%d.%d/%d)\n",
+//              dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask));
+                        
+        if (strlen(dev) > IFNAMSIZ) {
+                fprintf(stderr, "Error: invalid network device name %s\n", dev);
+                exit(1);
+        }
+        
+        // find interface mac address
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+                errExit("socket");
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof (ifr));
+        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+        if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
+                errExit("ioctl");
+        close(sock);
+        uint8_t mac[6];
+        memcpy (mac, ifr.ifr_hwaddr.sa_data, 6);
+        // open layer2 socket
+        if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
+                errExit("socket");
+        
+        // try all possible ip addresses in ascending order
+        uint32_t range = ~ifmask + 1; // the number of potential addresses
+        // this software is not supported for /31 networks
+        if (range < 4) {
+                fprintf(stderr, "Warning: this option is not supported for /31 networks\n");
+                close(sock);
+                return;
+        }
+        uint32_t dest = (ifip & ifmask) + 1;
+        uint32_t last = dest + range - 1;
+        uint32_t src = htonl(ifip);
+        // wait not more than one second for an answer
+        int header_printed = 0;
+        uint32_t last_ip = 0;
+        struct timeval ts;
+        ts.tv_sec = 2; // 2 seconds receive timeout
+        ts.tv_usec = 0;
+        
+        while (1) {
+                fd_set rfds;
+                FD_ZERO(&rfds);
+                FD_SET(sock, &rfds);
+                fd_set wfds;
+                FD_ZERO(&wfds);
+                FD_SET(sock, &wfds);
+                int maxfd = sock;
+                uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
+                memset(frame, 0, ETH_FRAME_LEN);        
+                int nready;
+                if (dest < last)
+                        nready = select(maxfd + 1,  &rfds, &wfds, (fd_set *) 0, NULL);
+                else            
+                        nready = select(maxfd + 1,  &rfds,  (fd_set *) 0, (fd_set *) 0, &ts);
+                
+                if (nready < 0)
+                        errExit("select");
+                        
+                if (nready == 0) { // timeout
+                        break;
+                }
+                
+                if (FD_ISSET(sock, &wfds) && dest < last) {
+                        // configure layer2 socket address information
+                        struct sockaddr_ll addr;
+                        memset(&addr, 0, sizeof(addr));
+                        if ((addr.sll_ifindex = if_nametoindex(dev)) == 0)
+                                errExit("if_nametoindex");
+                        addr.sll_family = AF_PACKET;
+                        memcpy (addr.sll_addr, mac, 6);
+                        addr.sll_halen = htons(6);
+                
+                        // build the arp packet header
+                        ArpHdr hdr;
+                        memset(&hdr, 0, sizeof(hdr));
+                        hdr.htype = htons(1);
+                        hdr.ptype = htons(ETH_P_IP);
+                        hdr.hlen = 6;
+                        hdr.plen = 4;
+                        hdr.opcode = htons(1); //ARPOP_REQUEST
+                        memcpy(hdr.sender_mac, mac, 6);
+                        memcpy(hdr.sender_ip, (uint8_t *)&src, 4);
+                        uint32_t dst = htonl(dest);
+                        memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
+                
+                        // build ethernet frame
+                        uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
+                        memset(frame, 0, sizeof(frame));
+                        frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
+                        memcpy(frame + 6, mac, 6);
+                        frame[12] = ETH_P_ARP / 256;
+                        frame[13] = ETH_P_ARP % 256;
+                        memcpy (frame + 14, &hdr, sizeof(hdr));
+                
+                        // send packet
+                        int len;
+                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+                                errExit("send");
+//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));                
+                        fflush(0);
+                        dest++;
+                }
+                
+                if (FD_ISSET(sock, &rfds)) {
+                        // read the incoming packet
+                        int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL);
+                        if (len < 0) {
+                                perror("recvfrom");
+                        }
+                        // parse the incoming packet
+                        if ((unsigned int) len < 14 + sizeof(ArpHdr))
+                                continue;
+                        // look only at ARP packets
+                        if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256))
+                                continue;
+                        ArpHdr hdr;
+                        memcpy(&hdr, frame + 14, sizeof(ArpHdr));
+                        if (hdr.opcode == htons(2)) {
+                                // check my mac and my address
+                                if (memcmp(mac, hdr.target_mac, 6) != 0)
+                                        continue;
+                                uint32_t ip;
+                                memcpy(&ip, hdr.target_ip, 4);
+                                if (ip != src)
+                                        continue;
+                                memcpy(&ip, hdr.sender_ip, 4);
+                                ip = ntohl(ip);
+                                
+                                if (ip == last_ip) // filter duplicates
+                                        continue;
+                                last_ip = ip;
+                                        
+                                // printing
+                                if (header_printed == 0) {
+                                        printf("   Network scan:\n");
+                                        header_printed = 1;
+                                }
+                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
+                                        PRINT_MAC(hdr.sender_mac), PRINT_IP(ip));                                                                       
+                        }
+                }
+        }
+        
+        close(sock);
+}
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
new file mode 100644
index 000000000..0c5e5baef
--- /dev/null
+++ b/src/fnet/fnet.h
@@ -0,0 +1,49 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNET_H
+#define FNET_H
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "../include/common.h"
+// veth.c
+int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
+int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_move_interface(const char *dev, unsigned pid);
+// interface.c
+void net_bridge_add_interface(const char *bridge, const char *dev);
+void net_if_up(const char *ifname);
+int net_get_mtu(const char *ifname);
+void net_set_mtu(const char *ifname, int mtu);
+void net_ifprint(int scan);
+int net_get_mac(const char *ifname, unsigned char mac[6]);
+void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
+int net_if_mac(const char *ifname, const unsigned char mac[6]);
+void net_if_ip6(const char *ifname, const char *addr6);
+// arp.c
+void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask);
+#endif
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
new file mode 100644
index 000000000..3958efddd
--- /dev/null
+++ b/src/fnet/interface.c
@@ -0,0 +1,370 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnet.h"
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netdb.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <linux/if_bridge.h>
+static void check_if_name(const char *ifname) {
+        if (strlen(ifname) > IFNAMSIZ) {
+                fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
+                exit(1);
+        }
+}
+// add a veth device to a bridge
+void net_bridge_add_interface(const char *bridge, const char *dev) {
+        check_if_name(bridge);
+        check_if_name(dev);
+        
+        // somehow adding the interface to the bridge resets MTU on bridge device!!!
+        // workaround: restore MTU on the bridge device
+        // todo: put a real fix in
+        int mtu1 = net_get_mtu(bridge);
+        struct ifreq ifr;
+        int err;
+        int ifindex = if_nametoindex(dev);
+        if (ifindex <= 0)
+                errExit("if_nametoindex");
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+#ifdef SIOCBRADDIF
+        ifr.ifr_ifindex = ifindex;
+        err = ioctl(sock, SIOCBRADDIF, &ifr);
+        if (err < 0)
+#endif
+        {
+                unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 };
+                ifr.ifr_data = (char *) args;
+                err = ioctl(sock, SIOCDEVPRIVATE, &ifr);
+        }
+        (void) err;
+        close(sock);
+        int mtu2 = net_get_mtu(bridge);
+        if (mtu1 != mtu2)
+                net_set_mtu(bridge, mtu1);
+}
+// bring interface up
+void net_if_up(const char *ifname) {
+        check_if_name(ifname);
+        
+        int sock = socket(AF_INET,SOCK_DGRAM,0);
+        if (sock < 0)
+                errExit("socket");
+        // get the existing interface flags
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+        // read the existing flags
+        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
+                errExit("ioctl");
+        ifr.ifr_flags |= IFF_UP;
+        // set the new flags
+        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0)
+                errExit("ioctl");
+        // checking
+        // read the existing flags
+        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
+                errExit("ioctl");
+        // wait not more than 500ms for the interface to come up
+        int cnt = 0;
+        while (cnt < 50) {
+                usleep(10000);                    // sleep 10ms
+                // read the existing flags
+                if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
+                        errExit("ioctl");
+                if (ifr.ifr_flags & IFF_RUNNING)
+                        break;
+                cnt++;
+        }
+        close(sock);
+}
+int net_get_mtu(const char *ifname) {
+        check_if_name(ifname);
+        int mtu = 0;
+        int s;
+        struct ifreq ifr;
+        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        ifr.ifr_addr.sa_family = AF_INET;
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
+                mtu = ifr.ifr_mtu;
+        close(s);
+        
+        
+        return mtu;
+}
+void net_set_mtu(const char *ifname, int mtu) {
+        check_if_name(ifname);
+        int s;
+        struct ifreq ifr;
+        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        ifr.ifr_addr.sa_family = AF_INET;
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_mtu = mtu;
+        if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
+                fprintf(stderr, "Warning fnet: cannot set mtu for interface %s\n", ifname);
+        close(s);
+}
+// scan interfaces in current namespace and print IP address/mask for each interface
+void net_ifprint(int scan) {
+        uint32_t ip;
+        uint32_t mask;
+        struct ifaddrs *ifaddr, *ifa;
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
+                "Interface", "MAC", "IP", "Mask", "Status");
+        // walk through the linked list
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (ifa->ifa_addr == NULL)
+                        continue;
+                if (ifa->ifa_addr->sa_family == AF_INET) {
+                        struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
+                        mask = ntohl(si->sin_addr.s_addr);
+                        si = (struct sockaddr_in *) ifa->ifa_addr;
+                        ip = ntohl(si->sin_addr.s_addr);
+                        // interface status
+                        char *status;
+                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
+                                status = "UP";
+                        else
+                                status = "DOWN";
+                        // ip address and mask
+                        char ipstr[30];
+                        sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip));
+                        char maskstr[30];
+                        sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask));
+                        
+                        // mac address
+                        unsigned char mac[6];
+                        net_get_mac(ifa->ifa_name, mac);
+                        char macstr[30];
+                        if (strcmp(ifa->ifa_name, "lo") == 0)
+                                macstr[0] = '\0';
+                        else
+                                sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac));
+                        // print                                
+                        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
+                                ifa->ifa_name, macstr, ipstr, maskstr, status);
+                        // network scanning
+                        if (!scan)                              // scanning disabled
+                                continue;
+                        if (strcmp(ifa->ifa_name, "lo") == 0)   // no loopbabck scanning
+                                continue;
+                        if (mask2bits(mask) < 16)               // not scanning large networks
+                                continue;
+                        if (!ip)                                        // if not configured
+                                continue;
+                        // only if the interface is up and running
+                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
+                                arp_scan(ifa->ifa_name, ip, mask);
+                }
+        }
+        freeifaddrs(ifaddr);
+}
+int net_get_mac(const char *ifname, unsigned char mac[6]) {
+        check_if_name(ifname);
+        struct ifreq ifr;
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
+        
+        if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)
+                errExit("ioctl");
+        memcpy(mac, ifr.ifr_hwaddr.sa_data, 6);
+        close(sock);
+        return 0;
+}
+// configure interface ipv4 address
+void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
+        check_if_name(ifname);
+        int sock = socket(AF_INET,SOCK_DGRAM,0);
+        if (sock < 0)
+                errExit("socket");
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+        ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
+        if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) 
+                errExit("ioctl");
+        if (ip != 0) {
+                ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr =  htonl(mask);
+                if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0)
+                        errExit("ioctl");
+        }
+        
+        // configure mtu
+        if (mtu > 0) {
+                ifr.ifr_mtu = mtu;
+                if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0)
+                        errExit("ioctl");
+        }
+        close(sock);
+        usleep(10000);                            // sleep 10ms
+        return;
+}
+int net_if_mac(const char *ifname, const unsigned char mac[6]) {
+        check_if_name(ifname);
+        struct ifreq ifr;
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
+        memcpy(ifr.ifr_hwaddr.sa_data, mac, 6);
+        
+        if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1)
+                errExit("ioctl");
+        close(sock);
+        return 0;
+}
+// configure interface ipv6 address
+// ex: firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64
+struct ifreq6 {
+        struct in6_addr ifr6_addr;
+        uint32_t ifr6_prefixlen;
+        unsigned int ifr6_ifindex;
+};
+void net_if_ip6(const char *ifname, const char *addr6) {
+        check_if_name(ifname);
+        if (strchr(addr6, ':') == NULL) {
+                fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6);
+                exit(1);
+        }
+        
+        // extract prefix
+        unsigned long prefix;
+        char *ptr;
+        if ((ptr = strchr(addr6, '/'))) {
+                prefix = atol(ptr + 1);
+                if (prefix > 128) {
+                        fprintf(stderr, "Error fnet: invalid prefix for IPv6 address %s\n", addr6);
+                        exit(1);
+                }
+                *ptr = '\0';    // mark the end of the address
+        }
+        else
+                prefix = 128;
+        // extract address
+        struct sockaddr_in6 sin6;
+        memset(&sin6, 0, sizeof(sin6));
+        sin6.sin6_family = AF_INET6;
+        int rv = inet_pton(AF_INET6, addr6, sin6.sin6_addr.s6_addr);
+        if (rv <= 0) {
+                fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6);
+                exit(1);
+        }
+        // open socket
+        int sock = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
+        if (sock < 0) {
+                fprintf(stderr, "Error fnet: IPv6 is not supported on this system\n");
+                exit(1);
+        }
+        // find interface index
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+        if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) {
+                perror("ioctl SIOGIFINDEX");
+                exit(1);
+        }
+        // configure address
+        struct ifreq6 ifr6;
+        memset(&ifr6, 0, sizeof(ifr6));
+        ifr6.ifr6_prefixlen = prefix;
+        ifr6.ifr6_ifindex = ifr.ifr_ifindex;
+        memcpy((char *) &ifr6.ifr6_addr, (char *) &sin6.sin6_addr, sizeof(struct in6_addr));
+        if (ioctl(sock, SIOCSIFADDR, &ifr6) < 0) {
+                perror("ioctl SIOCSIFADDR");
+                exit(1);
+        }
+        
+        close(sock);
+}
diff --git a/src/fnet/main.c b/src/fnet/main.c
new file mode 100644
index 000000000..4e7807d07
--- /dev/null
+++ b/src/fnet/main.c
@@ -0,0 +1,103 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnet.h"
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfnet create veth dev1 dev2 bridge child\n");
+        printf("\tfnet create macvlan dev parent child\n");
+        printf("\tfnet moveif dev proc\n");
+        printf("\tfnet printif\n");
+        printf("\tfnet printif scan\n");
+        printf("\tfnet config interface dev ip mask mtu\n");
+        printf("\tfnet config mac addr\n");
+        printf("\tfnet config ipv6 dev ipn");
+        printf("\tfmet ifup dev\n");
+}
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}       
+#endif
+        if (argc < 2) {
+                usage();
+                return 1;
+        }
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+        else if (argc == 3 && strcmp(argv[1], "ifup") == 0) {
+                net_if_up(argv[2]);
+        }
+        else if (argc == 2 && strcmp(argv[1], "printif") == 0) {
+                net_ifprint(0);
+        }
+        else if (argc == 3 && strcmp(argv[1], "printif") == 0 && strcmp(argv[2], "scan") == 0) {
+                net_ifprint(1);
+        }
+        else if (argc == 7 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "veth") == 0) {
+                // create veth pair and move one end in the the namespace
+                net_create_veth(argv[3], argv[4], atoi(argv[6]));
+                // connect the ohter veth end to the bridge ...
+                net_bridge_add_interface(argv[5], argv[3]);
+                // ... and bring it  up
+                net_if_up(argv[3]);
+        }
+        else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
+                net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+        }
+        else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {
+                char *dev = argv[3];
+                uint32_t ip = (uint32_t)  atoll(argv[4]);
+                uint32_t mask = (uint32_t)  atoll(argv[5]);
+                int mtu = atoi(argv[6]);
+                // configure interface
+                net_if_ip(dev, ip, mask, mtu);
+                // ... and bring it  up
+                net_if_up(dev);
+        }
+        else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "mac") == 0) {
+                unsigned char mac[6];
+                if (atomac(argv[4], mac)) {
+                        fprintf(stderr, "Error fnet: invalid mac address %s\n", argv[4]);
+                }
+                net_if_mac(argv[3], mac);
+        }
+        else if (argc == 4 && strcmp(argv[1], "moveif") == 0) {
+                net_move_interface(argv[2], atoi(argv[3]));
+        }
+        else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "ipv6") == 0) {
+                net_if_ip6(argv[3], argv[4]);
+        }
+        else {
+                fprintf(stderr, "Error fnet: invalid arguments\n");
+                return 1;
+        }
+        return 0;
+}
diff --git a/src/firejail/veth.c b/src/fnet/veth.c
index df3c1d1f9..546fafcec 100644
--- a/src/firejail/veth.c
+++ b/src/fnet/veth.c
@@ -45,7 +45,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "firejail.h"
+#include "fnet.h"
 #include "../include/libnetlink.h"
 #include <linux/veth.h>
 #include <net/if.h>
@@ -63,8 +63,6 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
        int len;
        struct iplink_req req;
-        if (arg_debug)
-                printf("create veth %s/%s/%u\n", dev, nsdev, pid);
        assert(dev);
        assert(nsdev);
        assert(pid);
@@ -113,6 +111,8 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
                exit(2);
+        rtnl_close(&rth);
+        
        return 0;
 }
@@ -120,8 +120,6 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
 int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        int len;
        struct iplink_req req;
-        if (arg_debug)
-                printf("create macvlan %s, parent %s\n", dev, parent);
        assert(dev);
        assert(parent);
@@ -177,6 +175,8 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
                exit(2);
+        rtnl_close(&rth);
+        
        return 0;
 }
@@ -184,8 +184,6 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
 // when the interface is moved, netlink does not preserve interface configuration
 int net_move_interface(const char *dev, unsigned pid) {
        struct iplink_req req;
-        if (arg_debug)
-                printf("move device %s inside the namespace\n", dev);
        assert(dev);
        if (rtnl_open(&rth, 0) < 0) {
@@ -215,6 +213,8 @@ int net_move_interface(const char *dev, unsigned pid) {
        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
                exit(2);
+        rtnl_close(&rth);
+        
        return 0;
 }
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
new file mode 100644
index 000000000..04c46f128
--- /dev/null
+++ b/src/fseccomp/Makefile.in
@@ -0,0 +1,45 @@
+all: fseccomp
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+fseccomp: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno
+distclean: clean
+        rm -fr Makefile
diff --git a/src/firejail/errno.c b/src/fseccomp/errno.c
index c493dfa09..dbee916d4 100644
--- a/src/firejail/errno.c
+++ b/src/fseccomp/errno.c
@@ -17,9 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include "fseccomp.h"
-#ifdef HAVE_SECCOMP
-#include "firejail.h"
 #include <errno.h>
 //#include <attr/xattr.h>
@@ -171,20 +170,7 @@ static ErrnoEntry errnolist[] = {
 #endif  
 };
-int errno_highest_nr(void) {
-        int i, max = 0;
-        int elems = sizeof(errnolist) / sizeof(errnolist[0]);
-        for (i = 0; i < elems; i++) {
-                if (errnolist[i].nr > max)
-                        max = errnolist[i].nr;
-        }
-        return max;
-}
 int errno_find_name(const char *name) {
-        EUID_ASSERT();
-        
        int i;
        int elems = sizeof(errnolist) / sizeof(errnolist[0]);
        for (i = 0; i < elems; i++) {
@@ -206,9 +192,9 @@ char *errno_find_nr(int nr) {
        return "unknown";
 }
 void errno_print(void) {
-        EUID_ASSERT();
-        
        int i;
        int elems = sizeof(errnolist) / sizeof(errnolist[0]);
        for (i = 0; i < elems; i++) {
@@ -216,5 +202,3 @@ void errno_print(void) {
        }
        printf("\n");
 }
-#endif // HAVE_SECCOMP
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
new file mode 100644
index 000000000..504f1c23f
--- /dev/null
+++ b/src/fseccomp/fseccomp.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FSECCOMP_H
+#define FSECCOMP_H
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "../include/common.h"
+// syscall.c
+void syscall_print(void);
+int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg);
+int syscall_find_name(const char *name);
+char *syscall_find_nr(int nr);
+// errno.c
+void errno_print(void);
+int errno_find_name(const char *name);
+char *errno_find_nr(int nr);
+// protocol.c
+void protocol_print(void);
+void protocol_build_filter(const char *prlist, const char *fname);
+// seccomp_secondary.c
+void seccomp_secondary_64(const char *fname);
+void seccomp_secondary_32(const char *fname);
+// seccomp_file.c
+void filter_init(int fd);
+void filter_add_whitelist(int fd, int syscall, int arg);
+void filter_add_blacklist(int fd, int syscall, int arg);
+void filter_add_errno(int fd, int syscall, int arg);
+void filter_end_blacklist(int fd);
+void filter_end_whitelist(int fd);
+// seccomp.c
+// default list
+void seccomp_default(const char *fname, int allow_debuggers);
+// drop list
+void seccomp_drop(const char *fname, char *list, int allow_debuggers);
+// default+drop list
+void seccomp_default_drop(const char *fname, char *list, int allow_debuggers);
+// whitelisted filter
+void seccomp_keep(const char *fname, char *list);
+// seccomp_print
+void filter_print(const char *fname);
+#endif
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
new file mode 100644
index 000000000..2f85a786b
--- /dev/null
+++ b/src/fseccomp/main.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfseccomp debug-syscalls\n");
+        printf("\tfseccomp debug-errnos\n");
+        printf("\tfseccomp debug-protocols\n");
+        printf("\tfseccomp protocol build list file\n");
+        printf("\tfseccomp secondary 64 file\n");
+        printf("\tfseccomp secondary 32 file\n");
+        printf("\tfseccomp default file\n");
+        printf("\tfseccomp default file allow-debuggers\n");
+        printf("\tfseccomp drop file list\n");
+        printf("\tfseccomp drop file list allow-debuggers\n");
+        printf("\tfseccomp default drop file list\n");
+        printf("\tfseccomp default drop file list allow-debuggers\n");
+        printf("\tfseccomp keep file list\n");
+        printf("\tfseccomp print file\n");
+}
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}       
+#endif
+        if (argc < 2) {
+                usage();
+                return 1;
+        }
+                
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+        else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
+                syscall_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0)
+                errno_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0)
+                protocol_print();
+        else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
+                protocol_build_filter(argv[3], argv[4]);
+        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
+                seccomp_secondary_64(argv[3]);
+        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) 
+                seccomp_secondary_32(argv[3]);
+        else if (argc == 3 && strcmp(argv[1], "default") == 0)
+                seccomp_default(argv[2], 0);
+        else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
+                seccomp_default(argv[2], 1);
+        else if (argc == 4 && strcmp(argv[1], "drop") == 0)
+                seccomp_drop(argv[2], argv[3], 0);
+        else if (argc == 5 && strcmp(argv[1], "drop") == 0 && strcmp(argv[4], "allow-debuggers") == 0)
+                seccomp_drop(argv[2], argv[3], 1);
+        else if (argc == 5 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0)
+                seccomp_default_drop(argv[3], argv[4], 0);
+        else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
+                seccomp_default_drop(argv[3], argv[4], 1);
+        else if (argc == 4 && strcmp(argv[1], "keep") == 0)
+                seccomp_keep(argv[2], argv[3]);
+        else if (argc == 3 && strcmp(argv[1], "print") == 0)
+                filter_print(argv[2]);
+        else {
+                fprintf(stderr, "Error fseccomp: invalid arguments\n");
+                return 1;
+        }
+        return 0;
+}
+\ No newline at end of file
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
new file mode 100644
index 000000000..7bf560fe1
--- /dev/null
+++ b/src/fseccomp/protocol.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+/*
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                ONLY(SYS_socket),
+                EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else
+                WHITELIST(AF_INET),
+                WHITELIST(AF_INET6),
+                WHITELIST(AF_PACKET),
+                RETURN_ERRNO(ENOTSUP)
+        };
+        struct sock_fprog prog = {
+                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                .filter = filter,
+        };
+        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                perror("prctl(NO_NEW_PRIVS)");
+                return 1;
+        }
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                perror("prctl");
+                return 1;
+        }
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+static char *protocol[] = {
+        "unix",
+        "inet",
+        "inet6",
+        "netlink",
+        "packet",
+        NULL
+};
+static struct sock_filter protocol_filter_command[] = {
+        WHITELIST(AF_UNIX),
+        WHITELIST(AF_INET),
+        WHITELIST(AF_INET6),
+        WHITELIST(AF_NETLINK),
+        WHITELIST(AF_PACKET)
+};
+// Note: protocol[] and protocol_filter_command are synchronized
+// command length
+struct sock_filter whitelist[] = {
+        WHITELIST(AF_UNIX)
+};
+unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter);
+static struct sock_filter *find_protocol_domain(const char *p) {
+        int i = 0;
+        while (protocol[i] != NULL) {
+                if (strcmp(protocol[i], p) == 0)
+                        return &protocol_filter_command[i * whitelist_len];
+                i++;
+        }
+        return NULL;
+}       
+void protocol_print(void) {
+#ifndef SYS_socket
+        fprintf(stderr, "Warning fseccomp: firejail --protocol not supported on this platform\n");
+        return;
+#endif
+        int i = 0;
+        while (protocol[i] != NULL) {
+                printf("%s, ", protocol[i]);
+                i++;
+        }
+        printf("\n");
+}
+// install protocol filter
+void protocol_build_filter(const char *prlist, const char *fname) {
+        assert(prlist);
+        assert(fname);
+#ifndef SYS_socket
+        fprintf(stderr, "Warning fseccomp: --protocol not supported on this platform\n");
+        return;
+#else
+        // build the filter
+        struct sock_filter filter[32];  // big enough
+        memset(&filter[0], 0, sizeof(filter));
+        uint8_t *ptr = (uint8_t *) &filter[0];
+        
+        // header
+        struct sock_filter filter_start[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                ONLY(SYS_socket),
+                EXAMINE_ARGUMENT(0)
+        };
+        memcpy(ptr, &filter_start[0], sizeof(filter_start));
+        ptr += sizeof(filter_start);
+#if 0
+printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
+#endif
+        // parse list and add commands
+        char *tmplist = strdup(prlist);
+        if (!tmplist)
+                errExit("strdup");
+        char *token = strtok(tmplist, ",");
+        if (!token)
+                errExit("strtok");
+                
+        while (token) {
+                struct sock_filter *domain = find_protocol_domain(token);
+                if (domain == NULL) {
+                        fprintf(stderr, "Error fseccomp: %s is not a valid protocol\n", token);
+                        exit(1);
+                }
+                memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
+                ptr += whitelist_len * sizeof(struct sock_filter);
+                token = strtok(NULL, ",");
+#if 0
+printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+#endif
+        }       
+        free(tmplist);
+        // add end of filter
+        struct sock_filter filter_end[] = {
+                RETURN_ERRNO(ENOTSUP)
+        };
+        memcpy(ptr, &filter_end[0], sizeof(filter_end));
+        ptr += sizeof(filter_end);
+#if 0
+printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+#endif  
+        // save filter to file
+        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        
+        int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter));
+        int written = 0;
+        while (written < size) {
+                int rv = write(dst, (unsigned char *) filter + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+                        exit(1);
+                }
+                written += rv;
+        }
+        close(dst);
+#endif // SYS_socket    
+}
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
new file mode 100644
index 000000000..cc6edc8ca
--- /dev/null
+++ b/src/fseccomp/seccomp.c
@@ -0,0 +1,292 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static void add_default_list(int fd, int allow_debuggers) {
+#ifdef SYS_mount
+        filter_add_blacklist(fd, SYS_mount, 0);
+#endif
+#ifdef SYS_umount2
+        filter_add_blacklist(fd, SYS_umount2, 0);
+#endif
+        if (!allow_debuggers) {
+#ifdef SYS_ptrace
+                filter_add_blacklist(fd, SYS_ptrace, 0);
+#endif
+        }
+#ifdef SYS_kexec_load
+        filter_add_blacklist(fd, SYS_kexec_load, 0);
+#endif
+#ifdef SYS_kexec_file_load
+        filter_add_blacklist(fd, SYS_kexec_file_load, 0);
+#endif
+#ifdef SYS_open_by_handle_at
+        filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
+#endif
+#ifdef SYS_name_to_handle_at
+        filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
+#endif
+#ifdef SYS_init_module
+        filter_add_blacklist(fd, SYS_init_module, 0);
+#endif
+#ifdef SYS_finit_module
+        filter_add_blacklist(fd, SYS_finit_module, 0);
+#endif
+#ifdef SYS_create_module
+        filter_add_blacklist(fd, SYS_create_module, 0);
+#endif
+#ifdef SYS_delete_module
+        filter_add_blacklist(fd, SYS_delete_module, 0);
+#endif
+#ifdef SYS_iopl
+        filter_add_blacklist(fd, SYS_iopl, 0);
+#endif
+#ifdef  SYS_ioperm
+        filter_add_blacklist(fd, SYS_ioperm, 0);
+#endif
+#ifdef  SYS_ioprio_set
+        filter_add_blacklist(fd, SYS_ioprio_set, 0);
+#endif
+#ifdef SYS_ni_syscall
+        filter_add_blacklist(fd, SYS_ni_syscall, 0);
+#endif
+#ifdef SYS_swapon
+        filter_add_blacklist(fd, SYS_swapon, 0);
+#endif
+#ifdef SYS_swapoff
+        filter_add_blacklist(fd, SYS_swapoff, 0);
+#endif
+#ifdef SYS_syslog
+        filter_add_blacklist(fd, SYS_syslog, 0);
+#endif
+        if (!allow_debuggers) {
+#ifdef SYS_process_vm_readv
+                filter_add_blacklist(fd, SYS_process_vm_readv, 0);
+#endif
+        }
+#ifdef SYS_process_vm_writev
+        filter_add_blacklist(fd, SYS_process_vm_writev, 0);
+#endif
+        // mknod removed in 0.9.29 - it brakes Zotero extension
+        //#ifdef SYS_mknod
+        //              filter_add_blacklist(SYS_mknod, 0);
+        //#endif
+#ifdef SYS_sysfs
+        filter_add_blacklist(fd, SYS_sysfs, 0);
+#endif
+#ifdef SYS__sysctl
+        filter_add_blacklist(fd, SYS__sysctl, 0);
+#endif
+#ifdef SYS_adjtimex
+        filter_add_blacklist(fd, SYS_adjtimex, 0);
+#endif
+#ifdef  SYS_clock_adjtime
+        filter_add_blacklist(fd, SYS_clock_adjtime, 0);
+#endif
+#ifdef SYS_lookup_dcookie
+        filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
+#endif
+#ifdef  SYS_perf_event_open
+        filter_add_blacklist(fd, SYS_perf_event_open, 0);
+#endif
+#ifdef  SYS_fanotify_init
+        filter_add_blacklist(fd, SYS_fanotify_init, 0);
+#endif
+#ifdef SYS_kcmp
+        filter_add_blacklist(fd, SYS_kcmp, 0);
+#endif
+#ifdef SYS_add_key
+        filter_add_blacklist(fd, SYS_add_key, 0);
+#endif
+#ifdef SYS_request_key
+        filter_add_blacklist(fd, SYS_request_key, 0);
+#endif
+#ifdef SYS_keyctl
+        filter_add_blacklist(fd, SYS_keyctl, 0);
+#endif
+#ifdef SYS_uselib
+        filter_add_blacklist(fd, SYS_uselib, 0);
+#endif
+#ifdef SYS_acct
+        filter_add_blacklist(fd, SYS_acct, 0);
+#endif
+#ifdef SYS_modify_ldt
+        filter_add_blacklist(fd, SYS_modify_ldt, 0);
+#endif
+#ifdef SYS_pivot_root
+        filter_add_blacklist(fd, SYS_pivot_root, 0);
+#endif
+#ifdef SYS_io_setup
+        filter_add_blacklist(fd, SYS_io_setup, 0);
+#endif
+#ifdef SYS_io_destroy
+        filter_add_blacklist(fd, SYS_io_destroy, 0);
+#endif
+#ifdef SYS_io_getevents
+        filter_add_blacklist(fd, SYS_io_getevents, 0);
+#endif
+#ifdef SYS_io_submit
+        filter_add_blacklist(fd, SYS_io_submit, 0);
+#endif
+#ifdef SYS_io_cancel
+        filter_add_blacklist(fd, SYS_io_cancel, 0);
+#endif
+#ifdef SYS_remap_file_pages
+        filter_add_blacklist(fd, SYS_remap_file_pages, 0);
+#endif
+#ifdef SYS_mbind
+        filter_add_blacklist(fd, SYS_mbind, 0);
+#endif
+#ifdef SYS_get_mempolicy
+        filter_add_blacklist(fd, SYS_get_mempolicy, 0);
+#endif
+#ifdef SYS_set_mempolicy
+        filter_add_blacklist(fd, SYS_set_mempolicy, 0);
+#endif
+#ifdef SYS_migrate_pages
+        filter_add_blacklist(fd, SYS_migrate_pages, 0);
+#endif
+#ifdef SYS_move_pages
+        filter_add_blacklist(fd, SYS_move_pages, 0);
+#endif
+#ifdef SYS_vmsplice
+        filter_add_blacklist(fd, SYS_vmsplice, 0);
+#endif
+#ifdef SYS_chroot
+        filter_add_blacklist(fd, SYS_chroot, 0);
+#endif
+#ifdef SYS_tuxcall
+        filter_add_blacklist(fd, SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+        filter_add_blacklist(fd, SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+        filter_add_blacklist(fd, SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+        filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
+#endif
+}
+// default list
+void seccomp_default(const char *fname, int allow_debuggers) {
+        assert(fname);
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        add_default_list(fd, allow_debuggers);
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+// drop list
+void seccomp_drop(const char *fname, char *list, int allow_debuggers) {
+        assert(fname);
+        (void) allow_debuggers; // todo: to implemnet it
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+// default+drop
+void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
+        assert(fname);
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        add_default_list(fd, allow_debuggers);
+        if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+void seccomp_keep(const char *fname, char *list) {
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        // these 4 syscalls are used by firejail after the seccomp filter is initialized
+        filter_add_whitelist(fd, SYS_setuid, 0);
+        filter_add_whitelist(fd, SYS_setgid, 0);
+        filter_add_whitelist(fd, SYS_setgroups, 0);
+        filter_add_whitelist(fd, SYS_dup, 0);
+        filter_add_whitelist(fd, SYS_prctl, 0);
+        
+        if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        
+        filter_end_whitelist(fd);
+        
+        // close file
+        close(fd);
+}
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
new file mode 100644
index 000000000..10ef9dd31
--- /dev/null
+++ b/src/fseccomp/seccomp_file.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static void write_to_file(int fd, void *data, int size) {
+        assert(data);
+        assert(size);
+        
+        int written = 0;
+        while (written < size) {
+                int rv = write(fd, (unsigned char *) data + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write seccomp file\n");
+                        exit(1);
+                }
+                written += rv;
+        }
+}
+void filter_init(int fd) {
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                // handle X32 ABI
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+                RETURN_ERRNO(EPERM)
+        };
+#else
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL
+        };
+#endif
+#if 0
+{
+        int i;
+        unsigned char *ptr = (unsigned char *) &filter[0];
+        for (i = 0; i < sizeof(filter); i++, ptr++)
+                printf("%x, ", (*ptr) & 0xff);
+        printf("\n");
+}
+#endif
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_whitelist(int fd, int syscall, int arg) {
+        (void) arg;
+        
+        struct sock_filter filter[] = {
+                WHITELIST(syscall)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_blacklist(int fd, int syscall, int arg) {
+        (void) arg;
+        
+        struct sock_filter filter[] = {
+                BLACKLIST(syscall)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_errno(int fd, int syscall, int arg) {
+        struct sock_filter filter[] = {
+                BLACKLIST_ERRNO(syscall, arg)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_end_blacklist(int fd) {
+        struct sock_filter filter[] = {
+                RETURN_ALLOW
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_end_whitelist(int fd) {
+        struct sock_filter filter[] = {
+                KILL_PROCESS
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
new file mode 100644
index 000000000..e22c682dc
--- /dev/null
+++ b/src/fseccomp/seccomp_print.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static struct sock_filter *filter = NULL;
+static int filter_cnt = 0;
+static void load_seccomp(const char *fname) {
+        assert(fname);
+        
+        // open filter file
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1)
+                goto errexit;
+        // calculate the number of entries
+        int size = lseek(fd, 0, SEEK_END);
+        if (size == -1)
+                goto errexit;
+        if (lseek(fd, 0 , SEEK_SET) == -1)
+                goto errexit;
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
+        filter_cnt = entries;
+        
+        // read filter
+        filter = malloc(size);
+        if (filter == NULL)
+                goto errexit;
+        memset(filter, 0, size);
+        int rd = 0;
+        while (rd < size) {
+                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
+                if (rv == -1)
+                        goto errexit;
+                rd += rv;
+        }
+        
+        // close file
+        close(fd);
+        return;
+errexit:
+        fprintf(stderr, "Error fseccomp: cannot read %s\n", fname);
+        exit(1);
+}
+// debug filter
+void filter_print(const char *fname) {
+        assert(fname);
+        load_seccomp(fname);
+        
+        // start filter
+        struct sock_filter start[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL
+        };
+        // print sizes
+        printf("SECCOMP Filter:\n");
+        // test the start of the filter
+        if (memcmp(&start[0], filter, sizeof(start)) == 0) {
+                printf("  VALIDATE_ARCHITECTURE\n");
+                printf("  EXAMINE_SYSCAL\n");
+        }
+        else {
+                printf("Invalid seccomp filter %s\n", fname);
+                return;
+        }
+        
+        // loop trough blacklists
+        int i = 4;
+        while (i < filter_cnt) {
+                // minimal parsing!
+                unsigned char *ptr = (unsigned char *) &filter[i];
+                int *nr = (int *) (ptr + 4);
+                if (*ptr        == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
+                        printf("  WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
+                        printf("  BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
+                        int err = *(ptr + 13) << 8 | *(ptr + 12);
+                        printf("  ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
+                        i += 2;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
+                        printf("  KILL_PROCESS\n");
+                        i++;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
+                        printf("  RETURN_ALLOW\n");
+                        i++;
+                }
+                else {
+                        printf("  UNKNOWN ENTRY!!!\n");
+                        i++;
+                }
+        }
+}
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
new file mode 100644
index 000000000..a856e5aef
--- /dev/null
+++ b/src/fseccomp/seccomp_secondary.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+void seccomp_secondary_64(const char *fname) {
+        // hardcoded syscall values
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE_64,
+                EXAMINE_SYSCALL,
+                BLACKLIST(165), // mount
+                BLACKLIST(166), // umount2
+// todo: implement --allow-debuggers            
+                BLACKLIST(101), // ptrace
+                BLACKLIST(246), // kexec_load
+                BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(303), // name_to_handle_at
+                BLACKLIST(174), // create_module
+                BLACKLIST(175), // init_module
+                BLACKLIST(313), // finit_module
+                BLACKLIST(176), // delete_module
+                BLACKLIST(172), // iopl
+                BLACKLIST(173), // ioperm
+                BLACKLIST(251), // ioprio_set
+                BLACKLIST(167), // swapon
+                BLACKLIST(168), // swapoff
+                BLACKLIST(103), // syslog
+                BLACKLIST(310), // process_vm_readv
+                BLACKLIST(311), // process_vm_writev
+                BLACKLIST(139), // sysfs
+                BLACKLIST(156), // _sysctl
+                BLACKLIST(159), // adjtimex
+                BLACKLIST(305), // clock_adjtime
+                BLACKLIST(212), // lookup_dcookie
+                BLACKLIST(298), // perf_event_open
+                BLACKLIST(300), // fanotify_init
+                BLACKLIST(312), // kcmp
+                BLACKLIST(248), // add_key
+                BLACKLIST(249), // request_key
+                BLACKLIST(250), // keyctl
+                BLACKLIST(134), // uselib
+                BLACKLIST(163), // acct
+                BLACKLIST(154), // modify_ldt
+                BLACKLIST(155), // pivot_root
+                BLACKLIST(206), // io_setup
+                BLACKLIST(207), // io_destroy
+                BLACKLIST(208), // io_getevents
+                BLACKLIST(209), // io_submit
+                BLACKLIST(210), // io_cancel
+                BLACKLIST(216), // remap_file_pages
+                BLACKLIST(237), // mbind
+                BLACKLIST(239), // get_mempolicy
+                BLACKLIST(238), // set_mempolicy
+                BLACKLIST(256), // migrate_pages
+                BLACKLIST(279), // move_pages
+                BLACKLIST(278), // vmsplice
+                BLACKLIST(161), // chroot
+                BLACKLIST(184), // tuxcall
+                BLACKLIST(169), // reboot
+                BLACKLIST(180), // nfsservctl
+                BLACKLIST(177), // get_kernel_syms
+                
+                RETURN_ALLOW
+        };
+        // save filter to file
+        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        
+        int size = (int) sizeof(filter);
+        int written = 0;
+        while (written < size) {
+                int rv = write(dst, (unsigned char *) filter + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+                        exit(1);
+                }
+                written += rv;
+        }
+        close(dst);
+}
+// i386 filter installed on amd64 architectures
+void seccomp_secondary_32(const char *fname) {
+        // hardcoded syscall values
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE_32,
+                EXAMINE_SYSCALL,
+                BLACKLIST(21), // mount
+                BLACKLIST(52), // umount2
+// todo: implement --allow-debuggers            
+                BLACKLIST(26), // ptrace
+                BLACKLIST(283), // kexec_load
+                BLACKLIST(341), // name_to_handle_at
+                BLACKLIST(342), // open_by_handle_at
+                BLACKLIST(127), // create_module
+                BLACKLIST(128), // init_module
+                BLACKLIST(350), // finit_module
+                BLACKLIST(129), // delete_module
+                BLACKLIST(110), // iopl
+                BLACKLIST(101), // ioperm
+                BLACKLIST(289), // ioprio_set
+                BLACKLIST(87), // swapon
+                BLACKLIST(115), // swapoff
+                BLACKLIST(103), // syslog
+                BLACKLIST(347), // process_vm_readv
+                BLACKLIST(348), // process_vm_writev
+                BLACKLIST(135), // sysfs
+                BLACKLIST(149), // _sysctl
+                BLACKLIST(124), // adjtimex
+                BLACKLIST(343), // clock_adjtime
+                BLACKLIST(253), // lookup_dcookie
+                BLACKLIST(336), // perf_event_open
+                BLACKLIST(338), // fanotify_init
+                BLACKLIST(349), // kcmp
+                BLACKLIST(286), // add_key
+                BLACKLIST(287), // request_key
+                BLACKLIST(288), // keyctl
+                BLACKLIST(86), // uselib
+                BLACKLIST(51), // acct
+                BLACKLIST(123), // modify_ldt
+                BLACKLIST(217), // pivot_root
+                BLACKLIST(245), // io_setup
+                BLACKLIST(246), // io_destroy
+                BLACKLIST(247), // io_getevents
+                BLACKLIST(248), // io_submit
+                BLACKLIST(249), // io_cancel
+                BLACKLIST(257), // remap_file_pages
+                BLACKLIST(274), // mbind
+                BLACKLIST(275), // get_mempolicy
+                BLACKLIST(276), // set_mempolicy
+                BLACKLIST(294), // migrate_pages
+                BLACKLIST(317), // move_pages
+                BLACKLIST(316), // vmsplice
+                BLACKLIST(61),  // chroot
+                BLACKLIST(88), // reboot
+                BLACKLIST(169), // nfsservctl
+                BLACKLIST(130), // get_kernel_syms
+                
+                RETURN_ALLOW
+        };
+        // save filter to file
+        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        
+        int size = (int) sizeof(filter);
+        int written = 0;
+        while (written < size) {
+                int rv = write(dst, (unsigned char *) filter + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+                        exit(1);
+                }
+                written += rv;
+        }
+        close(dst);
+}
diff --git a/src/firejail/syscall.c b/src/fseccomp/syscall.c
index 985cc8bb8..7c2c4cbb2 100644
--- a/src/firejail/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -17,9 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include "fseccomp.h"
-#ifdef HAVE_SECCOMP
-#include "firejail.h"
 #include <sys/syscall.h>
 typedef struct {
@@ -31,13 +29,25 @@ static SyscallEntry syslist[] = {
 //
 // code generated using tools/extract-syscall
 //
-#include "syscall.h"
+#include "../include/syscall.h"
 //
 // end of generated code
 //
 }; // end of syslist
-const char *syscall_find_nr(int nr) {
+// return -1 if error, or syscall number
+int syscall_find_name(const char *name) {
+        int i;
+        int elems = sizeof(syslist) / sizeof(syslist[0]);
+        for (i = 0; i < elems; i++) {
+                if (strcmp(name, syslist[i].name) == 0)
+                        return syslist[i].nr;
+        }
+        
+        return -1;
+}
+char *syscall_find_nr(int nr) {
        int i;
        int elems = sizeof(syslist) / sizeof(syslist[0]);
        for (i = 0; i < elems; i++) {
@@ -48,24 +58,61 @@ const char *syscall_find_nr(int nr) {
        return "unknown";
 }
-// return -1 if error, or syscall number
+void syscall_print(void) {
-static int syscall_find_name(const char *name) {
        int i;
        int elems = sizeof(syslist) / sizeof(syslist[0]);
        for (i = 0; i < elems; i++) {
-                if (strcmp(name, syslist[i].name) == 0)
+                printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
-                        return syslist[i].nr;
        }
+        printf("\n");
+}
+// allowed input:
+// - syscall
+// - syscall(error)
+static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) {
+        assert(name);
+        if (strlen(name) == 0)
+                goto error;
+        *error_nr = -1;
        
-        return -1;
+        // syntax check
+        char *str = strdup(name);
+        if (!str)
+                errExit("strdup");
+        char *syscall_name = str;
+        char *error_name = strchr(str, ':');
+        if (error_name) {
+                *error_name = '\0';
+                error_name++;
+        }
+        if (strlen(syscall_name) == 0) {
+                free(str);
+                goto error;
+        }
+        *syscall_nr = syscall_find_name(syscall_name);
+        if (error_name) {
+                *error_nr = errno_find_name(error_name);
+                if (*error_nr == -1)
+                        *syscall_nr = -1;
+        }
+        free(str);
+        return;
+        
+error:
+        fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
+        exit(1);
 }
 // return 1 if error, 0 if OK
-int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg) {
+int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) {
        // don't allow empty lists
        if (slist == NULL || *slist == '\0') {
-                fprintf(stderr, "Error: empty syscall lists are not allowed\n");
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                return -1;
+                exit(1);
        }
        // work on a copy of the string
@@ -73,44 +120,27 @@ int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg)
        if (!str)
                errExit("strdup");
-        char *ptr = str;
+        char *ptr =strtok(str, ",");
-        char *start = str;
+        if (ptr == NULL) {
-        while (*ptr != '\0') {
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                if (islower(*ptr) || isdigit(*ptr) || *ptr == '_')
+                exit(1);
-                        ;
-                else if (*ptr == ',') {
-                        *ptr = '\0';
-                        int nr = syscall_find_name(start);
-                        if (nr == -1)
-                                fprintf(stderr, "Warning: syscall %s not found\n", start);
-                        else if (callback != NULL)
-                                callback(nr, arg);
-                                
-                        start = ptr + 1;
-                }
-                ptr++;
        }
-        if (*start != '\0') {
-                int nr = syscall_find_name(start);
+        while (ptr) {
-                if (nr == -1)
+                int syscall_nr;
-                        fprintf(stderr, "Warning: syscall %s not found\n", start);
+                int error_nr;
-                else if (callback != NULL)
+                syscall_process_name(ptr, &syscall_nr, &error_nr);
-                        callback(nr, arg);
+                if (syscall_nr == -1)
+                        fprintf(stderr, "Warning fseccomp: syscall %s not found\n", ptr);
+                else if (callback != NULL) {
+                        if (error_nr != -1)
+                                filter_add_errno(fd, syscall_nr, error_nr);
+                        else
+                                callback(fd, syscall_nr, arg);
+                }
+                ptr = strtok(NULL, ",");
        }
        
        free(str);
        return 0;
 }
-void syscall_print(void) {
-        EUID_ASSERT();
-        
-        int i;
-        int elems = sizeof(syslist) / sizeof(syslist[0]);
-        for (i = 0; i < elems; i++) {
-                printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
-        }
-        printf("\n");
-}
-#endif // HAVE_SECCOMP
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index be159225f..ad508cadd 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -4,21 +4,23 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 ftee: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o ftee
+clean:; rm -f *.o ftee *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 8daea8487..2b27baa5a 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -179,10 +179,6 @@ static int is_link(const char *fname) {
        return 0;
 }
 static void usage(void) {
        printf("Usage: ftee filename\n");
 }
@@ -193,37 +189,33 @@ int main(int argc, char **argv) {
                usage();
                exit(1);
        }
+        if (strcmp(argv[1], "--help") == 0) {
+                usage();
+                return 0;
+        }
        char *fname = argv[1];
        // do not accept directories, links, and files with ".."
-        if (strstr(fname, "..") || is_link(fname) || is_dir(fname)) {
+        if (strstr(fname, "..") || is_link(fname) || is_dir(fname))
-                fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
+                goto errexit;
-                exit(1);
-        }
        
        struct stat s;
        if (stat(fname, &s) == 0) {
                // check permissions
-                if (s.st_uid != getuid() || s.st_gid != getgid()) {
+                if (s.st_uid != getuid() || s.st_gid != getgid())
-                        fprintf(stderr, "Error: the output file needs to be owned by the current user.\n");
+                        goto errexit;
-                        exit(1);
-                }
                
                // check hard links
-                if (s.st_nlink != 1) {
+                if (s.st_nlink != 1)
-                        fprintf(stderr, "Error: no hard links allowed.\n");
+                        goto errexit;
-                        exit(1);
-                }
        }
        // check if we can append to this file
        /* coverity[toctou] */
        FILE *fp = fopen(fname, "a");
-        if (!fp) {
+        if (!fp)
-                fprintf(stderr, "Error: cannot open output file %s\n", fname);
+                goto errexit;
-                exit(1);
-        }
        fclose(fp);
@@ -244,4 +236,8 @@ int main(int argc, char **argv) {
        
        log_close();
        return 0;
+errexit:
+        fprintf(stderr, "Error ftee: invalid output file.\n");
+        return 1;
 }
diff --git a/src/include/common.h b/src/include/common.h
index cd4b9c874..108820290 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -32,7 +32,7 @@
 #include <ctype.h>
 #include <assert.h>
-#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
@@ -113,4 +113,6 @@ int join_namespace(pid_t pid, char *type);
 int name2pid(const char *name, pid_t *pid);
 char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
+int pid_hidepid(void);
 #endif
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index f07cf2868..752df5fff 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -31,25 +31,32 @@
 }
 extern uid_t firejail_uid;
+extern uid_t firejail_gid;
 static inline void EUID_ROOT(void) {
        if (seteuid(0) == -1)
-                fprintf(stderr, "Error: cannot switch euid to root\n");
+                fprintf(stderr, "Warning: cannot switch euid to root\n");
+        if (setegid(0) == -1)
+                fprintf(stderr, "Warning: cannot switch egid to root\n");
 }
 static inline void EUID_USER(void) {
        if (seteuid(firejail_uid) == -1)
-                fprintf(stderr, "Error: cannot switch euid to user\n");
+                errExit("seteuid");
+        if (setegid(firejail_gid) == -1)
+                errExit("setegid");
 }
 static inline void EUID_PRINT(void) {
        printf("debug: uid %d, euid %d\n", getuid(), geteuid());
+        printf("debug: gid %d, egid %d\n", getgid(), getegid());
 }
 static inline void EUID_INIT(void) {
        firejail_uid = getuid();
+        firejail_gid = getgid();
 }
 #endif
diff --git a/src/firejail/seccomp.h b/src/include/seccomp.h
index 7d646dd9e..7d646dd9e 100644
--- a/src/firejail/seccomp.h
+++ b/src/include/seccomp.h
diff --git a/src/firejail/syscall.h b/src/include/syscall.h
index 5b2cb4915..9a29779c9 100644
--- a/src/firejail/syscall.h
+++ b/src/include/syscall.h
@@ -20,7 +20,6 @@
 // content extracted from /bits/syscall.h file form glibc 2.22
 // using ../tools/extract_syscall tool
 #if !defined __x86_64__
 #ifdef SYS__llseek
 #ifdef __NR__llseek
@@ -37,6 +36,11 @@
        {"_sysctl", __NR__sysctl},
 #endif
 #endif
+#ifdef SYS_accept4
+#ifdef __NR_accept4
+        {"accept4", __NR_accept4},
+#endif
+#endif
 #ifdef SYS_access
 #ifdef __NR_access
        {"access", __NR_access},
@@ -72,6 +76,11 @@
        {"bdflush", __NR_bdflush},
 #endif
 #endif
+#ifdef SYS_bind
+#ifdef __NR_bind
+        {"bind", __NR_bind},
+#endif
+#endif
 #ifdef SYS_bpf
 #ifdef __NR_bpf
        {"bpf", __NR_bpf},
@@ -157,6 +166,16 @@
        {"close", __NR_close},
 #endif
 #endif
+#ifdef SYS_connect
+#ifdef __NR_connect
+        {"connect", __NR_connect},
+#endif
+#endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
        {"creat", __NR_creat},
@@ -492,6 +511,11 @@
        {"getitimer", __NR_getitimer},
 #endif
 #endif
+#ifdef SYS_getpeername
+#ifdef __NR_getpeername
+        {"getpeername", __NR_getpeername},
+#endif
+#endif
 #ifdef SYS_getpgid
 #ifdef __NR_getpgid
        {"getpgid", __NR_getpgid},
@@ -562,6 +586,16 @@
        {"getsid", __NR_getsid},
 #endif
 #endif
+#ifdef SYS_getsockname
+#ifdef __NR_getsockname
+        {"getsockname", __NR_getsockname},
+#endif
+#endif
+#ifdef SYS_getsockopt
+#ifdef __NR_getsockopt
+        {"getsockopt", __NR_getsockopt},
+#endif
+#endif
 #ifdef SYS_gettid
 #ifdef __NR_gettid
        {"gettid", __NR_gettid},
@@ -722,6 +756,11 @@
        {"linkat", __NR_linkat},
 #endif
 #endif
+#ifdef SYS_listen
+#ifdef __NR_listen
+        {"listen", __NR_listen},
+#endif
+#endif
 #ifdef SYS_listxattr
 #ifdef __NR_listxattr
        {"listxattr", __NR_listxattr},
@@ -777,6 +816,11 @@
        {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
        {"memfd_create", __NR_memfd_create},
@@ -817,6 +861,11 @@
        {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
        {"mlockall", __NR_mlockall},
@@ -1122,11 +1171,21 @@
        {"reboot", __NR_reboot},
 #endif
 #endif
+#ifdef SYS_recvfrom
+#ifdef __NR_recvfrom
+        {"recvfrom", __NR_recvfrom},
+#endif
+#endif
 #ifdef SYS_recvmmsg
 #ifdef __NR_recvmmsg
        {"recvmmsg", __NR_recvmmsg},
 #endif
 #endif
+#ifdef SYS_recvmsg
+#ifdef __NR_recvmsg
+        {"recvmsg", __NR_recvmsg},
+#endif
+#endif
 #ifdef SYS_remap_file_pages
 #ifdef __NR_remap_file_pages
        {"remap_file_pages", __NR_remap_file_pages},
@@ -1292,6 +1351,16 @@
        {"sendmmsg", __NR_sendmmsg},
 #endif
 #endif
+#ifdef SYS_sendmsg
+#ifdef __NR_sendmsg
+        {"sendmsg", __NR_sendmsg},
+#endif
+#endif
+#ifdef SYS_sendto
+#ifdef __NR_sendto
+        {"sendto", __NR_sendto},
+#endif
+#endif
 #ifdef SYS_set_mempolicy
 #ifdef __NR_set_mempolicy
        {"set_mempolicy", __NR_set_mempolicy},
@@ -1432,6 +1501,11 @@
        {"setsid", __NR_setsid},
 #endif
 #endif
+#ifdef SYS_setsockopt
+#ifdef __NR_setsockopt
+        {"setsockopt", __NR_setsockopt},
+#endif
+#endif
 #ifdef SYS_settimeofday
 #ifdef __NR_settimeofday
        {"settimeofday", __NR_settimeofday},
@@ -1457,6 +1531,11 @@
        {"sgetmask", __NR_sgetmask},
 #endif
 #endif
+#ifdef SYS_shutdown
+#ifdef __NR_shutdown
+        {"shutdown", __NR_shutdown},
+#endif
+#endif
 #ifdef SYS_sigaction
 #ifdef __NR_sigaction
        {"sigaction", __NR_sigaction},
@@ -1502,11 +1581,21 @@
        {"sigsuspend", __NR_sigsuspend},
 #endif
 #endif
+#ifdef SYS_socket
+#ifdef __NR_socket
+        {"socket", __NR_socket},
+#endif
+#endif
 #ifdef SYS_socketcall
 #ifdef __NR_socketcall
        {"socketcall", __NR_socketcall},
 #endif
 #endif
+#ifdef SYS_socketpair
+#ifdef __NR_socketpair
+        {"socketpair", __NR_socketpair},
+#endif
+#endif
 #ifdef SYS_splice
 #ifdef __NR_splice
        {"splice", __NR_splice},
@@ -1722,6 +1811,11 @@
        {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
        {"ustat", __NR_ustat},
@@ -1934,6 +2028,11 @@
        {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
        {"creat", __NR_creat},
@@ -2484,6 +2583,11 @@
        {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
        {"memfd_create", __NR_memfd_create},
@@ -2524,6 +2628,11 @@
        {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
        {"mlockall", __NR_mlockall},
@@ -3354,6 +3463,11 @@
        {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
        {"ustat", __NR_ustat},
@@ -3546,6 +3660,11 @@
        {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
        {"creat", __NR_creat},
@@ -4071,6 +4190,11 @@
        {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
        {"memfd_create", __NR_memfd_create},
@@ -4111,6 +4235,11 @@
        {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
        {"mlockall", __NR_mlockall},
@@ -4921,6 +5050,11 @@
        {"unshare", __NR_unshare},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
        {"ustat", __NR_ustat},
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 71f96bab1..5549aca11 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -2,12 +2,14 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now 
 all: $(OBJS)
@@ -15,7 +17,7 @@ all: $(OBJS)
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-clean:; rm -f $(OBJS)
+clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/lib/common.c b/src/lib/common.c
index 8ea926df1..3f66fa72a 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -39,22 +39,23 @@ int join_namespace(pid_t pid, char *type) {
                errExit("asprintf");
        
        int fd = open(path, O_RDONLY);
-        if (fd < 0) {
+        if (fd < 0)
-                free(path);
+                goto errout;
-                fprintf(stderr, "Error: cannot open /proc/%u/ns/%s.\n", pid, type);
-                return -1;
-        }
        if (syscall(__NR_setns, fd, 0) < 0) {
-                free(path);
-                fprintf(stderr, "Error: cannot join namespace %s.\n", type);
                close(fd);
-                return -1;
+                goto errout;
        }
        close(fd);
        free(path);
        return 0;
+errout:
+        free(path);
+        fprintf(stderr, "Error: cannot join namespace %s\\n", type);
+        return -1;
+        
 }
 // return 1 if error
@@ -187,8 +188,6 @@ char *pid_proc_cmdline(const pid_t pid) {
        for (i = 0; i < len; i++) {
                if (buffer[i] == '\0')
                        buffer[i] = ' ';
-//              if (buffer[i] >= 0x80) // execv in progress!!!
-//                      return NULL;
        }
        // return a malloc copy of the command line
@@ -199,3 +198,90 @@ char *pid_proc_cmdline(const pid_t pid) {
        }
        return rv;
 }
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
+        // if comm is not firejail return 0
+        char *comm = pid_proc_comm(pid);
+        if (comm == NULL)
+                return 0;
+        if (strcmp(comm, "firejail") != 0) {
+                free(comm);
+                return 0;
+        }
+        free(comm);
+        // open /proc/pid/cmdline file
+        char *fname;
+        int fd;
+        if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+                return 0;
+        if ((fd = open(fname, O_RDONLY)) < 0) {
+                free(fname);
+                return 0;
+        }
+        free(fname);
+        // read file
+        unsigned char buffer[BUFLEN];
+        ssize_t len;
+        if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+                close(fd);
+                return 0;
+        }
+        buffer[len] = '\0';
+        close(fd);
+        // skip the first argument
+        int i;
+        for (i = 0; buffer[i] != '\0'; i++);
+        // parse remaining command line options
+        while (1) {
+                // extract argument
+                i++;
+                if (i >= len)
+                        break;
+                char *arg = (char *)buffer + i;
+                // detect the last command line option
+                if (strcmp(arg, "--") == 0)
+                        break;
+                if (strncmp(arg, "--", 2) != 0)
+                        break;
+                
+                if (strcmp(arg, "--x11=xorg") == 0)
+                        return 0;
+                
+                // check x11 xpra or xephyr
+                if (strncmp(arg, "--x11", 5) == 0)
+                        return 1;
+                i += strlen(arg);
+        }
+        return 0;
+}
+// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
+#define BUFLEN 4096
+int pid_hidepid(void) {
+        FILE *fp = fopen("/proc/mounts", "r");
+        if (!fp)
+                return 1;
+                
+        char buf[BUFLEN];
+        while (fgets(buf, BUFLEN, fp)) {
+                if (strstr(buf, "proc /proc proc")) {
+                        fclose(fp);
+                        // check hidepid
+                        if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+                                return 1;
+                        return 0;
+                }
+        }
+        
+        fclose(fp);
+        return 0;
+}
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 07457eefe..417ef2c5f 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -105,6 +105,7 @@ int rtnl_open(struct rtnl_handle *rth, unsigned subscriptions)
        return rtnl_open_byproto(rth, subscriptions, NETLINK_ROUTE);
 }
+#if 0
 int rtnl_wilddump_request(struct rtnl_handle *rth, int family, int type)
 {
        return rtnl_wilddump_req_filter(rth, family, type, RTEXT_FILTER_VF);
@@ -303,6 +304,7 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
        return rtnl_dump_filter_l(rth, a);
 }
+#endif
 int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
              unsigned groups, struct nlmsghdr *answer)
@@ -422,6 +424,7 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
        }
 }
+#if 0
 int rtnl_listen(struct rtnl_handle *rtnl,
                rtnl_filter_t handler,
                void *jarg)
@@ -580,7 +583,7 @@ int addattrstrz(struct nlmsghdr *n, int maxlen, int type, const char *str)
 {
        return addattr_l(n, maxlen, type, str, strlen(str)+1);
 }
+#endif
 int addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data,
@@ -632,46 +635,8 @@ printf("\tdata length: %d\n", alen);
        return 0;
 }
-#if 0
-int addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data,
-              int alen)
-{
-printf("%s: adding type %d, length %d ", __FUNCTION__, type, alen);
-if (type == IFLA_INFO_KIND) {
-if (alen)
-        printf("(IFLA_INFO_KIND %s)\n", (char *)data);  
-else
-printf("(VETH_INFO_PEER)\n");
-}
-else if (type == IFLA_IFNAME) {
-printf("(IFLA_IFNAME %s)\n", (char *) data);
-}
-else if (type == IFLA_NET_NS_PID) {
-printf("(IFLA_NET_NS_PID %u)\n", *((unsigned *) data));
-}
-else if (type == IFLA_LINKINFO)
-printf("(IFLA_LINKINFO)\n");
-else if (type == IFLA_INFO_DATA)
-printf("(IFLA_INFO_DATA)\n");
-else
-        printf("\n");
-        int len = RTA_LENGTH(alen);
-        struct rtattr *rta;
-        if (NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len) > maxlen) {
-                fprintf(stderr, "addattr_l ERROR: message exceeded bound of %d\n",maxlen);
-                return -1;
-        }
-        rta = NLMSG_TAIL(n);
-        rta->rta_type = type;
-        rta->rta_len = len;
-        memcpy(RTA_DATA(rta), data, alen);
-        n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
-        return 0;
-}
-#endif
+#if 0
 int addraw_l(struct nlmsghdr *n, int maxlen, const void *data, int len)
 {
        if ((int)(NLMSG_ALIGN(n->nlmsg_len) + NLMSG_ALIGN(len)) > maxlen) {
@@ -723,7 +688,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data)
        int len = RTA_LENGTH(4);
        struct rtattr *subrta;
-        if (RTA_ALIGN(rta->rta_len) + len > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) {
                fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen);
                return -1;
        }
@@ -741,7 +706,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type,
        struct rtattr *subrta;
        int len = RTA_LENGTH(alen);
-        if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) {
                fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen);
                return -1;
        }
@@ -802,3 +767,4 @@ int __parse_rtattr_nested_compat(struct rtattr *tb[], int max, struct rtattr *rt
        memset(tb, 0, sizeof(struct rtattr *) * (max + 1));
        return 0;
 }
+#endif
diff --git a/src/lib/pid.c b/src/lib/pid.c
index d1ade389e..42687274e 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -29,16 +29,14 @@
 //Process pids[max_pids];
 Process *pids = NULL;
 int max_pids=32769;
-#define PIDS_BUFLEN 4096
 // get the memory associated with this pid
 void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
        // open stat file
        char *file;
-        if (asprintf(&file, "/proc/%u/statm", pid) == -1) {
+        if (asprintf(&file, "/proc/%u/statm", pid) == -1)
-                perror("asprintf");
+                errExit("asprintf");
-                exit(1);
+                
-        }
        FILE *fp = fopen(file, "r");
        if (!fp) {
                free(file);
@@ -60,10 +58,9 @@ void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
 void pid_get_cpu_time(unsigned pid, unsigned *utime, unsigned *stime) {
        // open stat file
        char *file;
-        if (asprintf(&file, "/proc/%u/stat", pid) == -1) {
+        if (asprintf(&file, "/proc/%u/stat", pid) == -1)
-                perror("asprintf");
+                errExit("asprintf");
-                exit(1);
-        }
        FILE *fp = fopen(file, "r");
        if (!fp) {
                free(file);
@@ -94,10 +91,9 @@ myexit:
 unsigned long long pid_get_start_time(unsigned pid) {
        // open stat file
        char *file;
-        if (asprintf(&file, "/proc/%u/stat", pid) == -1) {
+        if (asprintf(&file, "/proc/%u/stat", pid) == -1)
-                perror("asprintf");
+                errExit("asprintf");
-                exit(1);
-        }
        FILE *fp = fopen(file, "r");
        if (!fp) {
                free(file);
@@ -139,10 +135,8 @@ uid_t pid_get_uid(pid_t pid) {
        // open status file
        char *file;
-        if (asprintf(&file, "/proc/%u/status", pid) == -1) {
+        if (asprintf(&file, "/proc/%u/status", pid) == -1)
-                perror("asprintf");
+                errExit("asprintf");
-                exit(1);
-        }
        FILE *fp = fopen(file, "r");
        if (!fp) {
@@ -317,10 +311,9 @@ void pid_read(pid_t mon_pid) {
                        
                // open stat file
                char *file;
-                if (asprintf(&file, "/proc/%u/status", pid) == -1) {
+                if (asprintf(&file, "/proc/%u/status", pid) == -1)
-                        perror("asprintf");
+                        errExit("asprintf");
-                        exit(1);
-                }
                FILE *fp = fopen(file, "r");
                if (!fp) {
                        free(file);
@@ -340,18 +333,12 @@ void pid_read(pid_t mon_pid) {
                                        exit(1);
                                }
-                                if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {
+                                if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
-                                        pids[pid].level = 1;
+                                        if (pid_proc_cmdline_x11_xpra_xephyr(pid))
-                                }
+                                                pids[pid].level = -1;
-                                else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
+                                        else
-                                        pids[pid].level = 1;
+                                                pids[pid].level = 1;
                                }
-//                              else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
-//                              else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
                                else
                                        pids[pid].level = -1;
                        }
diff --git a/src/libconnect/Makefile.in b/src/libconnect/Makefile.in
new file mode 100644
index 000000000..5b7a8d0f1
--- /dev/null
+++ b/src/libconnect/Makefile.in
@@ -0,0 +1,25 @@
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
+all: libconnect.so
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+libconnect.so: $(OBJS)
+        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+clean:; rm -f $(OBJS) libconnect.so
+distclean: clean
+        rm -fr Makefile
diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c
new file mode 100644
index 000000000..18c4d81f5
--- /dev/null
+++ b/src/libconnect/libconnect.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <errno.h>
+//#define DEBUG
+//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
+static int check_sockaddr(const struct sockaddr *addr) {
+        if (addr->sa_family == AF_UNIX) {
+                struct sockaddr_un *a = (struct sockaddr_un *) addr;
+                if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) {
+//                      printf("@%s\n", a->sun_path + 1);
+                        errno = ENOENT;
+                        return -1;
+                }
+        }
+        
+        return 0;
+}
+//
+// syscalls
+//
+// connect
+typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+static orig_connect_t orig_connect = NULL;
+int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+        if (!orig_connect)
+                orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
+                        
+        if (check_sockaddr(addr) == -1)
+                return -1;
+                
+        return orig_connect(sockfd, addr, addrlen);
+}
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index a3d1571f7..dde3df2ea 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -423,11 +423,36 @@ int stat(const char *pathname, struct stat *buf) {
 typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf);
 static orig_stat64_t orig_stat64 = NULL;
 int stat64(const char *pathname, struct stat64 *buf) {
-        if (!orig_stat)
+        if (!orig_stat64)
                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
                        
        int rv = orig_stat64(pathname, buf);
-        printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv);
+        printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv);
+        return rv;
+}
+#endif /* __GLIBC__ */
+// lstat
+typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf);
+static orig_lstat_t orig_lstat = NULL;
+int lstat(const char *pathname, struct stat *buf) {
+        if (!orig_lstat)
+                orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
+        int rv = orig_lstat(pathname, buf);
+        printf("%u:%s:lstat %s:%d\n", pid(), name(), pathname, rv);
+        return rv;
+}
+#ifdef __GLIBC__
+typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf);
+static orig_lstat64_t orig_lstat64 = NULL;
+int lstat64(const char *pathname, struct stat64 *buf) {
+        if (!orig_lstat64)
+                orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
+        int rv = orig_lstat64(pathname, buf);
+        printf("%u:%s:lstat64 %s:%d\n", pid(), name(), pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index c3fd40a67..90fe726de 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -31,6 +31,7 @@
 #include <sys/stat.h>
 #include <syslog.h>
 #include <dirent.h>
+#include <limits.h>
 //#define DEBUG
@@ -91,9 +92,9 @@ static void storage_add(const char *str) {
        storage[h] = ptr;
 }
-char* cwd = NULL; // global variable for keeping current working directory
+// global variable to keep current working directory
-typedef int (*orig_chdir_t)(const char *pathname);
+static char* cwd = NULL;
-static orig_chdir_t orig_chdir = NULL;
 static char *storage_find(const char *str) {
 #ifdef DEBUG
        printf("storage find %s\n", str);
@@ -107,17 +108,23 @@ static char *storage_find(const char *str) {
        const char *tofind = str;
        int allocated = 0;
-        if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0]!='/') {
+        if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0] != '/') {
-                if (!orig_chdir)
+                if (cwd != NULL && str[0] != '/') {
-                        orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir");
+                        char *fullpath=malloc(PATH_MAX);
-                if (!orig_chdir(cwd)) {
+                        if (!fullpath) {
-#ifdef DEBUG
+                                fprintf(stderr, "Error: cannot allocate memory\n");
-                        printf("chdir failed\n");
+                                return NULL;
-#endif
+                        }
-                        return NULL;
+                        if (snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str)<3) {
+                                fprintf(stderr, "Error: snprintf failed\n");
+                                free(fullpath);
+                                return NULL;
+                        }
+                        tofind = realpath(fullpath, NULL);
+                        free(fullpath);
+                } else {
+                        tofind = realpath(str, NULL);
                }
-                tofind = realpath(str, NULL);
                if (!tofind) {
 #ifdef DEBUG
                        printf("realpath failed\n");
@@ -156,9 +163,9 @@ static char *storage_find(const char *str) {
 #define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
 #define MAXBUF 4096
 static int blacklist_loaded = 0;
-static char *sandbox_pid_str = 0;
+static char *sandbox_pid_str = NULL;
 static char *sandbox_name_str = NULL;
-void load_blacklist(void) {
+static void load_blacklist(void) {
        if (blacklist_loaded)
                return;
        
@@ -177,13 +184,15 @@ void load_blacklist(void) {
                        char *ptr = strchr(buf, '\n');
                        if (ptr)
                                *ptr = '\0';
-                        sandbox_pid_str = strdup(buf + 13);
+                        if (sandbox_pid_str == NULL)
+                                sandbox_pid_str = strdup(buf + 13);
                }
                else if (strncmp(buf, "sandbox name: ", 14) == 0) {
                        char *ptr = strchr(buf, '\n');
                        if (ptr)
                                *ptr = '\0';
-                        sandbox_name_str = strdup(buf + 14);
+                        if (sandbox_name_str == NULL)
+                                sandbox_name_str = strdup(buf + 14);
                }
                else if (strncmp(buf, "blacklist ", 10) == 0) {
                        char *ptr = strchr(buf, '\n');
@@ -556,7 +565,7 @@ int stat64(const char *pathname, struct stat64 *buf) {
 #ifdef DEBUG
        printf("%s %s\n", __FUNCTION__, pathname);
 #endif
-        if (!orig_stat)
+        if (!orig_stat64)
                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
        if (!blacklist_loaded)
                load_blacklist();
@@ -592,7 +601,7 @@ int lstat64(const char *pathname, struct stat64 *buf) {
 #ifdef DEBUG
        printf("%s %s\n", __FUNCTION__, pathname);
 #endif
-        if (!orig_lstat)
+        if (!orig_lstat64)
                orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
        if (!blacklist_loaded)
                load_blacklist();
@@ -641,9 +650,8 @@ DIR *opendir(const char *pathname) {
 }
 // chdir
-// definition of orig_chdir placed before storage_find function
+typedef int (*orig_chdir_t)(const char *pathname);
-//typedef int (*orig_chdir_t)(const char *pathname);
+static orig_chdir_t orig_chdir = NULL;
-//static orig_chdir_t orig_chdir = NULL;
 int chdir(const char *pathname) {
 #ifdef DEBUG
        printf("%s %s\n", __FUNCTION__, pathname);
@@ -662,3 +670,32 @@ int chdir(const char *pathname) {
        int rv = orig_chdir(pathname);
        return rv;
 }
+// fchdir
+typedef int (*orig_fchdir_t)(int fd);
+static orig_fchdir_t orig_fchdir = NULL;
+int fchdir(int fd) {
+#ifdef DEBUG
+        printf("%s %d\n", __FUNCTION__, fd);
+#endif
+        if (!orig_fchdir)
+                orig_fchdir = (orig_fchdir_t)dlsym(RTLD_NEXT, "fchdir");
+        free(cwd);
+        char *pathname=malloc(PATH_MAX);
+        if (pathname) {
+                if (snprintf(pathname,PATH_MAX,"/proc/self/fd/%d", fd)>0) {
+                        cwd = realpath(pathname, NULL);
+                } else {
+                        cwd = NULL;
+                        fprintf(stderr, "Error: snprintf failed\n");
+                }
+                free(pathname);
+        } else {
+                fprintf(stderr, "Error: cannot allocate memory\n");
+                cwd = NULL;
+        }
+        int rv = orig_fchdir(fd);
+        return rv;
+}
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index decc1af73..b9d336c4c 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -10,19 +10,25 @@ sandbox applications automatically, just by clicking on a regular desktop
 menus and icons.
 The symbolic links are placed in /usr/local/bin. For more information, see
-DESKTOP INTEGRATION section in man 1 firejail.
+\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH OPTIONS
 .TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 .TP
+\fB\-\-debug
+Print debug messages.
+.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
 \fB\-\-list
 List all firejail symbolic links
 .TP
+\fB\-\-fix
+Fix .desktop files. Some .desktop files use full path to executable. Firecfg will check .desktop files in /usr/share/applications/, replace full path by name if it is in PATH, and write result to $HOME/.local/share/applications/.
+.TP
 \fB\-\-version
 Print program version and exit.
@@ -48,13 +54,22 @@ $ firecfg --list
 .br
 [...]
 .br
-$ sudo firecfg --clear
+$ sudo firecfg --clean
 .br
 /usr/local/bin/firefox removed
 .br
 /usr/local/bin/vlc removed
 .br
 [...]
+.br
+$ firecfg --fix
+.br
+/home/user/.local/share/applications/chromium.desktop created
+.br
+/home/user/.local/share/applications/vlc.desktop created
+.br
+[...]
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
@@ -65,6 +80,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
deleted file mode 100644
index fcf4109ee..000000000
--- a/src/man/firejail-config.txt
+++ /dev/null
@@ -1,81 +0,0 @@
-.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page"
-.SH NAME
-firejail.config \- Firejail run time configuration file
-.SH DESCRIPTION
-/etc/firejail/firejail.config is the system-wide configuration file for Firejail.
-It allows the system administrator to enable or disable a number of
-features and Linux kernel security technologies used by Firejail sandbox.
-The file contains keyword-argument pairs, one per line.
-Use 'yes' or 'no' as configuration values.
-Note that some of these features can also be enabled or disabled at compile
-time. Most features are enabled by default both at compile time and
-at run time.
-.TP
-\fBbind
-Enable or disable bind support, default enabled.
-.TP
-\fBchroot
-Enable or disable chroot support, default enabled.
-.TP
-\fBfile-transfer
-Enable or disable file transfer support, default enabled.
-.TP
-\fBnetwork
-Enable or disable networking features, default enabled.
-.TP
-\fBrestricted-network
-Enable or disable restricted network support, default disabled. If enabled,
-networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
-only to root user. Regular users are only allowed --net=none.
-.TP
-\fBsecomp
-Enable or disable seccomp support, default enabled.
-.TP
-\fBuserns
-Enable or disable user namespace support, default enabled.
-.TP
-\fBx11
-Enable or disable X11 sandboxing support, default enabled.
-.TP
-\fBxephyr-screen
-Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
-a full list of resolutions available on your specific setup. Examples:
-.br
-.br
-xephyr-screen 640x480
-.br
-xephyr-screen 800x600
-.br
-xephyr-screen 1024x768
-.br
-xephyr-screen 1280x1024
-.SH FILES
-/etc/firejail/firejail.config
-.SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-.PP
-Homepage: http://firejail.wordpress.com
-.SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 6cd9ce3cb..796179d0b 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -13,9 +13,13 @@ Example:
        netblue:--net=none --protocol=unix
+Wildcard patterns are accepted in the user name field:
+        user*: --private
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/password file for each user that needs to be restricted. Alternatively,
+/etc/passwd file for each user that needs to be restricted. Alternatively,
 you can specify /usr/bin/firejail  using adduser or usermod commands:
 adduser \-\-shell /usr/bin/firejail username
@@ -34,6 +38,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9045c1122..fa522c154 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac
 Example: "noblacklist ${HOME}/.mozilla"
 .TP
-\fBignore command
+\fBignore
 Ignore command.
 Example: "ignore seccomp"
+.TP
+\fBquiet
+Disable Firejail's output. This should be the first uncommented command in the profile file.
+Example: "quiet"
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
 host filesystem. Each line describes a file element that is removed from
@@ -122,11 +128,16 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 .TP
-\fBread-only file_or_directory
+\fBblacklist-nolog file_or_directory
-Make directory or file read-only.
+When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
-.TP
+blacklist-nolog command disables syslog messages for this particular file or directory. Examples:
-\fBtmpfs directory
+.br
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.br
+blacklist-nolog /usr/bin
+.br
+blacklist-nolog /usr/bin/gcc*
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
@@ -135,8 +146,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \fBmkdir directory
-Create a directory in user home. Use this command for whitelisted directories you need to preserve
+Create a directory in user home before the sandbox is started.
-when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+The directory is created if it doesn't already exist.
+.br
+.br
+Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Without it, the application will create the directory, and the directory
+will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
 firefox profile:
 .br
@@ -145,14 +162,17 @@ mkdir ~/.mozilla
 .br
 whitelist ~/.mozilla
 .br
-mkdir ~/.cache
-.br
-mkdir ~/.cache/mozilla
-.br
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
 .TP
+\fBmkfile file
+Similar to mkdir, this command creates a file in user home before the sandbox is started.
+The file is created if it doesn't already exist, but it's target directory has to exist.
+.TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -161,6 +181,12 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
+\fBprivate-home file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
@@ -173,20 +199,54 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-opt file,directory
+Build a new /optin a temporary
+filesystem, and copy the files and directories in the list.
+All modifications are discarded when the sandbox is closed.
+.TP
+\fBprivate-srv file,directory
+Build a new /srv in a temporary
+filesystem, and copy the files and directories in the list.
+All modifications are discarded when the sandbox is closed.
+.TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
-\fBwhitelist file_or_directory
+\fBread-only file_or_directory
-Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
+Make directory or file read-only.
-The modifications to file_or_directory are persistent, everything else is discarded
+.TP
-when the sandbox is closed.
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
+.TP
+\fBwhitelist file_or_directory
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
+everything else is discarded when the sandbox is closed. The top directory could be 
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.TP
+\fBwritable-etc
+Mount /etc directory read-write.
+.TP
+\fBwritable-var
+Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
 .TP
+\fBapparmor
+Enable AppArmor confinement.
+.TP
 \fBcaps
 Enable default Linux capabilities filter.
 .TP
@@ -205,10 +265,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable default seccomp filter.  The default list is as follows:
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
-mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
@@ -219,9 +276,32 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+.TP
+\fBx11
+Enable X11 sandboxing.
+.TP
+\fBx11 none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 xorg
+Enable X11 sandboxing with X11 security extension.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -255,6 +335,10 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
+\fBallusers
+All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
+.TP
 \fBname sandboxname
 Set sandbox name. Example:
 .br
@@ -284,9 +368,18 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+.TP
+\fBno3d
+Disable 3D hardware acceleration.
 .SH Networking
 Networking features available in profile files.
+.TP
+\fBdefaultgw address
+Use this address as default gateway in the new network namespace.
+.TP
 \fBdns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
@@ -295,6 +388,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Set a hostname for the sandbox.
 .TP
+\fBip address
+Assign IP addresses to the last network interface defined by a net command. A
+default gateway is assigned by default.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip 10.10.20.56
+.TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+.TP
+\fBip6 address
+Assign IPv6 addresses to the last network interface defined by a net command.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip6 2001:0db8:0:f101::1/64
+.TP
 \fBiprange address,address
 Assign  an  IP address in the provided range to the last network
 interface defined by  a  net command.  A  default  gateway  is assigned by default.
@@ -311,6 +443,20 @@ iprange 192.168.1.150,192.168.1.160
 .br
 .TP
+\fBmac address
+Assign MAC addresses to the last network interface defined by a net command.
+.TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.TP
+\fBmtu number
+Assign a MTU value to the last network interface defined by a net command.
+.TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
@@ -345,6 +491,17 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
+.TP
+\fBveth-name name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands, 
+instead of the default one.
+.SH Other
+.TP
+\fBjoin-or-start sandboxname
+Join the sandbox identified by name or start a new one.
+Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
 Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
@@ -388,7 +545,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 23db832c1..5b43b1ca5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments]
 File transfer from an existing sandbox
 .PP
 .RS
-firejail {\-\-ls | \-\-get} dir_or_filename
+firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
 .RE
 .PP
 Network traffic shaping for an existing sandbox:
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 .SH USAGE
-Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
+Without any options, the sandbox consists of a filesystem build in a new mount namespace,
-and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
-The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
+command line options. The default Firejail filesystem is based on the host filesystem with the main 
-Only /home and /tmp are writable.
+system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, 
+/libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -74,6 +75,46 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow-debuggers
+Allow tools such as strace and gdb inside the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+.TP
+\fB\-\-allusers
+All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
+.br
+.br
+Example:
+.br
+$ firejail --allusers
+.TP
+\fB\-\-apparmor
+Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-appimage
+Sandbox an AppImage (http://appimage.org/) application.
+.br
+.br
+Example:
+.br
+$ firejail --appimage krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --private krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+.TP
+\fB\-\-audit
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
+\fB\-\-audit=test-program
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -152,14 +193,7 @@ Example:
 .br
 $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\
 setuid /etc/init.d/nginx start
-.br
-.br
-A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
-should be made read-only independently. Making a parent directory read-only, will not
-make the whitelist read-only. Example:
-.br
-$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
 \fB\-\-caps.print=name|pid
 Print the caps filter for the sandbox identified by name or by PID.
@@ -194,7 +228,8 @@ Example:
 .TP
 \fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. If the sandbox is started as a
+Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. If the sandbox is started as a
 regular user, default seccomp and capabilities filters are enabled. This
 option is not available on Grsecurity systems.
 .br
@@ -465,6 +500,11 @@ in case you intend to start an external DHCP client in the sandbox.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-\ip=none
+.br
+.br
+If the corresponding interface doesn't have an IP address configured, this
+option is enabled by default.
 .TP
 \fB\-\-ip6=address
@@ -547,19 +587,19 @@ $ firejail --net=eth0 --name=browser firefox &
 .br
 # change netfilter configuration
 .br
-$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
+$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
 .br
 .br
 # verify netfilter configuration
 .br
-$ sudo firejail --join-network=browser "/sbin/iptables -vL"
+$ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 .br
 # verify  IP addresses
 .br
-$ sudo firejail --join-network=browser "ip addr"
+$ sudo firejail --join-network=browser ip addr
 .br
 Switching to pid 1932, the first child process inside the sandbox
 .br
@@ -588,6 +628,13 @@ Switching to pid 1932, the first child process inside the sandbox
       valid_lft forever preferred_lft forever
 .TP
+\fB\-\-join-or-start=name
+Join the sandbox identified by name or start a new one.
+Same as "firejail --join=name" if sandbox with specified name exists, otherwise same as "firejail --name=name ..."
+.br
+Note that in contrary to other join options there is respective profile option.
+.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
@@ -619,6 +666,16 @@ Example:
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 .TP
+\fB\-\-machine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-machine-id
+.TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
 .br
@@ -798,13 +855,23 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
+Only root may specify a negative value.
 .br
 .br
 Example:
 .br
-$ firejail --nice=-5 firefox
+$ firejail --nice=2 firefox
+.TP
+\fB\-\-no3d
+Disable 3D hardware acceleration.
+.br
+.br
+Example:
+.br
+$ firejail --no3d firefox
 .TP
 \fB\-\-noblacklist=dirname_or_filename
@@ -831,6 +898,21 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noexec=/tmp
+.br
+.br
+/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation
+on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+.TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
 sandbox. For root user supplementary groups are always disabled.
@@ -865,7 +947,7 @@ Example:
 .br
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -908,6 +990,14 @@ ping: icmp open socket: Operation not permitted
 $
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege. This option
+is enabled by default if seccomp filter is activated.
+.TP
 \fB\-\-nosound
 Disable sound system.
 .br
@@ -946,13 +1036,15 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
-The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .br
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 .br
@@ -961,14 +1053,34 @@ Example:
 $ firejail \-\-overlay firefox
 .TP
+\fB\-\-overlay-named=name
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
+sessions.
+.br
+.br
+OverlayFS support is required in Linux kernel for this option to work.
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay-named=jail1 firefox
+.TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
+and are discarded when the sandbox is closed.
 .br
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 .br
@@ -977,6 +1089,17 @@ Example:
 $ firejail \-\-overlay-tmpfs firefox
 .TP
+\fB\-\-overlay-clean
+Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path
+outside $HOME/.firejail will not be deleted.
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay-clean
+.TP
 \fB\-\-private
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -998,9 +1121,24 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 .TP
+\fB\-\-private-home=file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-private-home=.mozilla firefox
+.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
+If no listed file is found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
+All modifications are discarded when the sandbox is closed. 
 .br
 .br
@@ -1018,7 +1156,7 @@ bash  cat  ls  sed
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available.
 .br
 .br
@@ -1032,14 +1170,15 @@ Child process initialized
 .br
 $ ls /dev
 .br
-dri  full  log  null  ptmx  pts  random  shm  tty  urandom  zero
+dri  full  log  null  ptmx  pts  random  shm  snd  tty  urandom  zero
 .br
 $
 .TP
 \fB\-\-private-etc=file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
+If no listed file is found, /etc directory will be empty.
+All modifications are discarded when the sandbox is closed. 
 .br
 .br
@@ -1050,8 +1189,34 @@ $ firejail --private-etc=group,hostname,localtime, \\
 nsswitch.conf,passwd,resolv.conf
 .TP
+\fB\-\-private-opt=file,directory
+Build a new /opt in a temporary
+filesystem, and copy the files and directories in the list.
+If no listed file is found, /opt directory will be empty.
+All modifications are discarded when the sandbox is closed. 
+.br
+.br
+Example:
+.br
+$ firejail --private-opt=firefox /opt/firefox/firefox
+.TP
+\fB\-\-private-srv=file,directory
+Build a new /srv in a temporary
+filesystem, and copy the files and directories in the list.
+If no listed file is found, /srv directory will be empty.
+All modifications are discarded when the sandbox is closed. 
+.br
+.br
+Example:
+.br
+# firejail --private-srv=www /etc/init.d/apache2 start
+.TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
 .br
@@ -1120,6 +1285,9 @@ $ firejail \-\-protocol.print=3272
 .br
 unix,inet,inet6,netlink
 .TP
+\fB\-\-put=name|pid src-filename dest-filename
+Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details.
+.TP
 \fB\-\-quiet
 Turn off Firejail's output.
 .TP
@@ -1131,6 +1299,31 @@ Set directory or file read-only.
 Example:
 .br
 $ firejail \-\-read-only=~/.mozilla firefox
+.br
+.br
+A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
+should be made read-only independently. Making a parent directory read-only, will not
+make the whitelist read-only. Example:
+.br
+.br
+$ firejail --whitelist=~/work --read-only=~ --read-only=~/work
+.TP
+\fB\-\-read-write=dirname_or_filename
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
+this operation. Example:
+.br
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
@@ -1143,6 +1336,17 @@ Set the maximum number of processes that can be created for the real user ID of
 .TP
 \fB\-\-rlimit-sigpending=number
 Set the maximum number of pending signals for a process.
+.TP
+\fB\-\-rmenv=name
+Remove environment variable in the new sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -1156,13 +1360,13 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
@@ -1173,6 +1377,10 @@ both 32-bit and 64-bit filters are installed.
 .br
 .br
+Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag).
+.br
+.br
 Example:
 .br
 $ firejail \-\-seccomp
@@ -1425,15 +1633,7 @@ $ firejail \-\-tree
 11969:netblue:firejail \-\-net=eth0 transmission-gtk 
 .br
  11970:netblue:transmission-gtk 
-.TP
-\fB\-\-user=new-user
-Switch the user before starting the sandbox. This command should be run as root.
-.br
-.br
-Example:
-.br
-# firejail \-\-user=www-data
 .TP
 \fB\-\-version
 Print program version and exit.
@@ -1445,66 +1645,106 @@ Example:
 $ firejail \-\-version
 .br
 firejail version 0.9.27
+.TP
+\fB\-\-veth-name=name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands, 
+instead of the default one.
+.br
+.br
+Example:
+.br
+$ firejail \-\-net=br0 --veth-name=if0
 .TP
 \fB\-\-whitelist=dirname_or_filename
-Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-When whitlisting symbolic links, both the link and the real file should be in the same top directory
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-(home user, /media, /var etc.)
+everything else is discarded when the sandbox is closed. The top directory could be 
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
 .br
 .br
 Example:
 .br
-$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 .TP
-\fB\-\-x11
+\fB\-\-writable-etc
-Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
+Mount /etc directory read-write.
-The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
-applications started in the sandbox from accessing other X11 displays.
-A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
 .br
 .br
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+Example:
-This feature is not available when running as root. 
+.br
+$ sudo firejail --writable-etc
+.TP
+\fB\-\-writable-var
+Mount /var directory read-write.
 .br
 .br
 Example:
 .br
-$ firejail \-\-x11 --net=eth0 firefox
+$ sudo firejail --writable-var
 .TP
-\fB\-\-x11=xpra
+\fB\-\-x11
-Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
+Sandbox the application using Xpra, Xephyr or Xorg security extension.
-Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
-On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+clients running outside the sandbox.
-This feature is not available when running as root.
+Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+If all fails, Firejail will not attempt to use X11 security extension.
+.br
+.br
+Xpra and Xephyr modes require a network namespace to be instantiated in order to disable
+X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
+by adding "-nolisten local" on Xorg command line.
 .br
 .br
 Example:
 .br
-$ firejail \-\-x11=xpra --net=eth0 firefox
+$ firejail \-\-x11 --net=eth0 firefox
+.TP
+\fB\-\-x11=none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
 .TP
 \fB\-\-x11=xephyr
-Start a new X11 server using Xephyr and attach the sandbox to this server.
+Start Xephyr and attach the sandbox to this server.
 Xephyr is a display server implementing the X11 display server protocol.
-It runs in a window just like other X applications, but it is an X server itself in which you can run other software.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
-The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file,
+.br
-see \fBman 5 firejail-config\fR for more details.
+.br
+Xephyr runs in a window just like any other X11 application. The default window size is 800x600.
+This can be modified in /etc/firejail/firejail.config file.
 .br
 .br
 The recommended way to use this feature is to run a window manager inside the sandbox.
 A security profile for OpenBox is provided.
-On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
+.br
+.br
+Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
 This feature is not available when running as root. 
 .br
@@ -1514,6 +1754,42 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 .TP
+\fB\-\-x11=xorg
+Sandbox the application using the untrusted mode implemented by X11 security extension. 
+The extension is available in Xorg package
+and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted 
+connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
+contents of other clients, stealing input events, etc.
+The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
+Firefox and transmission-gtk seem to be working fine.
+A network namespace is not required for this option.
+.br
+.br
+Example:
+.br
+$ firejail \-\-x11=xorg firefox
+.TP
+\fB\-\-x11=xpra
+Start Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+.br
+On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+This feature is not available when running as root.
+.br
+.br
+Example:
+.br
+$ firejail \-\-x11=xpra --net=eth0 firefox
+.TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.
 .br
@@ -1576,6 +1852,44 @@ $ firejail --tree
      1221:netblue:/usr/lib/firefox/firefox
 .RE
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+.br
+$ firejail --apparmor firefox
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files from the container to the host filesystem.
@@ -1583,12 +1897,16 @@ and transfer files from the container to the host filesystem.
 .TP
 \fB\-\-get=name|pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name or PID. Full path is needed for filename.
+The container is specified by name or PID.
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List container files. The container is specified by name or PID.
-Full path is needed for dir_or_filename.
+.TP
+\fB\-\-put=name|pid src-filename dest-filename
+Put src-filename in sandbox container.
+The container is specified by name or PID.
 .TP
 Examples:
@@ -1614,7 +1932,11 @@ drwxr-xr-x netblue  netblue         4096 ..
 .br
 $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png
+.br
+.br
+$ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
+.br
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
@@ -1626,15 +1948,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 Set rate-limits:
-        firejail --bandwidth=name|pid set network download upload
+        $ firejail --bandwidth=name|pid set network download upload
 Clear rate-limits:
-        firejail --bandwidth=name|pid clear network
+        $ firejail --bandwidth=name|pid clear network
 Status:
-        firejail --bandwidth=name|pid status
+        $ firejail --bandwidth=name|pid status
 where:
 .br
@@ -1658,6 +1980,26 @@ Example:
 .br
        $ firejail \-\-bandwidth=mybrowser clear eth0
+.SH AUDIT
+Audit feature allows the user to point out gaps in security profiles. The
+implementation replaces the program to be sandboxed with a test program. By
+default, we use faudit program distributed with Firejail. A custom test program
+can also be supplied by the user. Examples:
+Running the default audit program:
+.br
+        $ firejail --audit transmission-gtk
+Running a custom audit program:
+.br
+        $ firejail --audit=~/sandbox-test transmission-gtk
+In the examples above, the sandbox configures transmission-gtk profile and
+starts the test program. The real program, transmission-gtk, will not be
+started.
+Limitations: audit feature is not implemented for --x11 commands.
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -1751,7 +2093,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -1818,7 +2160,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index ef99b0927..bd84401af 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -109,6 +109,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh
index 4af84a7a1..65b06f9fa 100755
--- a/src/tools/mkcoverit.sh
+++ b/src/tools/mkcoverit.sh
@@ -1,13 +1,13 @@
 #!/bin/bash
 # unpack firejail archive
-ARCFIREJAIL=`ls *.tar.bz2| grep firejail`
+ARCFIREJAIL=`ls *.tar.xz| grep firejail`
 if [ "$?" -eq 0 ];
 then
        echo "preparing $ARCFIREJAIL"
-        DIRFIREJAIL=`basename $ARCFIREJAIL  .tar.bz2`
+        DIRFIREJAIL=`basename $ARCFIREJAIL  .tar.xz`
        rm -fr $DIRFIREJAIL
-        tar -xjvf $ARCFIREJAIL
+        tar -xJvf $ARCFIREJAIL
        cd $DIRFIREJAIL
        ./configure --prefix=/usr
        cd ..
diff --git a/src/tools/unchroot b/src/tools/unchroot
deleted file mode 100755
index d32ce2682..000000000
--- a/src/tools/unchroot
+++ /dev/null
Binary files differ
diff --git a/src/tools/unchroot.c b/src/tools/unchroot.c
deleted file mode 100644
index 21731296e..000000000
--- a/src/tools/unchroot.c
+++ /dev/null
@@ -1,125 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-/* 
- ** You should set NEED_FCHDIR to 1 if the chroot() on your
- ** system changes the working directory of the calling
- ** process to the same directory as the process was chroot()ed
- ** to.
- **
- ** It is known that you do not need to set this value if you
- ** running on Solaris 2.7 and below.
- **
- */
-#define NEED_FCHDIR 0
-#define TEMP_DIR "waterbuffalo"
-/* Break out of a chroot() environment in C */
-int main() {
-        int x;                                    /* Used to move up a directory tree */
-        int done=0;                               /* Are we done yet ? */
-#ifdef NEED_FCHDIR
-        int dir_fd;                               /* File descriptor to directory */
-#endif
-        struct stat sbuf;                         /* The stat() buffer */
-        /* 
-         ** First we create the temporary directory if it doesn't exist
-         */
-        if (stat(TEMP_DIR,&sbuf)<0) {
-                if (errno==ENOENT) {
-                        if (mkdir(TEMP_DIR,0755)<0) {
-                                fprintf(stderr,"Failed to create %s - %s\n", TEMP_DIR,
-                                        strerror(errno));
-                                exit(1);
-                        }
-                }
-                else {
-                        fprintf(stderr,"Failed to stat %s - %s\n", TEMP_DIR,
-                                strerror(errno));
-                        exit(1);
-                }
-        }
-        else if (!S_ISDIR(sbuf.st_mode)) {
-                fprintf(stderr,"Error - %s is not a directory!\n",TEMP_DIR);
-                exit(1);
-        }
-#ifdef NEED_FCHDIR
-        /* 
-         ** Now we open the current working directory
-         **
-         ** Note: Only required if chroot() changes the calling program's
-         **       working directory to the directory given to chroot().
-         **
-         */
-        if ((dir_fd=open(".",O_RDONLY))<0) {
-                fprintf(stderr,"Failed to open \".\" for reading - %s\n",
-                        strerror(errno));
-                exit(1);
-        }
-#endif
-        /* 
-         ** Next we chroot() to the temporary directory
-         */
-        if (chroot(TEMP_DIR)<0) {
-                fprintf(stderr,"Failed to chroot to %s - %s\n",TEMP_DIR,
-                        strerror(errno));
-                exit(1);
-        }
-#ifdef NEED_FCHDIR
-        /* 
-         ** Partially break out of the chroot by doing an fchdir()
-         **
-         ** This only partially breaks out of the chroot() since whilst
-         ** our current working directory is outside of the chroot() jail,
-         ** our root directory is still within it. Thus anything which refers
-         ** to "/" will refer to files under the chroot() point.
-         **
-         ** Note: Only required if chroot() changes the calling program's
-         **       working directory to the directory given to chroot().
-         **
-         */
-        if (fchdir(dir_fd)<0) {
-                fprintf(stderr,"Failed to fchdir - %s\n",
-                        strerror(errno));
-                exit(1);
-        }
-        close(dir_fd);
-#endif
-        /* 
-         ** Completely break out of the chroot by recursing up the directory
-         ** tree and doing a chroot to the current working directory (which will
-         ** be the real "/" at that point). We just do a chdir("..") lots of
-         ** times (1024 times for luck :). If we hit the real root directory before
-         ** we have finished the loop below it doesn't matter as .. in the root
-         ** directory is the same as . in the root.
-         **
-         ** We do the final break out by doing a chroot(".") which sets the root
-         ** directory to the current working directory - at this point the real
-         ** root directory.
-         */
-        for(x=0;x<1024;x++) {
-                chdir("..");
-        }
-        chroot(".");
-        /* 
-         ** We're finally out - so exec a shell in interactive mode
-         */
-        if (execl("/bin/sh","-i",NULL)<0) {
-                fprintf(stderr,"Failed to exec - %s\n",strerror(errno));
-                exit(1);
-        }
-}
diff --git a/test/appimage/Leafpad-0.8.17-x86_64.AppImage b/test/appimage/Leafpad-0.8.17-x86_64.AppImage
new file mode 100644
index 000000000..865f6b44c
--- /dev/null
+++ b/test/appimage/Leafpad-0.8.17-x86_64.AppImage
Binary files differ
diff --git a/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage b/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage
new file mode 100644
index 000000000..d167431f3
--- /dev/null
+++ b/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage
Binary files differ
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
new file mode 100755
index 000000000..f1c1c10f5
--- /dev/null
+++ b/test/appimage/appimage-v1.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "appimage Leafpad"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
new file mode 100755
index 000000000..5cb9d0849
--- /dev/null
+++ b/test/appimage/appimage-v2.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "appimage Leafpad"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
new file mode 100755
index 000000000..db221ec8a
--- /dev/null
+++ b/test/appimage/appimage.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)"
+./appimage-v1.exp
+echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
+./appimage-v2.exp
+echo "TESTING: AppImage file name (test/appimage/filename.exp)";
+./filename.exp
+\ No newline at end of file
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp
new file mode 100755
index 000000000..ce8d70464
--- /dev/null
+++ b/test/appimage/filename.exp
@@ -0,0 +1,35 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --appimage \"bla;bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "is an invalid filename"
+}
+after 100
+send -- "firejail --appimage /etc/shadow\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cannot access"
+}
+after 100
+send -- "firejail --appimage appimage.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Error mounting appimage"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
new file mode 100755
index 000000000..b05914b52
--- /dev/null
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firefox x11 xorg"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-gtk x11 xorg"
+        ./transmission-gtk.exp
+else
+        echo "TESTING SKIP: transmission-gtk not found"
+fi
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11 xorg"
+        ./icedove.exp
+else
+        echo "TESTING SKIP: icedove not found"
+fi
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
new file mode 100755
index 000000000..66b82fe92
--- /dev/null
+++ b/test/apps-x11-xorg/firefox.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp
new file mode 100755
index 000000000..667c2259f
--- /dev/null
+++ b/test/apps-x11-xorg/icedove.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg icedove\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
new file mode 100755
index 000000000..c52cb5b3a
--- /dev/null
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "transmission-gtk"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "transmission-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "transmission-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
new file mode 100755
index 000000000..4a8671dbd
--- /dev/null
+++ b/test/apps-x11/apps-x11.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: no x11 (test/apps-x11/x11-none.exp)"
+./x11-none.exp
+which xterm
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xterm x11 xorg"
+        ./xterm-xorg.exp
+        which xpra
+        if [ "$?" -eq 0 ];
+        then
+        echo "TESTING: xterm x11 xpra"
+        ./xterm-xpra.exp
+        fi
+        
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+        echo "TESTING: xterm x11 xephyr"
+        ./xterm-xephyr.exp
+        fi
+else
+        echo "TESTING SKIP: xterm not found"
+fi
+# check xpra/xephyr
+which xpra
+if [ "$?" -eq 0 ];
+then
+        echo "xpra found"
+else
+        echo "xpra not found"
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+                echo "Xephyr found"
+        else
+                echo "TESTING SKIP: xpra and/or Xephyr not found"
+                exit
+        fi
+fi
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firefox x11"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+which chromium
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: chromium x11"
+        ./chromium.exp
+else
+        echo "TESTING SKIP: chromium not found"
+fi
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-gtk x11"
+        ./transmission-gtk.exp
+else
+        echo "TESTING SKIP: transmission-gtk not found"
+fi
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11"
+        ./icedove.exp
+else
+        echo "TESTING SKIP: icedove not found"
+fi
diff --git a/test/chromium-x11.exp b/test/apps-x11/chromium.exp
index bcac3233c..2505c0c37 100755
--- a/test/chromium-x11.exp
+++ b/test/apps-x11/chromium.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --x11 --net=br0 chromium www.gentoo.org\r"
+send -- "firejail --name=test --x11 chromium www.gentoo.org\r"
 sleep 10
 spawn $env(SHELL)
@@ -37,6 +40,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail"
 }
 expect {
diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp
new file mode 100755
index 000000000..6a50c8884
--- /dev/null
+++ b/test/apps-x11/firefox.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11 firefox -no-remote www.gentoo.org\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp
new file mode 100755
index 000000000..e306e33ce
--- /dev/null
+++ b/test/apps-x11/icedove.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11 icedove\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/transmission-gtk-x11.exp b/test/apps-x11/transmission-gtk.exp
index 4ee3de701..4083a121f 100755
--- a/test/transmission-gtk-x11.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --net=br0 --x11 transmission-gtk\r"
+send -- "firejail --name=test --x11 transmission-gtk\r"
 sleep 10
 spawn $env(SHELL)
@@ -38,6 +41,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail"
 }
 expect {
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp
new file mode 100755
index 000000000..e9908839b
--- /dev/null
+++ b/test/apps-x11/x11-none.exp
@@ -0,0 +1,48 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "use network namespace in firejail"
+}
+sleep 1
+send -- "firejail --name=test --net=none --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -al /tmp/.X11-unix\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cannot open directory"
+}
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DISPLAY is not set"
+}
+after 100
+send -- "export DISPLAY=:0.0\r"
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Xt error"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp
new file mode 100755
index 000000000..41a413890
--- /dev/null
+++ b/test/apps-x11/x11-xephyr.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xephyr xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+exit
+sleep 5
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "use network namespace in firejail"
+}
+sleep 1
+send -- "firejail --name=test --net=none --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -al /tmp/.X11-unix\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cannot open directory"
+}
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DISPLAY is not set"
+}
+after 100
+send -- "export DISPLAY=:0.0\r"
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Xt error"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp
new file mode 100755
index 000000000..5b4299478
--- /dev/null
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xephyr xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp
new file mode 100755
index 000000000..fbc88f196
--- /dev/null
+++ b/test/apps-x11/xterm-xorg.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
new file mode 100755
index 000000000..1fb5df486
--- /dev/null
+++ b/test/apps-x11/xterm-xpra.exp
@@ -0,0 +1,98 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xpra xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --x11\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "name=test xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.1\n";exit}
+        "DISPLAY"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/test-apps.sh b/test/apps/apps.sh
index 5ada20549..38307b284 100755
--- a/test/test-apps.sh
+++ b/test/apps/apps.sh
@@ -1,4 +1,10 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 which firefox
 if [ "$?" -eq 0 ];
@@ -6,7 +12,7 @@ then
        echo "TESTING: firefox"
        ./firefox.exp
 else
-        echo "TESTING: firefox not found"
+        echo "TESTING SKIP: firefox not found"
 fi
 which midori
@@ -15,7 +21,7 @@ then
        echo "TESTING: midori"
        ./midori.exp
 else
-        echo "TESTING: midori not found"
+        echo "TESTING SKIP: midori not found"
 fi
 which chromium
@@ -24,16 +30,7 @@ then
        echo "TESTING: chromium"
        ./chromium.exp
 else
-        echo "TESTING: chromium not found"
+        echo "TESTING SKIP: chromium not found"
-fi
-which google-chrome
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: google-chrome"
-        ./chromium.exp
-else
-        echo "TESTING: google-chrome not found"
 fi
 which opera
@@ -42,7 +39,7 @@ then
        echo "TESTING: opera"
        ./opera.exp
 else
-        echo "TESTING: opera not found"
+        echo "TESTING SKIP: opera not found"
 fi
 which transmission-gtk
@@ -51,7 +48,7 @@ then
        echo "TESTING: transmission-gtk"
        ./transmission-gtk.exp
 else
-        echo "TESTING: transmission-gtk not found"
+        echo "TESTING SKIP: transmission-gtk not found"
 fi
 which transmission-qt
@@ -60,7 +57,34 @@ then
        echo "TESTING: transmission-qt"
        ./transmission-qt.exp
 else
-        echo "TESTING: transmission-qt not found"
+        echo "TESTING SKIP: transmission-qt not found"
+fi
+which qbittorrent
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: qbittorrent"
+        ./qbittorrent.exp
+else
+        echo "TESTING SKIP: qbittorrent not found"
+fi
+which uget-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: uget"
+        ./uget-gtk.exp
+else
+        echo "TESTING SKIP: uget-gtk not found"
+fi
+which filezilla
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: filezilla"
+        ./filezilla.exp
+else
+        echo "TESTING SKIP: filezilla not found"
 fi
 which evince
@@ -69,7 +93,17 @@ then
        echo "TESTING: evince"
        ./evince.exp
 else
-        echo "TESTING: evince not found"
+        echo "TESTING SKIP: evince not found"
+fi
+which gthumb
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gthumb"
+        ./gthumb.exp
+else
+        echo "TESTING SKIP: gthumb not found"
 fi
 which icedove
@@ -78,7 +112,7 @@ then
        echo "TESTING: icedove"
        ./icedove.exp
 else
-        echo "TESTING: icedove not found"
+        echo "TESTING SKIP: icedove not found"
 fi
 which vlc
@@ -87,7 +121,7 @@ then
        echo "TESTING: vlc"
        ./vlc.exp
 else
-        echo "TESTING: vlc not found"
+        echo "TESTING SKIP: vlc not found"
 fi
 which fbreader
@@ -96,7 +130,7 @@ then
        echo "TESTING: fbreader"
        ./fbreader.exp
 else
-        echo "TESTING: fbreader not found"
+        echo "TESTING SKIP: fbreader not found"
 fi
 which deluge
@@ -105,7 +139,7 @@ then
        echo "TESTING: deluge"
        ./deluge.exp
 else
-        echo "TESTING: deluge not found"
+        echo "TESTING SKIP: deluge not found"
 fi
 which gnome-mplayer
@@ -114,7 +148,7 @@ then
        echo "TESTING: gnome-mplayer"
        ./gnome-mplayer.exp
 else
-        echo "TESTING: gnome-mplayer not found"
+        echo "TESTING SKIP: gnome-mplayer not found"
 fi
 which xchat
@@ -123,7 +157,7 @@ then
        echo "TESTING: xchat"
        ./xchat.exp
 else
-        echo "TESTING: xchat not found"
+        echo "TESTING SKIP: xchat not found"
 fi
 which hexchat
@@ -132,16 +166,7 @@ then
        echo "TESTING: hexchat"
        ./hexchat.exp
 else
-        echo "TESTING: hexchat not found"
+        echo "TESTING SKIP: hexchat not found"
-fi
-which weechat-curses
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: weechat"
-        ./weechat.exp
-else
-        echo "TESTING: weechat not found"
 fi
 which wine
@@ -150,6 +175,6 @@ then
        echo "TESTING: wine"
        ./wine.exp
 else
-        echo "TESTING: wine not found"
+        echo "TESTING SKIP: wine not found"
 fi
diff --git a/test/chromium.exp b/test/apps/chromium.exp
index 676f7e314..d43f70f8e 100755
--- a/test/chromium.exp
+++ b/test/apps/chromium.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "chromium"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail chromium"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/deluge.exp b/test/apps/deluge.exp
index 9f5063495..0bf1baae2 100755
--- a/test/deluge.exp
+++ b/test/apps/deluge.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "deluge"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail deluge"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/evince.exp b/test/apps/evince.exp
index 3c3ad4bdd..71f760a9c 100755
--- a/test/evince.exp
+++ b/test/apps/evince.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "evince"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail evince"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/fbreader.exp b/test/apps/fbreader.exp
index d2bee880e..99c48d87c 100755
--- a/test/fbreader.exp
+++ b/test/apps/fbreader.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "fbreader"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail fbreader"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp
new file mode 100755
index 000000000..2f7038184
--- /dev/null
+++ b/test/apps/filezilla.exp
@@ -0,0 +1,84 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail filezilla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/filezilla.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "filezilla"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail filezilla"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail filezilla"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/firefox.exp b/test/apps/firefox.exp
index 2585e4b5c..5745d9270 100755
--- a/test/firefox.exp
+++ b/test/apps/firefox.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -30,7 +33,7 @@ expect {
        timeout {puts "TESTING ERROR 3.2\n";exit}
        "no-remote"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -52,6 +55,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        " firefox" {puts "firefox detected\n";}
        " iceweasel" {puts "iceweasel detected\n";}
 }
@@ -67,7 +71,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -90,7 +94,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp
index 6965322fc..6f0e5a312 100755
--- a/test/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 5
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "gnome-mplayer"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail gnome-mplayer"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/weechat.exp b/test/apps/gthumb.exp
index 630af55ee..13132cef6 100755
--- a/test/weechat.exp
+++ b/test/apps/gthumb.exp
@@ -1,13 +1,16 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail weechat-curses\r"
+send -- "firejail gthumb\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/weechat.profile"
+        "Reading profile /etc/firejail/gthumb.profile"
 }
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
@@ -23,9 +26,9 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "weechat-curses"
+        "gthumb"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,7 +49,8 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "weechat-curses"
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail gthumb"
 }
 expect {
        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -56,11 +60,11 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "weechat-curses"
+        ":firejail gthumb"
 }
 expect {
        timeout {puts "TESTING ERROR 6.1\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/hexchat.exp b/test/apps/hexchat.exp
index 7e99c8cdf..5d0bc1093 100755
--- a/test/hexchat.exp
+++ b/test/apps/hexchat.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "hexchat"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        "hexchat"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/icedove.exp b/test/apps/icedove.exp
index 344febb93..c0fbd9fc8 100755
--- a/test/icedove.exp
+++ b/test/apps/icedove.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "icedove"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail icedove"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/midori.exp b/test/apps/midori.exp
index 470f5de77..45d70eda1 100755
--- a/test/midori.exp
+++ b/test/apps/midori.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 5
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "midori"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail midori"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/opera.exp b/test/apps/opera.exp
index 23eed5504..036fc2e21 100755
--- a/test/opera.exp
+++ b/test/apps/opera.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "opera"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail opera"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
new file mode 100755
index 000000000..8bc6d8564
--- /dev/null
+++ b/test/apps/qbittorrent.exp
@@ -0,0 +1,84 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail qbittorrent\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "qbittorrent"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\n"
diff --git a/test/transmission-gtk.exp b/test/apps/transmission-gtk.exp
index 1acfc6f94..70700d523 100755
--- a/test/transmission-gtk.exp
+++ b/test/apps/transmission-gtk.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -9,7 +12,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 5
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -21,7 +24,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "transmission-gtk"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -41,6 +44,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail transmission-gtk"
 }
 expect {
@@ -51,7 +55,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -69,7 +73,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/transmission-qt.exp b/test/apps/transmission-qt.exp
index 944fd28a2..3773b1dc2 100755
--- a/test/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 3
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "transmission-qt"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail transmission-qt"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
new file mode 100755
index 000000000..22c2a0831
--- /dev/null
+++ b/test/apps/uget-gtk.exp
@@ -0,0 +1,84 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail uget-gtk\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/uget-gtk.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "uget-gtk"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/vlc.exp b/test/apps/vlc.exp
index 290c0fc2f..b94ef8e12 100755
--- a/test/vlc.exp
+++ b/test/apps/vlc.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "vlc"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail vlc"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/wine.exp b/test/apps/wine.exp
index f5b7d12b4..a2f465acb 100755
--- a/test/wine.exp
+++ b/test/apps/wine.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/xchat.exp b/test/apps/xchat.exp
index cde89d754..f3284caf7 100755
--- a/test/xchat.exp
+++ b/test/apps/xchat.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "xchat"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        " xchat"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
new file mode 100755
index 000000000..db4c9b472
--- /dev/null
+++ b/test/arguments/arguments.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+[ -f argtest ] || make argtest
+echo "TESTING: 1. regular bash session"
+./bashrun.exp
+sleep 1
+echo "TESTING: 2. symbolic link to firejail"
+./symrun.exp
+rm -fr symtest
+sleep 1
+echo "TESTING: 3. --join option"
+./joinrun.exp
+sleep 1
+echo "TESTING: 4. --output option"
+./outrun.exp
+rm out
+rm out.*
diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp
new file mode 100755
index 000000000..a3c9e382d
--- /dev/null
+++ b/test/arguments/bashrun.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "./bashrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1.3\n";exit}
+        "#arg2#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.3\n";exit}
+        "#arg2&tail#"
+}
+puts "\nall done\n"
diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh
new file mode 100755
index 000000000..0797c92c2
--- /dev/null
+++ b/test/arguments/bashrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "TESTING: 1.1 - simple args"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 1.2 - args with space and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1 tail" "arg2 tail"
+echo "TESTING: 1.3 - args with space and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 1.4 - args with space and \\"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 1.5 - args with & and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1&tail" "arg2&tail"
+echo "TESTING: 1.6 - args with & and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
new file mode 100755
index 000000000..8e8570e4f
--- /dev/null
+++ b/test/arguments/joinrun.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=joinrun\r"
+sleep 2
+spawn $env(SHELL)
+send --  "./joinrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1.3\n";exit}
+        "#arg2#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.3\n";exit}
+        "#arg2&tail#"
+}
+puts "\nall done\n"
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
new file mode 100755
index 000000000..2743d823e
--- /dev/null
+++ b/test/arguments/joinrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "TESTING: 3.1 - simple args"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun /usr/lib/firejail/faudit arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 3.2 - args with space and \""
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet /usr/lib/firejail/faudit "arg1 tail" "arg2 tail"
+echo "TESTING: 3.3 - args with space and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 3.4 - args with space and \\"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet /usr/lib/firejail/faudit arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 3.5 - args with & and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1&tail" "arg2&tail"
+echo "TESTING: 3.6 - args with & and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp
new file mode 100755
index 000000000..d28e75661
--- /dev/null
+++ b/test/arguments/outrun.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "./outrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1.3\n";exit}
+        "#arg2#"
+}
+exit
+#***************************************************
+#  breaking down from here on - bug to fix
+#***************************************************
+expect {
+        timeout {puts "TESTING ERROR 4.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.2.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.3\n";exit}
+        "#arg2&tail#"
+}
+puts "\nall done\n"
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh
new file mode 100755
index 000000000..a21243873
--- /dev/null
+++ b/test/arguments/outrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "TESTING: 4.1 - simple args"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 4.2 - args with space and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit "arg1 tail" "arg2 tail"
+echo "TESTING: 4.3 - args with space and '"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 4.4 - args with space and \\"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out /usr/lib/firejail/faudit arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 4.5 - args with & and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit "arg1&tail" "arg2&tail"
+echo "TESTING: 4.6 - args with & and '"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp
new file mode 100755
index 000000000..10e7ac6c8
--- /dev/null
+++ b/test/arguments/symrun.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "./symrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1.3\n";exit}
+        "#arg2#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.3\n";exit}
+        "#arg2&tail#"
+}
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh
new file mode 100755
index 000000000..d28f024a8
--- /dev/null
+++ b/test/arguments/symrun.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+mkdir symtest
+ln -s /usr/bin/firejail symtest/argtest
+# search for argtest in current directory
+export PATH=$PATH:.
+echo "TESTING: 2.1 - simple args"
+symtest/argtest arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 2.2 - args with space and \""
+symtest/argtest "arg1 tail" "arg2 tail"
+echo "TESTING: 2.3 - args with space and '"
+symtest/argtest 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 2.4 - args with space and \\"
+symtest/argtest arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 2.5 - args with & and \""
+symtest/argtest "arg1&tail" "arg2&tail"
+echo "TESTING: 2.6 - args with & and '"
+symtest/argtest 'arg1&tail' 'arg2&tail'
+rm -fr symtest
diff --git a/test/auto/autotest.sh b/test/auto/autotest.sh
deleted file mode 100755
index 0fb7565af..000000000
--- a/test/auto/autotest.sh
+++ /dev/null
@@ -1,202 +0,0 @@
-#!/bin/bash
-arr[1]="TEST 1: svn and standard compilation"
-arr[2]="TEST 2: cppcheck"
-arr[3]="TEST 3: compile seccomp disabled, chroot disabled, bind disabled"
-arr[4]="TEST 4: rvtest"
-arr[5]="TEST 5: expect test as root, no malloc perturb"
-arr[6]="TEST 6: expect test as user, no malloc perturb"
-arr[7]="TEST 7: expect test as root, malloc perturb"
-arr[8]="TEST 8: expect test as user, malloc perturb"
-# remove previous reports and output file
-cleanup() {
-        rm -f out-test
-        rm -f output*
-        rm -f report*
-        rm -fr firejail-trunk
-}
-print_title() {
-        echo
-        echo
-        echo
-        echo "**************************************************"
-        echo $1
-        echo "**************************************************"
-}
-while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
-    case "$1" in
-    --clean)
-        cleanup
-        exit
-        ;;
-    --help)
-        echo "./autotest.sh [--clean|--help]"
-        exit
-        ;;
-    esac
-    shift       # Check next set of parameters.
-done
-cleanup
-# enable sudo
-sudo ls -al
-#*****************************************************************
-# TEST 1
-#*****************************************************************
-# - checkout source code
-# - check compilation
-# - install
-#*****************************************************************
-print_title "${arr[1]}"
-svn checkout svn://svn.code.sf.net/p/firejail/code-0/trunk firejail-trunk
-cd firejail-trunk
-./configure --prefix=/usr 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-sudo make install 2>&1 | tee ../output-install
-cd src/tools
-gcc -o rvtest rvtest.c
-cd ../..
-cd test
-sudo ./configure > /dev/null
-cd ../..
-grep warning output-configure output-make output-install > ./report-test1
-grep error output-configure output-make output-install >> ./report-test1
-cat report-test1 > out-test1
-#*****************************************************************
-# TEST 2
-#*****************************************************************
-# - run cppcheck
-#*****************************************************************
-print_title "${arr[2]}"
-cd firejail-trunk
-cp /home/netblue/bin/cfg/std.cfg .
-cppcheck --force . 2>&1 | tee ../output-cppcheck
-cd ..
-grep error output-cppcheck > report-test2
-cat report-test2 > out-test2
-#*****************************************************************
-# TEST 3
-#*****************************************************************
-# - disable seccomp configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[3]}"
-# seccomp
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-seccomp 2>&1 | tee ../output-configure-noseccomp
-make -j4 2>&1 | tee ../output-make-noseccomp
-cd ..
-grep warning output-configure-noseccomp output-make-noseccomp > ./report-test3
-grep error output-configure-noseccomp output-make-noseccomp >> ./report-test3
-# chroot
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-chroot 2>&1 | tee ../output-configure-nochroot
-make -j4 2>&1 | tee ../output-make-nochroot
-cd ..
-grep warning output-configure-nochroot output-make-nochroot >> ./report-test3
-grep error output-configure-nochroot output-make-nochroot >> ./report-test3
-# bind
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-bind 2>&1 | tee ../output-configure-nobind
-make -j4 2>&1 | tee ../output-make-nobind
-cd ..
-grep warning output-configure-nobind output-make-nobind >> ./report-test3
-grep error output-configure-nobind output-make-nobind >> ./report-test3
-# save result
-cat report-test3 > out-test3
-#*****************************************************************
-# TEST 4
-#*****************************************************************
-# - rvtest
-#*****************************************************************
-print_title "${arr[4]}"
-cd firejail-trunk
-cd test
-../src/tools/rvtest test.rv 2>/dev/null | tee ../../output-test4 | grep TESTING
-cd ../..
-grep TESTING output-test4 > ./report-test4
-grep ERROR report-test4 > out-test4
-#*****************************************************************
-# TEST 5
-#*****************************************************************
-# - expect test as root, no malloc perturb
-#*****************************************************************
-print_title "${arr[5]}"
-cd firejail-trunk/test
-sudo ./test-root.sh 2>&1 | tee ../../output-test5 | grep TESTING
-cd ../..
-grep TESTING output-test5 > ./report-test5
-grep ERROR report-test5 > out-test5
-#*****************************************************************
-# TEST 6
-#*****************************************************************
-# - expect test as user, no malloc perturb
-#*****************************************************************
-print_title "${arr[6]}"
-cd firejail-trunk/test
-./test.sh 2>&1 | tee ../../output-test6 | grep TESTING
-cd ../..
-grep TESTING output-test6 > ./report-test6
-grep ERROR report-test6 > out-test6
-#*****************************************************************
-# TEST 7
-#*****************************************************************
-# - expect test as root, malloc perturb
-#*****************************************************************
-print_title "${arr[7]}"
-export MALLOC_CHECK_=3
-export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-cd firejail-trunk/test
-sudo ./test-root.sh 2>&1 | tee ../../output-test7 | grep TESTING
-cd ../..
-grep TESTING output-test7 > ./report-test7
-grep ERROR report-test7 > out-test7
-#*****************************************************************
-# TEST 8
-#*****************************************************************
-# - expect test as user, malloc perturb
-#*****************************************************************
-print_title "${arr[8]}"
-cd firejail-trunk/test
-./test.sh 2>&1 | tee ../../output-test8| grep TESTING
-cd ../..
-grep TESTING output-test8 > ./report-test8
-grep ERROR report-test8 > out-test8
-#*****************************************************************
-# PRINT REPORTS
-#*****************************************************************
-echo
-echo
-echo
-echo
-echo "**********************************************************"
-echo "TEST RESULTS"
-echo "**********************************************************"
-wc -l out-test*
-rm out-test*
-echo
-exit
diff --git a/test/chroot-resolvconf.exp b/test/chroot-resolvconf.exp
deleted file mode 100755
index 2d0da2fb0..000000000
--- a/test/chroot-resolvconf.exp
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail --chroot=/tmp/chroot /bin/bash\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "invalid /tmp/chroot/etc/resolv.conf file"
-}
-puts "\nall done\n"
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh
new file mode 100755
index 000000000..34bff2a67
--- /dev/null
+++ b/test/chroot/chroot.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+rm -f unchroot
+gcc -o unchroot unchroot.c
+sudo ./configure
+echo "TESTING: chroot (test/chroot/fs_chroot.exp)"
+./fs_chroot.exp
+echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)"
+sudo ./unchroot-as-root.exp
+rm -f unchroot
diff --git a/test/chroot/configure b/test/chroot/configure
new file mode 100755
index 000000000..ba8238803
--- /dev/null
+++ b/test/chroot/configure
@@ -0,0 +1,46 @@
+#!/bin/bash
+# build a very small chroot
+ROOTDIR="/tmp/chroot"                   # default chroot directory
+DEFAULT_FILES="/bin/bash /bin/sh "      # basic chroot files
+DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
+DEFAULT_FILES+=`find /lib -name libnss*`        # files required by glibc
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+rm -fr $ROOTDIR
+mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+chmod 777 $ROOTDIR/tmp
+mkdir -p $ROOTDIR/etc/firejail
+mkdir -p $ROOTDIR/home/netblue/.config/firejail
+chown netblue:netblue $ROOTDIR/home/netblue
+chown netblue:netblue $ROOTDIR/home/netblue/.config
+cp /home/netblue/.Xauthority $ROOTDIR/home/netblue/.
+cp -a /etc/skel $ROOTDIR/etc/.
+mkdir $ROOTDIR/home/someotheruser
+mkdir $ROOTDIR/boot
+mkdir $ROOTDIR/selinux
+cp /etc/passwd $ROOTDIR/etc/.
+cp /etc/group $ROOTDIR/etc/.
+cp /etc/hosts $ROOTDIR/etc/.
+cp /etc/hostname $ROOTDIR/etc/.
+mkdir -p $ROOTDIR/usr/lib/x86_64-linux-gnu
+cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0 $ROOTDIR/usr/lib/x86_64-linux-gnu/.
+cp -a /usr/lib/ssl $ROOTDIR/usr/lib/.
+touch $ROOTDIR/var/log/syslog
+touch $ROOTDIR/var/tmp/somefile
+SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`
+for FILE in $SORTED
+do
+        cp --parents $FILE $ROOTDIR
+done
+cp --parents /lib64/ld-linux-x86-64.so.2 $ROOTDIR
+cp --parents /lib/ld-linux.so.2 $ROOTDIR
+cp unchroot $ROOTDIR/.
+touch $ROOTDIR/this-is-my-chroot
+cd $ROOTDIR; find .
+mkdir -p usr/lib/firejail/
+cp /usr/lib/firejail/libtrace.so usr/lib/firejail/.
+echo "To enter the chroot directory run: firejail --chroot=$ROOTDIR"
diff --git a/test/fs_chroot.exp b/test/chroot/fs_chroot.exp
index aeb5669e1..295ff8ff9 100755
--- a/test/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -20,19 +20,14 @@ expect {
 sleep 1
 send -- "bash\r"
 sleep 1
-send -- "ls /; pwd\r"
+send -- "ls /\r"
 expect {
        timeout {puts "TESTING ERROR 0.2\n";exit}
        "this-is-my-chroot"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 0.3\n";exit}
-        "home"
-}
+send -- "ps aux\r"
-send -- "ps aux; pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "/bin/bash"
@@ -45,23 +40,14 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "ps aux"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 1
+send -- "ps aux | wc -l; pwd\r"
-send -- "ps aux |wc -l; pwd\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "6"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
-}
-sleep 1
 puts "all done\n"
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp
new file mode 100755
index 000000000..9f8a1d784
--- /dev/null
+++ b/test/chroot/unchroot-as-root.exp
@@ -0,0 +1,27 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail  --chroot=/tmp/chroot\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
+        "Child process initialized" {puts "chroot available\n"};
+}
+sleep 1
+send -- "cd /\r"
+after 100
+send -- "./unchroot\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Bad system call"
+}
+after 100
+puts "all done\n"
diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c
new file mode 100644
index 000000000..1982e07f3
--- /dev/null
+++ b/test/chroot/unchroot.c
@@ -0,0 +1,40 @@
+// simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+void die(char *msg) {
+        perror(msg);
+        exit(1);
+}
+int main(int argc, char *argv[])
+{
+        int i;
+        
+        if (chdir("/") != 0)
+                die("chdir(/)");
+        
+        if (mkdir("baz", 0777) != 0)
+                ; //die("mkdir(baz)");
+        
+        if (chroot("baz") != 0)
+                die("chroot(baz)");
+        
+        for (i=0; i<50; i++) {
+                if (chdir("..") != 0)
+                        die("chdir(..)");
+        }
+        
+        if (chroot(".") != 0)
+                die("chroot(.)");
+        
+        printf("Exploit seems to work. =)\n");
+        
+        execl("/bin/bash", "bash", "-i", (char *)0);
+        die("exec bash");
+        
+        exit(0);
+}
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index e3e9bef2b..44e67fe22 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -9,13 +9,18 @@ arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
 arr[8]="TEST 8: compile network restricted"
 arr[9]="TEST 9: compile file transfer disabled"
+arr[10]="TEST 10: compile disable whitelist"
+arr[11]="TEST 11: compile disable global config"
+arr[12]="TEST 12: compile apparmor"
+arr[13]="TEST 13: compile busybox"
+arr[14]="TEST 14: compile overlayfs disabled"
+arr[15]="TEST 15: compile apparmor enabled"
 # remove previous reports and output file
 cleanup() {
        rm -f report*
        rm -fr firejail
-        rm oc* om*
+        rm -f oc* om*
 }
 print_title() {
@@ -27,6 +32,7 @@ print_title() {
        echo "**************************************************"
 }
+DIST="$1"
 while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
    case "$1" in
    --clean)
@@ -42,36 +48,33 @@ while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
 done
 cleanup
-# enable sudo
-sudo ls -al
 #*****************************************************************
 # TEST 1
 #*****************************************************************
 # - checkout source code
-# - check compilation
-# - install
 #*****************************************************************
 print_title "${arr[1]}"
-git clone https://github.com/netblue30/firejail.git
+echo "$DIST"
+tar -xJvf ../../$DIST.tar.xz
+mv $DIST firejail
 cd firejail
 ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
-sudo make install 2>&1 | tee ../output-install
 cd ..
-grep Warning output-configure output-make output-install > ./report-test1
+grep Warning output-configure output-make > ./report-test1
-grep Error output-configure output-make output-install >> ./report-test1
+grep Error output-configure output-make >> ./report-test1
 cp output-configure oc1
 cp output-make om1
-rm output-configure output-make output-install
+rm output-configure output-make
 #*****************************************************************
 # TEST 2
 #*****************************************************************
 # - disable seccomp configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[2]}"
 # seccomp
@@ -90,7 +93,6 @@ rm output-configure output-make
 # TEST 3
 #*****************************************************************
 # - disable chroot configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[3]}"
 # seccomp
@@ -109,7 +111,6 @@ rm output-configure output-make
 # TEST 4
 #*****************************************************************
 # - disable bind configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[4]}"
 # seccomp
@@ -128,7 +129,6 @@ rm output-configure output-make
 # TEST 5
 #*****************************************************************
 # - disable user namespace configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[5]}"
 # seccomp
@@ -166,7 +166,6 @@ rm output-configure output-make
 # TEST 7
 #*****************************************************************
 # - disable X11 support
-# - check compilation
 #*****************************************************************
 print_title "${arr[7]}"
 # seccomp
@@ -186,7 +185,6 @@ rm output-configure output-make
 # TEST 8
 #*****************************************************************
 # - enable network restricted
-# - check compilation
 #*****************************************************************
 print_title "${arr[8]}"
 # seccomp
@@ -206,13 +204,12 @@ rm output-configure output-make
 # TEST 9
 #*****************************************************************
 # - disable file transfer
-# - check compilation
 #*****************************************************************
 print_title "${arr[9]}"
 # seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --enable-network=restricted  --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-file-transfer  --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test9
@@ -221,6 +218,114 @@ cp output-configure oc9
 cp output-make om9
 rm output-configure output-make
+#*****************************************************************
+# TEST 10
+#*****************************************************************
+# - disable whitelist
+#*****************************************************************
+print_title "${arr[10]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-whitelist  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test10
+grep Error output-configure output-make >> ./report-test10
+cp output-configure oc10
+cp output-make om10
+rm output-configure output-make
+#*****************************************************************
+# TEST 11
+#*****************************************************************
+# - disable global config
+#*****************************************************************
+print_title "${arr[11]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-globalcfg  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test11
+grep Error output-configure output-make >> ./report-test11
+cp output-configure oc11
+cp output-make om11
+rm output-configure output-make
+#*****************************************************************
+# TEST 12
+#*****************************************************************
+# - enable apparmor
+#*****************************************************************
+print_title "${arr[12]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-apparmor  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test12
+grep Error output-configure output-make >> ./report-test12
+cp output-configure oc12
+cp output-make om12
+rm output-configure output-make
+#*****************************************************************
+# TEST 13
+#*****************************************************************
+# - enable busybox workaround
+#*****************************************************************
+print_title "${arr[13]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test13
+grep Error output-configure output-make >> ./report-test13
+cp output-configure oc13
+cp output-make om13
+rm output-configure output-make
+#*****************************************************************
+# TEST 14
+#*****************************************************************
+# - disable overlayfs
+#*****************************************************************
+print_title "${arr[14]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test14
+grep Error output-configure output-make >> ./report-test14
+cp output-configure oc14
+cp output-make om14
+rm output-configure output-make
+#*****************************************************************
+# TEST 15
+#*****************************************************************
+# - enable apparmor
+#*****************************************************************
+print_title "${arr[15]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test15
+grep Error output-configure output-make >> ./report-test15
+cp output-configure oc15
+cp output-make om15
+rm output-configure output-make
 #*****************************************************************
 # PRINT REPORTS
@@ -245,3 +350,10 @@ echo ${arr[6]}
 echo ${arr[7]}
 echo ${arr[8]}
 echo ${arr[9]}
+echo ${arr[10]}
+echo ${arr[11]}
+echo ${arr[12]}
+echo ${arr[13]}
+echo ${arr[14]}
+echo ${arr[15]}
diff --git a/test/configure b/test/configure
index bdf36fcad..9acd021c8 100755
--- a/test/configure
+++ b/test/configure
@@ -28,7 +28,7 @@ ROOTDIR="/tmp/chroot"			# default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh "      # basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*`        # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
diff --git a/test/dns.exp b/test/dns.exp
deleted file mode 100755
index 96513f278..000000000
--- a/test/dns.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 30
-spawn $env(SHELL)
-match_max 100000
-# no chroot
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-# with chroot
-send -- "firejail --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-# net eth0
-send -- "firejail --net=eth0 --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-# net eth0 and chroot
-send -- "firejail --net=eth0 --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-puts "\n"
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
new file mode 100755
index 000000000..8a404decb
--- /dev/null
+++ b/test/environment/allow-debuggers.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ioctl"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "exit_group"
+}
+after 100
+send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "ioctl"
+}       
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "exit_group"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/shell_csh.exp b/test/environment/csh.exp
index a2634f633..46e4bb3ca 100755
--- a/test/shell_csh.exp
+++ b/test/environment/csh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,16 +14,13 @@ expect {
 }
 sleep 1
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        ".cshrc"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
+send -- "env | grep SHELL\r"
-        "home"
-}
-send -- "env | grep SHELL;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "SHELL"
@@ -29,12 +29,8 @@ expect {
        timeout {puts "TESTING ERROR 2.1\n";exit}
        "/bin/csh"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "home"
-}
 send -- "exit\r"
-sleep 1
+after 100
 puts "\n"
diff --git a/test/shell_dash.exp b/test/environment/dash.exp
index f5a60719e..cd051ea7c 100755
--- a/test/shell_dash.exp
+++ b/test/environment/dash.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -35,7 +36,7 @@ expect {
        "home"
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "\n"
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
new file mode 100755
index 000000000..0d12a82f2
--- /dev/null
+++ b/test/environment/dns.exp
@@ -0,0 +1,76 @@
+#!/usr/bin/expect -f
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /etc/resolv.conf\r"
+expect {
+        timeout {puts "TESTING ERROR 2.2\n";exit}
+        "nameserver 8.8.4.4"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3\n";exit}
+        "nameserver 8.8.8.8"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4\n";exit}
+        "nameserver 4.2.2.1"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --profile=dns.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 12.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /etc/resolv.conf\r"
+expect {
+        timeout {puts "TESTING ERROR 12.2\n";exit}
+        "nameserver 8.8.4.4"
+}
+expect {
+        timeout {puts "TESTING ERROR 12.3\n";exit}
+        "nameserver 8.8.8.8"
+}
+expect {
+        timeout {puts "TESTING ERROR 12.4\n";exit}
+        "nameserver 4.2.2.1"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "connect"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "208.67.222.222"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "53"
+}
+after 100
+send -- "rm index.html\r"
+after 100
+send -- "exit\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/environment/dns.profile b/test/environment/dns.profile
new file mode 100644
index 000000000..d1b842c86
--- /dev/null
+++ b/test/environment/dns.profile
@@ -0,0 +1,3 @@
+dns 8.8.4.4
+dns 8.8.8.8
+dns 4.2.2.1
diff --git a/test/doubledash.exp b/test/environment/doubledash.exp
index 668468980..2eaa7d9ce 100755
--- a/test/doubledash.exp
+++ b/test/environment/doubledash.exp
@@ -36,25 +36,25 @@ expect {
 sleep 3
 spawn $env(SHELL)
-send --  "firejail --list;pwd\r"
+send --  "firejail --list;ls -d /tmp\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "name=testing"
 }
 expect {
        timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
+        "/tmp"
 }
-send --  "firejail --list;pwd\r"
+send --  "firejail --list;ls -d /tmp\r"
 expect {
        timeout {puts "TESTING ERROR 8 (join)\n";exit}
        "join=testing"
 }
 expect {
        timeout {puts "TESTING ERROR 9\n";exit}
-        "home"
+        "/tmp"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/env.exp b/test/environment/env.exp
index d7aee3c64..8f72400b0 100755
--- a/test/env.exp
+++ b/test/environment/env.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -28,7 +31,7 @@ expect {
        "ENV3"
 }
 send -- "exit\r"
-sleep 1
+after 100
 #***********************************************
 send -- "firejail --profile=env.profile\r"
diff --git a/test/env.profile b/test/environment/env.profile
index ba66e6210..ba66e6210 100644
--- a/test/env.profile
+++ b/test/environment/env.profile
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
new file mode 100755
index 000000000..2bb5a249e
--- /dev/null
+++ b/test/environment/environment.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: DNS (test/environment/dns.exp)"
+./dns.exp
+echo "TESTING: doubledash (test/environment/doubledash.exp"
+mkdir -- -testdir
+touch -- -testdir/ttt
+cp -- /bin/bash -testdir/.
+./doubledash.exp
+rm -fr -- -testdir
+echo "TESTING: output (test/environment/output.exp)"
+./output.exp
+echo "TESTING: extract command (extract_command.exp)"
+./extract_command.exp
+echo "TESTING: environment variables (test/environment/env.exp)"
+./env.exp
+echo "TESTING: shell none(test/environment/shell-none.exp)"
+./shell-none.exp
+which dash
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: dash (test/environment/dash.exp)"
+        ./dash.exp
+else
+        echo "TESTING SKIP: dash not found"
+fi
+which csh
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: csh (test/environment/csh.exp)"
+        ./csh.exp
+else
+        echo "TESTING SKIP: csh not found"
+fi
+which zsh
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: zsh (test/environment/zsh.exp)"
+        ./zsh.exp
+else
+        echo "TESTING SKIP: zsh not found"
+fi
+echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)"
+./firejail-in-firejail.exp
+echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)"
+./firejail-in-firejail2.exp
+which aplay
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: sound (test/environment/sound.exp)"
+        ./sound.exp
+else
+        echo "TESTING SKIP: aplay not found"
+fi
+echo "TESTING: nice (test/environment/nice.exp)"
+./nice.exp
+echo "TESTING: quiet (test/environment/quiet.exp)"
+./quiet.exp
+which strace
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
+        ./allow-debuggers.exp
+else
+        echo "TESTING SKIP: strace not found"
+fi
+# to install ibus:
+#       $ sudo apt-get install ibus-table-array30
+#       $ ibus-setup
+find ~/.config/ibus/bus | grep unix-0
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: ibus (test/environment/ibus.exp)"
+        ./ibus.exp
+else
+        echo "TESTING SKIP: ibus not configured"
+fi
+echo "TESTING: rlimit (test/rlimit/rlimit.exp)"
+./rlimit.exp
+echo "TESTING: rlimit profile (test/rlimit/rlimit-profile.exp)"
+./rlimit-profile.exp
+echo "TESTING: rlimit errors (test/rlimit/rlimit-bad.exp)"
+./rlimit-bad.exp
+echo "TESTING: rlimit errors profile (test/rlimit/rlimit-bad-profile.exp)"
+./rlimit-bad-profile.exp
diff --git a/test/extract_command.exp b/test/environment/extract_command.exp
index 99c1cc134..266f66ff5 100755
--- a/test/extract_command.exp
+++ b/test/environment/extract_command.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --debug ls -al\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/generic.profile"
+        "Reading profile /etc/firejail/default.profile"
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
@@ -17,7 +17,7 @@ expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Parent is shutting down, bye"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
new file mode 100755
index 000000000..2b851ee72
--- /dev/null
+++ b/test/environment/firejail-in-firejail.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send --  "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Warning: an existing sandbox was detected"
+}
+after 100
+send --  "exit\r"
+after 100
+send --  "firejail --force\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "cannot rise privileges"
+}
+after 100
+send --  "firejail --version\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "firejail version"
+}
+after 100
+send --  "firejail --version --force\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "firejail version"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp
new file mode 100755
index 000000000..330e5e372
--- /dev/null
+++ b/test/environment/firejail-in-firejail2.exp
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send --  "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Warning: an existing sandbox was detected"
+}
+after 100
+send --  "exit\r"
+after 100
+send --  "firejail --force\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+after 100
+send --  "exit\r"
+after 100
+send --  "firejail --version\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "firejail version"
+}
+after 100
+send --  "firejail --version --force\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "firejail version"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/sysrq-trigger.exp b/test/environment/ibus.exp
index 18fb4a01a..4344011a6 100755
--- a/test/sysrq-trigger.exp
+++ b/test/environment/ibus.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -9,13 +10,19 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 1
+after 100
-send -- "echo b > /proc/sysrq-trigger\r"
+send -- "env | grep IBUS\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "Read-only file system"
+        "IBUS_ADDRESS"
 }
-sleep 1
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "IBUS_DAEMON_PID"
+}
+after 100
+puts "\nall done\n"
-puts "\n"
diff --git a/test/nice.exp b/test/environment/nice.exp
index f4afb547d..2e0e95ea1 100755
--- a/test/nice.exp
+++ b/test/environment/nice.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -14,7 +17,7 @@ sleep 1
 send -- "top -b -n 1\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "netblue"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
@@ -26,7 +29,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "netblu"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
@@ -39,7 +42,7 @@ expect {
 sleep 1
 send -- "exit\r"
-sleep 1
+after 100
 send -- "firejail --profile=nice.profile\r"
 expect {
@@ -51,7 +54,7 @@ sleep 1
 send -- "top -b -n 1\r"
 expect {
        timeout {puts "TESTING ERROR 11\n";exit}
-        "netblue"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 12\n";exit}
@@ -63,7 +66,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 14\n";exit}
-        "netblu"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 15\n";exit}
diff --git a/test/nice.profile b/test/environment/nice.profile
index d02c8f58b..d02c8f58b 100644
--- a/test/nice.profile
+++ b/test/environment/nice.profile
diff --git a/test/output.exp b/test/environment/output.exp
index 90a9d64b6..10c325832 100755
--- a/test/output.exp
+++ b/test/environment/output.exp
@@ -59,8 +59,7 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "logfile.5"
 }
-sleep 1
+after 100
 send -- "rm -f logfile*\r"
-sleep 1
+after 100
+puts "\nall done\n"
-puts "\n"
diff --git a/test/output.sh b/test/environment/output.sh
index 2be188e3a..2be188e3a 100755
--- a/test/output.sh
+++ b/test/environment/output.sh
diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp
new file mode 100755
index 000000000..8d7c8d4c0
--- /dev/null
+++ b/test/environment/quiet.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+# check ip address
+send -- "firejail --quiet echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile" {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized" {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp
new file mode 100755
index 000000000..80693a4a0
--- /dev/null
+++ b/test/environment/rlimit-bad-profile.exp
@@ -0,0 +1,35 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=rlimit-bad1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Invalid rlimit option"
+}
+after 100
+send -- "firejail --profile=rlimit-bad2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Invalid rlimit option"
+}
+after 100
+send -- "firejail --profile=rlimit-bad3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Invalid rlimit option"
+}
+after 100
+send -- "firejail --profile=rlimit-bad4.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Invalid rlimit option"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp
new file mode 100755
index 000000000..574e7e174
--- /dev/null
+++ b/test/environment/rlimit-bad.exp
@@ -0,0 +1,34 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --rlimit-fsize=-1024\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "invalid rlimt fsize"
+}
+after 100
+send -- "firejail --rlimit-nofile=asdf\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "invalid rlimt nofile"
+}
+after 100
+send -- "firejail --rlimit-nproc=100.23\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "invalid rlimt nproc"
+}
+after 100
+send -- "firejail --rlimit-sigpending=2345-78\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "invalid rlimt sigpending"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/rlimit-bad1.profile b/test/environment/rlimit-bad1.profile
new file mode 100644
index 000000000..b6d3340d8
--- /dev/null
+++ b/test/environment/rlimit-bad1.profile
@@ -0,0 +1 @@
+rlimit-fsize -1024
diff --git a/test/environment/rlimit-bad2.profile b/test/environment/rlimit-bad2.profile
new file mode 100644
index 000000000..ef3f243c6
--- /dev/null
+++ b/test/environment/rlimit-bad2.profile
@@ -0,0 +1 @@
+rlimit-nofile asdf
diff --git a/test/environment/rlimit-bad3.profile b/test/environment/rlimit-bad3.profile
new file mode 100644
index 000000000..af016a29f
--- /dev/null
+++ b/test/environment/rlimit-bad3.profile
@@ -0,0 +1 @@
+rlimit-nproc 100.23
diff --git a/test/environment/rlimit-bad4.profile b/test/environment/rlimit-bad4.profile
new file mode 100644
index 000000000..aabe3d008
--- /dev/null
+++ b/test/environment/rlimit-bad4.profile
@@ -0,0 +1 @@
+rlimit-sigpending 67asd56
+\ No newline at end of file
diff --git a/test/profile_rlimit.exp b/test/environment/rlimit-profile.exp
index 7d2637444..a9e54a405 100755
--- a/test/profile_rlimit.exp
+++ b/test/environment/rlimit-profile.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 set timeout 10
+#cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -11,7 +12,7 @@ expect {
 }
 sleep 1
-send -- "cat /proc/self/limits; pwd\r"
+send -- "cat /proc/self/limits\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
        "Max file size             1024                 1024"
@@ -28,9 +29,5 @@ expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
        "Max pending signals       200                  200"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 1.5\n";exit}
+puts "\nall done\n"
-        "home"
-}
-sleep 1
-puts "\n"
diff --git a/test/option_rlimit.exp b/test/environment/rlimit.exp
index 17d2bd9d1..611f69821 100755
--- a/test/option_rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -32,5 +33,5 @@ expect {
        timeout {puts "TESTING ERROR 1.5\n";exit}
        "home"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/rlimit.profile b/test/environment/rlimit.profile
index 271891c03..271891c03 100644
--- a/test/rlimit.profile
+++ b/test/environment/rlimit.profile
diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp
new file mode 100755
index 000000000..8f3df794f
--- /dev/null
+++ b/test/environment/shell-none.exp
@@ -0,0 +1,48 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail  --shell=none\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "shell=none configured, but no program specified"
+}
+sleep 1
+send -- "firejail  --profile=shell-none.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "shell=none configured, but no program specified"
+}
+after 100
+send -- "firejail  --shell=none ls\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "environment.sh"
+}
+after 100
+send -- "firejail  --profile=shell-none.profile ls\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "environment.sh"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/shell-none.profile b/test/environment/shell-none.profile
new file mode 100644
index 000000000..f16ebe3a0
--- /dev/null
+++ b/test/environment/shell-none.profile
@@ -0,0 +1 @@
+shell none
diff --git a/test/sound.exp b/test/environment/sound.exp
index 078f8b416..dd55add89 100755
--- a/test/sound.exp
+++ b/test/environment/sound.exp
@@ -1,4 +1,8 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -73,7 +77,7 @@ expect {
        timeout {puts "TESTING ERROR 25\n";exit}
        "Parent is shutting down"
 }
-sleep 2
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/sound.profile b/test/environment/sound.profile
index 2f83a0bbb..2f83a0bbb 100644
--- a/test/sound.profile
+++ b/test/environment/sound.profile
diff --git a/test/shell_zsh.exp b/test/environment/zsh.exp
index 1d73fd926..578951ce0 100755
--- a/test/shell_zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,15 +14,12 @@ expect {
 }
 sleep 1
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        ".zshrc"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 send -- "env | grep SHELL;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
@@ -27,14 +27,10 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "/usr/bin/zsh"
+        "/bin/zsh"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "home"
 }
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp
new file mode 100755
index 000000000..24bb19351
--- /dev/null
+++ b/test/fcopy/cmdline.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/lib/firejail/fcopy\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "files missing"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Usage:"
+}
+after 100
+send -- "/usr/lib/firejail/fcopy foo\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "files missing"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Usage:"
+}
+after 100
+send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "invalid file name"
+}
+after 100
+send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "invalid file name"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp
new file mode 100755
index 000000000..00b0204ae
--- /dev/null
+++ b/test/fcopy/dircopy.exp
@@ -0,0 +1,106 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+#
+# copy directory src to dest
+#
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "rm -fr dest/*\r"
+after 100
+send -- "/usr/lib/firejail/fcopy src dest\r"
+after 100
+send -- "find dest\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "dest/"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "dest/a"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "dest/a/b"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "dest/a/b/file4"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "dest/a/file3"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "dest/dircopy.exp"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "dest/file2"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "dest/file1"
+}
+after 100
+send -- "ls -al dest\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "drwxr-xr-x"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "a"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "lrwxrwxrwx"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "dircopy.exp"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "rwxr-xr-x"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "file1"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "rw-r--r--"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "file2"
+}
+after 100
+send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "differ" {puts "TESTING ERROR 17\n";exit}
+        "done"
+}
+send -- "file dest/dircopy.exp\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "symbolic link"
+}
+send -- "rm -fr dest/*\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh
new file mode 100755
index 000000000..dcda5ca31
--- /dev/null
+++ b/test/fcopy/fcopy.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+mkdir dest
+echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)"
+./cmdline.exp
+echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)"
+./dircopy.exp
+echo "TESTING: fcopy file (test/fcopy/filecopy.exp)"
+./filecopy.exp
+echo "TESTING: fcopy link (test/fcopy/linkcopy.exp)"
+./linkcopy.exp
+rm -fr dest/*
diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp
new file mode 100755
index 000000000..d1f0a4424
--- /dev/null
+++ b/test/fcopy/filecopy.exp
@@ -0,0 +1,54 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+#
+# copy directory src to dest
+#
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "rm -fr dest/*\r"
+after 100
+send -- "/usr/lib/firejail/fcopy dircopy.exp dest\r"
+after 100
+send -- "find dest\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "dest/"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "dest/dircopy.exp"
+}
+after 100
+send -- "ls -al dest\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "rwxr-xr-x"
+}
+after 100
+send -- "diff -q dircopy.exp dest/dircopy.exp; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "differ" {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+send -- "file dest/dircopy.exp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "ASCII text"
+}
+send -- "rm -fr dest/*\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp
new file mode 100755
index 000000000..9927e18fe
--- /dev/null
+++ b/test/fcopy/linkcopy.exp
@@ -0,0 +1,54 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+#
+# copy directory src to dest
+#
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "rm -fr dest/*\r"
+after 100
+send -- "/usr/lib/firejail/fcopy src/dircopy.exp dest\r"
+after 100
+send -- "find dest\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "dest/"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "dest/dircopy.exp"
+}
+after 100
+send -- "ls -al dest\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "lrwxrwxrwx"
+}
+after 100
+send -- "diff -q dircopy.exp dest/dircopy.exp; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "differ" {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+send -- "file dest/dircopy.exp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "symbolic link"
+}
+send -- "rm -fr dest/*\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fcopy/src/a/b/file4 b/test/fcopy/src/a/b/file4
new file mode 100644
index 000000000..ac318d7ab
--- /dev/null
+++ b/test/fcopy/src/a/b/file4
@@ -0,0 +1,11 @@
+Lorem ipsum dolor sit amet, consectetur adipiscing elit. Etiam interdum at massa non aliquam. Maecenas molestie id orci volutpat porta. Praesent aliquam nunc quis mi tristique, ac feugiat enim rutrum. Nulla vitae metus sodales, pellentesque risus sit amet, volutpat nisl. Curabitur accumsan arcu congue lacus porta laoreet. Nulla facilisi. Integer nec augue id magna gravida tincidunt id vitae lorem. Curabitur facilisis, tellus vel pellentesque pretium, odio dolor efficitur lorem, et tincidunt dui enim cursus lacus. Cras a orci ac magna semper dapibus nec et velit. Nullam aliquam sollicitudin auctor.
+Mauris ac quam vel purus volutpat semper eget a ante. Curabitur arcu nisl, dapibus ac lectus ac, porttitor fermentum metus. Aliquam et sem aliquam magna interdum ultricies at eu orci. Aenean tortor augue, volutpat nec magna nec, rutrum bibendum justo. Vivamus ex quam, auctor ut pellentesque mattis, aliquet a eros. Etiam ac lacus ac ante ullamcorper sollicitudin a quis orci. Suspendisse quis justo ac mauris cursus finibus quis at elit. Vestibulum elementum finibus diam, eget convallis purus aliquet et. Fusce fermentum ornare urna, non ornare nisl tincidunt consectetur. Donec et lacus vitae ex eleifend porttitor id ut odio. Quisque luctus eget lorem et sollicitudin.
+Aliquam libero elit, finibus a nisl a, commodo viverra turpis. Nam pulvinar in est sit amet fermentum. Praesent scelerisque tempus lectus, ac porta elit sodales rutrum. Duis faucibus faucibus urna eget accumsan. Vivamus in turpis ut massa rhoncus pretium nec et lorem. Aenean at tellus eget metus porta ornare. Aliquam erat volutpat. Donec hendrerit a massa vel malesuada. Integer varius sapien et orci viverra pretium. In at velit aliquet, vulputate nisi lobortis, aliquam augue.
+Ut aliquam turpis ut lorem aliquam, in faucibus elit pulvinar. Vivamus viverra tortor ornare, lacinia leo sit amet, auctor arcu. Sed erat leo, pellentesque vel nibh a, malesuada vehicula purus. Vivamus est dolor, aliquet quis facilisis fermentum, varius in dolor. Nunc quis libero feugiat, imperdiet est vitae, mollis risus. Vestibulum elementum mattis lorem vitae gravida. Nullam id tellus interdum, aliquam erat eu, laoreet nunc. Aliquam ut felis vel mauris maximus pellentesque.
+Vestibulum tempus mauris eget ex interdum, vitae vehicula tortor sollicitudin. Pellentesque et dolor cursus dui vulputate laoreet. Morbi eu bibendum quam, at ultrices elit. Vestibulum dictum enim sit amet ultricies imperdiet. Praesent congue magna ac mauris mattis, a iaculis ante aliquet. Vivamus at egestas ex. Suspendisse orci dolor, pharetra at aliquam a, faucibus facilisis leo. Quisque semper lorem eget elit commodo pretium. Aenean posuere augue quis arcu finibus, sit amet fringilla risus congue. Pellentesque rutrum nunc leo, aliquam lobortis lacus molestie nec. Donec convallis congue diam, ullamcorper vestibulum dui varius nec. Praesent pellentesque nisi risus. In aliquam molestie malesuada. Nulla facilisis a risus eu tristique. Morbi molestie et arcu quis efficitur. Curabitur cursus vestibulum luctus.
diff --git a/test/fcopy/src/a/file3 b/test/fcopy/src/a/file3
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fcopy/src/a/file3
diff --git a/test/fcopy/src/dircopy.exp b/test/fcopy/src/dircopy.exp
new file mode 120000
index 000000000..2acf88f7b
--- /dev/null
+++ b/test/fcopy/src/dircopy.exp
@@ -0,0 +1 @@
+../dircopy.exp
+\ No newline at end of file
diff --git a/test/fcopy/src/file1 b/test/fcopy/src/file1
new file mode 100755
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fcopy/src/file1
diff --git a/test/fcopy/src/file2 b/test/fcopy/src/file2
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fcopy/src/file2
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index 6f7cae888..bcb227304 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -34,7 +34,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
-        "proc /proc/sysrq-trigger proc"
+        "/proc/sysrq-trigger"
 }
 #expect {
 #       timeout {puts "TESTING ERROR 1.5\n";exit}
@@ -42,11 +42,11 @@ expect {
 #}
 expect {
        timeout {puts "TESTING ERROR 1.6\n";exit}
-        "proc /proc/irq proc"
+        "/proc/irq"
 }
 expect {
        timeout {puts "TESTING ERROR 1.7\n";exit}
-        "proc /proc/bus proc"
+        "/proc/bus"
 }
 after 100
 send -- "exit\r"
@@ -115,22 +115,22 @@ if { $chroot == "chroot" } {
                timeout {puts "TESTING ERROR 5.3\n";exit}
                "proc /proc/sys proc"
        }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.4\n";exit}
+#               timeout {puts "TESTING ERROR 5.4\n";exit}
-                "proc /proc/sysrq-trigger proc"
+#               "proc /proc/sysrq-trigger proc"
-        }
+#       }
 #       expect {
 #               timeout {puts "TESTING ERROR 5.5\n";exit}
 #               "proc /proc/sys/kernel/hotplug"
 #       }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.6\n";exit}
+#               timeout {puts "TESTING ERROR 5.6\n";exit}
-                "proc /proc/irq proc"
+#               "proc /proc/irq proc"
-        }
+#       }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.7\n";exit}
+#               timeout {puts "TESTING ERROR 5.7\n";exit}
-                "proc /proc/bus proc"
+#               "proc /proc/bus proc"
-        }
+#       }
        after 100
        send -- "exit\r"
        sleep 1
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index 493a87328..4c6d3f3dc 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -20,12 +20,6 @@ expect {
 }
 sleep 1
-send -- "ls /etc/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Permission denied"
-}
-after 100
 send -- "ls ~/.config/firejail\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
@@ -77,12 +71,6 @@ if { $overlay == "overlay" } {
                "Child process initialized" {puts "normal system\n"}
        }
        sleep 1
-        send -- "ls /etc/firejail\r"
-        expect {
-                timeout {puts "TESTING ERROR 3\n";exit}
-                "Permission denied"
-        }
-        after 100
        send -- "ls ~/.config/firejail\r"
        expect {
                timeout {puts "TESTING ERROR 3.1\n";exit}
@@ -134,12 +122,6 @@ if { $chroot == "chroot" } {
                "Child process initialized"
        }
        sleep 1
-        send -- "ls /etc/firejail\r"
-        expect {
-                timeout {puts "TESTING ERROR 5\n";exit}
-                "Permission denied"
-        }
-        after 100
        send -- "ls ~/.config/firejail\r"
        expect {
                timeout {puts "TESTING ERROR 5.1\n";exit}
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
index aed5fe836..f4b544b3d 100755
--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -22,8 +22,8 @@ sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "12" { puts "Debian\n"}
+        "13" { puts "Debian\n"}
-        "11" { puts "Centos\n"}
+        "12" { puts "Centos\n"}
 }
 after 100
@@ -45,8 +45,8 @@ if { $overlay == "overlay" } {
        send -- "ls -l /dev | wc -l\r"
        expect {
                timeout {puts "TESTING ERROR 3.1\n";exit}
-                "12" { puts "Debian\n"}
+                "13" { puts "Debian\n"}
-                "11" { puts "Centos\n"}
+                "12" { puts "Centos\n"}
        }
        
        after 100
@@ -68,7 +68,7 @@ if { $chroot == "chroot" } {
        send -- "ls -l /dev | wc -l\r"
        expect {
                timeout {puts "TESTING ERROR 5.1\n";exit}
-                "11"
+                "12"
        }
        
        after 100
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
index a00517716..389e63a1d 100755
--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -60,14 +60,19 @@ if { $chroot == "chroot" } {
        expect {
                timeout {puts "TESTING ERROR 4\n";exit}
                "chroot option is not available" {puts "grsecurity\n"; exit}
+                "private-etc feature is disabled in chroot"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5\n";exit}
+                "chroot option is not available" {puts "grsecurity\n"; exit}
                "Child process initialized"
        }
        sleep 1
        
-        send -- "ls -al /etc | wc -l\r"
+        send -- "ls /etc | grep firejail\r"
        expect {
-                timeout {puts "TESTING ERROR 5.1\n";exit}
+                timeout {puts "TESTING ERROR 6\n";exit}
-                "10"
+                "firejail"
        }
        
        after 100
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
index 94a1abf67..d941fa9b7 100755
--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -61,14 +61,18 @@ if { $chroot == "chroot" } {
        send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
        expect {
                timeout {puts "TESTING ERROR 4\n";exit}
+                "private-bin feature is disabled in chroot"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5\n";exit}
                "Child process initialized"
        }
        sleep 1
        
        send -- "ls -l /usr/bin | wc -l\r"
        expect {
-                timeout {puts "TESTING ERROR 5.1\n";exit}
+                timeout {puts "TESTING ERROR 6\n";exit}
-                "6"
+                "9"
        }
        
        after 100
diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp
new file mode 100755
index 000000000..d9d662239
--- /dev/null
+++ b/test/filters/caps-print.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --noprofile --caps --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Drop CAP_SYS_RAWIO"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Drop CAP_SYS_BOOT"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Drop CAP_SYS_NICE"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Drop CAP_SYS_TTY_CONFIG"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Drop CAP_SYSLOG"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Drop CAP_MKNOD"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "chown               - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "setgid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "setuid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mknod               - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "syslog              - disabled"
+}
+after 100
+send -- "firejail --debug-caps\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "21     - sys_admin"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "22     - sys_boot"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "23     - sys_nice"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "24     - sys_resource"
+}
+after 100
+send -- "firejail --caps.keep=\"bla bla bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "capability"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "not found"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
new file mode 100755
index 000000000..2954f2e58
--- /dev/null
+++ b/test/filters/caps.exp
@@ -0,0 +1,139 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "CapBnd:        0000000000000009"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --profile=caps1.profile --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "exit\r"
+sleep 1
+## tofix: possible problem with caps.keep in profile files
+##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+#send -- "firejail --profile=caps2.profile\r"
+#expect {
+#       timeout {puts "TESTING ERROR 15\n";exit}
+#       "Child process initialized"
+#}
+#after 100
+#
+#send -- "cat /proc/self/status\r"
+#expect {
+#       timeout {puts "TESTING ERROR 16\n";exit}
+#       "CapBnd:        0000000000000009"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 17\n";exit}
+#       "Seccomp:"
+#}
+#send -- "exit\r"
+#sleep 1
+#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --profile=caps3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+after 100
+puts "\nall done\n"
diff --git a/test/filters/caps1.profile b/test/filters/caps1.profile
new file mode 100644
index 000000000..8b0c3b340
--- /dev/null
+++ b/test/filters/caps1.profile
@@ -0,0 +1 @@
+caps
diff --git a/test/filters/caps2.profile b/test/filters/caps2.profile
new file mode 100644
index 000000000..4f0016fad
--- /dev/null
+++ b/test/filters/caps2.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
+\ No newline at end of file
diff --git a/test/filters/caps3.profile b/test/filters/caps3.profile
new file mode 100644
index 000000000..4f0016fad
--- /dev/null
+++ b/test/filters/caps3.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
+\ No newline at end of file
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
new file mode 100755
index 000000000..fea4a0296
--- /dev/null
+++ b/test/filters/filters.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: noroot (test/filters/noroot.exp)"
+./noroot.exp
+echo "TESTING: capabilities (test/filters/caps.exp)"
+./caps.exp
+echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+./caps-print.exp
+rm -f seccomp-test-file
+if [ "$(uname -m)" = "x86_64" ]; then
+       echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
+        ./fseccomp.exp
+else
+        echo "TESTING SKIP: fseccomp test implemented only for x86_64"
+fi
+rm -f seccomp-test-file
+if [ "$(uname -m)" = "x86_64" ]; then
+        echo "TESTING: protocol (test/filters/protocol.exp)"
+        ./protocol.exp
+else
+        echo "TESTING SKIP: protocol, running only on x86_64"
+fi
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+echo "TESTING: seccomp debug  (test/filters/seccomp-debug.exp)"
+./seccomp-debug.exp
+echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
+./seccomp-errno.exp
+echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
+./seccomp-su.exp
+which strace
+if [ $? -eq 0 ]; then
+        echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)"
+        ./seccomp-ptrace.exp
+else
+        echo "TESTING SKIP: ptrace, strace not found"
+fi
+echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)"
+./seccomp-chmod-profile.exp
+# todo:  fix pwd and add seccomp-chown.exp
+echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
+./seccomp-empty.exp
+if [ "$(uname -m)" = "x86_64" ]; then
+        echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
+        ./seccomp-dualfilter.exp
+else
+        echo "TESTING SKIP: seccomp dual, not running on x86_64"
+fi
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
new file mode 100755
index 000000000..8a9a8f9dc
--- /dev/null
+++ b/test/filters/fseccomp.exp
@@ -0,0 +1,138 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-syscalls\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "1      - write"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-errnos\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "1      - EPERM"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-protocols\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "unix, inet, inet6, netlink, packet,"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp protocol build unix,inet seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "WHITELIST 41 socket"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp secondary 64 seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.3\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp default seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 7.1\n";exit}
+        "BLACKLIST 165 mount" {puts "TESTING ERROR 7.2\n";exit}
+        "BLACKLIST 166 umount2" {puts "TESTING ERROR 7.3\n";exit}
+        "BLACKLIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.4\n";exit}
+        "BLACKLIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.5\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp default drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 8.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.3\n";exit}
+        "BLACKLIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.4\n";exit}
+        "BLACKLIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.5\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp keep seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 9.1\n";exit}
+        "WHITELIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 9.2\n";exit}
+        "WHITELIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 9.3\n";exit}
+        "KILL_PROCESS"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
new file mode 100755
index 000000000..b011f2bf9
--- /dev/null
+++ b/test/filters/noroot.exp
@@ -0,0 +1,160 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "2"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Operation not permitted"
+}
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+        "Bad system call" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "5"
+}
+puts "\n"
+send -- "exit\r"
+sleep 2
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "ffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "0"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "Operation not permitted"
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "5"
+}
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "User namespace detected"
+}
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "Joining user namespace"
+}
+sleep 1
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+        "Permission denied" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "5"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/protocol.exp b/test/filters/protocol.exp
index 018f4cd9b..835f645b2 100755
--- a/test/protocol.exp
+++ b/test/filters/protocol.exp
@@ -1,16 +1,21 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --noprofile --protocol=unix ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
+        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
        "Child process initialized"
 }
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
        "socket AF_INET"
 }
 expect {
@@ -47,7 +52,7 @@ expect {
 }
 sleep 1
-send -- "firejail --noprofile --protocol=inet6,packet ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Child process initialized"
@@ -91,7 +96,7 @@ expect {
 sleep 1
 # profile testing
-send -- "firejail --profile=protocol1.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Child process initialized"
@@ -134,7 +139,7 @@ expect {
 }
 sleep 1
-send -- "firejail --profile=protocol2.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
@@ -175,10 +180,6 @@ expect {
        timeout {puts "TESTING ERROR 4.9\n";exit}
        "after socket"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/protocol1.profile b/test/filters/protocol1.profile
index 3e1ea2a29..3e1ea2a29 100644
--- a/test/protocol1.profile
+++ b/test/filters/protocol1.profile
diff --git a/test/protocol2.profile b/test/filters/protocol2.profile
index b7eb4ab91..b7eb4ab91 100644
--- a/test/protocol2.profile
+++ b/test/filters/protocol2.profile
diff --git a/test/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
index 631d67743..1bd9c9b1f 100755
--- a/test/seccomp-bad-empty.exp
+++ b/test/filters/seccomp-bad-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -33,6 +36,6 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "Error: line 1 in seccomp-bad-empty2.profile is invalid"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile
index 2d4fcde7c..2d4fcde7c 100644
--- a/test/seccomp-bad-empty.profile
+++ b/test/filters/seccomp-bad-empty.profile
diff --git a/test/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile
index c4e6c9f74..c4e6c9f74 100644
--- a/test/seccomp-bad-empty2.profile
+++ b/test/filters/seccomp-bad-empty2.profile
diff --git a/test/ip6.exp b/test/filters/seccomp-chmod-profile.exp
index fba47d095..463ce05e9 100755
--- a/test/ip6.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -1,43 +1,51 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
+send --  "firejail --profile=seccomp.profile --private\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Installing network filter"
+        "Child process initialized"
 }
+sleep 2
+send -- "cd ~; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "DROP"
+        "done"
 }
+send -- "touch testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "2001:db8:1f0a:3ec::2"
+        "done"
 }
+send -- "ls -l testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "testfile"
 }
-sleep 2
-send -- "/sbin/ifconfig\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "inet6"
+        "done"
 }
+send -- "chmod +x testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "2001:db8:0:f101::1"
+        "Bad system call"
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "Scope:Global" { puts "Debian\n"}
+        "done"
-        "scopeid 0x0<global>" { puts "Arch\n"}
 }
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/pid.exp b/test/filters/seccomp-chmod.exp
index cdeb9d5fb..b17990e3a 100755
--- a/test/pid.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -1,49 +1,51 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail\r"
+send --  "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 1
+sleep 2
-# test processes
+send -- "cd ~; echo done\r"
-send -- "bash\r"
-sleep 1
-send -- "ps aux; pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "/bin/bash"
+        "done"
 }
+send -- "touch testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "bash"
+        "done"
 }
+send -- "ls -l testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "ps aux"
+        "testfile"
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
-send -- "ps aux |wc -l; pwd\r"
+send -- "chmod +x testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "6" {puts "normal system\n"}
+        "Bad system call"
-        "5" {puts "grsecurity\n"}
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/seccomp-chown.exp b/test/filters/seccomp-chown.exp
index 69b896700..a54d279f1 100755
--- a/test/seccomp-chown.exp
+++ b/test/filters/seccomp-chown.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -42,5 +45,5 @@ expect {
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 1034f040e..dbc0d37a9 100755
--- a/test/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
new file mode 100755
index 000000000..958dab528
--- /dev/null
+++ b/test/filters/seccomp-dualfilter.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 1
+spawn $env(SHELL)
+match_max 100000
+send -- "./syscall_test\r"
+expect {
+        timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
+        "Usage"
+}
+send -- "./syscall_test32\r"
+expect {
+        timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
+        "Usage"
+}
+set timeout 10
+send -- "firejail ./syscall_test mount\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "after mount" {puts "TESTING ERROR 3\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+send -- "firejail ./syscall_test32 mount\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "after mount" {puts "TESTING ERROR 7\n";exit}
+        "Parent is shutting down"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/seccomp-empty.exp b/test/filters/seccomp-empty.exp
index 11abf2e00..d150dac7d 100755
--- a/test/seccomp-empty.exp
+++ b/test/filters/seccomp-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -141,5 +144,6 @@ expect {
 }
 sleep 2
 send -- "exit\r"
+after 100
 puts "\n"
diff --git a/test/seccomp-empty.profile b/test/filters/seccomp-empty.profile
index 8f71f55a5..8f71f55a5 100644
--- a/test/seccomp-empty.profile
+++ b/test/filters/seccomp-empty.profile
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp
new file mode 100755
index 000000000..c3af2fbe9
--- /dev/null
+++ b/test/filters/seccomp-errno.exp
@@ -0,0 +1,54 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "touch seccomp-test-file\r"
+after 100
+send --  "firejail --seccomp=unlinkat:ENOENT rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "No such file or directory"
+}
+sleep 1
+send --  "firejail --seccomp=unlinkat:ENOENT --debug rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "unlinkat 2 ENOENT"
+}
+sleep 1
+send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "No such file or directory"
+}
+after 100
+puts "\n"
+send -- "mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 100
+puts "\n"
+send -- "exit\r"
+sleep 1
+send -- "rm seccomp-test-file\r"
+after 100
+puts "all done\n"
diff --git a/test/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
index 9a9b7430e..bb87b96ea 100755
--- a/test/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -19,5 +22,5 @@ expect {
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "all done\n"
diff --git a/test/seccomp-su.exp b/test/filters/seccomp-su.exp
index dcae6f869..3feabc20f 100755
--- a/test/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -14,21 +17,24 @@ sleep 2
 send -- "sudo su -\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "effective uid is not 0"
+        "effective uid is not 0" {puts "OK\n"}
+        "Bad system call" {puts "OK\n"}
 }
 send -- "sudo ls\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "effective uid is not 0"
+        "effective uid is not 0" {puts "OK\n"}
+        "Bad system call" {puts "OK\n"}
 }
 send -- "ping google.com\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "Operation not permitted"
+        "Operation not permitted" {puts "OK\n"}
+        "unknown host" {puts "OK\n"}
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "all done\n"
diff --git a/test/seccomp.profile b/test/filters/seccomp.profile
index cb0b15aee..cb0b15aee 100644
--- a/test/seccomp.profile
+++ b/test/filters/seccomp.profile
diff --git a/src/tools/syscall_test b/test/filters/syscall_test
index bf29c5b99..bf29c5b99 100755
--- a/src/tools/syscall_test
+++ b/test/filters/syscall_test
Binary files differ
diff --git a/src/tools/syscall_test.c b/test/filters/syscall_test.c
index b3f43c755..422af619d 100644
--- a/src/tools/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -1,3 +1,7 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2016 Firejail Authors
+// License GPL v2
 #include <stdlib.h>
 #include <stdio.h>
 #include <unistd.h>
diff --git a/src/tools/syscall_test32 b/test/filters/syscall_test32
index 8d72f58c4..8d72f58c4 100755
--- a/src/tools/syscall_test32
+++ b/test/filters/syscall_test32
Binary files differ
diff --git a/test/firejail-in-firejail.exp b/test/firejail-in-firejail.exp
deleted file mode 100755
index 5ba18d1fa..000000000
--- a/test/firejail-in-firejail.exp
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send --  "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Warning: an existing sandbox was detected"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/firejail-in-firejail2.exp b/test/firejail-in-firejail2.exp
deleted file mode 100755
index b0fed0dae..000000000
--- a/test/firejail-in-firejail2.exp
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send --  "firejail --force\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
new file mode 100755
index 000000000..611b62b09
--- /dev/null
+++ b/test/fs/fs.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+rm -fr ~/_firejail_test_*
+echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)"
+./mkdir_mkfile.exp
+rm -fr ~/_firejail_test_*
+mkdir ~/_firejail_test_dir
+touch ~/_firejail_test_dir/a
+mkdir ~/_firejail_test_dir/test1
+touch ~/_firejail_test_dir/test1/b
+echo "TESTING: read/write (test/fs/read-write.exp)"
+./read-write.exp
+rm -fr ~/_firejail_test_*
+echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
+./sys_fs.exp
+echo "TESTING: kmsg access (test/fs/kmsg.exp)"
+./kmsg.exp
+echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
+./fs_var_tmp.exp
+echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
+./fs_var_lock.exp
+echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
+./fs_dev_shm.exp
+echo "TESTING: private (test/fs/private.exp)"
+./private.exp
+echo "TESTING: private home (test/fs/private-home.exp)"
+./private-home.exp
+echo "TESTING: private home dir (test/fs/private-home-dir.exp)"
+./private-home-dir.exp
+echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)"
+./private-homedir.exp
+echo "TESTING: private-etc (test/fs/private-etc.exp)"
+./private-etc.exp
+echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
+./private-etc-empty.exp
+echo "TESTING: private-bin (test/fs/private-bin.exp)"
+./private-bin.exp
+echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
+./whitelist-empty.exp
+echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
+./private-whitelist.exp
+echo "TESTING: whitelist ~/Downloads (test/fs/whitelist-downloads.exp)"
+./whitelist-downloads.exp
+echo "TESTING: invalid filename (test/fs/invalid_filename.exp)"
+./invalid_filename.exp
+echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)"
+./option_blacklist.exp
+echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
+./option_blacklist_file.exp
+echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)"
+./option_blacklist_glob.exp
+echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
+./option_bind_user.exp
+echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
+./mkdir.exp
+echo "TESTING: double whitelist (test/fs/whitelist-double.exp)"
+./whitelist-double.exp
+echo "TESTING: whitelist (test/fs/whitelist.exp)"
+./whitelist.exp
+echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
+./whitelist-dev.exp
+echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)"
+./fscheck-bindnoroot.exp
+echo "TESTING: fscheck --tmpfs non root (test/fs/fscheck-tmpfs.exp)"
+./fscheck-tmpfs.exp
+echo "TESTING: fscheck --private= (test/fs/fscheck-private.exp)"
+./fscheck-private.exp
+echo "TESTING: fscheck --read-only= (test/fs/fscheck-readonly.exp)"
+./fscheck-readonly.exp
+#cleanup
+rm -fr ~/fjtest-dir
+rm -fr ~/fjtest-dir-lnk
+rm -f ~/fjtest-file
+rm -f ~/fjtest-file-lnk
+rm -f /tmp/fjtest-file
+rm -fr /tmp/fjtest-dir
+rm -fr ~/_firejail_test_*
diff --git a/test/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
index b54f24eb5..8150dfa61 100755
--- a/test/fs_dev_shm.exp
+++ b/test/fs/fs_dev_shm.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -12,33 +15,33 @@ expect {
 }
 sleep 1
-send -- "echo mytest > /dev/shm/ttt;pwd\r"
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /dev/shm/ttt;pwd\r"
+send -- "rm /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 sleep 1
@@ -48,40 +51,40 @@ sleep 1
 # redo the test with --private
 send -- "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "echo mytest > /dev/shm/ttt;pwd\r"
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
+        timeout {puts "TESTING ERROR 8\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
+        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /dev/shm/ttt;pwd\r"
+send -- "rm /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
+        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
+        timeout {puts "TESTING ERROR 12\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp
new file mode 100755
index 000000000..5879dca52
--- /dev/null
+++ b/test/fs/fs_var_lock.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# testing read-write /var/lock
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "echo mytest > /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "mytest"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+send -- "rm /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
+        "done"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+# redo the test with --private
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "echo mytest > /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "mytest"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "done"
+}
+send -- "rm /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp
index 95ceeb2a4..a3bc5afe2 100755
--- a/test/fs_var_tmp.exp
+++ b/test/fs/fs_var_tmp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -12,33 +15,33 @@ expect {
 }
 sleep 1
-send -- "echo mytest > /var/tmp/ttt;pwd\r"
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /var/tmp/ttt;pwd\r"
+send -- "rm /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 sleep 1
@@ -48,40 +51,40 @@ sleep 1
 # redo the test with --private
 send -- "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "echo mytest > /var/tmp/ttt;pwd\r"
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
+        timeout {puts "TESTING ERROR 8\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
+        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /var/tmp/ttt;pwd\r"
+send -- "rm /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
+        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
+        timeout {puts "TESTING ERROR 12\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fscheck-bindnoroot.exp b/test/fs/fscheck-bindnoroot.exp
index 796a7d975..8cbe2b8af 100755
--- a/test/fscheck-bindnoroot.exp
+++ b/test/fs/fscheck-bindnoroot.exp
@@ -5,10 +5,13 @@ spawn $env(SHELL)
 match_max 100000
 # dir
-send -- "firejail --net=br0 --bind=fscheck-dir,/etc\r"
+send -- "firejail --net=br0 --bind=testdir1,/etc\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Error"
 }
 after 100
+puts "\nall done\n"
diff --git a/test/fs/fscheck-private.exp b/test/fs/fscheck-private.exp
new file mode 100755
index 000000000..28c921538
--- /dev/null
+++ b/test/fs/fscheck-private.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# file link
+#send -- "firejail --private=fscheck-file-link\r"
+#expect {
+#       timeout {puts "TESTING ERROR 2\n";exit}
+#       "Error"
+#}
+#after 100
+# file 
+send -- "firejail --private=testfile1\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "Error"
+}
+after 100
+# ..
+send -- "firejail --private=../fs/testfile1\r"
+expect {
+        timeout {puts "TESTING ERROR 2.2\n";exit}
+        "Error"
+}
+after 100
+# no file
+send -- "firejail --private=../test/nodir\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Error"
+}
+after 100
+# same owner
+send -- "firejail --private=/etc\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Error"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fscheck-readonly.exp b/test/fs/fscheck-readonly.exp
index e0f0a8a1d..4d7528e50 100755
--- a/test/fscheck-readonly.exp
+++ b/test/fs/fscheck-readonly.exp
@@ -5,10 +5,11 @@ spawn $env(SHELL)
 match_max 100000
 # dir
-send -- "firejail --net=br0 --read-only=../test/fscheck-dir\r"
+send -- "firejail --read-only=../test/testdir1\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Error"
 }
 after 100
+puts "\nall done\n"
diff --git a/test/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index d5bbccd96..deac5a631 100755
--- a/test/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 # ..
-send -- "firejail --net=br0 --tmpfs=../test/fscheck-dir\r"
+send -- "firejail --tmpfs=fscheck-dir\r"
 expect {
        timeout {puts "TESTING ERROR 0.1\n";exit}
        "Error"
diff --git a/test/invalid_filename.exp b/test/fs/invalid_filename.exp
index fe8bd8c25..a6efc24b6 100755
--- a/test/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -1,23 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
-#invalid_filename checks:
+# Copyright (C) 2014-2016 Firejail Authors
-#
+# License GPL v2
-#--bind (two files) - profile.c - Note: The test is not implemented here, need to be root to test it
-#--blacklist - profile.c
-#--cgroup - cgroup.c
-#--chroot - main.c
-#--netfilter - netfilter.c
-#--output - output.c
-#--private - fs_home.c
-#--privte-bin (list) - fs_bin.c
-#--private-home (list) - fs_home.c
-#--private-etc (list) - fs_etc.c
-#--profile - main.c
-#--read_only - profile.c
-#--shell - main.c
-#--tmpfs - profile.c
-#--white-list
 set timeout 10
 spawn $env(SHELL)
@@ -125,6 +109,21 @@ expect {
 }
 after 100
+send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 8.1\n";exit}
+        "Checking filename bla&&bla"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.2\n";exit}
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.3\n";exit}
+        "is an invalid filename"
+}
+after 100
 send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r"
 expect {
        timeout {puts "TESTING ERROR 9.1\n";exit}
@@ -201,7 +200,5 @@ expect {
 }
 after 100
 puts "\nall done\n"
diff --git a/test/kmsg.exp b/test/fs/kmsg.exp
index 096bdb708..abc711aee 100755
--- a/test/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,14 +19,14 @@ expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Permission denied"
 }
-sleep 1
+after 100
 send -- "cat /proc/kmsg\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Permission denied"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
new file mode 100755
index 000000000..111db06db
--- /dev/null
+++ b/test/fs/mkdir.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2016 Firejail Authors
+# License GPL v2
+set timeout 3
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 1.3\n";exit}
+        ".firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf ~/.firejail_test\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
new file mode 100644
index 000000000..61b44c9ac
--- /dev/null
+++ b/test/fs/mkdir.profile
@@ -0,0 +1,2 @@
+mkdir ~/.firejail_test/a/b/c
+mkfile ~/.firejail_test/a/b/c/d.txt
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
new file mode 100755
index 000000000..98163bf77
--- /dev/null
+++ b/test/fs/mkdir_mkfile.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# testing profile and private
+send -- "firejail --private --profile=mkdir_mkfile.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find ~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_file"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1/dir2"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1/dir2/dir3"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1/dir2/dir3/file1"
+}
+after 100
+puts "all done\n"
diff --git a/test/fs/mkdir_mkfile.profile b/test/fs/mkdir_mkfile.profile
new file mode 100644
index 000000000..d179c62ac
--- /dev/null
+++ b/test/fs/mkdir_mkfile.profile
@@ -0,0 +1,4 @@
+mkdir ~/_firejail_test_dir
+mkfile ~/_firejail_test_file
+mkdir ~/_firejail_test_dir/dir1/dir2/dir3
+mkfile ~/_firejail_test_dir/dir1/dir2/dir3/file1
diff --git a/test/option_bind_user.exp b/test/fs/option_bind_user.exp
index 9d2d17d7f..a2912968e 100755
--- a/test/option_bind_user.exp
+++ b/test/fs/option_bind_user.exp
@@ -9,7 +9,7 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "bind option is available only if running as root"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/option_blacklist.exp b/test/fs/option_blacklist.exp
index b80d0cc60..6554d438f 100755
--- a/test/option_blacklist.exp
+++ b/test/fs/option_blacklist.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,25 +14,25 @@ expect {
 }
 sleep 1
-send -- "ls -l /var;pwd\r"
+send -- "ls -l /var;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Permission denied"
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
-send -- "cd /var;pwd\r"
+send -- "cd /var;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Permission denied"
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
index ecdfe3b82..b0164136c 100755
--- a/test/option_blacklist_file.exp
+++ b/test/fs/option_blacklist_file.exp
@@ -11,16 +11,16 @@ expect {
 }
 sleep 1
-send -- "cat /etc/passwd;pwd\r"
+send -- "cat /etc/passwd;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Permission denied"
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp
new file mode 100755
index 000000000..5a96cacc9
--- /dev/null
+++ b/test/fs/option_blacklist_glob.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --blacklist=testdir1/*\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cd testdir1\r"
+sleep 1
+send -- "cat .file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Permission denied"
+}
+send -- "ls .directory\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+puts "\n"
diff --git a/test/private-bin.exp b/test/fs/private-bin.exp
index a82d2b213..f7181d218 100755
--- a/test/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -62,10 +65,29 @@ expect {
        "sh"
 }
 send -- "exit\r"
+after 100
+send -- "firejail --private-bin=/etc/shadow\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "invalid filename"
+}
+after 100
+send -- "firejail --private-bin=\"bla;bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "is an invalid filename"
+}
+after 100
-sleep 1
+send -- "firejail --private-etc=../bin/ls\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "is an invalid filename"
+}
+after 100
 puts "\nall done\n"
diff --git a/test/private-bin.profile b/test/fs/private-bin.profile
index 24cf5929a..24cf5929a 100644
--- a/test/private-bin.profile
+++ b/test/fs/private-bin.profile
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
new file mode 100755
index 000000000..5ddce8678
--- /dev/null
+++ b/test/fs/private-etc-empty.exp
@@ -0,0 +1,42 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private-etc=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0" {puts "Debian\n"}
+        "1" {puts "Arch\n"}
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --profile=private-etc-empty.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0" {puts "Debian\n"}
+        "1" {puts "Arch\n"}
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile
new file mode 100644
index 000000000..38aa8cd68
--- /dev/null
+++ b/test/fs/private-etc-empty.profile
@@ -0,0 +1 @@
+private-etc blablabla
diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp
new file mode 100755
index 000000000..36b5d247c
--- /dev/null
+++ b/test/fs/private-etc.exp
@@ -0,0 +1,73 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# directory with ~
+send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "LC_ALL=C ls -al /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "X11"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "group"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "passwd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "resolv.conf"
+}
+send -- "file /etc/shadow\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --private-etc=shadow\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "invalid file type"
+}
+after 100
+send -- "firejail --private-etc=\"bla;bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "is an invalid filename"
+}
+after 100
+send -- "firejail --private-etc=../bin/ls\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "is an invalid filename"
+}
+after 100
+after 100
+puts "\nall done\n"
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
new file mode 100755
index 000000000..5491be834
--- /dev/null
+++ b/test/fs/private-home-dir.exp
@@ -0,0 +1,70 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+if {[file exists ~/.asoundrc]} {
+        puts "found .asoundrc file\n"
+} else {
+        send -- "touch ~/.asoundrc\r"
+}
+after 100
+if {[file exists ~/.Xauthority]} {
+        puts "found .Xauthority file\n"
+} else {
+        send -- "touch ~/.Xauthority\r"
+}
+after 100
+send -- "mkdir ~/_firejail_test_dir_\r"
+sleep 1
+# testing profile and private
+send -- "firejail --private=~/_firejail_test_dir_\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send -- "ls -al ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        ".asoundrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ".bashrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        ".Xauthority"
+}
+after 100
+send -- "exit\r"
+sleep 1
+# testing profile and private
+send -- "firejail --private=/etc\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "private directory should be owned by the current user"
+}
+sleep 1
+puts "all done\n"
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp
new file mode 100755
index 000000000..3840d1cb8
--- /dev/null
+++ b/test/fs/private-home.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# create some test files in user home directory
+send -- "touch ~/_firejail_test_file1\r"
+after 100
+send -- "touch ~/_firejail_test_file2\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir1\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir1/_firejail_test_dir2\r"
+after 100
+send -- "touch ~/_firejail_test_dir1/_firejail_test_dir2/_firejail_test_file3\r"
+after 100
+send -- "ln -s /etc ~/_firejail_test_link1\r"
+after 100
+send -- "ln -s ~/_firejail_test_dir1 ~/_firejail_test_link2\r"
+after 100
+send -- "firejail --private-home=_firejail_test_file1,_firejail_test_file2,_firejail_test_dir1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "find ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "_firejail_test_file3"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "_firejail_test_file2"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "_firejail_test_file1"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --private-home=\"bla;bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "is an invalid filename"
+}
+after 100
+send -- "firejail --private-home=/etc/shadow\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "invalid file"
+}
+after 100
+send -- "firejail --private-home=/etc/passwd\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "invalid file"
+}
+after 100
+send -- "firejail --private-home=../../etc/passwd\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "invalid file"
+}
+after 100
+send -- "firejail --private-home=_firejail_test_link1\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "to file or directory not owned by the user"
+}
+after 100
+send -- "firejail --private-home=_firejail_test_link2\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "file file ~/_firejail_test_link2\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "broken symbolic link"
+}
+send -- "exit\r"
+send -- "rm -f ~/_firejail_test*\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp
new file mode 100755
index 000000000..35085948a
--- /dev/null
+++ b/test/fs/private-homedir.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private=~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "ls -l ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "total 0"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/private-whitelist.exp b/test/fs/private-whitelist.exp
index 7379241ef..4dadeacb1 100755
--- a/test/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -9,26 +12,28 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 1
+after 100
 send -- "ls -al /tmp\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        ".X11-unix"
 }
-sleep 1
+after 100
 send -- "ls -a /tmp | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "3"
 }
-sleep 1
+after 100
 send -- "ls -a ~ | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "5"
+        "3" {puts "3\n"}
+        "4" {puts "4\n"}
+        "5" {puts "5\n"}
 }
 sleep 1
diff --git a/test/fs/private.exp b/test/fs/private.exp
new file mode 100755
index 000000000..8114ee45d
--- /dev/null
+++ b/test/fs/private.exp
@@ -0,0 +1,58 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+if {[file exists ~/.asoundrc]} {
+        puts "found .asoundrc file\n"
+} else {
+        send -- "touch ~/.asoundrc\r"
+}
+after 100
+if {[file exists ~/.Xauthority]} {
+        puts "found .Xauthority file\n"
+} else {
+        send -- "touch ~/.Xauthority\r"
+}
+after 100
+# testing profile and private
+send -- "firejail --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send -- "ls -al ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        ".asoundrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ".bashrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        ".Xauthority"
+}
+after 100
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp
new file mode 100755
index 000000000..19a915f66
--- /dev/null
+++ b/test/fs/read-write.exp
@@ -0,0 +1,35 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "echo mytest > ~/_firejail_test_dir/a\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Read-only file system"
+}
+after 100
+send -- "echo mytest > ~/_firejail_test_dir/test1/b\r"
+sleep 1
+send -- "cat ~/_firejail_test_dir/test1/b\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mytest"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
new file mode 100755
index 000000000..f512776d9
--- /dev/null
+++ b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fs/testdir1/.directory/file b/test/fs/testdir1/.directory/file
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fs/testdir1/.directory/file
diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fs/testdir1/.file
diff --git a/test/fs/testfile1 b/test/fs/testfile1
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fs/testfile1
diff --git a/test/fs/user-dirs.dirs b/test/fs/user-dirs.dirs
new file mode 100644
index 000000000..0d19da4e4
--- /dev/null
+++ b/test/fs/user-dirs.dirs
@@ -0,0 +1,15 @@
+# This file is written by xdg-user-dirs-update
+# If you want to change or add directories, just edit the line you're
+# interested in. All local changes will be retained on the next run
+# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
+# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
+# absolute path. No other format is supported.
+# 
+XDG_DESKTOP_DIR="$HOME/Desktop"
+XDG_DOWNLOAD_DIR="$HOME/Downloads"
+XDG_TEMPLATES_DIR="$HOME/Templates"
+XDG_PUBLICSHARE_DIR="$HOME/Public"
+XDG_DOCUMENTS_DIR="$HOME/Documents"
+XDG_MUSIC_DIR="$HOME/Music"
+XDG_PICTURES_DIR="$HOME/Pictures"
+XDG_VIDEOS_DIR="$HOME/Videos"
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
new file mode 100755
index 000000000..a19d5cedf
--- /dev/null
+++ b/test/fs/whitelist-dev.exp
@@ -0,0 +1,47 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --whitelist=/dev/null --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /dev | find /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --whitelist=/var/tmp --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /dev | find /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2"
+}
+after 100
+send -- "exit\r"
+sleep 1
+after 100
+puts "\nall done\n"
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp
new file mode 100755
index 000000000..fc05f9322
--- /dev/null
+++ b/test/fs/whitelist-double.exp
@@ -0,0 +1,42 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "echo 123 > /tmp/firejal-deleteme\r"
+sleep 1
+send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+send -- "cat /tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "123"
+}
+send -- "rm /tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "0"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs/whitelist-downloads.exp b/test/fs/whitelist-downloads.exp
new file mode 100755
index 000000000..6af318d2b
--- /dev/null
+++ b/test/fs/whitelist-downloads.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "cp user-dirs.dirs /tmp/.\r"
+after 100
+send -- "firejail --private --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "firejail --force --profile=/etc/firejail/firefox.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "cannot whitelist Downloads directory"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "exit\r"
+after 100
+send -- "cp /tmp/user-dirs.dirs ~/.config/.\r"
+after 100
+send -- "firejail --force --profile=/etc/firejail/firefox.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "cannot whitelist Downloads directory"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/whitelist-empty.exp b/test/fs/whitelist-empty.exp
index 226b019db..71bb8f914 100755
--- a/test/whitelist-empty.exp
+++ b/test/fs/whitelist-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 30
 spawn $env(SHELL)
@@ -46,5 +49,6 @@ expect {
        "0"
 }
+after 100
 puts "\nall done\n"
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
new file mode 100755
index 000000000..9b631b884
--- /dev/null
+++ b/test/fs/whitelist.exp
@@ -0,0 +1,226 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
+after 200
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "rm /tmp/fjtest-file\r"
+after 200
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 200
+# simple files and directories
+send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r"
+after 200
+send -- "echo 123 > ~/fjtest-file\r"
+after 200
+send -- "echo 123 > ~/fjtest-dir/fjtest-file\r"
+after 200
+send -- "echo 123 > ~/fjtest-dir/fjtest-dir/fjtest-file\r"
+after 200
+send -- "ln -s ~/fjtest-file ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2"
+}
+send -- "cat ~/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# simple files and directories
+send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "1"
+}
+send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# symlinks
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "4"
+}
+send -- "cat ~/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-file-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-dir-lnk/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-dir-lnk/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# symlinks outside home to a file we don't own
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "invalid whitelist path"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "exiting"
+}
+sleep 1
+# symlinks outside home to a file we own
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "echo 123 > /tmp/fjtest-file\r"
+after 200
+send -- "mkdir /tmp/fjtest-dir\r"
+after 200
+send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r"
+after 200
+send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 40\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 41\n";exit}
+        "2"
+}
+send -- "cat ~/fjtest-file-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 42\n";exit}
+        "123"
+}
+send -- "cat ~/fjtest-dir-lnk/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 43\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
+after 200
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "rm /tmp/fjtest-file\r"
+after 200
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 200
+puts "\nall done\n"
diff --git a/test/fs_var_lock.exp b/test/fs_var_lock.exp
deleted file mode 100755
index dfcf571f4..000000000
--- a/test/fs_var_lock.exp
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-# testing read-write /var/lock
-send -- "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "echo mytest > /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "mytest"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
-}
-send -- "rm /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-# redo the test with --private
-send -- "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "echo mytest > /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
-        "mytest"
-}
-expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "home"
-}
-send -- "rm /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
-        "home"
-}
-sleep 1
-puts "\n"
diff --git a/test/fscheck-private.exp b/test/fscheck-private.exp
deleted file mode 100755
index 8e485cc03..000000000
--- a/test/fscheck-private.exp
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-# ..
-#send -- "firejail --net=br0 --private=../test/fscheck-dir\r"
-#expect {
-#       timeout {puts "TESTING ERROR 0.1\n";exit}
-#       "Error"
-#}
-#after 100
-# dir link
-#send -- "firejail --net=br0 --private=fscheck-dir-link\r"
-#expect {
-#       timeout {puts "TESTING ERROR 1\n";exit}
-#       "Error"
-#}
-#after 100
-# ..
-#send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r"
-#expect {
-#       timeout {puts "TESTING ERROR 1.1\n";exit}
-#       "Error"
-#}
-#after 100
-# file link
-send -- "firejail --net=br0 --private=fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-# file 
-send -- "firejail --net=br0 --private=fscheck-file\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Error"
-}
-after 100
-# ..
-send -- "firejail --net=br0 --private=../test/fscheck-file\r"
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Error"
-}
-after 100
-# no file
-send -- "firejail --net=br0 --private=../test/nodir\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Error"
-}
-after 100
-# same owner
-send -- "firejail --net=br0 --private=/etc\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Error"
-}
-after 100
diff --git a/test/google-chrome.exp b/test/google-chrome.exp
deleted file mode 100755
index 389988e3c..000000000
--- a/test/google-chrome.exp
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail google-chrome www.gentoo.org\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/google-chrome.profile"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 10
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        ":firejail"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "google-chrome"
-}
-sleep 1
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
-        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
-        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
-        "cannot open" {puts "grsecurity not present\n"}
-}
-send -- "firejail --name=blablabla\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-sleep 2
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        ":firejail google-chrome"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Seccomp:       0"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail google-chrome"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.1\n";exit}
-        "CapBnd:"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.2\n";exit}
-        "fffffffff"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.3\n";exit}
-        "name=blablabla"
-}
-sleep 1
-puts "\n"
diff --git a/test/net_interface.exp b/test/net_interface.exp
deleted file mode 100755
index 4b55187ff..000000000
--- a/test/net_interface.exp
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "ip link add link eth0 name eth0.100 type vlan id 100\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.101 type vlan id 101\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.102 type vlan id 102\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.103 type vlan id 103\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.104 type vlan id 104\r"
-sleep 1
-puts "\n"
-send -- "/sbin/ifconfig eth0.100 10.200.0.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.101 10.200.1.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.102 10.200.2.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.103 10.200.3.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.104 10.200.4.1/24\r"
-sleep 1
-puts "\n"
-send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103 --interface=eth0.104\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "maximum 4 interfaces are allowed"
-}
-sleep 1
-send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "eth0.100"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "UP"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "eth0.101"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "UP"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "eth0.102"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "UP"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "eth0.103"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "UP"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "firejail --noprofile --interface=eth0.104\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "eth0.104"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "UP"
-}
-puts "all done\n"
diff --git a/test/4bridges_arp.exp b/test/network/4bridges_arp.exp
index 6a3e6db2a..6383aad5e 100755
--- a/test/4bridges_arp.exp
+++ b/test/network/4bridges_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,9 +29,9 @@ expect {
        timeout {puts "TESTING ERROR 0.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth1
 send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
@@ -52,9 +55,9 @@ expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth2
@@ -79,9 +82,9 @@ expect {
        timeout {puts "TESTING ERROR 2.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -107,9 +110,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -164,7 +167,8 @@ expect {
        timeout {puts "TESTING ERROR 10.2\n";exit}
        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/4bridges_ip.exp b/test/network/4bridges_ip.exp
index 8068aeebb..e762ac285 100755
--- a/test/4bridges_ip.exp
+++ b/test/network/4bridges_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,9 +29,9 @@ expect {
        timeout {puts "TESTING ERROR 0.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth1
 send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
@@ -52,9 +55,9 @@ expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth2
@@ -79,9 +82,9 @@ expect {
        timeout {puts "TESTING ERROR 2.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -107,9 +110,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -168,7 +171,8 @@ expect {
        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/network/README b/test/network/README
new file mode 100644
index 000000000..4404c53b0
--- /dev/null
+++ b/test/network/README
@@ -0,0 +1,14 @@
+Warning: this test requires root access to configure a number of bridge, mac
+and vlan devices. Please take a look at configure file. By the time you are
+finished testing, you'll probably have to reboot the computer to get your
+networking subsytem back to normal.
+Limitations - to be investigated and fixed:
+        - the test is assuming an eth0 wired interface to be present
+        - using netstat and ifconfig - this needs to be moved to iproute2
+        - configure script inserts an entry in system netfilter configuration
+        - the test will probably not work on grsecurity settings
+        - macvlan interfaces don't seem to work correctly under VirtualBox
+Run the test:
+        $ ./network.sh | grep TESTING
diff --git a/test/bandwidth.exp b/test/network/bandwidth.exp
index 33b351296..8a2e46e04 100755
--- a/test/bandwidth.exp
+++ b/test/network/bandwidth.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -9,13 +12,13 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 spawn $env(SHELL)
 send -- "firejail --bandwidth=test status\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "qdisc noqueue 0: dev eth0"
+        "qdisc * 0: dev eth0"
 }
 sleep 1
@@ -51,12 +54,12 @@ expect {
 }
 sleep 1
-send -- "firejail --bandwidth=test status; pwd\r"
+send -- "firejail --bandwidth=test status; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit}
-        "home" {puts "ok\n"}
+        "done"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/network/configure b/test/network/configure
new file mode 100755
index 000000000..35d938340
--- /dev/null
+++ b/test/network/configure
@@ -0,0 +1,27 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+brctl addbr br0
+ifconfig br0 10.10.20.1/29 up
+# NAT masquerade
+iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE
+# port forwarding
+# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80
+        
+brctl addbr br1
+ifconfig br1 10.10.30.1/24 up
+brctl addbr br2
+ifconfig br2 10.10.40.1/24 up
+brctl addbr br3
+ifconfig br3 10.10.50.1/24 up
+brctl addbr br4
+ifconfig br4 10.10.60.1/24 up
+ip link add link eth0 name eth0.5 type vlan id 5
+/sbin/ifconfig eth0.5 10.10.205.10/24 up
+ip link add link eth0 name eth0.6 type vlan id 6
+/sbin/ifconfig eth0.6 10.10.206.10/24 up
+ip link add link eth0 name eth0.7 type vlan id 7
+/sbin/ifconfig eth0.7 10.10.207.10/24 up
diff --git a/test/network/dns-print.exp b/test/network/dns-print.exp
new file mode 100755
index 000000000..9cdc14a6d
--- /dev/null
+++ b/test/network/dns-print.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --dns.print=test-dns\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "nameserver 1.2.3.4"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "nameserver 2.3.4.5"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "nameserver 3.4.5.6"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp
new file mode 100755
index 000000000..71fa1660f
--- /dev/null
+++ b/test/network/firemon-arp.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+#send -- "ping -c 3 192.168.1.1\r"
+#expect {
+#       timeout {puts "TESTING ERROR 0\n";exit}
+#       "3 packets transmitted"
+#}
+#sleep 1
+send --  "firejail --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --arp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "192.168.1.1 dev eth0 lladdr" {puts "Debian testing\n";}
+        "192.168.1.1 dev enp0s3 lladdr" {puts "Centos 7 testing\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "REACHABLE"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "name=test2"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp
new file mode 100755
index 000000000..deb8594af
--- /dev/null
+++ b/test/network/firemon-interfaces.exp
@@ -0,0 +1,67 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0 --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=eth0 --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --interface\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Link status"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "lo UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "IPv4 status"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "lo UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "IPv6 status"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "lo UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "eth0-"
+}
+after 100
+puts "\n"
diff --git a/test/firemon-route.exp b/test/network/firemon-route.exp
index a48116675..19a705778 100755
--- a/test/firemon-route.exp
+++ b/test/network/firemon-route.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail\r"
+send --  "firejail --name=test1\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
@@ -12,22 +12,38 @@ expect {
 sleep 1
 spawn $env(SHELL)
-send -- "firemon --route\r"
+send --  "firejail --name=test2\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --route\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
        "0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";}
        "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";}
        "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";}
-        "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";}
+            "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";}
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "10.10.30.0/24, dev br1, scope link src 10.10.30.1"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "10.10.50.0/24, dev br3, scope link src 10.10.50.1"
 }
-sleep 1
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "name=test2"
+}
+after 100
-puts "\n"
+puts "\nalldone\n"
diff --git a/test/hostname.exp b/test/network/hostname.exp
index 4e5c7e073..73d06725f 100755
--- a/test/hostname.exp
+++ b/test/network/hostname.exp
@@ -1,25 +1,29 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --hostname=baluba --noprofile\r"
+send --  "firejail --hostname=bingo --noprofile\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "ping -c 3 baluba;pwd\r"
+send -- "ping -c 3 bingo; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "3 packets transmitted, 3 received"
 }
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "all done\n"
diff --git a/test/network/interface.exp b/test/network/interface.exp
new file mode 100755
index 000000000..bd8777c33
--- /dev/null
+++ b/test/network/interface.exp
@@ -0,0 +1,66 @@
+#!/usr/bin/expect -f
+#
+# interface
+#
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+#
+# N
+#
+# todo: seems to be unable to find interface eth0.7
+#send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6 --interface=eth0.7\r"
+send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "eth0.5"
+}
+expect {
+        timeout {puts "TESTING ERROR 2n";exit}
+        "Link"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "10.10.205.10"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1"
+}
+after 100
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0.6"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Link"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "10.10.206.10"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1"
+}
+after 100
+send -- "exit\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/network/ip6.exp b/test/network/ip6.exp
new file mode 100755
index 000000000..1db16c28a
--- /dev/null
+++ b/test/network/ip6.exp
@@ -0,0 +1,89 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Installing network filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "DROP"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
+        "2001:db8:1f0a:3ec::2"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "inet6"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "2001:db8:0:f101::1"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Scope:Global" { puts "Debian\n"}
+        "scopeid 0x0<global>" { puts "Arch\n"}
+}
+send -- "exit\r"
+sleep 2
+send -- "firejail --debug --profile=ip6.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Installing network filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "DROP"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
+        "2001:db8:1f0a:3ec::2"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "inet6"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "2001:db8:0:f101::1"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "Scope:Global" { puts "Debian\n"}
+        "scopeid 0x0<global>" { puts "Arch\n"}
+}
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/network/ip6.profile b/test/network/ip6.profile
new file mode 100644
index 000000000..87afa3941
--- /dev/null
+++ b/test/network/ip6.profile
@@ -0,0 +1,3 @@
+net br0
+ip6 2001:0db8:0:f101::1/64
+netfilter6 ipv6.net
diff --git a/test/network/iprange.exp b/test/network/iprange.exp
new file mode 100755
index 000000000..a1b2ccab4
--- /dev/null
+++ b/test/network/iprange.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.50" {puts "10.10.30.50\n"}
+        "10.10.30.51" {puts "10.10.30.51\n"}
+        "10.10.30.52" {puts "10.10.30.52\n"}
+        "10.10.30.53" {puts "10.10.30.53\n"}
+        "10.10.30.54" {puts "10.10.30.54\n"}
+        "10.10.30.55" {puts "10.10.30.55\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 2
+send -- "firejail --profile=iprange.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "10.10.30.50" {puts "10.10.30.50\n"}
+        "10.10.30.51" {puts "10.10.30.51\n"}
+        "10.10.30.52" {puts "10.10.30.52\n"}
+        "10.10.30.53" {puts "10.10.30.53\n"}
+        "10.10.30.54" {puts "10.10.30.54\n"}
+        "10.10.30.55" {puts "10.10.30.55\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 2
+send -- "firejail --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "no network device configured"
+}
+after 100
+send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "cannot configure the IP range twice for the same interface"
+}
+after 100
+send -- "firejail --net=br1 --iprange=10.10.30.50\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "invalid IP range"
+}
+after 100
+send -- "firejail --net=br0 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "IP range addresses not in network range"
+}
+after 100
+send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "invalid IP range"
+}
+after 100
+after 100
+puts "\nall done\n"
diff --git a/test/network/iprange.profile b/test/network/iprange.profile
new file mode 100644
index 000000000..ecc01cd93
--- /dev/null
+++ b/test/network/iprange.profile
@@ -0,0 +1,2 @@
+net br1
+iprange 10.10.30.50,10.10.30.55
diff --git a/test/ipv6.net b/test/network/ipv6.net
index cc8f22943..cc8f22943 100644
--- a/test/ipv6.net
+++ b/test/network/ipv6.net
diff --git a/test/network/net-profile.profile b/test/network/net-profile.profile
new file mode 100644
index 000000000..05052b6dc
--- /dev/null
+++ b/test/network/net-profile.profile
@@ -0,0 +1,10 @@
+net br0
+mac 00:11:22:33:44:55
+mtu 1000
+net br1
+ip 10.10.30.50
+net br2
+ip 10.10.40.100
+net br3
+defaultgw 10.10.20.2
diff --git a/test/net_arp.exp b/test/network/net_arp.exp
index 9e07744f3..fdd30f218 100755
--- a/test/net_arp.exp
+++ b/test/network/net_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -66,6 +69,6 @@ expect {
        "sleep 20"
 }
-# wait for snadboxes to be shutdown
+# wait for sandboxes to be shutdown
 sleep 30
 puts "\n"
diff --git a/test/net_badip.exp b/test/network/net_badip.exp
index 71b69e104..d13a6144e 100755
--- a/test/net_badip.exp
+++ b/test/network/net_badip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -10,7 +13,7 @@ expect {
        timeout {puts "TESTING ERROR 0.0\n";exit}
        "the IP address is not"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/net_defaultgw.exp b/test/network/net_defaultgw.exp
index 840f2ccac..6291ae5ba 100755
--- a/test/net_defaultgw.exp
+++ b/test/network/net_defaultgw.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -40,7 +43,8 @@ expect {
        timeout {puts "TESTING ERROR 10.2\n";exit}
        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/net_defaultgw2.exp b/test/network/net_defaultgw2.exp
index db14e17cb..7620e4899 100755
--- a/test/net_defaultgw2.exp
+++ b/test/network/net_defaultgw2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -34,7 +37,8 @@ expect {
        timeout {puts "TESTING ERROR 10.3\n";exit}
        "10.10.30.0/24 dev eth1  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/net_defaultgw3.exp b/test/network/net_defaultgw3.exp
index 64da9dfca..a47324adc 100755
--- a/test/net_defaultgw3.exp
+++ b/test/network/net_defaultgw3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,7 +14,8 @@ expect {
        "default gateway 10.10.95.89 is not in the range of any network"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/net_ip.exp b/test/network/net_ip.exp
index f5d487ecc..0fa84243a 100755
--- a/test/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,9 +29,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check loopback
 send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r"
@@ -66,7 +69,8 @@ expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\n"
diff --git a/test/net_local.exp b/test/network/net_local.exp
index 642213658..d58135785 100755
--- a/test/net_local.exp
+++ b/test/network/net_local.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -14,9 +17,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check loopback
 send -- "firejail --noprofile\r"
@@ -40,6 +43,8 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "255.0.0.0"
 }
+send -- "exit\r"
+after 100
 puts "all done\n"
diff --git a/test/net_mac.exp b/test/network/net_mac.exp
index 076634730..d3cd8163f 100755
--- a/test/net_mac.exp
+++ b/test/network/net_mac.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -30,7 +33,8 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp
new file mode 100755
index 000000000..7f21fc083
--- /dev/null
+++ b/test/network/net_macvlan2.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r"
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "eth1-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "eth2-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "eth3-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.5\n";exit}
+        "Default gateway 192.168.1.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.6\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "exit\r"
+sleep 1
+after 100
+puts "\nall done\n"
diff --git a/test/net_mtu.exp b/test/network/net_mtu.exp
index 7943b2866..eb9c5d08c 100755
--- a/test/net_mtu.exp
+++ b/test/network/net_mtu.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,6 +28,8 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "state UP"
 }
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/net_netfilter.exp b/test/network/net_netfilter.exp
index 989fcc407..737485d07 100755
--- a/test/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,7 +29,7 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
 sleep 1
@@ -40,7 +43,7 @@ expect {
        "ACCEPT     icmp --  any    any     anywhere" {puts "TESTING ERROR 5.1\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
 sleep 1
@@ -54,7 +57,7 @@ expect {
        timeout {puts "TESTING ERROR 6.1\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "ping -c 1 -w 3 10.10.20.1\r"
 expect {
        timeout {puts "TESTING ERROR 6.2\n";exit}
diff --git a/test/net_noip.exp b/test/network/net_noip.exp
index 8d28adb39..b557d116c 100755
--- a/test/net_noip.exp
+++ b/test/network/net_noip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,25 +19,26 @@ send -- "bash\r"
 sleep 1
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
        "eth0" {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "eth0"
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
+send -- "exit\r"
 after 100
 puts "all done\n"
diff --git a/test/net_noip2.exp b/test/network/net_noip2.exp
index 58f90422b..c86ea4900 100755
--- a/test/net_noip2.exp
+++ b/test/network/net_noip2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,25 +19,26 @@ send -- "bash\r"
 sleep 1
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
        "eth0" {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "eth0"
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
+send -- "exit\r"
 after 100
 puts "all done\n"
diff --git a/test/net_none.exp b/test/network/net_none.exp
index 54b6cb946..1761eb423 100755
--- a/test/net_none.exp
+++ b/test/network/net_none.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,20 +19,20 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "eth0" {puts "TESTING ERROR 2.1\n";exit}
-        "home"
+        "done"
 }
 send -- "exit\r"
 sleep 1
@@ -48,21 +51,22 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "eth0" {puts "TESTING ERROR 5.1\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+send -- "exit\r"
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/net_none.profile b/test/network/net_none.profile
index 079c08ea8..079c08ea8 100644
--- a/test/net_none.profile
+++ b/test/network/net_none.profile
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp
new file mode 100755
index 000000000..29008d811
--- /dev/null
+++ b/test/network/net_profile.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# check eth0
+send -- "firejail --profile=net-profile.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0.0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "10.10.20"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "255.255.255.248"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.0/24 dev eth1  proto kernel  scope link  src 10.10.30.50"
+}
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "10.10.40.0/24 dev eth2  proto kernel  scope link  src 10.10.40.100"
+}
+# check default gw
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "default via 10.10.20.2 dev eth0"
+}
+# check mtu
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mtu 1000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "state UP"
+}
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp
new file mode 100755
index 000000000..5afbbeea6
--- /dev/null
+++ b/test/network/net_scan.exp
@@ -0,0 +1,75 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# 
+send -- "firejail --net=br1 --ip=10.10.30.50\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=br1 --ip=10.10.30.51\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "10.10.30.51"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=br1 --scan\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "10.10.30.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "10.10.30.51"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized"
+}
+sleep 1
+after 100
+puts "\nall done\n"
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp
new file mode 100755
index 000000000..04091047b
--- /dev/null
+++ b/test/network/net_veth.exp
@@ -0,0 +1,142 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "lo"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "127.0.0.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "255.0.0.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Default gateway"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "lo"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "127.0.0.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "255.0.0.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "eth1-"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth2-"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "eth3-"
+}
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "Default gateway"
+}
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+send -- "firejail --net=eth0 --ip=10.10.20.1\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "the IP address is not in the interface range"
+}
+after 100
+puts "\n"
diff --git a/test/netfilter.filter b/test/network/netfilter.filter
index 3e232065c..3e232065c 100644
--- a/test/netfilter.filter
+++ b/test/network/netfilter.filter
diff --git a/test/netfilter.profile b/test/network/netfilter.profile
index 824c6cd0f..824c6cd0f 100644
--- a/test/netfilter.profile
+++ b/test/network/netfilter.profile
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
new file mode 100755
index 000000000..41232061d
--- /dev/null
+++ b/test/network/netstats.exp
@@ -0,0 +1,39 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0 --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=eth0 --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --netstats\r"
+sleep 4
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "name=test2"
+}
+after 100
+puts "\n"
diff --git a/test/network/network.sh b/test/network/network.sh
new file mode 100755
index 000000000..94df9935e
--- /dev/null
+++ b/test/network/network.sh
@@ -0,0 +1,100 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+sudo ./configure
+echo "TESTING: firemon interface (firemon-interfaces.exp)"
+sudo ./firemon-interfaces.exp
+echo "TESTING: print dns (dns-print.exp)"
+./dns-print.exp
+echo "TESTING: firemon arp (firemon-arp.exp)"
+./firemon-arp.exp
+echo "TESTING: firemon netstats (netstats.exp)"
+./netstats.exp
+echo "TESTING: firemon route (firemon-route.exp)"
+./firemon-route.exp
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+echo "TESTING: bandwidth (bandwidth.exp)"
+./bandwidth.exp
+echo "TESTING: IPv6 support (ip6.exp)"
+./ip6.exp
+echo "TESTING: local network (net_local.exp)"
+./net_local.exp
+echo "TESTING: no network (net_none.exp)"
+./net_none.exp
+echo "TESTING: network IP (net_ip.exp)"
+./net_ip.exp
+echo "TESTING: network MAC (net_mac.exp)"
+sleep 2
+./net_mac.exp
+echo "TESTING: network MTU (net_mtu.exp)"
+./net_mtu.exp
+echo "TESTING: network hostname (hostname.exp)"
+./hostname.exp
+echo "TESTING: network bad IP (net_badip.exp)"
+./net_badip.exp
+echo "TESTING: network no IP test 1 (net_noip.exp)"
+./net_noip.exp
+echo "TESTING: network no IP test 2 (net_noip2.exp)"
+./net_noip2.exp
+echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
+./net_defaultgw.exp
+echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
+./net_defaultgw2.exp
+echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
+./net_defaultgw3.exp
+echo "TESTING: scan (net_scan.exp)"
+./net_scan.exp
+echo "TESTING: mtu (mtu.exp)"
+./mtu.exp
+echo "TESTING: interface (interface.exp)"
+./interface.exp
+echo "TESTING: veth (net_veth.exp)"
+./net_veth.exp
+echo "TESTING: netfilter (net_netfilter.exp)"
+./net_netfilter.exp
+echo "TESTING: iprange (iprange.exp)"
+./iprange.exp
+echo "TESTING: veth-name (veth-name.exp)"
+./veth-name.exp
+echo "TESTING: macvlan2 (net_macvlan2.exp)"
+./net_macvlan2.exp
+echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
+./4bridges_arp.exp
+echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
+./4bridges_ip.exp
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp
new file mode 100755
index 000000000..36ed41d92
--- /dev/null
+++ b/test/network/veth-name.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# 
+send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "blablabla"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "master br1 state UP"
+}
+sleep 1
+send -- "firejail --profile=veth-name.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "10.10.60.51"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "bingo"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "master br4 state UP"
+}
+sleep 1
+after 100
+puts "\nall done\n"
diff --git a/test/network/veth-name.profile b/test/network/veth-name.profile
new file mode 100644
index 000000000..f00a74d63
--- /dev/null
+++ b/test/network/veth-name.profile
@@ -0,0 +1,3 @@
+net br4
+ip 10.10.60.51
+veth-name bingo
diff --git a/test/noroot.exp b/test/noroot.exp
deleted file mode 100755
index 37d55fe78..000000000
--- a/test/noroot.exp
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail --debug --noprofile --noroot --caps.drop=all --seccomp --cpu=0,1 --name=noroot-sandbox\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "CapBnd:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "0000000000000000"
-}
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Cpus_allowed:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "3"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Cpus_allowed_list:"
-}
-puts "\n"
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Seccomp:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "2"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Cpus_allowed:"
-}
-puts "\n"
-send -- "ping 0\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Operation not permitted"
-}
-puts "\n"
-send -- "whoami\r"
-expect {
-        timeout {puts "TESTING ERROR 55\\n";exit}
-        "netblue"
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-send -- "firejail --noroot --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "whoami\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "netblue"
-}
-send -- "sudo -s\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-send -- "firejail --name=test --noroot --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
-}
-sleep 1
-spawn $env(SHELL)
-send -- "firejail --debug --join=test\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "User namespace detected"
-}
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Joining user namespace"
-}
-sleep 1
-send -- "sudo -s\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "all done\n"
diff --git a/test/notes b/test/notes
deleted file mode 100644
index 864cd5519..000000000
--- a/test/notes
+++ /dev/null
@@ -1,13 +0,0 @@
-Testing --nosound
-Get a list of active PulseAudio clients:
-$ pacmd info | grep application.process.binary
-                application.process.binary = "lxpanel"
-                application.process.binary = "plugin-container"
-                application.process.binary = "plugin-container"
- 
-Find active PulseAudio socket:
-$ netstat -l | grep pulse
-unix  2      [ ACC ]     STREAM     LISTENING     10669    /tmp/pulse-WwG6ohxIJmGO/cli
-unix  2      [ ACC ]     STREAM     LISTENING     12584    /tmp/pulse-WwG6ohxIJmGO/dbus-socket
-unix  2      [ ACC ]     STREAM     LISTENING     12581    /tmp/pulse-WwG6ohxIJmGO/native
diff --git a/test/option-join-profile.exp b/test/option-join-profile.exp
deleted file mode 100755
index 9200980a1..000000000
--- a/test/option-join-profile.exp
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --profile=name.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --join=jointesting;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Switching to pid"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --shutdown=jointesting;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 5
-send --  "firejail --list;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "jointesting" {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/option-join.exp b/test/option-join.exp
deleted file mode 100755
index 6250e87a2..000000000
--- a/test/option-join.exp
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --name=svntesting\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --join=svntesting;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Switching to pid"
-}
-sleep 1
-spawn $env(SHELL)
-send --  "firejail --shutdown=svntesting;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send --  "firejail --list;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svntesting" {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/option-join2.exp b/test/option-join2.exp
deleted file mode 100755
index 630b62d9e..000000000
--- a/test/option-join2.exp
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --name=\"svn testing\"\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --join=\"svn testing\";pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Switching to pid"
-}
-sleep 1
-spawn $env(SHELL)
-send --  "firejail --shutdown=\"svn testing\";pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send --  "firejail --list;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svn testing" {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/option-join3.exp b/test/option-join3.exp
deleted file mode 100755
index aa8a445df..000000000
--- a/test/option-join3.exp
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --name=svn\\ testing\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --join=svn\\ testing;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Switching to pid"
-}
-sleep 1
-spawn $env(SHELL)
-send --  "firejail --shutdown=svn\\ testing;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send --  "firejail --list;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svn testing" {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/option-shutdown.exp b/test/option-shutdown.exp
deleted file mode 100755
index e869f7611..000000000
--- a/test/option-shutdown.exp
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --name=shutdowntesting\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --shutdown=shutdowntesting;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 1
-send --  "firejail --list;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "shutdowntesting" {puts "TESTING ERROR 6\n";exit}
-        "home"
-}
-sleep 1
-puts "\nalldone\n"
diff --git a/test/option-trace.exp b/test/option-trace.exp
deleted file mode 100755
index 38038b58e..000000000
--- a/test/option-trace.exp
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --trace\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "bash:open /dev/tty" {puts "64bit\n"}
-        "bash:open64 /dev/tty" {puts "32bit\n"}
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "bash:access /etc/terminfo/x/xterm" {puts "debian\n"}
-        "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"}
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp
new file mode 100755
index 000000000..76c0e55fc
--- /dev/null
+++ b/test/overlay/firefox-x11-xorg.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --overlay --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/firefox-x11.exp b/test/overlay/firefox-x11.exp
index 7e30437db..aa248f328 100755
--- a/test/firefox-x11.exp
+++ b/test/overlay/firefox-x11.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --x11 --net=br0 firefox -no-remote www.gentoo.org\r"
+send -- "firejail --overlay --name=test --x11 firefox -no-remote www.gentoo.org\r"
 sleep 10
 spawn $env(SHELL)
@@ -30,7 +33,7 @@ expect {
        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
        "cannot open" {puts "grsecurity not present\n"}
 }
-send -- "firejail --name=blablabla\r"
+send -- "firejail --name=blablabla --overlay\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp
new file mode 100755
index 000000000..6ef23558d
--- /dev/null
+++ b/test/overlay/firefox.exp
@@ -0,0 +1,99 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay firefox -no-remote www.gentoo.org\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/firefox.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla --overlay\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp
new file mode 100755
index 000000000..2ccb22bb1
--- /dev/null
+++ b/test/overlay/fs-named.exp
@@ -0,0 +1,66 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay-named=firejail-test\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Child process initialized" {puts "found\n"}
+}
+sleep 1
+send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+after 100
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "xyzxyzxyz"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "done"
+}
+after 100
+send -- "exit\r"
+sleep 2
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
+        "done"
+}
+after 100
+send -- "firejail --overlay-named=firejail-test\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Child process initialized" {puts "found\n"}
+}
+sleep 1
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "xyzxyzxyz"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs_overlay.exp b/test/overlay/fs-tmpfs.exp
index b7eeba80f..658d16779 100755
--- a/test/fs_overlay.exp
+++ b/test/overlay/fs-tmpfs.exp
@@ -4,63 +4,59 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "rm -f /tmp/firejail-overlay-test;pwd\r"
+send -- "firejail --overlay-clean\r"
+after 100
+send -- "file ~/.firejail\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "home"
+        "cannot open"
 }
+after 100
-send -- "ls > /tmp/firejail-overlay-test;pwd\r"
+send -- "firejail --overlay-tmpfs\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
-}
-send -- "firejail --noprofile --overlay\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
        "Child process initialized" {puts "found\n"}
 }
 sleep 1
-send -- "echo xyzxyzxyz > /tmp/firejail-overlay-test;pwd\r"
+send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
-send -- "cat  /tmp/firejail-overlay-test;pwd\r"
+send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
        "xyzxyzxyz"
 }
 expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
 send -- "exit\r"
-sleep 2
+sleep 1
-send -- "cat  /tmp/firejail-overlay-test;pwd\r"
+send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
+        "xyzxyzxyz" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
+after 100
-sleep 1
+send -- "file ~/.firejail\r"
-send -- "rm -f /tmp/firejail-overlay-test;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
+        "cannot open"
 }
+after 100
+puts "\nall done\n"
-sleep 1
-puts "all done \n"
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp
new file mode 100755
index 000000000..15ada9203
--- /dev/null
+++ b/test/overlay/fs.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Child process initialized" {puts "found\n"}
+}
+sleep 1
+send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+after 100
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "xyzxyzxyz"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "done"
+}
+after 100
+send -- "exit\r"
+sleep 2
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh
new file mode 100755
index 000000000..4c9ebe5b0
--- /dev/null
+++ b/test/overlay/overlay.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: overlay fs (test/overlay/fs.exp)"
+rm -fr ~/_firejail_test_*
+./fs.exp
+rm -fr ~/_firejail_test_*
+echo "TESTING: overlay named fs (test/overlay/fs-named.exp)"
+rm -fr ~/_firejail_test_*
+./fs-named.exp
+rm -fr ~/_firejail_test_*
+echo "TESTING: overlay tmpfs fs (test/overlay/fs-tmpfs.exp)"
+rm -fr ~/_firejail_test_*
+./fs-tmpfs.exp
+rm -fr ~/_firejail_test_*
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: overlay firefox"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: overlay firefox x11 xorg"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+# check xpra/xephyr
+which xpra
+if [ "$?" -eq 0 ];
+then
+        echo "xpra found"
+else
+        echo "xpra not found"
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+                echo "Xephyr found"
+        else
+                echo "TESTING SKIP: xpra and/or Xephyr not found"
+                exit
+        fi
+fi
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: overlay firefox x11"
+        ./firefox-x11.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
diff --git a/test/private-etc.exp b/test/private-etc.exp
deleted file mode 100755
index db1d1df3a..000000000
--- a/test/private-etc.exp
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-# directory with ~
-send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls -al /etc\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "group"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "passwd"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "resolv.conf"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "X11"
-}
-send -- "ls -al /etc\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "shadow" {puts "TESTING ERROR 8\n";exit}
-        "X11"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/private.exp b/test/private.exp
deleted file mode 100755
index a5920c37b..000000000
--- a/test/private.exp
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-if { $argc != 1 } {
-        puts "TESTING ERROR: argument missing"
-        puts "Usage: private.exp username"
-        puts "where username is the name of the current user"
-        exit
-}
-# testing profile and private
-send -- "firejail --private --profile=/etc/firejail/generic.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "firejail --private --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls -al; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        ".bashrc"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.2\n";exit}
-        [lindex $argv 0]
-}
-send -- "ls -al; pwd\r"
-expect {
-        timeout {
-                # OpenSUSE doesn't use .Xauthority from user home directory
-                send -- "env | grep XAUTHORITY\r"
-                expect {
-                        timeout {puts "TESTING ERROR 0.3\n";exit}
-                        "/run/lightdm/netblue/xauthority"
-                }
-        }
-        ".Xauthority"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.4\n";exit}
-        [lindex $argv 0]
-}
-# testing private only
-send -- "bash\r"
-sleep 1
-# owner /home/netblue
-send -- "ls -l /home;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3\n";exit}
-        "home"
-}
-sleep 1
-# owner /tmp
-send -- "stat -c %U%a /tmp;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "root777" {puts "version 1\n";}
-            "root1777" {puts "version 2\n";}
-        "nobody777" {puts "version 3\n";}
-            "nobody1777" {puts "version 4\n";}
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
-sleep 1
-puts "all done\n"
diff --git a/test/private_dir.exp b/test/private_dir.exp
index 9dfb2ea9f..a4beeba27 100755
--- a/test/private_dir.exp
+++ b/test/private_dir.exp
@@ -42,7 +42,7 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "7" {puts "normal system\n";}
+        "6" {puts "normal system\n";}
        "5" {puts "OpenSUSE\n";}
 }
 expect {
diff --git a/test/private_dir_profile.exp b/test/private_dir_profile.exp
index 5b38ad0bb..8d1c74444 100755
--- a/test/private_dir_profile.exp
+++ b/test/private_dir_profile.exp
@@ -42,7 +42,7 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "7" {puts "normal system\n";}
+        "6" {puts "normal system\n";}
        "5" {puts "OpenSUSE\n";}
 }
 expect {
diff --git a/test/profile_tmpfs.exp b/test/profile_tmpfs.exp
deleted file mode 100755
index a2faa32f7..000000000
--- a/test/profile_tmpfs.exp
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
-send -- "ls > /tmp/firejailtestdir/tmpfile\r"
-sleep 1
-send -- "firejail --profile=tmpfs.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-# testing private only
-send -- "bash\r"
-sleep 1
-send -- "ls -l /tmp/firejailtestdir;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "tmpfile" {puts "TESTING ERROR 1\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "rm -fr  /tmp/firejailtestdir\r"
-sleep 1
-puts "\n"
diff --git a/test/ignore.exp b/test/profiles/ignore.exp
index c5ea25684..0c5691e9a 100755
--- a/test/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -43,5 +46,5 @@ expect {
        "Child process initialized"
 }
+after 100
 puts "\nall done\n"
diff --git a/test/ignore.profile b/test/profiles/ignore.profile
index aec231ad2..aec231ad2 100644
--- a/test/ignore.profile
+++ b/test/profiles/ignore.profile
diff --git a/test/ignore2.profile b/test/profiles/ignore2.profile
index 49fcd8324..49fcd8324 100644
--- a/test/ignore2.profile
+++ b/test/profiles/ignore2.profile
diff --git a/test/profile_followlnk.exp b/test/profiles/profile_followlnk.exp
index e2ede2865..eb3d04852 100755
--- a/test/profile_followlnk.exp
+++ b/test/profiles/profile_followlnk.exp
@@ -5,34 +5,22 @@ spawn $env(SHELL)
 match_max 100000
 send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
 send -- "ln -s /tmp/firejailtestdir  /tmp/firejailtestdirlnk\r"
-sleep 1
 send -- "touch /tmp/firejailtestfile\r"
-sleep 1
 send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r"
 sleep 1
-send -- "firejail --profile=readonly-lnk.profile --debug\r"
+send -- "firejail --profile=readonly-lnk.profile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-# testing private only
+send -- "ls > /tmp/firejailtestdirlnk/ttt\r"
-send -- "bash\r"
-sleep 1
-send -- "ls > /tmp/firejailtestdirlnk/ttt;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 sleep 1
 send -- "ls > /tmp/firejailtestfilelnk;pwd\r"
@@ -40,29 +28,11 @@ expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
 sleep 1
 send -- "exit\r"
-sleep 1
+after 100
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 2
 send -- "rm -fr /tmp/firejailtest*\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_noperm.exp b/test/profiles/profile_noperm.exp
index b3ed558bc..b3b031cb2 100755
--- a/test/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -9,5 +9,5 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "cannot access profile"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_readonly.exp b/test/profiles/profile_readonly.exp
index 046b0d738..c1c9544a6 100755
--- a/test/profile_readonly.exp
+++ b/test/profiles/profile_readonly.exp
@@ -5,7 +5,6 @@ spawn $env(SHELL)
 match_max 100000
 send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
 send -- "touch /tmp/firejailtestfile\r"
 sleep 1
@@ -14,51 +13,24 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
+sleep 2
-# testing private only
+send -- "ls > /tmp/firejailtestdir/ttt\r"
-send -- "bash\r"
-sleep 1
-send -- "ls > /tmp/firejailtestdir/ttt;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 sleep 1
-send -- "ls > /tmp/firejailtestfile;pwd\r"
+send -- "ls > /tmp/firejailtestfile\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
 send -- "exit\r"
-sleep 1
+after 100
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 2
 send -- "rm -fr /tmp/firejailtest*\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 559947276..d1be2074a 100755
--- a/test/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -22,42 +25,30 @@ sleep 1
 send -- "ls -l /etc/shadow\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "root root 0"
+        "root root"
 }
 sleep 1
-send -- "rmdir;pwd\r"
+send -- "rmdir\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
 sleep 1
-send -- "mount;pwd\r"
+send -- "mount\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
-}
 sleep 1
-send -- "umount;pwd\r"
+send -- "umount\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "home"
-}
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 96e85ba93..9dca35ca2 100755
--- a/test/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -42,6 +45,6 @@ expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "Child process initialized"
 }
+send -- "exit\r"
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
new file mode 100755
index 000000000..ca0b9fb29
--- /dev/null
+++ b/test/profiles/profiles.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: default profiles installed in /etc"
+PROFILES=`ls /etc/firejail/*.profile`
+for PROFILE in $PROFILES
+do
+        echo "TESTING: $PROFILE"
+        ./test-profile.exp $PROFILE
+done
+echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
+./profile_syntax.exp
+echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+echo "TESTING: ignore command (test/profiles/ignore.exp)"
+./ignore.exp
+echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
+./profile_readonly.exp
+echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+./profile_followlnk.exp
+echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
+./profile_noperm.exp
diff --git a/test/readonly-lnk.profile b/test/profiles/readonly-lnk.profile
index 71ffb1a26..71ffb1a26 100644
--- a/test/readonly-lnk.profile
+++ b/test/profiles/readonly-lnk.profile
diff --git a/test/readonly.profile b/test/profiles/readonly.profile
index 55d89e3d7..55d89e3d7 100644
--- a/test/readonly.profile
+++ b/test/profiles/readonly.profile
diff --git a/test/test-profile.exp b/test/profiles/test-profile.exp
index a03e8db31..a6b4a5aad 100755
--- a/test/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -10,10 +13,10 @@ if { $argc != 1 } {
        exit
 }
-send -- "firejail --profile=$argv /bin/bash\r"
+send -- "firejail --profile=$argv echo done\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        "done"
 }
 send -- "exit\r"
 after 100
diff --git a/test/test.profile b/test/profiles/test.profile
index 1d69cc960..1d69cc960 100644
--- a/test/test.profile
+++ b/test/profiles/test.profile
diff --git a/test/test2.profile b/test/profiles/test2.profile
index d7e1a1f21..d7e1a1f21 100644
--- a/test/test2.profile
+++ b/test/profiles/test2.profile
diff --git a/test/quiet.exp b/test/quiet.exp
deleted file mode 100755
index fa46aebf2..000000000
--- a/test/quiet.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 4
-spawn $env(SHELL)
-match_max 100000
-# check ip address
-send -- "firejail --net=br0 --quiet\r"
-expect {
-        "Child process initialized" {puts "TESTING ERROR 1\n";exit}
-        "Interface" {puts "TESTING ERROR 1\n";exit}
-}
-sleep 1
-send -- "\r"
-puts "\nall done\n"
diff --git a/test/servers3.exp b/test/root/apache2.exp
index eccdaa1d9..0b102bad5 100755
--- a/test/servers3.exp
+++ b/test/root/apache2.exp
@@ -4,16 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill apache\r"
-sleep 2
 send -- "firejail --name=apache /etc/init.d/apache2 start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
new file mode 100755
index 000000000..b4864988d
--- /dev/null
+++ b/test/root/firecfg.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firecfg\r"
+sleep 1
+send --  "firecfg --clean\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/usr/local/bin/firefox removed"
+}
+after 100
+send -- "file /usr/local/bin/firefox; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "symbolic link to /usr/bin/firejail"  {puts "TESTING ERROR 2\n";exit}
+        "done"
+}
+after 100
+send --  "firecfg\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/usr/local/bin/firefox created"
+}
+after 100
+send -- "file /usr/local/bin/firefox\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "symbolic link to /usr/bin/firejail"
+}
+after 100
+send -- "firecfg --list\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "/usr/local/bin/firefox"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/root/firejail.config b/test/root/firejail.config
new file mode 100644
index 000000000..71ff2f4e9
--- /dev/null
+++ b/test/root/firejail.config
@@ -0,0 +1,20 @@
+bind yes
+chroot yes
+chroot-desktop yes
+file-transfer yes
+force-nonewprivs no
+network yes
+overlayfs yes
+private-bin-no-local no
+private-home yes
+quiet-by-default no
+remount-proc-sys yes
+restricted-network no
+# netfilter-default /etc/iptables.iptables.rules
+seccomp yes
+userns yes
+whitelist yes
+x11 yes
+xephyr-screen 800x600
+xephyr-window-title yes
+xephyr-extra-params -grayscale
diff --git a/test/root/firemon-events.exp b/test/root/firemon-events.exp
new file mode 100755
index 000000000..4f305e51d
--- /dev/null
+++ b/test/root/firemon-events.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# start firemon
+set firemon_id $spawn_id
+send -- "firemon\r"
+sleep 1
+# start firejail
+spawn $env(SHELL)
+set firejail_id $spawn_id
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+# get messages on firemon
+set spawn_id $firemon_id
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "exec"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash -c /bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "exec"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "fork"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "child"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "/bin/bash"
+}
+after 100
+# exit firejail
+set spawn_id $firejail_id
+send -- "exit\r"
+sleep 1
+# get messages on firemon
+set spawn_id $firemon_id
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "exit"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "EXIT SANDBOX"
+}
+puts "\nall done\n"
diff --git a/test/servers4.exp b/test/root/isc-dhcp.exp
index 86500707a..5d9597e7c 100755
--- a/test/servers4.exp
+++ b/test/root/isc-dhcp.exp
@@ -4,15 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill dhcpd\r"
-sleep 2
 send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/root/join.exp b/test/root/join.exp
new file mode 100755
index 000000000..e4a4e87af
--- /dev/null
+++ b/test/root/join.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=jointesting --cpu=0 --nice=2\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send --  "firejail --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --join-network=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --join-filesystem=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/servers6.exp b/test/root/nginx.exp
index 9ef4ea514..82ebe0ee7 100755
--- a/test/servers6.exp
+++ b/test/root/nginx.exp
@@ -4,16 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill nginx\r"
-sleep 2
 send -- "firejail --name=nginx /etc/init.d/nginx start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/option_bind_directory.exp b/test/root/option_bind_directory.exp
index 3233c68de..3233c68de 100755
--- a/test/option_bind_directory.exp
+++ b/test/root/option_bind_directory.exp
diff --git a/test/option_bind_file.exp b/test/root/option_bind_file.exp
index 8926e0391..8926e0391 100755
--- a/test/option_bind_file.exp
+++ b/test/root/option_bind_file.exp
diff --git a/test/option_tmpfs.exp b/test/root/option_tmpfs.exp
index 6522ef2d3..3d492dfdb 100755
--- a/test/option_tmpfs.exp
+++ b/test/root/option_tmpfs.exp
@@ -16,13 +16,9 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "total 0"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "/root"
-}
-sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
 expect {
@@ -40,5 +36,5 @@ expect {
 after 100
-puts "\nalldone\n"
+puts "\nall done\n"
diff --git a/test/root/private.exp b/test/root/private.exp
new file mode 100755
index 000000000..9ce9716f9
--- /dev/null
+++ b/test/root/private.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send --  "ls -l /home\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send --  "ls -l /root\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "total 0"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "mkdir /opt/firejail-test-dir\r"
+after 100
+send -- "touch /opt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "touch /srv/firejail-test-file\r"
+after 100
+send -- "mkdir /srv/firejail-test-dir\r"
+after 100
+send -- "touch /srv/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/root/profile_tmpfs.exp b/test/root/profile_tmpfs.exp
new file mode 100755
index 000000000..25f73b50b
--- /dev/null
+++ b/test/root/profile_tmpfs.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=tmpfs.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /var;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --debug-check-filename --profile=tmpfs-bad.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 13.1\n";exit}
+        "Checking filename bla&&bla"
+}
+expect {
+        timeout {puts "TESTING ERROR 13.2\n";exit}
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13.3\n";exit}
+        "is an invalid filename"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/root/root.sh b/test/root/root.sh
new file mode 100755
index 000000000..9764b3804
--- /dev/null
+++ b/test/root/root.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+# set a new firejail config file
+cp firejail.config /etc/firejail/firejail.config
+#********************************
+# servers
+#********************************
+if [ -f /etc/init.d/snmpd ]
+then
+        echo "TESTING: snmpd (test/root/snmpd.exp)"
+        ./snmpd.exp
+else
+        echo "TESTING SKIP: snmpd  not found"
+fi
+if [ -f /etc/init.d/apache2 ]
+then
+        echo "TESTING: apache2 (test/root/apache2.exp)"
+        ./apache2.exp
+else
+        echo "TESTING SKIP: apache2  not found"
+fi
+if [ -f /etc/init.d/isc-dhcp-server ]
+then
+        echo "TESTING: isc dhcp server (test/root/isc-dhscp.exp)"
+        ./isc-dhcp.exp
+else
+        echo "TESTING SKIP: isc dhcp server not found"
+fi
+if [ -f /etc/init.d/unbound ]
+then
+        echo "TESTING: unbound (test/root/unbound.exp)"
+        ./unbound.exp
+else
+        echo "TESTING SKIP: unbound  not found"
+fi
+if [ -f /etc/init.d/nginx ]
+then
+        echo "TESTING: nginx (test/root/nginx.exp)"
+        ./nginx.exp
+else
+        echo "TESTING SKIP: nginx  not found"
+fi
+#********************************
+# filesystem
+#********************************
+echo "TESTING: fs private (test/root/private.exp)"
+./private.exp
+echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)"
+./whitelist.exp
+#********************************
+# utils
+#********************************
+echo "TESTING: join (test/root/join.exp)"
+./join.exp
+#********************************
+# seccomp
+#********************************
+echo "TESTING: seccomp umount (test/root/seccomp-umount.exp)"
+./seccomp-umount.exp
+echo "TESTING: seccomp chmod (test/root/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+echo "TESTING: seccomp chown (test/root/seccomp-chown.exp)"
+./seccomp-chown.exp
+#********************************
+# command line options
+#********************************
+echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
+./option_tmpfs.exp
+echo "TESTING: profile tmpfs (test/root/profile_tmpfs)"
+./profile_tmpfs.exp
+echo "TESTING: bind directory (test/root/option_bind_directory.exp)"
+./option_bind_directory.exp
+echo "TESTING: bind file (test/root/option_bind_file.exp)"
+echo hello > tmpfile
+./option_bind_file.exp
+rm -f tmpfile
+#********************************
+# firemon
+#********************************
+echo "TESTING: firemon events (test/root/firemon-events.exp)"
+./firemon-events.exp
+#********************************
+# firecfg
+#********************************
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firecfg (test/root/firecfg.exp)"
+        ./firecfg.exp
+else
+        echo "TESTING SKIP: firecfg, firefox not found"
+fi
+# restore the default config file
+cp ../../etc/firejail.config /etc/firejail/firejail.config
diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp
new file mode 100755
index 000000000..b17990e3a
--- /dev/null
+++ b/test/root/seccomp-chmod.exp
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "cd ~; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "done"
+}
+send -- "touch testfile; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "done"
+}
+send -- "ls -l testfile; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+send -- "chmod +x testfile; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Bad system call"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "done"
+}
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/seccomp-chmod.exp b/test/root/seccomp-chown.exp
index b4a213206..a54d279f1 100755
--- a/test/seccomp-chmod.exp
+++ b/test/root/seccomp-chown.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
+send --  "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
@@ -29,7 +32,7 @@ expect {
        "/home"
 }
-send -- "chmod +x testfile;pwd\r"
+send -- "chown netblue:netblue testfile;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Bad system call"
@@ -42,5 +45,5 @@ expect {
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/seccomp-umount.exp b/test/root/seccomp-umount.exp
index c0107a084..c441c5fc4 100755
--- a/test/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -1,16 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
+send --  "firejail --seccomp --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send --  "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
@@ -24,5 +21,5 @@ expect {
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "\n"
diff --git a/test/servers2.exp b/test/root/snmpd.exp
index 90e34470f..610fdb13a 100755
--- a/test/servers2.exp
+++ b/test/root/snmpd.exp
@@ -4,16 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill snmpd\r"
-sleep 2
 send -- "firejail --name=snmpd /etc/init.d/snmpd start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/root/tmpfs-bad.profile b/test/root/tmpfs-bad.profile
new file mode 100644
index 000000000..7264e18ff
--- /dev/null
+++ b/test/root/tmpfs-bad.profile
@@ -0,0 +1 @@
+tmpfs bla&&bla
diff --git a/test/root/tmpfs.profile b/test/root/tmpfs.profile
new file mode 100644
index 000000000..55a6f7ebc
--- /dev/null
+++ b/test/root/tmpfs.profile
@@ -0,0 +1 @@
+tmpfs /var
diff --git a/test/servers5.exp b/test/root/unbound.exp
index 193e662ff..9c496306a 100755
--- a/test/servers5.exp
+++ b/test/root/unbound.exp
@@ -4,15 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill unbound\r"
-sleep 2
 send -- "firejail --name=unbound unbound\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp
new file mode 100755
index 000000000..f6936c048
--- /dev/null
+++ b/test/root/whitelist.exp
@@ -0,0 +1,118 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "touch /mnt/firejail-test-file\r"
+after 100
+send -- "mkdir /mnt/firejail-test-dir\r"
+after 100
+send -- "touch /mnt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /mnt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "mkdir /opt/firejail-test-dir\r"
+after 100
+send -- "touch /opt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/opt/firejail-test-file  --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "touch /media/firejail-test-file\r"
+after 100
+send -- "mkdir /media/firejail-test-dir\r"
+after 100
+send -- "touch /media/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /media | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /var | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        ""
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "touch /srv/firejail-test-file\r"
+after 100
+send -- "mkdir /srv/firejail-test-dir\r"
+after 100
+send -- "touch /srv/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/seccomp-chmod-profile.exp b/test/seccomp-chmod-profile.exp
deleted file mode 100755
index 098328cea..000000000
--- a/test/seccomp-chmod-profile.exp
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --profile=seccomp.profile --private\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 2
-send -- "touch testfile;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
-}
-send -- "ls -l testfile;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "testfile"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
-}
-send -- "chmod +x testfile;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Bad system call"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
-}
-send -- "exit\r"
-sleep 1
-puts "\n"
diff --git a/test/seccomp-errno.exp b/test/seccomp-errno.exp
deleted file mode 100755
index e6678ab8f..000000000
--- a/test/seccomp-errno.exp
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "touch seccomp-test-file\r"
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "No such file or directory"
-}
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "unlinkat 2 ENOENT"
-}
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat,mkdir\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "No such file or directory"
-}
-after 100
-puts "\n"
-send -- "mkdir seccomp-test-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "No such file or directory"
-}
-after 100
-puts "\n"
-send -- "exit\r"
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "errno enoent already configured"
-}
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "No such file or directory"
-}
-after 100
-puts "\n"
-send -- "mkdir seccomp-test-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Operation not permitted"
-}
-after 100
-puts "\n"
-send -- "exit\r"
-sleep 1
-send -- "rm seccomp-test-file\r"
-sleep 1
-puts "all done\n"
diff --git a/test/net_macvlan.exp b/test/stress/net_macvlan.exp
index 20d022de9..6ea4a6adf 100755
--- a/test/net_macvlan.exp
+++ b/test/stress/net_macvlan.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -9,7 +12,7 @@ spawn $env(SHELL)
 send -- "firejail --net=eth0 --ip=192.168.1.60\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";puts "Please open a sandbox on 192.168.1.60\n";exit}
-        "the address 192.168.1.60 is already in use"
+        "192.168.1.60 is interface eth0 address"
 }
@@ -83,6 +86,8 @@ while { $i <= $MAXi } {
        after 100
 #       sleep 1
 }
+send -- "exit\r"
+after 100
 puts "\n"
diff --git a/test/stress/stress.sh b/test/stress/stress.sh
new file mode 100755
index 000000000..35c846071
--- /dev/null
+++ b/test/stress/stress.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: macvlan (net_macvlan.exp)"
+./net_macvlan.exp
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
new file mode 100755
index 000000000..9755d8737
--- /dev/null
+++ b/test/sysutils/cpio.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r"
+sleep 1
+send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp
new file mode 100755
index 000000000..a8ad84d12
--- /dev/null
+++ b/test/sysutils/file.exp
@@ -0,0 +1,18 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "echo 'test string for firejail test' > /tmp/firejail_test.txt; firejail file /tmp/firejail_test.txt\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ASCII text"
+}
+send -- "rm /tmp/firejail_test.txt\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
new file mode 100755
index 000000000..ab0e727de
--- /dev/null
+++ b/test/sysutils/gzip.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
new file mode 100755
index 000000000..720830304
--- /dev/null
+++ b/test/sysutils/less.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail less ../../Makefile.in\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "MYLIBS"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "APPS"
+}
+puts "\nall done\n"
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
new file mode 100755
index 000000000..1fd0f5dc0
--- /dev/null
+++ b/test/sysutils/strings.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r"
+sleep 1
+send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
new file mode 100755
index 000000000..99939133d
--- /dev/null
+++ b/test/sysutils/sysutils.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+which cpio
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: cpio"
+        ./cpio.exp
+else
+        echo "TESTING SKIP: cpio not found"
+fi
+#which strings
+#if [ "$?" -eq 0 ];
+#then
+#       echo "TESTING: strings"
+#       ./strings.exp
+#else
+#       echo "TESTING SKIP: strings not found"
+#fi
+which gzip
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gzip"
+        ./gzip.exp
+else
+        echo "TESTING SKIP: gzip not found"
+fi
+which xzdec
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xzdec"
+        ./xzdec.exp
+else
+        echo "TESTING SKIP: xzdec not found"
+fi
+which xz
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xz"
+        ./xz.exp
+else
+        echo "TESTING SKIP: xz not found"
+fi
+which less
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: less"
+        ./less.exp
+else
+        echo "TESTING SKIP: less not found"
+fi
+which file
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: file"
+        ./file.exp
+else
+        echo "TESTING SKIP: file not found"
+fi
+which tar
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: tar"
+        ./tar.exp
+else
+        echo "TESTING SKIP: tar not found"
+fi
diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp
new file mode 100755
index 000000000..f41d67d6f
--- /dev/null
+++ b/test/sysutils/tar.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail /bin/tar -cjvf firejail_t2 /usr/share/doc/firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Error" {puts "TESTING ERROR 1.2\n";exit}
+        "/usr/share/doc/firejail/README"
+}
+after 100
+send -- "stat -c '|%s|' firejail_t2; uname -s\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "|0|" {puts "TESTING ERROR 2.2\n";exit}
+        "Linux"
+}
+sleep 1
+send -- "firejail /bin/tar --compare --file=firejail_t2 -C / | wc\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "This does not look like a tar archive" {puts "TESTING ERROR 3.2\n"; exit}
+        "      0       0       0"
+}
+sleep 1
+send -- "/bin/tar --compare --file=firejail_t2 -C / | wc\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "This does not look like a tar archive" {puts "TESTING ERROR 4.2\n"; exit}
+        "      0       0       0"
+}
+sleep 1
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp
new file mode 100755
index 000000000..11d0e560c
--- /dev/null
+++ b/test/sysutils/xz.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
new file mode 100755
index 000000000..0ea6f5fb0
--- /dev/null
+++ b/test/sysutils/xzdec.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
+sleep 1
+send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
+sleep 1
+send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+} 
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh
deleted file mode 100755
index 6521fa2b0..000000000
--- a/test/test-apps-x11.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-which firefox
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: firefox x11"
-        ./firefox-x11.exp
-else
-        echo "TESTING: firefox not found"
-fi
-which chromium
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: chromium x11"
-        ./chromium-x11.exp
-else
-        echo "TESTING: chromium not found"
-fi
-which transmission-gtk
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: transmission-gtk x11"
-        ./transmission-gtk.exp
-else
-        echo "TESTING: transmission-gtk not found"
-fi
diff --git a/test/test-nonet.sh b/test/test-nonet.sh
deleted file mode 100755
index 3df8b2d4e..000000000
--- a/test/test-nonet.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/bash
-echo "TESTING: version"
-./option_version.exp
-echo "TESTING: help"
-./option_help.exp
-echo "TESTING: man"
-./option_man.exp
-echo "TESTING: list"
-./option_list.exp
-echo "TESTING: PID"
-./pid.exp
-echo "TESTING: profile no permissions"
-./profile_noperm.exp
-echo "TESTING: profile syntax"
-./profile_syntax.exp
-echo "TESTING: profile read-only"
-./profile_readonly.exp
-echo "TESTING: profile tmpfs"
-./profile_tmpfs.exp
-echo "TESTING: private"
-./private.exp `whoami`
-echo "TESTING: read/write /var/tmp"
-./fs_var_tmp.exp
-echo "TESTING: read/write /var/run"
-./fs_var_run.exp
-echo "TESTING: read/write /var/lock"
-./fs_var_lock.exp
-echo "TESTING: read/write /dev/shm"
-./fs_dev_shm.exp
diff --git a/test/test-profiles.sh b/test/test-profiles.sh
deleted file mode 100755
index d9142885b..000000000
--- a/test/test-profiles.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
-        echo "TESTING: $PROFILE"
-        ./test-profile.exp $PROFILE
-done
diff --git a/test/test-root.sh b/test/test-root.sh
deleted file mode 100755
index 7e1a0b968..000000000
--- a/test/test-root.sh
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/bin/bash
-./chk_config.exp
-echo "TESTING: tmpfs (option_tmpfs.exp)"
-./option_tmpfs.exp
-echo "TESTING: profile tmpfs (profile_tmpfs)"
-./profile_tmpfs.exp
-echo "TESTING: network interfaces (net_interface.exp)"
-./net_interface.exp
-echo "TESTING: chroot (fs_chroot_asroot.exp)"
-./fs_chroot_asroot.exp
-if [ -f /etc/init.d/snmpd ]
-then
-        echo "TESTING: servers snmpd, private-dev (servers2.exp)"
-        ./servers2.exp
-fi
-if [ -f /etc/init.d/apache2 ]
-then
-        echo "TESTING: servers apache2, private-dev, private-tmp (servers3.exp)"
-        ./servers3.exp
-fi
-if [ -f /etc/init.d/isc-dhcp-server ]
-then
-        echo "TESTING: servers isc dhcp server, private-dev (servers4.exp)"
-        ./servers4.exp
-fi
-if [ -f /etc/init.d/unbound ]
-then
-        echo "TESTING: servers unbound, private-dev, private-tmp (servers5.exp)"
-        ./servers5.exp
-fi
-if [ -f /etc/init.d/nginx ]
-then
-        echo "TESTING: servers nginx, private-dev, private-tmp (servers6.exp)"
-        ./servers6.exp
-fi
-echo "TESTING: /proc/sysrq-trigger reset disabled (sysrq-trigger.exp)"
-./sysrq-trigger.exp
-echo "TESTING: seccomp umount (seccomp-umount.exp)"
-./seccomp-umount.exp
-echo "TESTING: seccomp chmod (seccomp-chmod.exp)"
-./seccomp-chmod.exp
-echo "TESTING: seccomp chown (seccomp-chown.exp)"
-./seccomp-chown.exp
-echo "TESTING: bind directory (option_bind_directory.exp)"
-./option_bind_directory.exp
-echo "TESTING: bind file (option_bind_file.exp)"
-echo hello > tmpfile
-./option_bind_file.exp
-rm -f tmpfile
-echo "TESTING: firemon --interface (firemon-interface.exp)"
-./firemon-interface.exp
-if [ -f /sys/fs/cgroup/g1/tasks ]
-then
-        echo "TESTING: firemon --cgroup (firemon-cgroup.exp)"
-        ./firemon-cgroup.exp
-fi
-echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)"
-rm -f tmpfile
-touch tmpfile
-rm -f /tmp/chroot/etc/resolv.conf
-ln -s tmp /tmp/chroot/etc/resolv.conf
-./chroot-resolvconf.exp
-rm -f tmpfile
diff --git a/test/test.sh b/test/test.sh
index c6fe4f299..4b7d5bb6d 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1,70 +1,15 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 ./chk_config.exp
-./test-profiles.sh
 ./fscheck.sh
-echo "TESTING: cpu.print (cpu-print.exp)"
-echo "TESTING:    failing under VirtualBox where there is only one CPU"
-./cpu-print.exp
-echo "TESTING: bandwidth (bandwidth.exp)"
-./bandwidth.exp
-echo "TESTING: file transfer (ls.exp)"
-./ls.exp
-echo "TESTING: fs.print (fs-print.exp)"
-./fs-print.exp
-echo "TESTING: dns.print (dns-print.exp)"
-./dns-print.exp
-echo "TESTING: caps.print (caps-print.exp)"
-./caps-print.exp
-echo "TESTING: seccomp.print (seccomp-print.exp)"
-./seccomp-print.exp
-echo "TESTING: protocol.print (protocol-print.exp)"
-./protocol-print.exp
-echo "TESTING: sound (sound.exp)"
-./sound.exp
-echo "TESTING: nice (nice.exp)"
-./nice.exp
 echo "TESTING: tty (tty.exp)"
 ./tty.exp
-echo "TESTING: protocol (protocol.exp)"
-./protocol.exp
-echo "TESTING: invalid filename (invalid_filename.exp)"
-./invalid_filename.exp
-echo "TESTING: environment variables (env.exp)"
-./env.exp
-echo "TESTING: whitelist empty (whitelist-empty.exp)"
-./whitelist-empty.exp
-echo "TESTING: ignore command (ignore.exp)"
-./ignore.exp
-echo "TESTING: private-etc (private-etc.exp)"
-./private-etc.exp
-echo "TESTING: private-bin (private-bin.exp)"
-./private-bin.exp
-echo "TESTING: private whitelist (private-whitelist.exp)"
-echo "TESTING:    failing on OpenSUSE"
-./private-whitelist.exp
 sleep 1
 rm -fr dir\ with\ space
 mkdir dir\ with\ space
@@ -82,102 +27,9 @@ rm -fr auto2
 rm -fr auto3
 rm -fr auto4
-echo "TESTING: version (option_version.exp)"
-./option_version.exp
-echo "TESTING: help (option_help.exp)"
-./option_help.exp
-echo "TESTING: man (option_man.exp)"
-./option_man.exp
-echo "TESTING: list (option_list.exp)"
-./option_list.exp
-echo "TESTING: tree (option_tree.exp)"
-./option_tree.exp
-if [ -f /proc/self/uid_map ];
-then
-        echo "TESTING: noroot (noroot.exp)"
-        ./noroot.exp
-else
-        echo "TESTING: user namespaces not available"
-fi
-echo "TESTING: doubledash"
-mkdir -- -testdir
-touch -- -testdir/ttt
-cp -- /bin/bash -testdir/.
-./doubledash.exp
-rm -fr -- -testdir
-echo "TESTING: trace1 (option-trace.exp)"
-./option-trace.exp
-echo "TESTING: trace2 (trace.exp)"
-rm -f index.html*
-./trace.exp
-rm -f index.html*
-echo "TESTING: extract command (extract_command.exp)"
-./extract_command.exp
-echo "TESTING: kmsg access (kmsg.exp)"
-./kmsg.exp
-echo "TESTING: rlimit (option_rlimit.exp)"
-./option_rlimit.exp
-echo "TESTING: shutdown (option_shutdown.exp)"
-./option-shutdown.exp
-echo "TESTING: shutdown2 (option_shutdown2.exp)"
-./option-shutdown2.exp
-echo "TESTING: shutdown3 (option_shutdown3.exp)"
-./option-shutdown3.exp
-echo "TESTING: shutdown4 (option_shutdown4.exp)"
-./option-shutdown4.exp
-echo "TESTING: join (option-join.exp)"
-./option-join.exp
-echo "TESTING: join2 (option-join2.exp)"
-./option-join2.exp
-echo "TESTING: join3 (option-join3.exp)"
-./option-join3.exp
-echo "TESTING: join profile (option-join-profile.exp)"
-./option-join-profile.exp
-echo "TESTING: firejail in firejail - single sandbox (firejail-in-firejail.exp)"
-./firejail-in-firejail.exp
-echo "TESTING: firejail in firejail - force new sandbox (firejail-in-firejail2.exp)"
-./firejail-in-firejail2.exp
 echo "TESTING: chroot overlay (option_chroot_overlay.exp)"
 ./option_chroot_overlay.exp
-echo "TESTING: blacklist directory (option_blacklist.exp)"
-./option_blacklist.exp
-echo "TESTING: blacklist file (opiton_blacklist_file.exp)"
-./option_blacklist_file.exp
-echo "TESTING: bind as user (option_bind_user.exp)"
-./option_bind_user.exp
-if [ -d /home/bingo ];
-then
-        echo "TESTING: home sanitize (opiton_version.exp)"
-        ./option_version.exp
-fi
 echo "TESTING: chroot as user (fs_chroot.exp)"
 ./fs_chroot.exp
@@ -190,47 +42,7 @@ ls -al > tmpreadonly
 sleep 5
 rm -f tmpreadonly
-echo "TESTING: zsh (shell_zsh.exp)"
-./shell_zsh.exp
-echo "TESTING: csh (shell_csh.exp)"
-./shell_csh.exp
-which dash
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: dash (shell_dash.exp)"
-        ./shell_dash.exp
-else
-        echo "TESTING: dash not found"
-fi
-./test-apps.sh
-./test-apps-x11.sh
-echo "TESTING: PID (pid.exp)"
-./pid.exp
-echo "TESTING: output (output.exp)"
-./output.exp
-echo "TESTING: profile no permissions (profile_noperm.exp)"
-./profile_noperm.exp
-echo "TESTING: profile syntax (profile_syntax.exp)"
-./profile_syntax.exp
-echo "TESTING: profile syntax 2 (profile_syntax2.exp)"
-./profile_syntax2.exp
-echo "TESTING: profile rlimit (profile_rlimit.exp)"
-./profile_rlimit.exp
-echo "TESTING: profile read-only (profile_readonly.exp)"
-./profile_readonly.exp
-echo "TESTING: private (private.exp)"
-./private.exp `whoami`
 echo "TESTING: private directory (private_dir.exp)"
 rm -fr dirprivate
@@ -247,113 +59,13 @@ rm -fr dirprivate
 echo "TESTING: overlayfs (fs_overlay.exp)"
 ./fs_overlay.exp
-echo "TESTING: seccomp debug  (seccomp-debug.exp)"
-./seccomp-debug.exp
-echo "TESTING: seccomp errno (seccomp-errno.exp)"
-./seccomp-errno.exp
-echo "TESTING: seccomp su (seccomp-su.exp)"
-./seccomp-su.exp
-echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)"
-./seccomp-ptrace.exp
-echo "TESTING: seccomp chmod - seccomp lists (seccomp-chmod.exp)"
-./seccomp-chmod.exp
-echo "TESTING: seccomp chmod profile - seccomp lists (seccomp-chmod-profile.exp)"
-./seccomp-chmod-profile.exp
-echo "TESTING: seccomp empty (seccomp-empty.exp)"
-./seccomp-empty.exp
-echo "TESTING: seccomp bad empty (seccomp-bad-empty.exp)"
-./seccomp-bad-empty.exp
-echo "TESTING: seccomp dual filter (seccomp-dualfilter.exp)"
-./seccomp-dualfilter.exp
-echo "TESTING: read/write /var/tmp (fs_var_tmp.exp)"
-./fs_var_tmp.exp
-echo "TESTING: read/write /var/lock (fs_var_lock.exp)"
-./fs_var_lock.exp
-echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)"
-./fs_dev_shm.exp
-echo "TESTING: quiet (quiet.exp)"
-./quiet.exp
-echo "TESTING: IPv6 support (ip6.exp)"
-echo "TESTING:    broken on Centos - todo"
-./ip6.exp
-echo "TESTING: local network (net_local.exp)"
-./net_local.exp
-echo "TESTING: no network (net_none.exp)"
-./net_none.exp
-echo "TESTING: network IP (net_ip.exp)"
-./net_ip.exp
-echo "TESTING: network MAC (net_mac.exp)"
-sleep 2
-./net_mac.exp
-echo "TESTING: network MTU (net_mtu.exp)"
-./net_mtu.exp
-echo "TESTING: network hostname (hostname.exp)"
-./hostname.exp
-echo "TESTING: network bad IP (net_badip.exp)"
-./net_badip.exp
-echo "TESTING: network no IP test 1 (net_noip.exp)"
-./net_noip.exp
-echo "TESTING: network no IP test 2 (net_noip2.exp)"
-./net_noip2.exp
-echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
-./net_defaultgw.exp
-echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
-./net_defaultgw2.exp
-echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
-./net_defaultgw3.exp
-echo "TESTING: netfilter (net_netfilter.exp)"
-./net_netfilter.exp
-echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
-./4bridges_arp.exp
-echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
-./4bridges_ip.exp
 echo "TESTING: login SSH (login_ssh.exp)"
 ./login_ssh.exp
-echo "TESTING: ARP (net_arp.exp)"
-./net_arp.exp
-echo "TESTING: DNS (dns.exp)"
-./dns.exp
 echo "TESTING: firemon --arp (firemon-arp.exp)"
 ./firemon-arp.exp
 echo "TESTING: firemon --route (firemon-route.exp)"
 ./firemon-route.exp
-echo "TESTING: firemon --seccomp (firemon-seccomp.exp)"
-./firemon-seccomp.exp
-echo "TESTING: firemon --caps (firemon-caps.exp)"
-./firemon-caps.exp
diff --git a/test/tmpfs.profile b/test/tmpfs.profile
deleted file mode 100644
index 0680f4d69..000000000
--- a/test/tmpfs.profile
+++ /dev/null
@@ -1 +0,0 @@
-tmpfs /tmp/firejailtestdir
-\ No newline at end of file
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
new file mode 100755
index 000000000..931b46981
--- /dev/null
+++ b/test/utils/audit.exp
@@ -0,0 +1,79 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --audit\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Firejail Audit"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "is running in a PID namespace"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "container/sandbox firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "seccomp BPF enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "all capabilities are disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "dev directory seems to be fully populated"
+}
+after 100
+send -- "firejail --audit=/usr/lib/firejail/faudit\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Firejail Audit"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "is running in a PID namespace"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "container/sandbox firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "seccomp BPF enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "all capabilities are disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "dev directory seems to be fully populated"
+}
+after 100
+send -- "firejail --audit=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "cannot find the audit program"
+}
+after 100
+send -- "firejail --audit=\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "invalid audit program"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/caps-print.exp b/test/utils/caps-print.exp
index 39e5ec50a..fa5239da2 100755
--- a/test/caps-print.exp
+++ b/test/utils/caps-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,5 +28,5 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "net_raw             - disabled"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/caps1.profile b/test/utils/caps1.profile
index e14655b2e..e14655b2e 100644
--- a/test/caps1.profile
+++ b/test/utils/caps1.profile
diff --git a/test/caps2.profile b/test/utils/caps2.profile
index cb2258c52..cb2258c52 100644
--- a/test/caps2.profile
+++ b/test/utils/caps2.profile
diff --git a/test/catchsignal-master.sh b/test/utils/catchsignal-master.sh
index 62a1801cc..62a1801cc 100755
--- a/test/catchsignal-master.sh
+++ b/test/utils/catchsignal-master.sh
diff --git a/test/catchsignal.sh b/test/utils/catchsignal.sh
index 87a1d0adf..87a1d0adf 100755
--- a/test/catchsignal.sh
+++ b/test/utils/catchsignal.sh
diff --git a/test/catchsignal2.sh b/test/utils/catchsignal2.sh
index 424350397..424350397 100755
--- a/test/catchsignal2.sh
+++ b/test/utils/catchsignal2.sh
diff --git a/test/cpu-print.exp b/test/utils/cpu-print.exp
index d8e3fbb04..ca2e57313 100755
--- a/test/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -17,5 +20,5 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Cpus_allowed_list:     1-2"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/dns-print.exp b/test/utils/dns-print.exp
index ee7b08e5e..406ab5149 100755
--- a/test/dns-print.exp
+++ b/test/utils/dns-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -17,5 +20,5 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "nameserver 1.2.3.4"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/firemon-caps.exp b/test/utils/firemon-caps.exp
index 3dd6384db..76aa13725 100755
--- a/test/firemon-caps.exp
+++ b/test/utils/firemon-caps.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -63,6 +66,7 @@ spawn $env(SHELL)
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 8.1\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
        "bingo1"
 }
 expect {
diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp
new file mode 100755
index 000000000..b1ab083ae
--- /dev/null
+++ b/test/utils/firemon-cgroup.exp
@@ -0,0 +1,41 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firemon --cgroup\r"
+sleep 4
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "name=test2"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/seccomp-dualfilter.exp b/test/utils/firemon-cpu.exp
index afdf8a53a..00156c909 100755
--- a/test/seccomp-dualfilter.exp
+++ b/test/utils/firemon-cpu.exp
@@ -1,38 +1,44 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail ../src/tools/syscall_test mount\r"
+send --  "firejail --name=test1\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "before mount"
+        "Child process initialized"
 }
+sleep 1
+spawn $env(SHELL)
+send --  "firemon --cpu\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "after mount" {puts "TESTING ERROR 2.1\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
-        "Parent is shutting down"
+        "name=test1"
 }
-sleep 1
-send -- "firejail ../src/tools/syscall_test32 mount\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "Cpus_allowed_list"
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "before mount"
+        "name=test2"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "after mount" {puts "TESTING ERROR 5.1\n";exit}
-        "Parent is shutting down"
 }
+after 100
 puts "\nall done\n"
diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp
new file mode 100755
index 000000000..edafd1639
--- /dev/null
+++ b/test/utils/firemon-interface.exp
@@ -0,0 +1,18 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firemon --interface\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "you need to be root"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp
new file mode 100755
index 000000000..c5dbfabab
--- /dev/null
+++ b/test/utils/firemon-name.exp
@@ -0,0 +1,28 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firemon --cpu --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
+        "Cpus_allowed_list"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp
index 55817faf3..26c478344 100755
--- a/test/firemon-seccomp.exp
+++ b/test/utils/firemon-seccomp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,6 +29,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
        "bingo1"
 }
 expect {
@@ -37,7 +41,7 @@ expect {
        "bingo2"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Seccomp:       0"
 }
 after 100
diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp
new file mode 100755
index 000000000..639c15c29
--- /dev/null
+++ b/test/utils/firemon-version.exp
@@ -0,0 +1,18 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firemon --version\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "firemon version"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs-print.exp b/test/utils/fs-print.exp
index 48056a3bf..4d4ceb718 100755
--- a/test/fs-print.exp
+++ b/test/utils/fs-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,5 +28,5 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "blacklist /proc/kmsg"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/option_help.exp b/test/utils/help.exp
index f4518219c..5b9864578 100755
--- a/test/option_help.exp
+++ b/test/utils/help.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/firemon-interface.exp b/test/utils/join-profile.exp
index 6a82ae41e..a2078c2f6 100755
--- a/test/firemon-interface.exp
+++ b/test/utils/join-profile.exp
@@ -4,31 +4,32 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail\r"
+send --  "firejail --profile=name.profile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 1
+sleep 2
 spawn $env(SHELL)
-send -- "firemon --interface\r"
+send --  "firejail --join=jointesting\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "lo UP"
+        "Switching to pid"
 }
+sleep 1
+send -- "ps aux\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "10.10.20.1/29"
+        "/bin/bash"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "10.10.50.1/24"
 }
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "br3"
+        "/bin/bash"
 }
-sleep 1
-puts "\n"
+send -- "exit"
+after 100
+puts "\nall done\n"
diff --git a/test/utils/join.exp b/test/utils/join.exp
new file mode 100755
index 000000000..79fe99f2d
--- /dev/null
+++ b/test/utils/join.exp
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=jointesting --cpu=0 --nice=2\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send --  "firejail --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --join-network=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "is only available to root user"
+}
+after 100
+send --  "firejail --join-filesystem=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "is only available to root user"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/utils/join2.exp b/test/utils/join2.exp
new file mode 100755
index 000000000..5895eb730
--- /dev/null
+++ b/test/utils/join2.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=\"join testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send --  "firejail --join=\"join testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
+}
+send -- "exit"
+after 100
+puts "\nall done\n"
diff --git a/test/utils/join3.exp b/test/utils/join3.exp
new file mode 100755
index 000000000..3ccc47bf9
--- /dev/null
+++ b/test/utils/join3.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=join\\ testing\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send --  "firejail --join=join\\ testing\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
+}
+send -- "exit"
+after 100
+puts "\nall done\n"
diff --git a/test/firemon-arp.exp b/test/utils/join4.exp
index 3fc8c2aee..c367dd770 100755
--- a/test/firemon-arp.exp
+++ b/test/utils/join4.exp
@@ -1,34 +1,38 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send -- "ping -c 3 192.168.1.1\r"
+send --  "firejail --name=123test\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "3 packets transmitted"
+        "Child process initialized"
 }
-sleep 1
+sleep 2
-send --  "firejail\r"
+spawn $env(SHELL)
+send --  "firejail --join=123test\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        "Switching to pid"
 }
 sleep 1
+send -- "ps aux\r"
-spawn $env(SHELL)
-send -- "firemon --arp\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "192.168.1.1 dev eth0 lladdr" {puts "Debian testing\n";}
+        "/bin/bash"
-        "192.168.1.1 dev enp0s3 lladdr" {puts "Centos 7 testing\n";}
 }
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "REACHABLE"
+        "/bin/bash"
 }
-sleep 1
-puts "\n"
+send -- "exit"
+after 100
+puts "\nall done\n"
diff --git a/test/option_list.exp b/test/utils/list.exp
index b9c73e52b..69db1f568 100755
--- a/test/option_list.exp
+++ b/test/utils/list.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/ls.exp b/test/utils/ls.exp
index 5fe6d79c6..ff6867c51 100755
--- a/test/ls.exp
+++ b/test/utils/ls.exp
@@ -3,6 +3,8 @@
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
+set firstspawn $spawn_id
 send -- "rm -f lstesting\r"
 sleep 1
@@ -11,11 +13,11 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
-send -- "echo my_testing > lstesting\r"
+send -- "echo my_testing > ~/lstesting\r"
-sleep 2
+after 100
+# ls
 spawn $env(SHELL)
 send -- "firejail --ls=test ~/.\r"
 expect {
@@ -23,19 +25,45 @@ expect {
        "lstesting"
 }
 sleep 1
+# get
 send -- "firejail --get=test ~/lstesting\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "lstesting"
-}
 sleep 1
 send -- "cat lstesting\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2n";exit}
        "my_testing"
 }
+after 100
+# put
+send -- "echo put_test > ~/lstesting\r"
+after 100
+send -- "firejail --put=test ~/lstesting ~/lstesting_2\r"
 sleep 1
-send -- "rm -f lstesting\r"
+set spawn_id $firstspawn
+send -- "ls -al ~\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "lstesting_2"
+}
+after 100
+send -- "cat ~/lstesting_2\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "put_test"
+}
+after 100
+send -- "exit\r"
 sleep 1
+send -- "rm -f lstesting\r"
+after 100
 puts "\nall done\n"
diff --git a/test/option_man.exp b/test/utils/man.exp
index d941a2432..d29f760b0 100755
--- a/test/option_man.exp
+++ b/test/utils/man.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/name.profile b/test/utils/name.profile
index 1aa9f2d64..1aa9f2d64 100644
--- a/test/name.profile
+++ b/test/utils/name.profile
diff --git a/test/protocol-print.exp b/test/utils/protocol-print.exp
index 4d1ae34d6..b4b94ea93 100755
--- a/test/protocol-print.exp
+++ b/test/utils/protocol-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -17,5 +20,5 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "unix,inet,inet6"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/seccomp-print.exp b/test/utils/seccomp-print.exp
index b4e6ed35e..f6ff1e721 100755
--- a/test/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -29,5 +32,5 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "RETURN_ALLOW"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp
new file mode 100755
index 000000000..1ab231bf4
--- /dev/null
+++ b/test/utils/shutdown.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=shutdowntesting\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send --  "firejail --shutdown=shutdowntesting; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+sleep 5
+spawn $env(SHELL)
+send --  "firejail --list;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "shutdowntesting" {puts "TESTING ERROR 6\n";exit}
+        "done"
+}
+sleep 1
+send --  "firejail --shutdown=sutdowntesting\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "cannot find sandbox sutdowntesting"
+}
+after 100
+send --  "firejail --shutdown=10\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "this is not a firejail sandbox"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/option-shutdown2.exp b/test/utils/shutdown2.exp
index 403bc30be..777a73ec9 100755
--- a/test/option-shutdown2.exp
+++ b/test/utils/shutdown2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -37,6 +40,6 @@ expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "5"
 }
-sleep 1
+after 100
 puts "\nalldone\n"
diff --git a/test/option-shutdown3.exp b/test/utils/shutdown3.exp
index 0ef371cd8..a74fb3386 100755
--- a/test/option-shutdown3.exp
+++ b/test/utils/shutdown3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -57,6 +60,6 @@ expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        "5"
 }
-sleep 1
+after 100
 puts "\nalldone\n"
diff --git a/test/option-shutdown4.exp b/test/utils/shutdown4.exp
index f188ec66d..2942ba3d5 100755
--- a/test/option-shutdown4.exp
+++ b/test/utils/shutdown4.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -57,10 +60,6 @@ expect {
        timeout {puts "TESTING ERROR 50\n";exit}
        "50"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 60\n";exit}
-        "Killed"
-}
-sleep 1
 puts "\nalldone\n"
diff --git a/test/utils/top.exp b/test/utils/top.exp
new file mode 100755
index 000000000..d530e5a85
--- /dev/null
+++ b/test/utils/top.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --top\r"
+sleep 4
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "name=test2"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/trace.exp b/test/utils/trace.exp
index 21dd6a559..78a04b273 100755
--- a/test/trace.exp
+++ b/test/utils/trace.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 30
 spawn $env(SHELL)
@@ -76,6 +79,7 @@ expect {
        timeout {puts "TESTING ERROR 8.6\n";exit}
        "wget:fopen64 index.html" {puts "OK\n";}
        "wget:fopen index.html" {puts "OK\n";}
+        "Parent is shutting down" {puts "OK\n";}
 }
 sleep 1
@@ -86,9 +90,26 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 10\n";exit}
-        "rm:unlinkat index.html"
+        "rm:unlinkat index.html" {puts "OK\n";}
+        "Parent is shutting down" {puts "OK\n";}
 }
 sleep 1
+send --  "firejail --trace\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "bash:open /dev/tty" {puts "64bit\n"}
+        "bash:open64 /dev/tty" {puts "32bit\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "bash:access /etc/terminfo/" {puts "debian\n"}
+        "bash:access /usr/share/terminfo/" {puts "arch\n"}
+}
+after 100
 puts "\nall done\n"
diff --git a/test/option_tree.exp b/test/utils/tree.exp
index 1841907d1..a8ef763f1 100755
--- a/test/option_tree.exp
+++ b/test/utils/tree.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
new file mode 100755
index 000000000..04702597f
--- /dev/null
+++ b/test/utils/utils.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: audit (test/utils/audit.exp)"
+./audit.exp
+echo "TESTING: version (test/utils/version.exp)"
+./version.exp
+echo "TESTING: help (test/utils/help.exp)"
+./help.exp
+which man
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: man (test/utils/man.exp)"
+        ./man.exp
+else
+        echo "TESTING SKIP: man not found"
+fi
+echo "TESTING: list (test/utils/list.exp)"
+./list.exp
+echo "TESTING: tree (test/utils/tree.exp)"
+./tree.exp
+if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ];
+then
+        echo "TESTING: cpu.print (test/utils/cpu-print.exp)"
+        ./cpu-print.exp
+else
+        echo "TESTING SKIP: cpu.print, not enough CPUs"
+fi
+echo "TESTING: fs.print (test/utils/fs-print.exp)"
+./fs-print.exp
+echo "TESTING: dns.print (test/utils/dns-print.exp)"
+./dns-print.exp
+echo "TESTING: caps.print (test/utils/caps-print.exp)"
+./caps-print.exp
+echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)"
+./seccomp-print.exp
+echo "TESTING: protocol.print (test/utils/protocol-print.exp)"
+./protocol-print.exp
+echo "TESTING: shutdown (test/utils/shutdown.exp)"
+./shutdown.exp
+echo "TESTING: shutdown2 (test/utils/shutdown2.exp)"
+./shutdown2.exp
+echo "TESTING: shutdown3 (test/utils/shutdown3.exp)"
+./shutdown3.exp
+echo "TESTING: shutdown4 (test/utils/shutdown4.exp)"
+./shutdown4.exp
+echo "TESTING: join (test/utils/join.exp)"
+./join.exp
+echo "TESTING: join2 (test/utils/join2.exp)"
+./join2.exp
+echo "TESTING: join3 (test/utils/join3.exp)"
+./join3.exp
+echo "TESTING: join3 (test/utils/join4.exp)"
+./join4.exp
+echo "TESTING: join profile (test/utils/join-profile.exp)"
+./join-profile.exp
+echo "TESTING: trace (test/utils/trace.exp)"
+rm -f index.html*
+./trace.exp
+rm -f index.html*
+echo "TESTING: top (test/utils/top.exp)"
+./top.exp
+echo "TESTING: file transfer (test/utils/ls.exp)"
+./ls.exp
+echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
+./firemon-seccomp.exp
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
+./firemon-caps.exp
+echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
+./firemon-cpu.exp
+echo "TESTING: firemon cgroup (test/utils/firemon-cgroup.exp)"
+./firemon-cgroup.exp
+echo "TESTING: firemon version (test/utils/firemon-version.exp)"
+./firemon-version.exp
+echo "TESTING: firemon interface (test/utils/firemon-interface.exp)"
+./firemon-interface.exp
+echo "TESTING: firemon name (test/utils/firemon-name.exp)"
+./firemon-name.exp
diff --git a/test/option_version.exp b/test/utils/version.exp
index 44c0c217f..2ce6f1680 100755
--- a/test/option_version.exp
+++ b/test/utils/version.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/todo b/todo
index da732be9f..86917e6cd 100644
--- a/todo
+++ b/todo
@@ -74,11 +74,230 @@ CapEff:	0000000000000000
 CapBnd: 0000003fffffffff
 CapAmb: 0000000000000000
-11. cleanup thunderbird profile - disable-common was commented out
+11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
-12. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
 Seccomp lists:
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
-13. check for --chroot why .config/pulse dir is not created
+12. check for --chroot why .config/pulse dir is not created
+13. print error line number for profile files in  profile_check_line()
+14. make rpms problems
+$ firejail --version
+firejail version 0.9.40
+User namespace support is disabled.
+$ rpmlint firejail-0.9.40-1.x86_64.rpm 
+firejail.x86_64: E: no-changelogname-tag
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
+firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi
+$ rpmlint firejail-0.9.40-1.src.rpm
+firejail.src: E: no-changelogname-tag
+firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
+1 packages and 0 specfiles checked; 1 errors, 1 warnings.
+15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
+$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
+Reading profile /etc/firejail/default.profile
+Reading profile /etc/firejail/disable-common.inc
+Reading profile /etc/firejail/disable-programs.inc
+Reading profile /etc/firejail/disable-passwdmgr.inc
+** Note: you can use --noprofile to disable default.profile **
+Parent pid 6872, child pid 6873
+Child process initialized
+----- Firejail Audit: the Good, the Bad and the Ugly -----
+GOOD: Process PID 2, running in a PID namespace
+Container/sandbox: firejail
+GOOD: all capabilities are disabled
+Parent is shutting down, bye...
+16. Sound devices:
+/dev/snd
+    /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
+    /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
+    /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
+    /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
+    /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
+    /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
+    /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
+    /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
+    /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44
+17. test 3d acceleration
+$ lspci -nn | grep VGA
+# apt-get install mesa-utils
+$ glxinfo  | grep rendering
+The output should be:
+direct rendering: Yes
+        
+$ glxinfo | grep "renderer string"
+OpenGL renderer string: Gallium 0.4 on AMD KAVERI
+glxgears stuck to 60fps may be due to VSync signal synchronization.
+To disable Vsync
+$ vblank_mode=0 glxgears
+19. testing snaps
+Install firejail from official repository
+sudo apt-get install firejail
+Check firejail version
+firejail --version
+Above command outputs: firejail version 0.9.38
+Search the snap 'ubuntu clock' application
+sudo snap find ubuntu-clock-app
+Install 'ubuntu clock' application using snap
+sudo snap install ubuntu-clock-app
+Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
+cd /snap/bin/
+ls -l
+Note: We see application name is: ubuntu-clock-app.clock
+Run application
+/snap/bin/ubuntu-clock-app.clock
+Note: Application starts-up without a problem and clock is displayed.
+Close application using mouse.
+Now try to firejail the application.
+firejail /snap/bin/ubuntu-clock-app.clock
+-------- Error message --------
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+** Note: you can use --noprofile to disable generic.profile **
+Parent pid 3770, child pid 3771
+Child process initialized
+need to run as root or suid
+parent is shutting down, bye...
+-------- End of Error message --------
+Try running as root as message instructs.
+sudo firejail /snap/bin/ubuntu-clock-app.clock
+extract env for process
+ps e -p <pid> | sed 's/ /\n/g' 
+20. check default disable - from grsecurity
+GRKERNSEC_HIDESYM
+/proc/kallsyms and other files
+GRKERNSEC_PROC_USER
+If you say Y here, non-root users will only be able to view their own
+processes, and restricts them from viewing network-related information,
+and viewing kernel symbol and module information.
+GRKERNSEC_PROC_ADD
+If you say Y here, additional restrictions will be placed on
+/proc that keep normal users from viewing device information and 
+slabinfo information that could be useful for exploits.
+21. Core Infrastructure Initiative (CII) Best Practices
+Proposal
+Someone closely involved with the project could go thought the criteria and keep them up-to-date.
+References
+    https://bestpractices.coreinfrastructure.org
+    https://twit.tv/shows/floss-weekly/episodes/389
+22. add support for read-write and noexec to Firetools
+23. AppArmor
+$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
+$ sudo apt-get install libapparmor-dev
+$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+$ sudo update-grub
+$ sudo reboot
+If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
+$ sudo aa-notify -p -f /var/log/audit/audit.log
+$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail
+firejail-default (enforce)
+24. check monitor proc behaviour for sandboxes with --blacklist=/proc
+also check --apparmor in this case
+25. fix firemon and firetools on systems with hidepid=2
+sudo mount -o remount,rw,hidepid=2 /proc
+26. mupdf profile
+27. LUKS 
+dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in 
+Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, 
+removable media, partitions, software RAID volumes, logical volumes, and files.
+28. Merge --dbus=none from https://github.com/Sidnioulz/firejail
+  // block dbus session bus the hard way if necessary
+  if (cfg.dbus == 0) {
+    char *dbus_path;
+                if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
+                        errExit("asprintf");
+    fs_blacklist_file(dbus_path);
+    free(dbus_path);
+}
+29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
+30.
+$ sudo firejail --fs.print=test
+[sudo] password for netblue: 
+tmpfs /run/firejail/mnt                 << ????????????????
+sandbox name: test
+sandbox pid: 5790
+sandbox filesystem: local
+install mount namespace
+read-only /etc
+read-only /var
+read-only /bin
+31. --private and --allusers are coliding
+32. machine-id defined in rfc4122
author	curiosity-seeker <seeker@posteo.org>	2016-12-15 12:58:32 +0100
committer	GitHub <noreply@github.com>	2016-12-15 12:58:32 +0100
commit	d8ee390a6ca56fde4baad57dea7572c39d595809 (patch)
tree	255252b15232086e6f65203cda676859ab4117a0
parent	Update quiterss.profile (diff)
parent	added a 1 second delay after xpra server is started (diff)
download	firejail-d8ee390a6ca56fde4baad57dea7572c39d595809.tar.gz firejail-d8ee390a6ca56fde4baad57dea7572c39d595809.tar.zst firejail-d8ee390a6ca56fde4baad57dea7572c39d595809.zip