Merge remote-tracking branch 'upstream/master'

102 files changed, 540 insertions, 149 deletions

diff --git a/README b/README
index 28b126e6b..2c3fbf67b 100644
--- a/README
+++ b/README
@@ -116,6 +116,7 @@ curiosity-seeker (https://github.com/curiosity-seeker)
         - added guayadeque profile
         - added VirtualBox.profile
         - various other profile fixes
+        - added digiKam profile
 Daan Bakker (https://github.com/dbakker)
         - protect shell startup files
 Dara Adib (https://github.com/daradib)
@@ -186,6 +187,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added mousepad, qpicview, and cvlc profiles
         - added BibleTime profile
         - added caja and galculator profiles
+        - added Catfish profile
 G4JC (http://sourceforge.net/u/gaming4jc/profile/)
         - ARM support
         - profile fixes
@@ -399,9 +401,11 @@ startx2017 (https://github.com/startx2017)
         - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
         - firejail.config cleanup
         - --quiet fixes
-        - 0.9.38-LTS branch maintainer
+        - bugfixes branches maintainer
         - firemon --top speed-up
         - Blender and 2048-qt profiles
+        - handbrake profile
+        - mplayer and smplayer profiles
 thewisenerd (https://github.com/thewisenerd)
         - allow multiple private-home commands
         - use $SHELL variable if the shell is not specified
diff --git a/README.md b/README.md
index 54d1cd475..aef7e96fa 100644
--- a/README.md
+++ b/README.md
@@ -62,18 +62,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 `````
 
 `````
-# Current development version: 0.9.47
+# Current development version: 0.9.49
 
-## Profile changes
+## New profiles:
 
-All profiles include /etc/firejail/globals.local for persistent customizations across all applications. For example, you
-can set here a global DNS "dns 8.8.8.8". The file is not overwritten during software install.
+curl, mplayer2, SMPlayer, Calibre, ebook-viewer
 
-**The following BitTorrent clients have been whitelisted: Transmission, Deluge, qBitTorrent, KTorrent. Configuration files and
-~/Downloads directory are real, everything else is placed on a temporary filesystem and discarded when the
-sandboxed is closed. Please configure your client to put downloaded files in ~/Download directory. 
-The plan is to have all bittorrent clients whitelisted in the next release.**
-
-## New profiles
-
-vym, darktable
diff --git a/RELNOTES b/RELNOTES
index 763282fb8..b7a0c49e7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,8 +1,22 @@
-firejail (0.9.47) baseline; urgency=low
-  * work in progress
-  * added /etc/firejail/globals.local for global customizations
+firejail (0.9.49) baseline; urgency=low
+  * work in progress!
+  * new profiles: curl
   * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Tue, 23 May 2017 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
+
+firejail (0.9.48) baseline; urgency=low
+  * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
+    please use ~/Downloads directory for saving files
+  * modifs: AppArmor made optional; a warning is printed on the screen
+    if the sandbox fails to load the AppArmor profile
+  * feature: --novideo
+  * feature: drop discretionary access control capabilities for
+    root sandboxes
+  * feature: added /etc/firejail/globals.local for global customizations
+  * feature: profile support in overlayfs mode
+  * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 08:00:00 -0500
 
 firejail (0.9.46) baseline; urgency=low
   * security: split most of networking code in a separate executable
diff --git a/configure b/configure
index 2de213647..f8a606f88 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.47.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.49.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.47'
-PACKAGE_STRING='firejail 0.9.47'
+PACKAGE_VERSION='0.9.49'
+PACKAGE_STRING='firejail 0.9.49'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1265,7 +1265,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.47 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.49 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1326,7 +1326,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.47:";;
+     short | recursive ) echo "Configuration of firejail 0.9.49:";;
    esac
   cat <<\_ACEOF
 
@@ -1434,7 +1434,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.47
+firejail configure 0.9.49
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1736,7 +1736,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.47, which was
+It was created by firejail $as_me 0.9.49, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4355,7 +4355,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.47, which was
+This file was extended by firejail $as_me 0.9.49, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4409,7 +4409,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.47
+firejail config.status 0.9.49
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index dc59e5b15..7f9b12d97 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.47, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.49, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 596cb845a..e946c1418 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -29,6 +29,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/7z.profile b/etc/7z.profile
index f36735303..c7c857dc8 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/7z.local
 
 # 7zip crompression tool profile
-quiet
 ignore noroot
 
 include /etc/firejail/default.profile
@@ -15,6 +15,8 @@ blacklist /tmp/.X11-unix
 
 tracelog
 net none
+nosound
+novideo
 shell none
 private-dev
 nosound
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
index 5a42e28e8..367aa5672 100644
--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/atom.profile b/etc/atom.profile
index fc9e49eab..726682617 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/atool.profile b/etc/atool.profile
index 3f4b60312..a66b4b1c5 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -16,6 +16,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
diff --git a/etc/atril.profile b/etc/atril.profile
index a9199f512..0abad494a 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 67b625f2b..5b38d84e8 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -21,6 +21,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/aweather.profile b/etc/aweather.profile
index 73bf1cc5a..9d8e336cd 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 9caef7508..2fe6d1927 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 9b205456a..2162151a1 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -29,6 +29,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 40c7a5c83..345dd119a 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/bless.profile b/etc/bless.profile
index 436c06a15..c9ccfc02e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/brasero.profile b/etc/brasero.profile
index ac9ea8a7c..d013e0b8e 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -20,9 +20,9 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
diff --git a/etc/calibre.profile b/etc/calibre.profile
new file mode 100644
index 000000000..b75e0c276
--- /dev/null
+++ b/etc/calibre.profile
@@ -0,0 +1,35 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/calibre.local
+
+noblacklist ~/.config/calibre
+noblacklist ~/.cache/calibre
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/catfish.profile b/etc/catfish.profile
new file mode 100644
index 000000000..0deaca1b5
--- /dev/null
+++ b/etc/catfish.profile
@@ -0,0 +1,32 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/catfish.local
+
+# Firejail profile for catfish
+noblacklist ~/.config/catfish
+
+# We can't blacklist much since catfish
+# is for finding files/content
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# These options work but are disabled in case
+# a users wants to search in these directories.
+#private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
+#private-dev
+#private-tmp
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 258be50d6..0ac71ca3c 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 seccomp
 protocol unix,inet,inet6,netlink
 tracelog
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7e73634ec..2728bf74a 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -34,7 +34,7 @@ nogroups
 shell none
 
 private-dev
-private-tmp
+#private-tmp - problems with multiple browser sessions
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 0f585e43e..ccacc632d 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 # Clementine makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/clipit.profile b/etc/clipit.profile
index cd744a022..b671b253b 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -15,6 +15,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f38e0a6ce..fe1dc0408 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -8,7 +9,6 @@ include /etc/firejail/cpio.local
 # cpio profile
 # /sbin and /usr/sbin are visible inside the sandbox
 # /boot is not visible and /var is heavily modified
-quiet
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
diff --git a/etc/curl.profile b/etc/curl.profile
new file mode 100644
index 000000000..58b5f050a
--- /dev/null
+++ b/etc/curl.profile
@@ -0,0 +1,35 @@
+quiet
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/curl.local
+
+# curl profile
+noblacklist ~/.curlrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+blacklist /tmp/.X11-unix
+
+# private-bin curl
+private-dev
+# private-etc resolv.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 8d50dedda..486df1d99 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -20,6 +20,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/deluge.profile b/etc/deluge.profile
index db2d339c7..4e7d90e53 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -24,6 +24,7 @@ netfilter
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/dia.profile b/etc/dia.profile
index fc564b96d..4e009afd7 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -14,6 +14,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/digikam.profile b/etc/digikam.profile
new file mode 100644
index 000000000..fd19953a0
--- /dev/null
+++ b/etc/digikam.profile
@@ -0,0 +1,33 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/digikam.local
+
+noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.config/digikamrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+
+# This is a seccomp whitelist profile for  Debian jessie, Kubuntu 17.04.
+# Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled.
+#seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
+seccomp
+
+nogroups
+shell none
+# private-bin program
+# private-etc none
+# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+private-tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index a979cad7c..6d63e894e 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index af0bbfce6..7a3ca37ed 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -62,6 +62,8 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/caja
+blacklist ${HOME}/.config/calibre
+blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
@@ -71,6 +73,7 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
 blacklist ${HOME}/.config/enchant
@@ -85,11 +88,12 @@ blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/gedit
+blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}./config/gpicview
+blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
@@ -103,6 +107,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
+blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/lximage-qt
@@ -136,6 +141,7 @@ blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/synfig
@@ -166,6 +172,7 @@ blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dosbox
@@ -200,6 +207,7 @@ blacklist ${HOME}/.kde4/share/apps/okular
 blacklist ${HOME}/.kde4/share/config/baloofilerc
 blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/gwenviewrc
+blacklist ${HOME}/.kde4/share/config/digikam
 blacklist ${HOME}/.kde4/share/config/k3brc
 blacklist ${HOME}/.kde4/share/config/kcookiejarrc
 blacklist ${HOME}/.kde4/share/config/khtmlrc
@@ -217,6 +225,7 @@ blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
 blacklist ${HOME}/.kde/share/config/baloorc
+blacklist ${HOME}/.kde/share/config/digikam
 blacklist ${HOME}/.kde/share/config/gwenviewrc
 blacklist ${HOME}/.kde/share/config/k3brc
 blacklist ${HOME}/.kde/share/config/kcookiejarrc
@@ -253,7 +262,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/data/Mumble
-blacklist ${HOME}./local/share/dino
+blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
@@ -265,6 +274,7 @@ blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/multimc5
@@ -298,6 +308,7 @@ blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.mozilla
 blacklist ${HOME}/.mpdconf
+blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
@@ -332,6 +343,7 @@ blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
 blacklist ${HOME}/.weechat
+blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.xiphos
@@ -350,6 +362,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/qupzilla
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 661f663c3..d099f1d9d 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -18,6 +18,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 shell none
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index e0097a8ea..19076704b 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
new file mode 100644
index 000000000..ba28e3550
--- /dev/null
+++ b/etc/ebook-viewer.profile
@@ -0,0 +1,10 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ebook-viewer.local
+
+# Firejail profile for ebook-viewer (Calibre)
+include /etc/firejail/calibre.profile
+net none
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 76a7e6b94..597e43fb8 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -14,11 +14,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-no3d
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index f409a8dd4..081a5f6b0 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -16,6 +16,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
diff --git a/etc/eog.profile b/etc/eog.profile
index 447a41a86..1b9926ec9 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/eom.profile b/etc/eom.profile
index d2622ebcf..b5eedd989 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/evince.profile b/etc/evince.profile
index 51ed3fbf3..6719244da 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/file.profile b/etc/file.profile
index a757dce5a..915bf1088 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/file.local
 
 # file profile
-quiet
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 9d047db97..70b41a240 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -13,7 +13,10 @@ noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde4/share/apps/okular
 noblacklist ~/.kde/share/apps/okular
 noblacklist ~/.local/share/okular
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
 noblacklist ~/.pki
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -48,6 +51,8 @@ whitelist ~/.pki
 whitelist ~/.lastpass
 whitelist ~/.config/qpdfview
 whitelist ~/.local/share/qpdfview
+whitelist ~/.config/okularrc
+whitelist ~/.config/okularpartrc
 whitelist ~/.kde4/share/apps/okular
 whitelist ~/.kde/share/apps/okular
 whitelist ~/.local/share/okular
diff --git a/etc/ghb.profile b/etc/ghb.profile
new file mode 100644
index 000000000..2068c3136
--- /dev/null
+++ b/etc/ghb.profile
@@ -0,0 +1,9 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ghb.local
+
+# HandBrake
+include /etc/firejail/handbrake.profile
diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile
index 1902fac72..ce6cee7a5 100644
--- a/etc/gimp-2.8.profile
+++ b/etc/gimp-2.8.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gimp-2.8.local
+
 include /etc/firejail/gimp.profile
diff --git a/etc/git.profile b/etc/git.profile
index a8e7bf882..5fa3ef95e 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/git.local
 
 # git profile
-quiet
 noblacklist ~/.gitconfig
 noblacklist ~/.ssh
 noblacklist ~/.gnupg
diff --git a/etc/gtar.profile b/etc/gtar.profile
index cd15b7156..9a4325082 100644
--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/gtar.local
 
 # gtar profile
-quiet
 include /etc/firejail/tar.profile
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 2ba4e0b58..5a2a5d26e 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/gzip.local
 
 # gzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile
new file mode 100644
index 000000000..a162352de
--- /dev/null
+++ b/etc/handbrake-gtk.profile
@@ -0,0 +1,9 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/handbrake-gtk.local
+
+# HandBrake
+include /etc/firejail/handbrake.profile
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
new file mode 100644
index 000000000..0f3f32250
--- /dev/null
+++ b/etc/handbrake.profile
@@ -0,0 +1,30 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/handbrake.local
+
+noblacklist ~/.config/ghb
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+# netlink required!
+protocol unix,inet,inet6,netlink
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+nogroups
+shell none
+# private-bin program
+# private-etc none
+#private-dev
+private-tmp
+nosound
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 9aeed0057..34e260f8f 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+machine-id
 net none
 no3d
 nogroups
@@ -28,8 +29,8 @@ seccomp
 shell none
 tracelog
 
-private-bin keepassx
-private-etc fonts
+private-bin keepassx,keepassx2
+private-etc fonts,machine-id
 private-dev
 private-tmp
 
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 5b7e5e667..59c2827cd 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -8,6 +8,8 @@ include /etc/firejail/ktorrent.local
 ################################
 # Generic GUI application profile
 ################################
+noblacklist ~/.config/ktorrentrc
+noblacklist ~/.local/share/ktorrent
 noblacklist ~/.kde/share/config/ktorrentrc
 noblacklist ~/.kde4/share/config/ktorrentrc
 noblacklist ~/.kde/share/apps/ktorrent
@@ -16,7 +18,10 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-
+mkfile ~/.config/ktorrentrc
+whitelist ~/.config/ktorrentrc
+mkdir ~/.local/share/ktorrent
+whitelist ~/.local/share/ktorrent
 mkdir ~/.kde/share/config/ktorrentrc
 whitelist ~/.kde/share/config/ktorrentrc
 mkdir ~/.kde4/share/config/ktorrentrc
diff --git a/etc/less.profile b/etc/less.profile
index 273b47a7a..dd63d3e2e 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/less.local
 
 # less profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile
index 67a9f244e..acc687b81 100644
--- a/etc/mate-calculator.profile
+++ b/etc/mate-calculator.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mate-calculator.local
+
 #include /etc/firejail/mate-calc.profile
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
new file mode 100644
index 000000000..879223e1a
--- /dev/null
+++ b/etc/mplayer.profile
@@ -0,0 +1,31 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mplayer.local
+
+# mplayer profile
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+# nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+private-bin mplayer
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 1fe0a1f63..97bd2b0b1 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -6,7 +6,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/qpdfview.local
 
 # qpdfview profile
-noblacklist ${HOME}./config/qt5ct
+noblacklist ${HOME}/.config/qt5ct
 noblacklist ${HOME}/.config/qpdfview
 noblacklist ${HOME}/.local/share/qpdfview
 
diff --git a/etc/server.profile b/etc/server.profile
index 31a81b88f..2d79fa1c8 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -18,6 +18,7 @@ blacklist /tmp/.X11-unix
 no3d
 nosound
 seccomp
+caps
 
 private
 private-dev
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
new file mode 100644
index 000000000..6a5c115b7
--- /dev/null
+++ b/etc/smplayer.profile
@@ -0,0 +1,32 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/smplayer.local
+
+# smplayer profile
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+# nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+private-bin smplayer,mplayer
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index bbb0baade..ab47067f1 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/ssh-agent.local
 
 # ssh-agent
-quiet
 noblacklist ~/.ssh
 noblacklist /tmp/ssh-*
 noblacklist /etc/ssh
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7ea78535d..e592841a1 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/ssh.local
 
 # ssh client
-quiet
 noblacklist ~/.ssh
 noblacklist /tmp/ssh-*
 noblacklist /etc/ssh
diff --git a/etc/strings.profile b/etc/strings.profile
index b12c42f0d..a9301c652 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/strings.local
 
 # strings profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/tar.profile b/etc/tar.profile
index 0661286b4..577e795f8 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/tar.local
 
 # tar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/thunar.profile b/etc/thunar.profile
index cd84acf39..d8389ebc8 100644
--- a/etc/thunar.profile
+++ b/etc/thunar.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/thunar.local
+
 include /etc/firejail/Thunar.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 8a5bf1f7b..c693a53b3 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -25,6 +25,11 @@ noblacklist ~/.cache/thunderbird
 mkdir ~/.cache/thunderbird
 whitelist ~/.cache/thunderbird
 
+whitelist ~/.config/mimeapps.list
+read-only ~/.config/mimeapps.list
+whitelist ~/.local/share/applications
+read-only ~/.local/share/applications
+
 # allow browsers
 ignore private-tmp
 include /etc/firejail/firefox.profile
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 1375c9b48..62d6665ec 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/unrar.local
 
 # unrar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 581d65167..130e57ae9 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/unzip.local
 
 # unzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 blacklist /tmp/.X11-unix
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index c795619a0..46f28179b 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/uudeview.local
 
 # uudeview profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile
index 51954c643..f2c2f4cc0 100644
--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -6,4 +6,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/vivaldi-beta.local
 
 # Vivaldi Beta browser profile
-include /etc/firejail/vivaldi-stable.profile
+include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile
index a57b2dd78..9b2ccd4f3 100644
--- a/etc/vivaldi-stable.profile
+++ b/etc/vivaldi-stable.profile
@@ -4,19 +4,5 @@ include /etc/firejail/globals.local
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/vivaldi.local
-noblacklist ~/.cache/vivaldi
 
-# Vivaldi browser profile
-noblacklist ~/.config/vivaldi
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-
-netfilter
-
-whitelist ${DOWNLOADS}
-mkdir ~/.config/vivaldi
-whitelist ~/.config/vivaldi
-mkdir ~/.cache/vivaldi
-whitelist ~/.cache/vivaldi
-include /etc/firejail/whitelist-common.inc
+include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index c01c6d608..25d78439d 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -6,4 +6,19 @@ include /etc/firejail/globals.local
 include /etc/firejail/vivaldi.local
 
 # Vivaldi browser profile
-include /etc/firejail/vivaldi-stable.profile
+noblacklist ~/.cache/vivaldi
+
+# Vivaldi browser profile
+noblacklist ~/.config/vivaldi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/vivaldi
+whitelist ~/.config/vivaldi
+mkdir ~/.cache/vivaldi
+whitelist ~/.cache/vivaldi
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index efd6d04a6..b36e844ff 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -24,7 +24,7 @@ seccomp
 shell none
 
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-# private-dev
+private-dev
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/wget.profile b/etc/wget.profile
index 562c7bbf1..801e034ea 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/wget.local
 
 # wget profile
-quiet
+noblacklist ~/.wgetrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/xz.profile b/etc/xz.profile
index f01906610..a3c1ab3ca 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/xz.local
 
 # xz profile
-quiet
 include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 21cb15556..2a84bf0ee 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/xzdec.local
 
 # xzdec profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 8d925a354..e1ed3ccab 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -24,7 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-quiet
 
 private-dev
 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 9c99a918a..f35168735 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -32,6 +32,7 @@
 /etc/firejail/brasero.profile
 /etc/firejail/brave.profile
 /etc/firejail/caja.profile
+/etc/firejail/catfish.profile
 /etc/firejail/cherrytree.profile
 /etc/firejail/chromium-browser.profile
 /etc/firejail/chromium.profile
@@ -49,6 +50,7 @@
 /etc/firejail/default.profile
 /etc/firejail/deluge.profile
 /etc/firejail/dia.profile
+/etc/firejail/digikam.profile
 /etc/firejail/dillo.profile
 /etc/firejail/dino.profile
 /etc/firejail/disable-common.inc
@@ -303,3 +305,12 @@
 /etc/firejail/zoom.profile
 /etc/firejail/vym.profile
 /etc/firejail/darktable.profile
+/etc/firejail/waterfox.profile
+/etc/firejail/handbrake.profile
+/etc/firejail/curl.profile
+/etc/firejail/mplayer.profile
+/etc/firejail/smplayer.profile
+/etc/firejail/ebook-viewer.profile
+/etc/firejail/calibre.profile
+/etc/firejail/handbrake-gtk.profile
+/etc/firejail/ghb.profile
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
index 108759049..ef1a51c93 100755
--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-VERSION="0.9.46"
+VERSION="0.9.48"
 rm -fr ~/rpmbuild
 rm -f firejail-$VERSION-1.x86_64.rpm
 
@@ -409,6 +409,13 @@ rm -rf %{buildroot}
 %{_sysconfdir}/%{name}/xfce4-dict.profile
 %{_sysconfdir}/%{name}/xfce4-notes.profile
 %{_sysconfdir}/%{name}/youtube-dl.profile
+%{_sysconfdir}/%{name}/catfish.profile
+%{_sysconfdir}/%{name}/darktable.profile
+%{_sysconfdir}/%{name}/digikam.profile
+%{_sysconfdir}/%{name}/handbrake.profile
+%{_sysconfdir}/%{name}/vym.profile
+%{_sysconfdir}/%{name}/waterfox.profile
+
 
 
 /usr/bin/firejail
@@ -451,6 +458,8 @@ rm -rf %{buildroot}
 chmod u+s /usr/bin/firejail
 
 %changelog
+* Mon Jun 12 2017  netblue30 <netblue30@yahoo.com> 0.9.48-1
+
 * Mon May 15 2017  netblue30 <netblue30@yahoo.com> 0.9.46-1
 
 * Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 8ab0de5a6..57c709767 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv) {
                 int i;
 
                 for (i = 1; i < argc; i++) {
-                        if (strcmp(argv[i], "syscall")) {
+                        if (strcmp(argv[i], "syscall") == 0) {
                                 syscall_helper(argc, argv);
                                 return 0;
                         }
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 2925a6c30..9661f81e6 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -34,6 +34,9 @@ extern int pivot_root(const char *new_root, const char *put_old);
 void syscall_helper(int argc, char **argv) {
         (void) argc;
 
+        if (argc < 3)
+                return;
+
         if (strcmp(argv[2], "mount") == 0) {
                 int rv = mount(NULL, NULL, NULL, 0, NULL);
                 (void) rv;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e58c8ee52..c68db372b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,5 +1,5 @@
 # /usr/lib/firejail/firecfg.config - firecfg utility configuration file
-# This is the list of programs in alfabetical order handled by firecfg utility
+# This is the list of programs in alphabetical order handled by firecfg utility
 #
 0ad
 2048-qt
@@ -23,6 +23,8 @@ bless
 blender
 brasero
 brave
+calibre
+catfish
 cherrytree
 chromium
 chromium-browser
@@ -39,6 +41,7 @@ darktable
 deadbeef
 deluge
 dia
+digikam
 dillo
 dino
 display
@@ -48,6 +51,7 @@ dolphin
 dosbox
 dragon
 dropbox
+ebook-viewer
 elinks
 empathy
 eog
@@ -70,6 +74,7 @@ galculator
 geany
 gedit
 geeqie
+ghb
 gimp
 gitter
 gjs
@@ -97,6 +102,8 @@ gpredict
 gthumb
 gucharmap
 gwenview
+handbrake
+handbrake-gtk
 hedgewars
 hexchat
 highlight
@@ -150,6 +157,7 @@ mediathekview
 meld
 midori
 mousepad
+mplayer
 mpv
 multimc5
 mumble
@@ -196,6 +204,7 @@ skanlite
 skype
 skypeforlinux
 slack
+smplayer
 soffice
 spectacle
 spotify
@@ -224,6 +233,7 @@ vlc
 vym
 w3m
 warzone2100
+waterfox
 weechat
 weechat-curses
 wesnot
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 976750f8f..0f7ab40ff 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -31,17 +31,19 @@
 static char *devloop = NULL;    // device file
 static char *mntdir = NULL;     // mount point in /tmp directory
 
+#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
         fprintf(stderr, "Error: cannot configure loopback device\n");
         exit(1);
 }
+#endif
 
 void appimage_set(const char *appimage) {
         assert(appimage);
         assert(devloop == NULL);        // don't call this twice!
         EUID_ASSERT();
 
-#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
+#ifdef LOOP_CTL_GET_FREE
         // check appimage file
         invalid_filename(appimage);
         if (access(appimage, R_OK) == -1) {
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index d45ba20ce..ff4d3a9d7 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,19 @@ void caps_print(void) {
         }
 }
 
+// drop discretionary access control capabilities for root sandboxes
+void caps_drop_dac_override(void) {
+        if (getuid() == 0) {
+                if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+                else if (arg_debug)
+                        printf("Drop CAP_DAC_OVERRIDE\n");
+
+                if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+                else if (arg_debug)
+                        printf("Drop CAP_DAC_READ_SEARCH\n");
+        }
+}
 
-
-
-// enabled by default
 int caps_default_filter(void) {
         // drop capabilities
         if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 91b9c7be7..8bf2a75c3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -500,6 +500,7 @@ void fs_dev_shm(void);
 void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
+void fs_dev_disable_video(void);
 
 // fs_home.c
 // private mode (--private)
@@ -533,6 +534,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);
@@ -718,6 +720,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
+#define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 159c8e654..fdaa0b355 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -35,37 +35,37 @@ typedef struct {
         const char *dev_fname;
         const char *run_fname;
         int sound;
-        int video;
         int hw3d;
+        int video;
 } DevEntry;
 
 static DevEntry dev[] = {
-        {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device
-        {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1},         // 3d device
-        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
-        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
-        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
-        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
-        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
-        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
-        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
-        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
-        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
-        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
-        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
-        {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
-        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
-        {"/dev/video0", RUN_DEV_DIR "/video0", 0, 1},
-        {"/dev/video1", RUN_DEV_DIR "/video1", 0, 1},
-        {"/dev/video2", RUN_DEV_DIR "/video2", 0, 1},
-        {"/dev/video3", RUN_DEV_DIR "/video3", 0, 1},
-        {"/dev/video4", RUN_DEV_DIR "/video4", 0, 1},
-        {"/dev/video5", RUN_DEV_DIR "/video5", 0, 1},
-        {"/dev/video6", RUN_DEV_DIR "/video6", 0, 1},
-        {"/dev/video7", RUN_DEV_DIR "/video7", 0, 1},
-        {"/dev/video8", RUN_DEV_DIR "/video8", 0, 1},
-        {"/dev/video9", RUN_DEV_DIR "/video9", 0, 1},
-        {NULL, NULL, 0, 0}
+        {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0},      // sound device
+        {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0},              // 3d device
+        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},
+        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},
+        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},
+        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},
+        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},
+        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},
+        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},
+        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
+        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
+        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
+        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},
+        {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
+        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
+        {"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
+        {"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},
+        {"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},
+        {"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},
+        {"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},
+        {"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},
+        {"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},
+        {"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},
+        {"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},
+        {"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},
+        {NULL, NULL, 0, 0, 0}
 };
 
 static void deventry_mount(void) {
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 9452d162d..11e9eabf5 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -326,7 +326,8 @@ void fs_var_utmp(void) {
         endutent();
 
         // save new utmp file
-        fwrite(&u_boot, sizeof(u_boot), 1, fp);
+        int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
+        (void) rv;
         SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
         fclose(fp);
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index b5b45a3bf..4c0537413 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
+                // drop discretionary access control capabilities for root sandboxes
+                caps_drop_dac_override();
+                
                 // chroot into /proc/PID/root directory
                 char *rootdir;
                 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 95c325f9f..cff61f64a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2272,9 +2272,9 @@ int main(int argc, char **argv) {
                 if (cfg.chrootdir) {
                         fwarning("default profile disabled by --chroot option\n");
                 }
-                else if (arg_overlay) {
-                        fwarning("default profile disabled by --overlay option\n");
-                }
+//              else if (arg_overlay) {
+//                      fwarning("default profile disabled by --overlay option\n");
+//              }
                 else {
                         // try to load a default profile
                         char *profile_name = DEFAULT_USER_PROFILE;
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index b37c5abf7..07c42006d 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -209,6 +209,11 @@ void run_no_sandbox(int argc, char **argv) {
                         break;
                 }
         }
+        // if shell is /usr/bin/firejail, replace it with /bin/bash
+        if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+                cfg.shell = "/bin/bash";
+                prog_index = 0;
+        }
 
         if (prog_index == 0) {
                 cfg.command_line = cfg.shell;
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index a9298a33f..ed885d3b1 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -86,10 +86,6 @@ void run_symlink(int argc, char **argv) {
 
 
         // start the argv[0] program in a new sandbox
-        char *firejail;
-        if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
-                errExit("asprintf");
-
         // drop privileges
         if (setgid(getgid()) < 0)
                 errExit("setgid/getgid");
@@ -98,7 +94,7 @@ void run_symlink(int argc, char **argv) {
 
         // run command
         char *a[3 + argc];
-        a[0] = firejail;
+        a[0] =PATH_FIREJAIL;
         a[1] = program;
         int i;
         for (i = 0; i < (argc - 1); i++) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7f82e2253..4ee05d070 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
                 caps_keep_list(arg_caps_list);
         else if (arg_caps_default_filter)
                 caps_default_filter();
+        
+        // drop discretionary access control capabilities for root sandboxes
+        caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
         // set security filters
         //****************************
         // set capabilities
-//      if (!arg_noroot)
-                set_caps();
+        set_caps();
 
         // set rlimits
         set_rlimits();
@@ -989,10 +991,9 @@ int sandbox(void* sandbox_arg) {
                 if (arg_apparmor) {
                         errno = 0;
                         if (aa_change_onexec("firejail-default")) {
-                                fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
-                                fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
-                                fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
-                                exit(1);
+                                fwarning("Cannot confine the application using AppArmor.\n"
+                                        "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+                                        "As root, run \"aa-enforce firejail-default\" to load it.\n");
                         }
                         else if (arg_debug)
                                 printf("AppArmor enabled\n");
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 72a5874f8..15379215c 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -68,7 +68,7 @@ int seccomp_load(const char *fname) {
                 goto errexit;
         unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
         if (arg_debug)
-                printf("reading %d seccomp entries from %s\n", entries, fname);
+                printf("configuring %d seccomp entries from %s\n", entries, fname);
 
         // read filter
         struct sock_filter *filter = malloc(size);
@@ -205,6 +205,8 @@ int seccomp_filter_keep(void) {
                 printf("seccomp filter configured\n");
 
 
+        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
         return seccomp_load(RUN_SECCOMP_CFG);
 }
 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 76930e1de..6f8298589 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -220,7 +220,7 @@ void usage(void) {
         printf("\tstart Mozilla Firefox\n");
         printf("    $ firejail --debug firefox\n");
         printf("\tdebug Firefox sandbox\n");
-        printf("    $ firejail --private --sna=8.8.8.8 firefox\n");
+        printf("    $ firejail --private --dns=8.8.8.8 firefox\n");
         printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
         printf("\tserver setting.\n");
         printf("    $ firejail --net=eth0 firefox\n");
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 5ce156603..79ebc3b1b 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) {
 
         // build the start command
         char *server_argv[256] = {                // rest initialyzed to NULL
-                 "xpra", "start", display_str, "--no-daemon",
+                 "xpra", "start", display_str, "--no-daemon", "--use-display",
         };
         unsigned pos = 0;
         while (server_argv[pos] != NULL) pos++;
@@ -736,7 +736,7 @@ void x11_start_xpra(int argc, char **argv) {
         }
 
         // add a small delay, on some systems it takes some time for the server to start
-        sleep(1);
+        sleep(5);
 
         // check X11 socket
         char *fname;
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 2628a77c5..6aede324c 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -129,7 +129,8 @@ static void log_write(const unsigned char *str, int len, const char *fname) {
                 out_cnt = len;
         }
 
-        fwrite(str, len, 1, out_fp);
+        int rv = fwrite(str, len, 1, out_fp);
+        (void) rv;
         fflush(0);
 }
 
@@ -230,7 +231,8 @@ int main(int argc, char **argv) {
                 if (n <= 0)
                         break;
 
-                fwrite(buf, n, 1, stdout);
+                int rv = fwrite(buf, n, 1, stdout);
+                (void) rv;
                 log_write(buf, n, fname);
         }
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index cbffa9ce4..e4ef90944 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,6 +407,7 @@ Disable sound system.
 .TP
 \fBnovideo
 Disable video devices.
+.TP
 \fBno3d
 Disable 3D hardware acceleration.
 
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp
index 3ec2bc049..a7eace125 100755
--- a/test/apps-x11/chromium.exp
+++ b/test/apps-x11/chromium.exp
@@ -71,7 +71,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6.2\n";exit}
-        "fffffffff"
+        "00240000"
 }
 expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp
index 041918d7f..6b784e395 100755
--- a/test/apps/chromium.exp
+++ b/test/apps/chromium.exp
@@ -72,7 +72,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6.2\n";exit}
-        "fffffffff"
+        "00240000"
 }
 expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
index 097becacc..97972e5e8 100755
--- a/test/arguments/joinrun.exp
+++ b/test/arguments/joinrun.exp
@@ -35,10 +35,6 @@ expect {
         timeout {puts "TESTING ERROR 3.2.3\n";exit}
         "#arg2 tail#"
 }
-
-# todo: remove exit and fix it
-exit
-
 expect {
         timeout {puts "TESTING ERROR 3.3.1\n";exit}
         "Arguments:"
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
index 3ed166839..b00ea0e80 100755
--- a/test/arguments/joinrun.sh
+++ b/test/arguments/joinrun.sh
@@ -5,18 +5,18 @@ firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2
 
 # simple quotes, testing spaces in file names
 echo "TESTING: 3.2 - args with space and \""
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet faudit "arg1 tail" "arg2 tail"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail"
 
 echo "TESTING: 3.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail'
 
 # escaped space in file names
 echo "TESTING: 3.4 - args with space and \\"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet faudit arg1\ tail arg2\ tail
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail
 
 # & char appears in URLs - URLs should be quoted
 echo "TESTING: 3.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail"
 
 echo "TESTING: 3.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh
index e2b3046d6..5bc3b1e37 100755
--- a/test/arguments/outrun.sh
+++ b/test/arguments/outrun.sh
@@ -8,15 +8,15 @@ echo "TESTING: 4.2 - args with space and \""
 firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail"
 
 echo "TESTING: 4.3 - args with space and '"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out faudit 'arg1 tail' 'arg2 tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail'
 
 # escaped space in file names
 echo "TESTING: 4.4 - args with space and \\"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out faudit arg1\ tail arg2\ tail
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail
 
 # & char appears in URLs - URLs should be quoted
 echo "TESTING: 4.5 - args with & and \""
 firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail"
 
 echo "TESTING: 4.6 - args with & and '"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out faudit 'arg1&tail' 'arg2&tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh
index d28f024a8..db5f06835 100755
--- a/test/arguments/symrun.sh
+++ b/test/arguments/symrun.sh
@@ -1,30 +1,31 @@
 #!/bin/bash
 
 mkdir symtest
-ln -s /usr/bin/firejail symtest/argtest
+ln -s /usr/bin/firejail symtest/faudit
 
-# search for argtest in current directory
+# search for faudit in current directory
 export PATH=$PATH:.
+export FIREJAIL_TEST_ARGUMENTS=yes
 
 echo "TESTING: 2.1 - simple args"
-symtest/argtest arg1 arg2
+symtest/faudit arg1 arg2
 
 # simple quotes, testing spaces in file names
 echo "TESTING: 2.2 - args with space and \""
-symtest/argtest "arg1 tail" "arg2 tail"
+symtest/faudit "arg1 tail" "arg2 tail"
 
 echo "TESTING: 2.3 - args with space and '"
-symtest/argtest 'arg1 tail' 'arg2 tail'
+symtest/faudit 'arg1 tail' 'arg2 tail'
 
 # escaped space in file names
 echo "TESTING: 2.4 - args with space and \\"
-symtest/argtest arg1\ tail arg2\ tail
+symtest/faudit arg1\ tail arg2\ tail
 
 # & char appears in URLs - URLs should be quoted
 echo "TESTING: 2.5 - args with & and \""
-symtest/argtest "arg1&tail" "arg2&tail"
+symtest/faudit "arg1&tail" "arg2&tail"
 
 echo "TESTING: 2.6 - args with & and '"
-symtest/argtest 'arg1&tail' 'arg2&tail'
+symtest/faudit 'arg1&tail' 'arg2&tail'
 
 rm -fr symtest
diff --git a/test/filters/syscall_test b/test/filters/syscall_test
index 12edd2d64..bf29c5b99 100755
--- a/test/filters/syscall_test
+++ b/test/filters/syscall_test
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32
index 29af1e073..8d72f58c4 100755
--- a/test/filters/syscall_test32
+++ b/test/filters/syscall_test32