Merge branch 'master' into whitelist-ro

64 files changed, 1163 insertions, 686 deletions

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..30242923d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index fd1f23954..b598c40e3 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -30,7 +30,7 @@ jobs:
   build-clang:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
     - name: configure
       run: CC=clang-11 ./configure --enable-fatal-warnings
     - name: make
@@ -38,7 +38,7 @@ jobs:
   scan-build:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
     - name: install clang-tools-11
       run: sudo apt-get install clang-tools-11
     - name: configure
@@ -48,7 +48,7 @@ jobs:
   cppcheck:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
     - name: install cppcheck
       run: sudo apt-get install cppcheck
     - name: cppcheck
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 141e43168..f321b5f7f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,7 +22,7 @@ jobs:
   build_and_test:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
     - name: install dependencies
       run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
     - name: configure
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4476963b5..b69bb728e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,11 +43,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 951a8b8cf..57a978d55 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -20,7 +20,7 @@ jobs:
   profile-checks:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
     - name: sort.py
       run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
     - name: private-etc-always-required.sh
diff --git a/.gitignore b/.gitignore
index ace86f218..29e0b63d6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,6 +43,7 @@ src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
 src/jailcheck/jailcheck
+src/fnettrace/fnettrace
 uids.h
 seccomp
 seccomp.debug
diff --git a/Makefile.in b/Makefile.in
index abc86c2c3..4422cf8a9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -28,11 +28,12 @@ all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
-SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
@@ -83,6 +84,7 @@ clean:
         rm -f $(SECCOMP_FILTERS)
         rm -f test/utils/index.html*
         rm -f test/utils/wget-log
+        rm -f test/utils/firejail-test-file*
         rm -f test/utils/lstesting
         rm -f test/environment/index.html*
         rm -f test/environment/wget-log*
@@ -138,8 +140,6 @@ endif
         install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
         install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-        # program used track profile statistics during development - no manpage, this is not a user program
-        install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats
 ifeq ($(BUSYBOX_WORKAROUND),yes)
         ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
 endif
diff --git a/README b/README
index 805210ad9..97d47a857 100644
--- a/README
+++ b/README
@@ -256,6 +256,7 @@ crass (https://github.com/crass)
 croket (https://github.com/crocket)
         - fix librewolf profile
         - added profiles for imv, retroarch, and torbrowser
+        - fix dino profile
 curiosity-seeker (https://github.com/curiosity-seeker - old)
 curiosityseeker (https://github.com/curiosityseeker - new)
         - tightening unbound and dnscrypt-proxy profiles
@@ -343,6 +344,7 @@ Felipe Barriga Richards (https://github.com/fbarriga)
         - --private-etc fix
 fenuks (https://github.com/fenuks)
         - fix sound in games using FMOD
+        - allow /opt/tor-browser for Tor Browser profile
 Florian Begusch (https://github.com/florianbegusch)
         - (la)tex profiles
         - fixed transmission-common.profile
@@ -471,6 +473,7 @@ hlein (https://github.com/hlein)
         - strip out \r's from jail prober
         - make env/arg sanity check failure messages more useful
         - relocate firecfg.config to /etc/firejail/
+        - fix display profile for Gentoo distribution
 Holger Heinz (https://github.com/hheinz)
         - manpage work
 Haowei Yu (https://github.com/sfc-gh-hyu)
@@ -559,6 +562,8 @@ Jose Riha (https://github.com/jose1711)
         - improve hints for allowing browser access to Gnome extensions connector
         - fix warshow, jumpnbump, tremulous, blobwars profile fixes
         - drop noinput for games with gampad/joystick support
+        - goldendict profile fix
+        - whitelist /usr/share/nextcloud to allow access to translation files
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
@@ -879,6 +884,8 @@ Sebastian Hafner (https://github.com/DropNib)
 Senemu (https://github.com/Senemu)
         - protection for .pythonrc.py
         - fixed evince
+Seonwoo Lee (https://github.com/seonwoolee)
+        - fix teams ignoring input sources e.g. microphones
 Sergey Alirzaev (https://github.com/l29ah)
         - firejail.h enum fix
         - firefox-common-addons.inc: + tridactyl
@@ -1098,8 +1105,14 @@ Vladislav Nepogodin (https://github.com/vnepogodin)
         - added Sway profile
         - fix CLion profile
         - fixes for disable-programs.inc
+        - CachyBrowser profile
+Hugo Osvaldo Barrera (https://github.com/WhyNotHugo)
+        - Skype profile tweaks
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
+York Zhao (https://github.com/YorkZ)
+        - tor browser profile fix
+        - allow telegram to open hyperlinks
 Ypnose (https://github.com/Ypnose)
         - disable-shell.inc: add mksh shell
 yumkam (https://github.com/yumkam)
diff --git a/README.md b/README.md
index 33b23f418..e52a02d34 100644
--- a/README.md
+++ b/README.md
@@ -94,9 +94,49 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca
 
 ## Installing
 
-Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+### Debian
 
-The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
+Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
+
+### Ubuntu
+
+For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
+
+How to add and install from the PPA:
+
+```sh
+sudo add-apt-repository ppa:deki/firejail
+sudo apt-get update
+sudo apt-get install firejail firejail-profiles
+```
+
+Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:
+
+* [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767)
+
+See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>:
+
+> What software is supported by the Ubuntu Security team?
+>
+> Ubuntu is currently divided into four components: main, restricted, universe
+> and multiverse. All binary packages in main and restricted are supported by
+> the Ubuntu Security team for the life of an Ubuntu release, while binary
+> packages in universe and multiverse are supported by the Ubuntu community.
+
+Additionally, the PPA version is likely to be more recent and to contain more profile fixes.
+
+See the following discussions for details:
+
+* [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666)
+* [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663)
+
+### Other
+
+Try installing Firejail from your distribution.
+
+Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+
+Note: The firejail 0.9.52-LTS version is deprecated.
 
 You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
 
@@ -256,40 +296,61 @@ INTRUSION DETECTION SYSTEM (IDS)
               as it contains running processes.
 `````
 
+### Network Monitor
+`````
+       --nettrace=name|pid
+              Monitor TCP and UDP traffic coming into the sandbox specified by
+              name or pid. Only networked sandboxes  created  with  --net  are
+              supported.
+
+              $ firejail --nettrace=browser
+              9.9.9.9:53              =>      192.168.1.60    UDP: 122 B/sec
+              72.21.91.29:80          =>      192.168.1.60    TCP: 257 B/sec
+              80.92.126.65:123        =>      192.168.1.60    UDP: 25 B/sec
+              69.30.241.50:443        =>      192.168.1.60    TCP: 88 KB/sec
+              140.82.112.4:443        =>      192.168.1.60    TCP: 1861 B/sec
+
+              (14 streams in the last one minute)
+
+`````
+
 ### Profile Statistics
 
-A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
+Run it over the profiles in /etc/profiles:
 ```
-$ sudo cp src/profstats/profstats /etc/firejail/.
-$ cd /etc/firejail
-$ ./profstats *.profile
-    profiles                    1167
-    include local profile       1167   (include profile-name.local)
-    include globals             1136   (include globals.local)
-    blacklist ~/.ssh            1042   (include disable-common.inc)
-    seccomp                     1062
-    capabilities                1163
-    noexec                      1049   (include disable-exec.inc)
-    noroot                      971
-    memory-deny-write-execute   256
-    apparmor                    693
-    private-bin                 677
-    private-dev                 1027
-    private-etc                 532
-    private-tmp                 897
-    whitelist home directory    557
-    whitelist var               836   (include whitelist-var-common.inc)
-    whitelist run/user          1137   (include whitelist-runuser-common.inc
+$ /usr/lib/firejail/profstats /etc/firejail/*.profile
+No include .local found in /etc/firejail/noprofile.profile
+Warning: multiple caps in /etc/firejail/transmission-daemon.profile
+
+Stats:
+    profiles                    1176
+    include local profile       1175   (include profile-name.local)
+    include globals             1144   (include globals.local)
+    blacklist ~/.ssh            1050   (include disable-common.inc)
+    seccomp                     1070
+    capabilities                1171
+    noexec                      1057   (include disable-exec.inc)
+    noroot                      979
+    memory-deny-write-execute   258
+    apparmor                    700
+    private-bin                 681
+    private-dev                 1033
+    private-etc                 533
+    private-tmp                 905
+    whitelist home directory    562
+    whitelist var               842   (include whitelist-var-common.inc)
+    whitelist run/user          1145   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         609   (include whitelist-usr-share-common.inc
-    net none                    396
-    dbus-user none              656
-    dbus-user filter            108
-    dbus-system none            808
+    whitelist usr/share         614   (include whitelist-usr-share-common.inc
+    net none                    399
+    dbus-user none              662
+    dbus-user filter            113
+    dbus-system none            816
     dbus-system filter          10
 ```
 
 ### New profiles:
 
 clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
-cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser
+cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser
diff --git a/RELNOTES b/RELNOTES
index 5d276e376..d0211ce27 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,21 +1,23 @@
 firejail (0.9.67) baseline; urgency=low
   * work in progress
-  * exit code: distinguish fatal signals by adding 128
+  * exit code: distinguish fatal signals by adding 128 (#4533)
   * intrusion detection system (--ids-init, --ids-check)
   * deterministic shutdown (--deterministic-exit-code,
-     --deterministic-shutdown)
+     --deterministic-shutdown) (#4635)
+  * noprinters command (#4607)
+  * network monitor (--nettrace)
   * build: firecfg.config is now installed to /etc/firejail/ (#4669)
-  * deprecated --disable-whitelist at compile time
-  * deprecated whitelist=yes/no in /etc/firejail/firejail.config
-  * new condition: ALLOW_TRAY
-  * remove (some) environment variables with auth-tokens
-  * new includes: whitelist-run-common.inc, disable-X11.inc
-  * removed includes: disable-passwordmgr.inc
+  * removed --disable-whitelist at compile time
+  * removed whitelist=yes/no in /etc/firejail/firejail.config
+  * new condition: ALLOW_TRAY (#4510 #4599)
+  * remove (some) environment variables with auth-tokens (#4157)
+  * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
+  * removed includes: disable-passwordmgr.inc (#4461)
   * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
   * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
   * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
   * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
-  * new profiles: imv, retroarch, torbrowser
+  * new profiles: imv, retroarch, torbrowser, CachyBrowser
  -- netblue30 <netblue30@yahoo.com>  Thu, 29 Jul 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
diff --git a/configure b/configure
index da886a541..a8c9a1d96 100755
--- a/configure
+++ b/configure
@@ -4271,7 +4271,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5006,6 +5006,7 @@ do
     "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
     "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;;
     "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;;
+    "src/fnettrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
diff --git a/configure.ac b/configure.ac
index bf501506d..232d49e1e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -272,7 +272,7 @@ AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile src/fids/Makefile])
+src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile])
 AC_OUTPUT
 
 cat <<EOF
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 3ec13e482..b1ec25987 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -630,3 +630,5 @@ blacklist ${RUNUSER}/inaccessible
 blacklist ${RUNUSER}/pk-debconf-socket
 blacklist ${RUNUSER}/update-notifier.pid
 
+# tor-browser
+blacklist ${HOME}/.local/opt/tor-browser
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 4e440de1e..9226bb0f2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -85,6 +85,7 @@ blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/babl
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/cachy
 blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/cantata
 blacklist ${HOME}/.cache/champlain
@@ -223,6 +224,7 @@ blacklist ${HOME}/.cache/youtube-dl
 blacklist ${HOME}/.cache/youtube-viewer
 blacklist ${HOME}/.cache/yt-dlp
 blacklist ${HOME}/.cache/zim
+blacklist ${HOME}/.cachy
 blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.clion*
@@ -239,6 +241,7 @@ blacklist ${HOME}/.config/Bitwarden
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/BraveSoftware
 blacklist ${HOME}/.config/Clementine
+blacklist ${HOME}/.config/ClipGrab
 blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
@@ -635,6 +638,7 @@ blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/yt-dlp
+blacklist ${HOME}/.config/yt-dlp.conf
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zim
 blacklist ${HOME}/.config/zoomus.conf
@@ -1126,6 +1130,7 @@ blacklist ${HOME}/mps
 blacklist ${HOME}/openstego.ini
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/yt-dlp.conf
+blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
new file mode 100644
index 000000000..7a14d9464
--- /dev/null
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Cachy-Browser
+# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cachy-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cachy
+noblacklist ${HOME}/.cachy
+
+mkdir ${HOME}/.cache/cachy
+mkdir ${HOME}/.cachy
+whitelist ${HOME}/.cache/cachy
+whitelist ${HOME}/.cachy
+
+# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
+# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,cachy-browser,sh
+# Add the next line to your cachy-browser.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
+#private-etc cachy-browser
+
+dbus-user filter
+dbus-user.own org.mozilla.cachybrowser.*
+# Add the next line to your cachy-browser.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your cachy-browser.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your cachy-browser.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 7bfb61688..2992a2d6f 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -53,6 +53,9 @@ private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
 
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index f3c77fa77..084f0ccad 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,10 +6,14 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/ClipGrab
 noblacklist ${HOME}/.config/Philipp Schmieder
 noblacklist ${HOME}/.pki
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
new file mode 100644
index 000000000..a095104f0
--- /dev/null
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -0,0 +1,65 @@
+# Firejail profile for flatseal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.tchx84.Flatseal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/flatpak/overrides
+noblacklist /var/lib/flatpak/app
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/flatpak/overrides
+whitelist ${HOME}/.local/share/flatpak/overrides
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.tchx84.Flatseal,gjs
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.tchx84.Flatseal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.impl.portal.PermissionStore
+dbus-user.talk org.gnome.Software
+dbus-system none
+
+read-write ${HOME}/.local/share/flatpak/overrides
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index b1a9550f1..3c5a64215 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -32,7 +32,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 shell none
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 5a29eb24b..a3596bb5e 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -9,6 +9,9 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 mkdir ${HOME}/.elinks
 whitelist ${HOME}/.elinks
 
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index ef647b5a0..e7d438b46 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -59,6 +59,9 @@ disable-mnt
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 0145f7ceb..97f190723 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -8,6 +8,9 @@ include globals.local
 
 blacklist ${RUNUSER}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index e6faba78a..e58beec0c 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -26,7 +26,11 @@ include globals.local
 
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -46,16 +50,19 @@ include disable-shell.inc
 
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/mpv
-mkdir ${HOME}/.config/youtube-dl
 mkfile ${HOME}/.netrc
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/yt-dlp
+whitelist ${HOME}/.config/yt-dlp.conf
 whitelist ${HOME}/.netrc
-include whitelist-common.inc
-include whitelist-player-common.inc
+whitelist ${HOME}/yt-dlp.conf
+whitelist ${HOME}/yt-dlp.conf.txt
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
+include whitelist-common.inc
+include whitelist-player-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 354d3351e..2e4a95125 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -29,6 +29,7 @@ mkdir ${HOME}/.local/share/Nextcloud
 whitelist ${HOME}/Nextcloud
 whitelist ${HOME}/.config/Nextcloud
 whitelist ${HOME}/.local/share/Nextcloud
+whitelist /usr/share/nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index ed04eda8e..3ddebb765 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -14,8 +14,8 @@ ignore include whitelist-var-common.inc
 ignore nou2f
 ignore novideo
 ignore private-dev
+
 ignore dbus-user none
-ignore dbus-system none
 
 # breaks Skype
 ignore apparmor
@@ -23,7 +23,16 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/skypeforlinux
 
+mkdir ${HOME}/.config/skypeforlinux
+whitelist ${HOME}/.config/skypeforlinux
+
 # private-dev - needs /dev/disk
 
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+# Note: Skype will log out the current session on start-up without this:
+dbus-user.talk org.kde.StatusNotifierWatcher
+
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index ee19bcd00..5711c1b36 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -11,6 +11,8 @@ ignore include disable-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
+ignore noinput
+
 ignore dbus-user none
 ignore dbus-system none
 
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index c8d98cbaa..ad52ca45f 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -13,6 +13,8 @@ ignore include whitelist-usr-share-common.inc
 ignore novideo
 ignore private-tmp
 
+ignore novideo
+
 # see #3404
 ignore apparmor
 ignore dbus-user none
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index dc1f77664..ce0119078 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
 
+# Allow opening hyperlinks
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ seccomp.block-secondary
 shell none
 
 disable-mnt
-private-bin telegram,Telegram,telegram-desktop
+private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
 private-cache
 private-dev
 private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 76a0e1fa5..13f422b0a 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -7,9 +7,12 @@ include tor-browser.local
 #include globals.local
 
 noblacklist ${HOME}/.tor-browser
+noblacklist ${HOME}/.local/opt/tor-browser
 
 mkdir ${HOME}/.tor-browser
 whitelist ${HOME}/.tor-browser
+mkdir ${HOME}/.local/opt/tor-browser
+whitelist ${HOME}/.local/opt/tor-browser
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index e7b8ecd3f..469e99d02 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /opt
 blacklist /srv
 
 include disable-common.inc
@@ -30,6 +29,7 @@ mkdir ${HOME}/.local/share/torbrowser
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
+whitelist /opt/tor-browser
 whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 32e873aa5..6e835b03f 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -10,7 +10,9 @@ include yt-dlp.local
 
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
 
 private-bin ffprobe,yt-dlp
 private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 06b0a117f..c1aaf740c 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -168,9 +168,9 @@ void fix_desktop_files(char *homedir) {
 
                 char *filename = entry->d_name;
 
-                // skip links
-                if (is_link(filename))
-                        continue;
+                // skip links - Discord on Arch #4235 seems to be a symlink to /opt directory
+//              if (is_link(filename))
+//                      continue;
 
                 // no profile in /etc/firejail, no desktop file fixing
                 if (!have_profile(filename, homedir))
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 117c6f6ae..4bfdb7e57 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -109,6 +109,7 @@ brave-browser-stable
 # bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 bzflag
 # bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+cachy-browser
 calibre
 calligra
 calligraauthor
@@ -157,6 +158,7 @@ com.github.bleakgrey.tootle
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
 com.github.phase1geo.minder
+com.github.tchx84.Flatseal
 com.gitlab.newsflash
 conkeror
 conky
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a7673ae20..bc4cfe3fc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -506,7 +506,8 @@ void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
 long long unsigned parse_arg_size(char *str);
-void drop_privs(int nogroups);
+int check_can_drop_all_groups();
+void drop_privs(int force_nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
 void logsignal(int s);
@@ -657,6 +658,8 @@ void set_cgroup(const char *fname, pid_t pid);
 void check_output(int argc, char **argv);
 
 // netfilter.c
+void netfilter_netlock(pid_t pid);
+void netfilter_trace(pid_t pid);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4558934da..b410ba68e 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -456,15 +456,20 @@ void fs_check_private_dir(void) {
 void fs_check_private_cwd(const char *dir) {
         EUID_ASSERT();
         invalid_filename(dir, 0); // no globbing
+        if (strcmp(dir, ".") == 0 || *dir != '/')
+                goto errout;
 
         // Expand the working directory
         cfg.cwd = expand_macros(dir);
 
         // realpath/is_dir not used because path may not exist outside of jail
-        if (strstr(cfg.cwd, "..")) {
-                fprintf(stderr, "Error: invalid private working directory\n");
-                exit(1);
-        }
+        if (strstr(cfg.cwd, ".."))
+                goto errout;
+
+        return;
+errout:
+        fprintf(stderr, "Error: invalid private working directory\n");
+        exit(1);
 }
 
 //***********************************************************************************
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 59e88bdc6..3b12f7ca1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -408,6 +408,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
 #endif
 #ifdef HAVE_NETWORK
+        else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
+                pid_t pid = require_pid(argv[i] + 11);
+                netfilter_trace(pid);
+        }
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         logargs(argc, argv);
@@ -990,8 +994,10 @@ int main(int argc, char **argv, char **envp) {
         int option_cgroup = 0;
         int custom_profile = 0; // custom profile loaded
         int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
+        int arg_netlock = 0;
         char **ptr;
 
+
         // sanitize the umask
         orig_umask = umask(022);
 
@@ -1013,10 +1019,10 @@ int main(int argc, char **argv, char **envp) {
 
         // sanity check for arguments
         for (i = 0; i < argc; i++) {
-                if (*argv[i] == 0) {
-                        fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i);
-                        exit(1);
-                }
+//              if (*argv[i] == 0) { // see #4395 - bug reported by Debian
+//                      fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i);
+//                      exit(1);
+//              }
                 if (strlen(argv[i]) >= MAX_ARG_LEN) {
                         fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN);
                         exit(1);
@@ -1574,7 +1580,6 @@ int main(int argc, char **argv, char **envp) {
                         profile_add(line);
                 }
 
-                // blacklist/deny
                 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
                         char *line;
                         if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1583,14 +1588,6 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-                else if (strncmp(argv[i], "--deny=", 7) == 0) {
-                        char *line;
-                        if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
-                                errExit("asprintf");
-
-                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        profile_add(line);
-                }
                 else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
                         char *line;
                         if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1599,16 +1596,6 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-                else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
-                        char *line;
-                        if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
-                                errExit("asprintf");
-
-                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        profile_add(line);
-                }
-
-                // whitelist
                 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
                         char *line;
                         if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
@@ -1617,14 +1604,6 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-                else if (strncmp(argv[i], "--allow=", 8) == 0) {
-                        char *line;
-                        if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
-                                errExit("asprintf");
-
-                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        profile_add(line);
-                }
                 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
                         char *line;
                         if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1)
@@ -1633,15 +1612,6 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-                else if (strncmp(argv[i], "--noallow=", 10) == 0) {
-                        char *line;
-                        if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
-                                errExit("asprintf");
-
-                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        profile_add(line);
-                }
-
 
                 else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
                         char *line;
@@ -2324,6 +2294,12 @@ int main(int argc, char **argv, char **envp) {
                 //*************************************
                 // network
                 //*************************************
+                else if (strcmp(argv[i], "--netlock") == 0)
+                        arg_netlock = 1;
+                else if (strncmp(argv[i], "--netlock=", 10) == 0) {
+                        pid_t pid = require_pid(argv[i] + 10);
+                        netfilter_netlock(pid);
+                }
                 else if (strcmp(argv[i], "--net=none") == 0) {
                         arg_nonetwork  = 1;
                         cfg.bridge0.configured = 0;
@@ -2642,7 +2618,7 @@ int main(int argc, char **argv, char **envp) {
                         else if (cfg.dns4 == NULL)
                                 cfg.dns4 = dns;
                         else {
-                                fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+                                fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns);
                                 free(dns);
                         }
                 }
@@ -3155,62 +3131,64 @@ int main(int argc, char **argv, char **envp) {
                 ptr += strlen(ptr);
 
                 gid_t g;
-                // add audio group
-                if (!arg_nosound) {
-                        g = get_group_id("audio");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
+                if (!arg_nogroups || !check_can_drop_all_groups()) {
+                        // add audio group
+                        if (!arg_nosound) {
+                                g = get_group_id("audio");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
-                }
 
-                // add video group
-                if (!arg_novideo) {
-                        g = get_group_id("video");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
+                        // add video group
+                        if (!arg_novideo) {
+                                g = get_group_id("video");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
-                }
 
-                // add render group
-                if (!arg_no3d) {
-                        g = get_group_id("render");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
+                        // add render group
+                        if (!arg_no3d) {
+                                g = get_group_id("render");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
-                }
 
-                // add lp group
-                if (!arg_noprinters) {
-                        g = get_group_id("lp");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
+                        // add lp group
+                        if (!arg_noprinters) {
+                                g = get_group_id("lp");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
-                }
 
-                // add cdrom/optical groups
-                if (!arg_nodvd) {
-                        g = get_group_id("cdrom");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
-                        }
-                        g = get_group_id("optical");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
+                        // add cdrom/optical groups
+                        if (!arg_nodvd) {
+                                g = get_group_id("cdrom");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
+                                g = get_group_id("optical");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
-                }
 
-                // add input group
-                if (!arg_noinput) {
-                        g = get_group_id("input");
-                        if (g) {
-                                sprintf(ptr, "%d %d 1\n", g, g);
-                                ptr += strlen(ptr);
+                        // add input group
+                        if (!arg_noinput) {
+                                g = get_group_id("input");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
                 }
 
@@ -3254,6 +3232,16 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_USER();
 
+        // lock netfilter firewall
+        if (arg_netlock) {
+                char *cmd;
+                if (asprintf(&cmd, "firejail --netlock=%d&", getpid()) == -1)
+                        errExit("asprintf");
+                int rv = system(cmd);
+                (void) rv;
+                free(cmd);
+        }
+
         int status = 0;
         //*****************************
         // following code is signal-safe
@@ -3271,26 +3259,6 @@ int main(int argc, char **argv, char **envp) {
         // end of signal-safe code
         //*****************************
 
-#if 0
-// at this point the sandbox was closed and we are on our way out
-// it would make sense to move this before waitpid above to free some memory
-// crash for now as of issue #3662 from dhcp code
-        // free globals
-        if (cfg.profile) {
-                ProfileEntry *prf = cfg.profile;
-                while (prf != NULL) {
-                        ProfileEntry *next = prf->next;
-printf("data #%s#\n", prf->data);
-                        if (prf->data)
-                                free(prf->data);
-printf("link #%s#\n", prf->link);
-                        if (prf->link)
-                                free(prf->link);
-                        free(prf);
-                        prf = next;
-                }
-        }
-#endif
 
 
         if (WIFEXITED(status)){
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index fc79dddec..f412950f2 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,6 +24,91 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
+void netfilter_netlock(pid_t pid) {
+        EUID_ASSERT();
+
+        // give the sandbox a chance to start up before entering the network namespace
+        sleep(1);
+        enter_network_namespace(pid);
+
+        char *flog;
+        if (asprintf(&flog, "/run/firejail/network/%d-netlock", getpid()) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(flog, "w");
+        if (!fp)
+                errExit("fopen");
+        fclose(fp);
+
+        // try to find a X terminal
+        char *terminal = NULL;
+        if (access("/usr/bin/lxterminal", X_OK) == 0)
+                terminal = "/usr/bin/lxterminal";
+        else if (access("/usr/bin/xterm", X_OK) == 0)
+                terminal = "/usr/bin/xterm";
+        else if (access("/usr/bin/xfce4-terminal", X_OK) == 0)
+                terminal = "/usr/bin/xfce4-terminal";
+        else if (access("/usr/bin/konsole", X_OK) == 0)
+                terminal = "/usr/bin/konsole";
+// problem: newer gnome-terminal versions don't support -e command line option???
+//      else if (access("/usr/bin/gnome-terminal", X_OK) == 0)
+//              terminal = "/usr/bin/gnome-terminal";
+
+        if (terminal) {
+                pid_t p = fork();
+                if (p == -1)
+                        ; // run without terminal logger
+                else if (p == 0) { // child
+                        drop_privs(0);
+
+                        char *cmd;
+                        if (asprintf(&cmd, "%s -e \"tail -f %s\"", terminal, flog) == -1)
+                                errExit("asprintf");
+                        int rv = system(cmd);
+                        (void) rv;
+                        exit(0);
+                }
+        }
+
+        char *cmd;
+        if (asprintf(&cmd, "%s/firejail/fnettrace --netfilter --log=%s", LIBDIR, flog) == -1)
+                errExit("asprintf");
+        free(flog);
+
+        //************************
+        // build command
+        //************************
+        char *arg[4];
+        arg[0] = "/bin/sh";
+        arg[1] = "-c";
+        arg[2] = cmd;
+        arg[3] = NULL;
+        clearenv();
+        sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+        // it will never get here!!
+}
+
+void netfilter_trace(pid_t pid) {
+        EUID_ASSERT();
+
+        enter_network_namespace(pid);
+        char *cmd;
+        if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
+                errExit("asprintf");
+
+        //************************
+        // build command
+        //************************
+        char *arg[4];
+        arg[0] = "/bin/sh";
+        arg[1] = "-c";
+        arg[2] = cmd;
+        arg[3] = NULL;
+
+        clearenv();
+        sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+        // it will never get here!!
+}
+
 void check_netfilter_file(const char *fname) {
         EUID_ASSERT();
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 7757c1814..92dbecac1 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1106,7 +1106,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 else if (cfg.dns4 == NULL)
                         cfg.dns4 = dns;
                 else {
-                        fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+                        fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns);
                         free(dns);
                 }
                 return 0;
@@ -1752,44 +1752,7 @@ void profile_read(const char *fname) {
                         continue;
                 }
 
-                // translate allow/deny to whitelist/blacklist
-                if (strncmp(ptr, "allow ", 6) == 0) {
-                        char *tmp;
-                        if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
-                                errExit("asprintf");
-                        free(ptr);
-                        ptr = tmp;
-                }
-                else if (strncmp(ptr, "deny ", 5) == 0) {
-                        char *tmp;
-                        if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
-                                errExit("asprintf");
-                        free(ptr);
-                        ptr = tmp;
-                }
-                else if (strncmp(ptr, "deny-nolog ", 11) == 0) {
-                        char *tmp;
-                        if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1)
-                                errExit("asprintf");
-                        free(ptr);
-                        ptr = tmp;
-                }
-                // translate noallow/nodeny to nowhitelist/noblacklist
-                else if (strncmp(ptr, "noallow ", 8) == 0) {
-                        char *tmp;
-                        if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
-                                errExit("asprintf");
-                        free(ptr);
-                        ptr = tmp;
-                }
-                else if (strncmp(ptr, "nodeny ", 7) == 0) {
-                        char *tmp;
-                        if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
-                                errExit("asprintf");
-                        free(ptr);
-                        ptr = tmp;
-                }
-                else if (strncmp(ptr, "whitelist-ro ", 13) == 0) {
+                if (strncmp(ptr, "whitelist-ro ", 13) == 0) {
                         char *whitelist, *readonly;
                         if (asprintf(&whitelist, "whitelist %s", ptr + 13) == -1)
                                 errExit("asprintf");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3887b5701..53b1e6914 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1058,6 +1058,11 @@ int sandbox(void* sandbox_arg) {
         EUID_USER();
         int cwd = 0;
         if (cfg.cwd) {
+                if (is_link(cfg.cwd)) {
+                        fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd);
+                        exit(1);
+                }
+
                 if (chdir(cfg.cwd) == 0)
                         cwd = 1;
                 else if (arg_private_cwd) {
@@ -1225,7 +1230,7 @@ int sandbox(void* sandbox_arg) {
         //****************************************
         // drop privileges
         //****************************************
-        drop_privs(arg_nogroups);
+        drop_privs(0);
 
         // kill the sandbox in case the parent died
         prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 4a0f05528..b993cb80c 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -150,6 +150,7 @@ static char *usage_str =
         "\tparent interfaces.\n"
         "    --netns=name - Run the program in a named, persistent network namespace.\n"
         "    --netstats - monitor network statistics.\n"
+        "    --nettrace - monitor TCP and UDP traffic coming into the sandbox.\n"
 #endif
         "    --nice=value - set nice value.\n"
         "    --no3d - disable 3D hardware acceleration.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 97afe9649..c1c31b43c 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -103,6 +103,41 @@ void errLogExit(char* fmt, ...) {
         exit(1);
 }
 
+// Returns whether all supplementary groups can be safely dropped
+int check_can_drop_all_groups() {
+        static int can_drop_all_groups = -1;
+
+        // Avoid needlessly checking (and printing) things twice
+        if (can_drop_all_groups != -1)
+                goto out;
+
+        // nvidia cards require video group; ignore nogroups
+        if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+                fwarning("NVIDIA card detected, nogroups command ignored\n");
+                can_drop_all_groups = 0;
+                goto out;
+        }
+
+        /* When we are not sure that the system has working seat-based ACLs
+         * (e.g.: probably yes on (e)udev + (e)logind, probably not on eudev +
+         * seatd), supplementary groups (e.g.: audio and input) might be needed
+         * to avoid breakage (e.g.: audio or gamepads not working).  See #4600
+         * and #4603.
+         */
+        if (access("/run/systemd/seats/", F_OK) != 0) {
+                fwarning("logind not detected, nogroups command ignored\n");
+                can_drop_all_groups = 0;
+                goto out;
+        }
+
+        if (arg_debug)
+                fprintf(stderr, "nogroups command not ignored\n");
+        can_drop_all_groups = 1;
+
+out:
+        return can_drop_all_groups;
+}
+
 static int find_group(gid_t group, const gid_t *groups, int ngroups) {
         int i;
         for (i = 0; i < ngroups; i++) {
@@ -141,6 +176,9 @@ static void clean_supplementary_groups(gid_t gid) {
         if (rv == -1)
                 goto clean_all;
 
+        if (arg_nogroups && check_can_drop_all_groups())
+                goto clean_all;
+
         // clean supplementary group list
         gid_t new_groups[MAX_GROUPS];
         int new_ngroups = 0;
@@ -215,21 +253,22 @@ clean_all:
 
 
 // drop privileges
-// - for root group or if nogroups is set, supplementary groups are not configured
-void drop_privs(int nogroups) {
+// - for root group or if force_nogroups is set, supplementary groups are not configured
+void drop_privs(int force_nogroups) {
         gid_t gid = getgid();
         if (arg_debug)
-                printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n",  getpid(), getuid(), gid, nogroups);
+                printf("Drop privileges: pid %d, uid %d, gid %d, force_nogroups %d\n",
+                       getpid(), getuid(), gid, force_nogroups);
 
         // configure supplementary groups
         EUID_ROOT();
-        if (gid == 0 || nogroups) {
+        if (gid == 0 || force_nogroups) {
                 if (setgroups(0, NULL) < 0)
                         errExit("setgroups");
                 if (arg_debug)
                         printf("No supplementary groups\n");
         }
-        else if (arg_noroot)
+        else if (arg_noroot || arg_nogroups)
                 clean_supplementary_groups(gid);
 
         // set uid/gid
diff --git a/src/fnettrace/Makefile.in b/src/fnettrace/Makefile.in
new file mode 100644
index 000000000..755ddcc3a
--- /dev/null
+++ b/src/fnettrace/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: fnettrace
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnettrace: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fnettrace *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h
new file mode 100644
index 000000000..9c34e17ca
--- /dev/null
+++ b/src/fnettrace/fnettrace.h
@@ -0,0 +1,64 @@
+#ifndef FNETTRACE_H
+#define FNETTRACE_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+
+//#define NETLOCK_INTERVAL 60
+#define NETLOCK_INTERVAL 60
+#define DISPLAY_INTERVAL 3
+
+void logprintf(char* fmt, ...);
+
+static inline void ansi_topleft(int tolog) {
+        char str[] = {0x1b, '[', '1', ';',  '1', 'H', '\0'};
+        if (tolog)
+                logprintf("%s", str);
+        else
+                printf("%s", str);
+        fflush(0);
+}
+
+static inline void ansi_clrscr(int tolog) {
+        ansi_topleft(tolog);
+        char str[] = {0x1b, '[', '0', 'J', '\0'};
+        if (tolog)
+                logprintf("%s", str);
+        else
+                printf("%s", str);
+        fflush(0);
+}
+
+static inline void ansi_linestart(int tolog) {
+        char str[] = {0x1b, '[', '0', 'G', '\0'};
+        if (tolog)
+                logprintf("%s", str);
+        else
+                printf("%s", str);
+        fflush(0);
+}
+
+static inline void ansi_clrline(int tolog) {
+        ansi_linestart(tolog);
+        char str[] = {0x1b, '[', '0', 'K', '\0'};
+        if (tolog)
+                logprintf("%s", str);
+        else
+                printf("%s", str);
+        fflush(0);
+}
+
+static inline uint8_t hash(uint32_t ip) {
+        uint8_t *ptr = (uint8_t *) &ip;
+        // simple byte xor
+        return *ptr ^ *(ptr + 1) ^ *(ptr + 2) ^ *(ptr + 3);
+}
+
+
+
+#endif
\ No newline at end of file
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
new file mode 100644
index 000000000..f036d0c9e
--- /dev/null
+++ b/src/fnettrace/main.c
@@ -0,0 +1,433 @@
+#include "fnettrace.h"
+#define MAX_BUF_SIZE (64 * 1024)
+
+static int arg_netfilter = 0;
+static char *arg_log = NULL;
+
+typedef struct hlist_t {
+        struct hlist_t *next;
+        uint32_t ip_src;
+        uint32_t ip_dst;
+        uint16_t port_src;
+        uint64_t  bytes;
+        int instance;
+#define MAX_TTL 20 // 20 * DISPLAY_INTERVAL = 1 minute
+        short ttl;
+        uint8_t protocol;
+} HList;
+
+#define HMAX 256
+HList *htable[HMAX] = {NULL};
+static int htable_empty = 1;
+
+static void hlist_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint64_t bytes) {
+        uint8_t h = hash(ip_src);
+        htable_empty = 0;
+
+        // find
+        int instance = 0;
+        HList *ptr = htable[h];
+        while (ptr) {
+                if (ptr->ip_src == ip_src) {
+                        instance++;
+                        if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {
+                                ptr->bytes += bytes;
+                                ptr->ttl = MAX_TTL;
+                                return;
+                        }
+                }
+                ptr = ptr->next;
+        }
+
+        HList *hnew = malloc(sizeof(HList));
+        hnew->ip_src = ip_src;
+        hnew->ip_dst = ip_dst;
+        hnew->port_src = port_src;
+        hnew->protocol = protocol;
+        hnew->next = NULL;
+        hnew->bytes = bytes;
+        hnew->ttl = MAX_TTL;
+        hnew->instance = instance + 1;
+        if (htable[h] == NULL)
+                htable[h] = hnew;
+        else {
+                hnew->next = htable[h];
+                htable[h] = hnew;
+        }
+
+        ansi_clrline(1);
+        logprintf("  %u.%u.%u.%u\n", PRINT_IP(hnew->ip_src));
+}
+
+// remove entries with a ttl <= 0
+static void hlist_clean_ttl() {
+        if (htable_empty)
+                return;
+
+        int i;
+        for (i = 0; i < HMAX; i++) {
+                HList *ptr = htable[i];
+                HList *parent = NULL;
+                while (ptr) {
+                        if (--ptr->ttl <= 0) {
+                                HList *tmp = ptr;
+                                ptr = ptr->next;
+                                if (parent)
+                                        parent->next = ptr;
+                                else
+                                        htable[i] = ptr;
+                                free(tmp);
+                        }
+                        else {
+                                parent = ptr;
+                                ptr = ptr->next;
+                        }
+                }
+        }
+}
+
+static void hlist_print() {
+        ansi_clrscr(0);
+        if (htable_empty)
+                return;
+        if (arg_netfilter)
+                printf("\n\n");
+        static int clear_cnt = 0;
+
+        int i;
+        int cnt = 0;
+        int cnt_printed = 0;
+        for (i = 0; i < HMAX; i++) {
+                HList *ptr = htable[i];
+                while (ptr) {
+                        if (ptr->bytes) {
+                                cnt_printed++;
+                                char ip_src[30];
+                                sprintf(ip_src, "%u.%u.%u.%u:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
+                                char ip_dst[30];
+                                sprintf(ip_dst, "%u.%u.%u.%u", PRINT_IP(ptr->ip_dst));
+                                printf("%-25s =>      %-25s\t%s:",
+                                        ip_src,
+                                        ip_dst,
+                                        (ptr->protocol == 6)? "TCP": "UDP");
+
+                                if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
+                                        printf(" %lu KB/sec\n",
+                                                ptr->bytes / (DISPLAY_INTERVAL * 1024));
+                                else
+                                        printf(" %lu B/sec\n",
+                                                ptr->bytes / DISPLAY_INTERVAL);
+                                ptr->bytes = 0;
+                        }
+
+                        ptr = ptr->next;
+                        cnt++;
+                }
+        }
+
+        if (cnt_printed < 7) {
+                for (i = 0; i < 7 - cnt_printed; i++)
+                        printf("\n");
+        }
+
+        if (!arg_netfilter) {
+                printf("(%d %s in the last one minute)\n", cnt, (cnt == 1)? "stream": "streams");
+                hlist_clean_ttl();
+        }
+}
+
+static void run_trace(void) {
+        logprintf("accumulating traffic for %d seconds...\n", NETLOCK_INTERVAL);
+
+        // trace only rx ipv4 tcp and upd
+        int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
+        int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+        if (s1 < 0 || s2 < 0)
+                errExit("socket");
+
+        unsigned start = time(NULL);
+        unsigned last_print_traces = 0;
+        unsigned last_print_remaining = 0;
+        unsigned char buf[MAX_BUF_SIZE];
+        int progress_cnt = 0;
+        while (1) {
+                unsigned end = time(NULL);
+                if (arg_netfilter && end - start >= NETLOCK_INTERVAL) {
+                        ansi_clrline(1);
+                        break;
+                }
+                if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
+                        hlist_print();
+                        last_print_traces = end;
+                }
+                if (arg_netfilter && last_print_remaining != end) {
+                        ansi_clrline(1);
+                        int secs = NETLOCK_INTERVAL - (end  - start);
+                        logprintf("%d %s remaining   ", secs, (secs == 1)? "second": "seconds");
+                        last_print_remaining = end;
+                }
+
+                fd_set rfds;
+                FD_ZERO(&rfds);
+                FD_SET(s1, &rfds);
+                FD_SET(s2, &rfds);
+                int maxfd = (s1 > s2) ? s1 : s2;
+                 maxfd++;
+                struct timeval tv;
+                tv.tv_sec = 1;
+                tv.tv_usec = 0;
+                int rv = select(maxfd, &rfds, NULL, NULL, &tv);
+                if (rv < 0)
+                        errExit("select");
+                else if (rv == 0)
+                        continue;
+
+
+
+                int sock = (FD_ISSET(s1, &rfds)) ? s1 : s2;
+
+                unsigned char buf[MAX_BUF_SIZE];
+                unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+                if (bytes >= 20) { // size of IP header
+                        // filter out loopback traffic
+                        if (buf[12] != 127) {
+                                uint32_t ip_src;
+                                memcpy(&ip_src, buf + 12, 4);
+                                ip_src = ntohl(ip_src);
+
+                                uint32_t ip_dst;
+                                memcpy(&ip_dst, buf + 16, 4);
+                                ip_dst = ntohl(ip_dst);
+
+                                uint8_t hlen = (buf[0] & 0x0f) * 4;
+                                uint16_t port_src;
+                                memcpy(&port_src, buf + hlen, 2);
+                                port_src = ntohs(port_src);
+
+                                hlist_add(ip_src, ip_dst, buf[9], port_src, (uint64_t) bytes);
+                        }
+                }
+        }
+
+        close(s1);
+        close(s2);
+}
+
+static char *filter_start =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT DROP [0:0]\n";
+
+// return 1 if error
+static int print_filter(FILE *fp) {
+        if (htable_empty)
+                return 1;
+        fprintf(fp, "%s\n", filter_start);
+        fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "\n");
+
+        int i;
+        for (i = 0; i < HMAX; i++) {
+                HList *ptr = htable[i];
+                while (ptr) {
+                        if (ptr->instance == 1) {
+                                char *protocol = (ptr->protocol == 6)? "tcp": "udp";
+                                fprintf(fp, "-A INPUT -s %u.%u.%u.%u -sport %u -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        ptr->port_src,
+                                        protocol);
+                                fprintf(fp, "-A OUTPUT -d %u.%u.%u.%u -dport %u -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        ptr->port_src,
+                                        protocol);
+                                fprintf(fp, "\n");
+                        }
+                        ptr = ptr->next;
+                }
+        }
+        fprintf(fp, "COMMIT\n");
+
+        return 0;
+}
+
+static char *flush_rules[] = {
+        "-P INPUT ACCEPT",
+        "-P FORWARD ACCEPT",
+        "-P OUTPUT ACCEPT",
+        "-F",
+        "-X",
+        "-t nat -F",
+        "-t nat -X",
+        "-t mangle -F",
+        "-t mangle -X",
+        "iptables -t raw -F",
+        "-t raw -X",
+        NULL
+};
+
+static void flush_netfilter(void) {
+        // find iptables command
+        struct stat s;
+        char *iptables = NULL;
+        if (stat("/sbin/iptables", &s) == 0)
+                iptables = "/sbin/iptables";
+        else if (stat("/usr/sbin/iptables", &s) == 0)
+                iptables = "/usr/sbin/iptables";
+        if (iptables == NULL) {
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+                exit(1);
+        }
+
+        int i = 0;
+        while (flush_rules[i]) {
+                char *cmd;
+                if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
+                        errExit("asprintf");
+                int rv = system(cmd);
+                (void) rv;
+                free(cmd);
+                i++;
+        }
+}
+
+static void deploy_netfilter(void) {
+        int rv;
+        char *cmd;
+
+        // create temporary file
+        char fname[] = "/tmp/firejail-XXXXXX";
+        int fd = mkstemp(fname);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+
+        FILE* fp = fdopen(fd, "w");
+        if (!fp) {
+                rv = unlink(fname);
+                (void) rv;
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+        print_filter(fp);
+        fclose(fp);
+
+        if (arg_log) {
+                logprintf("\n");
+                logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+                if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
+                        errExit("asprintf");
+                rv = system(cmd);
+                (void) rv;
+                free(cmd);
+                logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+        }
+
+        // find iptables command
+        struct stat s;
+        char *iptables = NULL;
+        char *iptables_restore = NULL;
+        if (stat("/sbin/iptables", &s) == 0) {
+                iptables = "/sbin/iptables";
+                iptables_restore = "/sbin/iptables-restore";
+        }
+        else if (stat("/usr/sbin/iptables", &s) == 0) {
+                iptables = "/usr/sbin/iptables";
+                iptables_restore = "/usr/sbin/iptables-restore";
+        }
+        if (iptables == NULL || iptables_restore == NULL) {
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+                rv = unlink(fname);
+                (void) rv;
+                exit(1);
+        }
+
+        // configuring
+        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        if (rv)
+                fprintf(stdout, "Warning: possible netfilter problem!");
+        free(cmd);
+
+        sleep(1);
+        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        free(cmd);
+
+        printf("Current firewall configuration:\n\n");
+        if (asprintf(&cmd, "%s -vL -n", iptables) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+
+        rv = unlink(fname);
+        (void) rv;
+        logprintf("\nfirewall deployed\n");
+}
+
+void logprintf(char* fmt, ...) {
+        if (!arg_log)
+                return;
+
+        FILE *fp = fopen(arg_log, "a");
+        if (fp) { // disregard if error
+                va_list args;
+                va_start(args,fmt);
+                vfprintf(fp, fmt, args);
+                va_end(args);
+                fclose(fp);
+        }
+}
+
+static void usage(void) {
+        printf("Usage: fnetlock [OPTIONS]\n");
+        printf("Options:\n");
+        printf("   --help, -? - this help screen\n");
+        printf("   --netfilter - build the firewall rules and commit them.\n");
+        printf("   --log=filename - logfile\n");
+        printf("\n");
+}
+
+int main(int argc, char **argv) {
+        int i;
+        printf("\n\n");
+
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to run this program\n");
+                return 1;
+        }
+
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--netfilter") == 0)
+                        arg_netfilter = 1;
+                else if (strncmp(argv[i], "--log=", 6) == 0)
+                        arg_log = argv[i] + 6;
+                else {
+                        fprintf(stderr, "Error: invalid argument\n");
+                        return 1;
+                }
+        }
+
+        if (arg_netfilter) {
+                logprintf("starting network lockdown\n");
+                flush_netfilter();
+        }
+
+        ansi_clrscr(0);
+        run_trace();
+        if (arg_netfilter) {
+                deploy_netfilter();
+                sleep(3);
+                if (arg_log)
+                        unlink(arg_log);
+        }
+
+        return 0;
+}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index f6c905d59..9c251ec34 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -358,7 +358,7 @@ modifications are discarded when the sandbox is closed.
 Set working directory inside jail to the home directory, and failing that, the root directory.
 .TP
 \fBprivate-cwd directory
-Set working directory inside the jail.
+Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed.
 .TP
 \fBprivate-dev
 Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b5cb1e7c2..b366fed7c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1256,7 +1256,7 @@ $ firejail \-\-net=br0 \-\-net=br1
 .TP
 \fB\-\-net=ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan|ipvaln
+to this ethernet interface using the standard Linux macvlan|ipvlan
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an
 IP address and a default gateway will be assigned automatically
 to the sandbox. The IP address is verified using ARP before
@@ -1479,6 +1479,29 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
+.TP
+\fB\-\-nettrace=name|pid
+Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
+created with \-\-net are supported.
+.br
+
+.br
+$ firejail --nettrace=browser
+.br
+9.9.9.9:53              =>      192.168.1.60    UDP: 122 B/sec
+.br
+72.21.91.29:80          =>      192.168.1.60    TCP: 257 B/sec
+.br
+80.92.126.65:123        =>      192.168.1.60    UDP: 25 B/sec
+.br
+69.30.241.50:443        =>      192.168.1.60    TCP: 88 KB/sec
+.br
+140.82.112.4:443        =>      192.168.1.60    TCP: 1861 B/sec
+.br
+
+.br
+(14 streams in the last one minute)
+
 #endif
 .TP
 \fB\-\-nice=value
@@ -1863,7 +1886,6 @@ $ firejail \-\-private-cache openbox
 .TP
 \fB\-\-private-cwd
 Set working directory inside jail to the home directory, and failing that, the root directory.
-.br
 Does not impact working directory of profile include paths.
 .br
 
@@ -1884,7 +1906,7 @@ $ pwd
 .TP
 \fB\-\-private-cwd=directory
 Set working directory inside the jail.
-.br
+Full directory path is required. Symbolic links are not allowed.
 Does not impact working directory of profile include paths.
 .br
 
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
index e025f5939..fa1b4f200 100644
--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@@ -3,7 +3,7 @@ all: profstats
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 profstats: $(OBJS)
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 9ddbb2633..bc5047bfe 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -10,17 +10,15 @@
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License along
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
+
+#include "../include/common.h"
 
 #define MAXBUF 2048
 // stats
@@ -99,8 +97,9 @@ static void usage(void) {
         printf("\n");
 }
 
-void process_file(const char *fname) {
+static void process_file(char *fname) {
         assert(fname);
+        char *tmpfname = NULL;
 
         if (arg_debug)
                 printf("processing #%s#\n", fname);
@@ -109,9 +108,19 @@ void process_file(const char *fname) {
 
         FILE *fp = fopen(fname, "r");
         if (!fp) {
-                fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
-                level--;
-                return;
+                // the file was not found in the current directory
+                // look for it in /etc/firejail directory
+                if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1)
+                        errExit("asprintf");
+
+                fp = fopen(tmpfname, "r");
+                if (!fp) {
+                        fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile);
+                        free(tmpfname);
+                        level--;
+                        return;
+                }
+                fname = tmpfname;
         }
 
         int have_include_local = 0;
@@ -204,6 +213,8 @@ void process_file(const char *fname) {
         if (!have_include_local)
                 printf("No include .local found in %s\n", fname);
         level--;
+        if (tmpfname)
+                free(tmpfname);
 }
 
 int main(int argc, char **argv) {
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
deleted file mode 100644
index beff93199..000000000
--- a/src/tools/profcleaner.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-//*************************************************************
-// Small utility program to convert profiles from blacklist/whitelist to deny/allow
-// Compile:
-//       gcc -o profcleaner profcleaner.c
-// Usage:
-//       profcleaner *.profile
-//*************************************************************
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#define MAXBUF 4096
-
-int main(int argc, char **argv) {
-        printf("Usage: profcleaner files\n");
-        int i;
-
-        for (i = 1; i < argc; i++) {
-                FILE *fp = fopen(argv[i], "r");
-                if (!fp) {
-                        fprintf(stderr, "Error: cannot open %s\n", argv[i]);
-                        return 1;
-                }
-
-                FILE *fpout = fopen("profcleaner-tmp", "w");
-                if (!fpout) {
-                        fprintf(stderr, "Error: cannot open output file\n");
-                        return 1;
-                }
-
-                char buf[MAXBUF];
-                while (fgets(buf, MAXBUF, fp)) {
-                        if (strncmp(buf, "blacklist-nolog", 15) == 0)
-                                fprintf(fpout, "deny-nolog %s", buf + 15);
-                        else if (strncmp(buf, "blacklist", 9) == 0)
-                                fprintf(fpout, "deny %s", buf + 9);
-                        else if (strncmp(buf, "noblacklist", 11) == 0)
-                                fprintf(fpout, "nodeny %s", buf + 11);
-                        else if (strncmp(buf, "whitelist", 9) == 0)
-                                fprintf(fpout, "allow %s", buf + 9);
-                        else if (strncmp(buf, "nowhitelist", 11) == 0)
-                                fprintf(fpout, "noallow %s", buf + 11);
-                        else
-                                fprintf(fpout, "%s", buf);
-                }
-
-                fclose(fp);
-                fclose(fpout);
-                unlink(argv[i]);
-                rename("profcleaner-tmp", argv[i]);
-        }
-
-        return 0;
-}
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh
deleted file mode 100755
index 96402aed6..000000000
--- a/src/tools/profcleaner.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# Copyright (C) 2021 Firejail Authors
-#
-# This file is part of firejail project
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-if [[ $1 == --help ]]; then
-        cat <<-EOM
-        USAGE:
-          profcleaner.sh --help        Show this help message and exit
-          profcleaner.sh --system      Clean all profiles in /etc/firejail
-          profcleaner.sh --user        Clean all profiles in ~/.config/firejail
-          profcleaner.sh /path/to/profile1 /path/to/profile2 ...
-        EOM
-        exit 0
-fi
-
-if [[ $1 == --system ]]; then
-        profiles=(/etc/firejail/*.{inc,local,profile})
-elif [[ $1 == --user ]]; then
-        profiles=("$HOME"/.config/firejail/*.{inc,local,profile})
-else
-        profiles=("$@")
-fi
-
-sed -i -E \
-        -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \
-        -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \
-        -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \
-        -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \
-        "${profiles[@]}"
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 6ce71aed8..8c1d758cc 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -48,8 +48,8 @@ _firejail_args=(
     '*::arguments:_normal'
 
     '--appimage[sandbox an AppImage application]'
-    '--build[build a profile for the application and print it on stdout]'
-    '--build=-[build a profile for the application and save it]: :_files'
+    '--build[build a whitelisted profile for the application and print it on stdout]'
+    '--build=-[build a whitelisted profile for the application and save it]: :_files'
     # Ignore that you can do -? too as it's the only short option
     '--help[this help screen]'
     '--join=-[join the sandbox name|pid]: :_all_firejails'
@@ -66,14 +66,14 @@ _firejail_args=(
     '--ids-init[initialize IDS database]'
 
     '--debug[print sandbox debug messages]'
-    '--debug-allow[debug file system access]'
+    '--debug-blacklists[debug blacklisting]'
     '--debug-caps[print all recognized capabilities]'
-    '--debug-deny[debug file system access]'
     '--debug-errnos[print all recognized error numbers]'
     '--debug-private-lib[debug for --private-lib option]'
     '--debug-protocols[print all recognized protocols]'
     '--debug-syscalls[print all recognized system calls]'
     '--debug-syscalls32[print all recognized 32 bit system calls]'
+    '--debug-whitelists[debug whitelisting]'
 
     '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
     '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
@@ -86,13 +86,13 @@ _firejail_args=(
     '--allusers[all user home directories are visible inside the sandbox]'
     # Should be _files, a comma and files or files -/
     '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+    '*--blacklist=-[blacklist directory or file]: :_files'
     '--caps[enable default Linux capabilities filter]'
     '--caps.drop=all[drop all capabilities]'
     '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
     '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
     '--cgroup=-[place the sandbox in the specified control group]: :'
     '--cpu=-[set cpu affinity]: :->cpus'
-    '*--deny=-[deny access to directory or file]: :_files'
     "--deterministic-exit-code[always exit with first child's status code]"
     '--deterministic-shutdown[terminate orphan processes]'
     '*--dns=-[set DNS server]: :'
@@ -116,7 +116,7 @@ _firejail_args=(
     '--nice=-[set nice value]: :(1 10 15 20)'
     '--no3d[disable 3D hardware acceleration]'
     '--noautopulse[disable automatic ~/.config/pulse init]'
-    '--nodeny=-[disable deny command for file or directory]: :_files'
+    '--noblacklist=-[disable blacklist for file or directory]: :_files'
     '--nodbus[disable D-Bus access]'
     '--nodvd[disable DVD and audio CD devices]'
     '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
@@ -147,13 +147,13 @@ _firejail_args=(
     '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
     '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
     '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
-    '--seccomp[enable seccomp filter and drop the default syscalls]: :'
-    '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
+    '--seccomp[enable seccomp filter and apply the default blacklist]: :'
+    '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
     '--seccomp.block-secondary[build only the native architecture filters]'
-    '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
-    '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
-    '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
-    '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
     # FIXME: Add errnos
     '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
     '--shell=none[run the program directly without a user shell]'
@@ -161,7 +161,7 @@ _firejail_args=(
     '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
     #'(--tracelog)--trace[trace open, access and connect system calls]'
     '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
-    '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]'
+    '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
     '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
     '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
     '--writable-var[/var directory is mounted read-write]'
@@ -255,8 +255,8 @@ _firejail_args=(
     '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-    '*--noallow=-[disable allow command for file or directory]: :_files'
-    '*--allow=-[allow file system access]: :_files'
+    '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
+    '*--whitelist=-[whitelist directory or file]: :_files'
 
 #ifdef HAVE_X11
     '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index a9f06b60a..eb4e4702c 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -115,13 +115,6 @@ echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
 ./seccomp-numeric.exp
 
 if [ "$(uname -m)" = "x86_64" ]; then
-        echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
-        ./seccomp-dualfilter.exp
-else
-        echo "TESTING SKIP: seccomp dual, not running on x86_64"
-fi
-
-if [ "$(uname -m)" = "x86_64" ]; then
        echo "TESTING: seccomp join (test/filters/seccomp-join.exp)"
         ./seccomp-join.exp
 else
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
index 59f812d6d..6becbff22 100755
--- a/test/filters/fseccomp.exp
+++ b/test/filters/fseccomp.exp
@@ -111,7 +111,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 9.3\n";exit}
-        "ret KILL"
+        "ret ERRNO"
 }
 
 
diff --git a/test/filters/memwrexe b/test/filters/memwrexe
index 669f0d320..1173cdc07 100755
--- a/test/filters/memwrexe
+++ b/test/filters/memwrexe
diff --git a/test/filters/memwrexe-32 b/test/filters/memwrexe-32
index 70c98b796..bdf71dcb4 100755
--- a/test/filters/memwrexe-32
+++ b/test/filters/memwrexe-32
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
index 4fbf05f78..d8bf4edaa 100644
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -42,6 +42,11 @@ int main(int argc, char **argv) {
                 }
 
                 void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
+                if (p == MAP_FAILED) {
+                        printf("mmap failed\n");
+                        return 0;
+                }
+
                 printf("mmap successful\n");
 
                 // wait for expect to timeout
@@ -70,7 +75,12 @@ int main(int argc, char **argv) {
                         return 1;
                 }
 
-                mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+                int rv = mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+                if (rv) {
+                        printf("mprotect failed\n");
+                        return 1;
+                }
+
                 printf("mprotect successful\n");
 
                 // wait for expect to timeout
@@ -82,7 +92,7 @@ int main(int argc, char **argv) {
         else if (strcmp(argv[1], "memfd_create") == 0) {
                 int fd = syscall(SYS_memfd_create, "memfd_create", 0);
                 if (fd == -1) {
-                        fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+                        printf("memfd_create failed\n");
                         return 1;
                 }
                 printf("memfd_create successful\n");
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
index 64f72f610..5fc16c47f 100755
--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -72,7 +72,7 @@ expect {
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "5"
+        "9"
 }
 
 
@@ -104,7 +104,7 @@ expect {
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "5"
+        "9"
 }
 
 # check seccomp disabled and all caps enabled
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp
index 071460e4c..09c742378 100755
--- a/test/filters/protocol.exp
+++ b/test/filters/protocol.exp
@@ -7,179 +7,38 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
+send -- "firejail --noprofile --protocol=unix --debug\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
-        "Child process initialized"
+        "0009: 20 00 00 00000000   ld  data.syscall-number"
 }
 expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3\n";exit}
-        "socket AF_INET6"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.5\n";exit}
-        "socket AF_NETLINK"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.6\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.7\n";exit}
-        "socket AF_UNIX"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.8\n";exit}
-        "socket AF_PACKETX"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.9\n";exit}
-        "Operation not supported"
-}
-sleep 1
-
-send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
-expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3\n";exit}
-        "socket AF_INET6"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4\n";exit}
-        "socket AF_NETLINK"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.5\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.6\n";exit}
-        "socket AF_UNIX"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.7\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.8\n";exit}
-        "socket AF_PACKETX"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.9\n";exit}
-        "after socket"
+        "000a: 15 01 00 00000029   jeq socket 000c (false 000b)"
 }
-sleep 1
-
-# profile testing
-send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3\n";exit}
-        "socket AF_INET6"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.5\n";exit}
-        "socket AF_NETLINK"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.6\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.7\n";exit}
-        "socket AF_UNIX"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.8\n";exit}
-        "socket AF_PACKETX"
+        "000b: 06 00 00 7fff0000   ret ALLOW"
 }
 expect {
-        timeout {puts "TESTING ERROR 3.9\n";exit}
-        "Operation not supported"
-}
-sleep 1
-
-send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
-expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "socket AF_INET"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.3\n";exit}
-        "socket AF_INET6"
+        "000c: 20 00 00 00000010   ld  data.args"
 }
 expect {
-        timeout {puts "TESTING ERROR 4.4\n";exit}
-        "socket AF_NETLINK"
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "000d: 15 00 01 00000001   jeq 1 000e (false 000f)"
 }
 expect {
-        timeout {puts "TESTING ERROR 4.5\n";exit}
-        "Operation not supported"
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "000e: 06 00 00 7fff0000   ret ALLOW"
+        ""
 }
 expect {
-        timeout {puts "TESTING ERROR 4.6\n";exit}
-        "socket AF_UNIX"
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "000f: 06 00 00 0005005f   ret ERRNO(95)"
 }
-expect {
-        timeout {puts "TESTING ERROR 4.7\n";exit}
-        "Operation not supported"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.8\n";exit}
-        "socket AF_PACKETX"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.9\n";exit}
-        "after socket"
-}
-after 100
 
+after 100
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
deleted file mode 100755
index e655be848..000000000
--- a/test/filters/seccomp-dualfilter.exp
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 1
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./syscall_test\r"
-expect {
-        timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
-        "Usage"
-}
-
-send -- "./syscall_test32\r"
-expect {
-        timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
-        "Usage"
-}
-
-set timeout 10
-send -- "firejail ./syscall_test mount\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "before mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "after mount" {puts "TESTING ERROR 3\n";exit}
-        "Parent is shutting down"
-}
-sleep 1
-
-send -- "firejail ./syscall_test32 mount\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "before mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "after mount" {puts "TESTING ERROR 7\n";exit}
-        "Parent is shutting down"
-}
-
-after 100
-puts "\nall done\n"
diff --git a/test/filters/seccomp-postexec.exp b/test/filters/seccomp-postexec.exp
index 18263520a..fe0e40e60 100755
--- a/test/filters/seccomp-postexec.exp
+++ b/test/filters/seccomp-postexec.exp
@@ -14,20 +14,17 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "data.architecture"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
         "monitoring pid"
 }
+sleep 1
+
+send -- "ls\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Sandbox monitor: waitpid"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Parent is shutting down"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not permitted"
 }
-sleep 1
 
+
+send -- "exit\r"
+after 100
 puts "all done\n"
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
index ec8ab615c..05fd6eabb 100755
--- a/test/filters/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -17,8 +17,7 @@ sleep 2
 send -- "strace ls\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Bad system call" {puts "version 1\n";}
-        " unexpected signal 31" {puts "version 2\n"}
+        "not permitted"
 }
 
 send -- "exit\r"
diff --git a/test/filters/syscall_test b/test/filters/syscall_test
deleted file mode 100755
index bf29c5b99..000000000
--- a/test/filters/syscall_test
+++ /dev/null
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c
deleted file mode 100644
index 55ee31afb..000000000
--- a/test/filters/syscall_test.c
+++ /dev/null
@@ -1,82 +0,0 @@
-// This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
-// License GPL v2
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <net/ethernet.h>
-#include <sys/mount.h>
-
-int main(int argc, char **argv) {
-        if (argc != 2) {
-                printf("Usage: test [sleep|socket|mkdir|mount]\n");
-                return 1;
-        }
-
-        if (strcmp(argv[1], "sleep") == 0) {
-                printf("before sleep\n");
-                sleep(1);
-                printf("after sleep\n");
-        }
-        else if (strcmp(argv[1], "socket") == 0) {
-                int sock;
-
-                printf("testing socket AF_INET\n");
-                if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                printf("testing socket AF_INET6\n");
-                if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                printf("testing socket AF_NETLINK\n");
-                if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                printf("testing socket AF_UNIX\n");
-                if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-
-                // root needed to be able to handle this
-                printf("testing socket AF_PACKETX\n");
-                if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) {
-                        perror("socket");
-                }
-                else
-                        close(sock);
-                printf("after socket\n");
-        }
-        else if (strcmp(argv[1], "mkdir") == 0) {
-                printf("before mkdir\n");
-                mkdir("tmp", 0777);
-                printf("after mkdir\n");
-        }
-        else if (strcmp(argv[1], "mount") == 0) {
-                printf("before mount\n");
-                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0) {
-                        perror("mount");
-                }
-                printf("after mount\n");
-        }
-        else {
-                fprintf(stderr, "Error: invalid argument\n");
-                return 1;
-        }
-        return 0;
-}
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32
deleted file mode 100755
index 8d72f58c4..000000000
--- a/test/filters/syscall_test32
+++ /dev/null