mainline merge

29 files changed, 55 insertions, 2388 deletions

diff --git a/Makefile.in b/Makefile.in
index 03dba1f61..557b0289e 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/fnet src/fseccomp src/libpostexecseccomp
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@
diff --git a/etc/dig.profile b/etc/dig.profile
deleted file mode 100644
index 4b6ab0975..000000000
--- a/etc/dig.profile
+++ /dev/null
@@ -1,47 +0,0 @@
-quiet
-# Firejail profile for dig
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dig.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-xdg.inc
-
-whitelist ~/.digrc
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# ipc-namespace
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private
-private-bin sh,bash,dig
-private-cache
-private-dev
-# private-etc resolv.conf
-private-lib
-private-tmp
-
-memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp
diff --git a/linecnt.sh b/linecnt.sh
index 4048077e8..c0ba0df05 100755
--- a/linecnt.sh
+++ b/linecnt.sh
@@ -6,7 +6,6 @@ gcov_init() {
         firemon --help > /dev/null
         /usr/lib/firejail/fnet --help > /dev/null
         /usr/lib/firejail/fseccomp --help > /dev/null
-        /usr/lib/firejail/ftee --help > /dev/null
         firecfg --help > /dev/null
 
         /usr/lib/firejail/fnetfilter --help > /dev/null
@@ -20,5 +19,5 @@ rm -fr gcov-dir
 gcov_init
 lcov -q --capture -d src/firejail -d src/firemon \
         -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
-        -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file
+        -d src/fnet -d src/lib -d src/firecfg --output-file gcov-file
 genhtml -q gcov-file --output-directory gcov-dir
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
deleted file mode 100755
index bb321c4fe..000000000
--- a/platform/rpm/old-mkrpm.sh
+++ /dev/null
@@ -1,688 +0,0 @@
-#!/bin/bash
-VERSION="0.9.52"
-rm -fr ~/rpmbuild
-rm -f firejail-$VERSION-1.x86_64.rpm
-
-mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
-cat <<EOF >~/.rpmmacros
-%_topdir   %(echo $HOME)/rpmbuild
-%_tmppath  %{_topdir}/tmp
-EOF
-
-cd ~/rpmbuild
-echo "building directory tree"
-
-mkdir -p firejail-$VERSION/usr/bin
-install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
-install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
-install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/.
-
-mkdir -p  firejail-$VERSION/usr/lib/firejail
-install -m 755 /usr/lib/firejail/faudit  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fcopy  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fgit-install.sh  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fgit-uninstall.sh  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/firecfg.config  firejail-$VERSION/usr/lib/firejail/.
-# Python 3  is not available on CentOS
-#install -m 755 /usr/lib/firejail/fix_private-bin.py  firejail-$VERSION/usr/lib/firejail/.
-#install -m 755 /usr/lib/firejail/fjclip.py  firejail-$VERSION/usr/lib/firejail/.
-#install -m 755 /usr/lib/firejail/fjdisplay.py  firejail-$VERSION/usr/lib/firejail/.
-#install -m 755 /usr/lib/firejail/fjresize.py  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fldd  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fnet  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fseccomp  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fbuilder  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libpostexecseccomp.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.64  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.debug  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.32  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.block_secondary  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.mdwx  firejail-$VERSION/usr/lib/firejail/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man1
-install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
-install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
-install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man5
-install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
-install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
-
-mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
-install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
-
-mkdir -p firejail-$VERSION/etc/firejail
-install -m 644 /etc/firejail/* firejail-$VERSION/etc/firejail/.
-
-mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
-install -m 644 /usr/share/bash-completion/completions/firejail  firejail-$VERSION/usr/share/bash-completion/completions/.
-install -m 644 /usr/share/bash-completion/completions/firemon  firejail-$VERSION/usr/share/bash-completion/completions/.
-install -m 644 /usr/share/bash-completion/completions/firecfg  firejail-$VERSION/usr/share/bash-completion/completions/.
-
-echo "building tar.gz archive"
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-
-cp firejail-$VERSION.tar.gz SOURCES/.
-
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define        __spec_install_post %{nil}
-%define          debug_package %{nil}
-%define        __os_install_post %{_dbpath}/brp-compress
-
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://firejail.wordpress.com
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-
-%prep
-%setup -q
-
-%build
-
-%install
-rm -rf %{buildroot}
-mkdir -p  %{buildroot}
-
-cp -a * %{buildroot}
-
-
-%clean
-rm -rf %{buildroot}
-
-%files
-%defattr(-,root,root,-)
-%{_sysconfdir}/%{name}/0ad.profile
-%{_sysconfdir}/%{name}/abrowser.profile
-%{_sysconfdir}/%{name}/atom-beta.profile
-%{_sysconfdir}/%{name}/atom.profile
-%{_sysconfdir}/%{name}/atril.profile
-%{_sysconfdir}/%{name}/audacious.profile
-%{_sysconfdir}/%{name}/audacity.profile
-%{_sysconfdir}/%{name}/aweather.profile
-%{_sysconfdir}/%{name}/bitlbee.profile
-%{_sysconfdir}/%{name}/brave.profile
-%{_sysconfdir}/%{name}/cherrytree.profile
-%{_sysconfdir}/%{name}/chromium-browser.profile
-%{_sysconfdir}/%{name}/chromium.profile
-%{_sysconfdir}/%{name}/clementine.profile
-%{_sysconfdir}/%{name}/cmus.profile
-%{_sysconfdir}/%{name}/conkeror.profile
-%{_sysconfdir}/%{name}/corebird.profile
-%{_sysconfdir}/%{name}/cpio.profile
-%{_sysconfdir}/%{name}/cyberfox.profile
-%{_sysconfdir}/%{name}/Cyberfox.profile
-%{_sysconfdir}/%{name}/deadbeef.profile
-%{_sysconfdir}/%{name}/default.profile
-%{_sysconfdir}/%{name}/deluge.profile
-%{_sysconfdir}/%{name}/dillo.profile
-%{_sysconfdir}/%{name}/disable-common.inc
-%{_sysconfdir}/%{name}/disable-devel.inc
-%{_sysconfdir}/%{name}/disable-passwdmgr.inc
-%{_sysconfdir}/%{name}/disable-programs.inc
-%{_sysconfdir}/%{name}/dnscrypt-proxy.profile
-%{_sysconfdir}/%{name}/dnsmasq.profile
-%{_sysconfdir}/%{name}/dosbox.profile
-%{_sysconfdir}/%{name}/dropbox.profile
-%{_sysconfdir}/%{name}/empathy.profile
-%{_sysconfdir}/%{name}/eom.profile
-%{_sysconfdir}/%{name}/epiphany.profile
-%{_sysconfdir}/%{name}/evince.profile
-%{_sysconfdir}/%{name}/fbreader.profile
-%{_sysconfdir}/%{name}/file.profile
-%{_sysconfdir}/%{name}/filezilla.profile
-%{_sysconfdir}/%{name}/firefox-esr.profile
-%{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firejail.config
-%{_sysconfdir}/%{name}/flashpeak-slimjet.profile
-%{_sysconfdir}/%{name}/franz.profile
-%{_sysconfdir}/%{name}/gajim.profile
-%{_sysconfdir}/%{name}/gitter.profile
-%{_sysconfdir}/%{name}/gnome-chess.profile
-%{_sysconfdir}/%{name}/gnome-mplayer.profile
-%{_sysconfdir}/%{name}/google-chrome-beta.profile
-%{_sysconfdir}/%{name}/google-chrome.profile
-%{_sysconfdir}/%{name}/google-chrome-stable.profile
-%{_sysconfdir}/%{name}/google-chrome-unstable.profile
-%{_sysconfdir}/%{name}/google-play-music-desktop-player.profile
-%{_sysconfdir}/%{name}/gpredict.profile
-%{_sysconfdir}/%{name}/gtar.profile
-%{_sysconfdir}/%{name}/gthumb.profile
-%{_sysconfdir}/%{name}/gwenview.profile
-%{_sysconfdir}/%{name}/gzip.profile
-%{_sysconfdir}/%{name}/hedgewars.profile
-%{_sysconfdir}/%{name}/hexchat.profile
-%{_sysconfdir}/%{name}/icecat.profile
-%{_sysconfdir}/%{name}/icedove.profile
-%{_sysconfdir}/%{name}/iceweasel.profile
-%{_sysconfdir}/%{name}/inox.profile
-%{_sysconfdir}/%{name}/jitsi.profile
-%{_sysconfdir}/%{name}/kmail.profile
-%{_sysconfdir}/%{name}/konversation.profile
-%{_sysconfdir}/%{name}/less.profile
-%{_sysconfdir}/%{name}/libreoffice.profile
-%{_sysconfdir}/%{name}/localc.profile
-%{_sysconfdir}/%{name}/lodraw.profile
-%{_sysconfdir}/%{name}/loffice.profile
-%{_sysconfdir}/%{name}/lofromtemplate.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%{_sysconfdir}/%{name}/loimpress.profile
-%{_sysconfdir}/%{name}/lomath.profile
-%{_sysconfdir}/%{name}/loweb.profile
-%{_sysconfdir}/%{name}/lowriter.profile
-%{_sysconfdir}/%{name}/mathematica.profile
-%{_sysconfdir}/%{name}/Mathematica.profile
-%{_sysconfdir}/%{name}/mcabber.profile
-%{_sysconfdir}/%{name}/midori.profile
-%{_sysconfdir}/%{name}/mpv.profile
-%{_sysconfdir}/%{name}/mupen64plus.profile
-%{_sysconfdir}/%{name}/netsurf.profile
-%{_sysconfdir}/%{name}/nolocal.net
-%{_sysconfdir}/%{name}/okular.profile
-%{_sysconfdir}/%{name}/openbox.profile
-%{_sysconfdir}/%{name}/opera-beta.profile
-%{_sysconfdir}/%{name}/opera.profile
-%{_sysconfdir}/%{name}/palemoon.profile
-%{_sysconfdir}/%{name}/parole.profile
-%{_sysconfdir}/%{name}/pidgin.profile
-%{_sysconfdir}/%{name}/pix.profile
-%{_sysconfdir}/%{name}/polari.profile
-%{_sysconfdir}/%{name}/psi-plus.profile
-%{_sysconfdir}/%{name}/qbittorrent.profile
-%{_sysconfdir}/%{name}/qtox.profile
-%{_sysconfdir}/%{name}/quassel.profile
-%{_sysconfdir}/%{name}/quiterss.profile
-%{_sysconfdir}/%{name}/qutebrowser.profile
-%{_sysconfdir}/%{name}/rhythmbox.profile
-%{_sysconfdir}/%{name}/rtorrent.profile
-%{_sysconfdir}/%{name}/seamonkey-bin.profile
-%{_sysconfdir}/%{name}/seamonkey.profile
-%{_sysconfdir}/%{name}/server.profile
-%{_sysconfdir}/%{name}/skypeforlinux.profile
-%{_sysconfdir}/%{name}/skype.profile
-%{_sysconfdir}/%{name}/slack.profile
-%{_sysconfdir}/%{name}/snap.profile
-%{_sysconfdir}/%{name}/soffice.profile
-%{_sysconfdir}/%{name}/spotify.profile
-%{_sysconfdir}/%{name}/ssh.profile
-%{_sysconfdir}/%{name}/steam.profile
-%{_sysconfdir}/%{name}/stellarium.profile
-%{_sysconfdir}/%{name}/strings.profile
-%{_sysconfdir}/%{name}/tar.profile
-%{_sysconfdir}/%{name}/telegram.profile
-%{_sysconfdir}/%{name}/Telegram.profile
-%{_sysconfdir}/%{name}/thunderbird.profile
-%{_sysconfdir}/%{name}/totem.profile
-%{_sysconfdir}/%{name}/transmission-gtk.profile
-%{_sysconfdir}/%{name}/transmission-qt.profile
-%{_sysconfdir}/%{name}/uget-gtk.profile
-%{_sysconfdir}/%{name}/unbound.profile
-%{_sysconfdir}/%{name}/unrar.profile
-%{_sysconfdir}/%{name}/unzip.profile
-%{_sysconfdir}/%{name}/uudeview.profile
-%{_sysconfdir}/%{name}/vivaldi-beta.profile
-%{_sysconfdir}/%{name}/vivaldi.profile
-%{_sysconfdir}/%{name}/vlc.profile
-%{_sysconfdir}/%{name}/warzone2100.profile
-%{_sysconfdir}/%{name}/webserver.net
-%{_sysconfdir}/%{name}/weechat-curses.profile
-%{_sysconfdir}/%{name}/weechat.profile
-%{_sysconfdir}/%{name}/wesnoth.profile
-%{_sysconfdir}/%{name}/whitelist-common.inc
-%{_sysconfdir}/%{name}/wine.profile
-%{_sysconfdir}/%{name}/xchat.profile
-%{_sysconfdir}/%{name}/xplayer.profile
-%{_sysconfdir}/%{name}/xreader.profile
-%{_sysconfdir}/%{name}/xviewer.profile
-%{_sysconfdir}/%{name}/xzdec.profile
-%{_sysconfdir}/%{name}/xz.profile
-%{_sysconfdir}/%{name}/zathura.profile
-%{_sysconfdir}/%{name}/7z.profile
-%{_sysconfdir}/%{name}/keepass.profile
-%{_sysconfdir}/%{name}/keepassx.profile
-%{_sysconfdir}/%{name}/claws-mail.profile
-%{_sysconfdir}/%{name}/mutt.profile
-%{_sysconfdir}/%{name}/git.profile
-%{_sysconfdir}/%{name}/emacs.profile
-%{_sysconfdir}/%{name}/vim.profile
-%{_sysconfdir}/%{name}/xpdf.profile
-%{_sysconfdir}/%{name}/virtualbox.profile
-%{_sysconfdir}/%{name}/openshot.profile
-%{_sysconfdir}/%{name}/flowblade.profile
-%{_sysconfdir}/%{name}/eog.profile
-%{_sysconfdir}/%{name}/evolution.profile
-%{_sysconfdir}/%{name}/feh.profile
-%{_sysconfdir}/%{name}/inkscape.profile
-%{_sysconfdir}/%{name}/gimp.profile
-%{_sysconfdir}/%{name}/luminance-hdr.profile
-%{_sysconfdir}/%{name}/mupdf.profile
-%{_sysconfdir}/%{name}/qpdfview.profile
-%{_sysconfdir}/%{name}/ranger.profile
-%{_sysconfdir}/%{name}/synfigstudio.profile
-# 0.9.45
-%{_sysconfdir}/%{name}/Cryptocat.profile
-%{_sysconfdir}/%{name}/FossaMail.profile
-%{_sysconfdir}/%{name}/Thunar.profile
-%{_sysconfdir}/%{name}/VirtualBox.profile
-%{_sysconfdir}/%{name}/Wire.profile
-%{_sysconfdir}/%{name}/amarok.profile
-%{_sysconfdir}/%{name}/ark.profile
-%{_sysconfdir}/%{name}/atool.profile
-%{_sysconfdir}/%{name}/bleachbit.profile
-%{_sysconfdir}/%{name}/bless.profile
-%{_sysconfdir}/%{name}/brasero.profile
-%{_sysconfdir}/%{name}/cryptocat.profile
-%{_sysconfdir}/%{name}/cvlc.profile
-%{_sysconfdir}/%{name}/display.profile
-%{_sysconfdir}/%{name}/dolphin.profile
-%{_sysconfdir}/%{name}/dragon.profile
-%{_sysconfdir}/%{name}/elinks.profile
-%{_sysconfdir}/%{name}/enchant.profile
-%{_sysconfdir}/%{name}/engrampa.profile
-%{_sysconfdir}/%{name}/exiftool.profile
-%{_sysconfdir}/%{name}/file-roller.profile
-%{_sysconfdir}/%{name}/fossamail.profile
-%{_sysconfdir}/%{name}/gedit.profile
-%{_sysconfdir}/%{name}/geeqie.profile
-%{_sysconfdir}/%{name}/gjs.profile
-%{_sysconfdir}/%{name}/gnome-2048.profile
-%{_sysconfdir}/%{name}/gnome-books.profile
-%{_sysconfdir}/%{name}/gnome-calculator.profile
-%{_sysconfdir}/%{name}/gnome-clocks.profile
-%{_sysconfdir}/%{name}/gnome-contacts.profile
-%{_sysconfdir}/%{name}/gnome-documents.profile
-%{_sysconfdir}/%{name}/gnome-maps.profile
-%{_sysconfdir}/%{name}/gnome-music.profile
-%{_sysconfdir}/%{name}/gnome-photos.profile
-%{_sysconfdir}/%{name}/gnome-weather.profile
-%{_sysconfdir}/%{name}/goobox.profile
-%{_sysconfdir}/%{name}/gpa.profile
-%{_sysconfdir}/%{name}/gpg-agent.profile
-%{_sysconfdir}/%{name}/gpg.profile
-%{_sysconfdir}/%{name}/gpicview.profile
-%{_sysconfdir}/%{name}/guayadeque.profile
-%{_sysconfdir}/%{name}/highlight.profile
-%{_sysconfdir}/%{name}/img2txt.profile
-%{_sysconfdir}/%{name}/iridium-browser.profile
-%{_sysconfdir}/%{name}/iridium.profile
-%{_sysconfdir}/%{name}/jd-gui.profile
-%{_sysconfdir}/%{name}/k3b.profile
-%{_sysconfdir}/%{name}/kate.profile
-%{_sysconfdir}/%{name}/keepass2.profile
-%{_sysconfdir}/%{name}/keepassx2.profile
-%{_sysconfdir}/%{name}/keepassxc.profile
-%{_sysconfdir}/%{name}/kino.profile
-%{_sysconfdir}/%{name}/lollypop.profile
-%{_sysconfdir}/%{name}/lynx.profile
-%{_sysconfdir}/%{name}/mediainfo.profile
-%{_sysconfdir}/%{name}/mediathekview.profile
-%{_sysconfdir}/%{name}/mousepad.profile
-%{_sysconfdir}/%{name}/multimc5.profile
-%{_sysconfdir}/%{name}/mumble.profile
-%{_sysconfdir}/%{name}/nautilus.profile
-%{_sysconfdir}/%{name}/odt2txt.profile
-%{_sysconfdir}/%{name}/pdfsam.profile
-%{_sysconfdir}/%{name}/pdftotext.profile
-%{_sysconfdir}/%{name}/pithos.profile
-%{_sysconfdir}/%{name}/pluma.profile
-%{_sysconfdir}/%{name}/qemu-launcher.profile
-%{_sysconfdir}/%{name}/qemu-system-x86_64.profile
-%{_sysconfdir}/%{name}/qupzilla.profile
-%{_sysconfdir}/%{name}/scribus.profile
-%{_sysconfdir}/%{name}/simple-scan.profile
-%{_sysconfdir}/%{name}/skanlite.profile
-%{_sysconfdir}/%{name}/ssh-agent.profile
-%{_sysconfdir}/%{name}/start-tor-browser.profile
-%{_sysconfdir}/%{name}/thunar.profile
-%{_sysconfdir}/%{name}/tracker.profile
-%{_sysconfdir}/%{name}/transmission-cli.profile
-%{_sysconfdir}/%{name}/transmission-show.profile
-%{_sysconfdir}/%{name}/uzbl-browser.profile
-%{_sysconfdir}/%{name}/vivaldi-stable.profile
-%{_sysconfdir}/%{name}/w3m.profile
-%{_sysconfdir}/%{name}/wget.profile
-%{_sysconfdir}/%{name}/wire.profile
-%{_sysconfdir}/%{name}/wireshark.profile
-%{_sysconfdir}/%{name}/xed.profile
-%{_sysconfdir}/%{name}/xfburn.profile
-%{_sysconfdir}/%{name}/xiphos.profile
-%{_sysconfdir}/%{name}/xmms.profile
-%{_sysconfdir}/%{name}/xonotic-glx.profile
-%{_sysconfdir}/%{name}/xonotic-sdl.profile
-%{_sysconfdir}/%{name}/xonotic.profile
-%{_sysconfdir}/%{name}/xpra.profile
-%{_sysconfdir}/%{name}/zoom.profile
-%{_sysconfdir}/%{name}/2048-qt.profile
-%{_sysconfdir}/%{name}/Xephyr.profile
-%{_sysconfdir}/%{name}/Xvfb.profile
-%{_sysconfdir}/%{name}/akregator.profile
-%{_sysconfdir}/%{name}/arduino.profile
-%{_sysconfdir}/%{name}/baloo_file.profile
-%{_sysconfdir}/%{name}/bibletime.profile
-%{_sysconfdir}/%{name}/blender.profile
-%{_sysconfdir}/%{name}/caja.profile
-%{_sysconfdir}/%{name}/clipit.profile
-%{_sysconfdir}/%{name}/dia.profile
-%{_sysconfdir}/%{name}/dino.profile
-%{_sysconfdir}/%{name}/fontforge.profile
-%{_sysconfdir}/%{name}/galculator.profile
-%{_sysconfdir}/%{name}/geany.profile
-%{_sysconfdir}/%{name}/gimp-2.8.profile
-%{_sysconfdir}/%{name}/globaltime.profile
-%{_sysconfdir}/%{name}/gnome-font-viewer.profile
-%{_sysconfdir}/%{name}/gucharmap.profile
-%{_sysconfdir}/%{name}/hugin.profile
-%{_sysconfdir}/%{name}/kcalc.profile
-%{_sysconfdir}/%{name}/knotes.profile
-%{_sysconfdir}/%{name}/kodi.profile
-%{_sysconfdir}/%{name}/ktorrent.profile
-%{_sysconfdir}/%{name}/leafpad.profile
-%{_sysconfdir}/%{name}/lximage-qt.profile
-%{_sysconfdir}/%{name}/lxmusic.profile
-%{_sysconfdir}/%{name}/mate-calc.profile
-%{_sysconfdir}/%{name}/mate-calculator.profile
-%{_sysconfdir}/%{name}/mate-color-select.profile
-%{_sysconfdir}/%{name}/mate-dictionary.profile
-%{_sysconfdir}/%{name}/meld.profile
-%{_sysconfdir}/%{name}/nemo.profile
-%{_sysconfdir}/%{name}/nylas.profile
-%{_sysconfdir}/%{name}/orage.profile
-%{_sysconfdir}/%{name}/pcmanfm.profile
-%{_sysconfdir}/%{name}/qlipper.profile
-%{_sysconfdir}/%{name}/ristretto.profile
-%{_sysconfdir}/%{name}/viewnior.profile
-%{_sysconfdir}/%{name}/viking.profile
-%{_sysconfdir}/%{name}/xfce4-dict.profile
-%{_sysconfdir}/%{name}/xfce4-notes.profile
-%{_sysconfdir}/%{name}/youtube-dl.profile
-%{_sysconfdir}/%{name}/catfish.profile
-%{_sysconfdir}/%{name}/darktable.profile
-%{_sysconfdir}/%{name}/digikam.profile
-%{_sysconfdir}/%{name}/handbrake.profile
-%{_sysconfdir}/%{name}/vym.profile
-%{_sysconfdir}/%{name}/waterfox.profile
-# 0.9.49
-%{_sysconfdir}/%{name}/Gitter.profile
-%{_sysconfdir}/%{name}/android-studio.profile
-%{_sysconfdir}/%{name}/apktool.profile
-%{_sysconfdir}/%{name}/arm.profile
-%{_sysconfdir}/%{name}/baobab.profile
-%{_sysconfdir}/%{name}/calibre.profile
-%{_sysconfdir}/%{name}/curl.profile
-%{_sysconfdir}/%{name}/dex2jar.profile
-%{_sysconfdir}/%{name}/ebook-viewer.profile
-%{_sysconfdir}/%{name}/electron.profile
-%{_sysconfdir}/%{name}/etr.profile
-%{_sysconfdir}/%{name}/firefox-nightly.profile
-%{_sysconfdir}/%{name}/frozen-bubble.profile
-%{_sysconfdir}/%{name}/geary.profile
-%{_sysconfdir}/%{name}/ghb.profile
-%{_sysconfdir}/%{name}/gitg.profile
-%{_sysconfdir}/%{name}/gnome-twitch.profile
-%{_sysconfdir}/%{name}/handbrake-gtk.profile
-%{_sysconfdir}/%{name}/hashcat.profile
-%{_sysconfdir}/%{name}/idea.sh.profile
-%{_sysconfdir}/%{name}/kwrite.profile
-%{_sysconfdir}/%{name}/liferea.profile
-%{_sysconfdir}/%{name}/mplayer.profile
-%{_sysconfdir}/%{name}/musescore.profile
-%{_sysconfdir}/%{name}/neverball.profile
-%{_sysconfdir}/%{name}/obs.profile
-%{_sysconfdir}/%{name}/open-invaders.profile
-%{_sysconfdir}/%{name}/peek.profile
-%{_sysconfdir}/%{name}/picard.profile
-%{_sysconfdir}/%{name}/pingus.profile
-%{_sysconfdir}/%{name}/rambox.profile
-%{_sysconfdir}/%{name}/remmina.profile
-%{_sysconfdir}/%{name}/riot-web.profile
-%{_sysconfdir}/%{name}/sdat2img.profile
-%{_sysconfdir}/%{name}/silentarmy.profile
-%{_sysconfdir}/%{name}/simutrans.profile
-%{_sysconfdir}/%{name}/smplayer.profile
-%{_sysconfdir}/%{name}/soundconverter.profile
-%{_sysconfdir}/%{name}/sqlitebrowser.profile
-%{_sysconfdir}/%{name}/supertux2.profile
-%{_sysconfdir}/%{name}/telegram-desktop.profile
-%{_sysconfdir}/%{name}/torbrowser-launcher.profile
-%{_sysconfdir}/%{name}/truecraft.profile
-%{_sysconfdir}/%{name}/tuxguitar.profile
-%{_sysconfdir}/%{name}/unknown-horizons.profile
-%{_sysconfdir}/%{name}/wireshark-gtk.profile
-%{_sysconfdir}/%{name}/wireshark-qt.profile
-%{_sysconfdir}/%{name}/itch.profile
-%{_sysconfdir}/%{name}/minetest.profile
-%{_sysconfdir}/%{name}/yandex-browser.profile
-# 0.9.52
-%{_sysconfdir}/%{name}/Natron.profile
-%{_sysconfdir}/%{name}/Viber.profile
-%{_sysconfdir}/%{name}/amule.profile
-%{_sysconfdir}/%{name}/arch-audit.profile
-%{_sysconfdir}/%{name}/ardour4.profile
-%{_sysconfdir}/%{name}/ardour5.profile
-%{_sysconfdir}/%{name}/bluefish.profile
-%{_sysconfdir}/%{name}/brackets.profile
-%{_sysconfdir}/%{name}/calligra.profile
-%{_sysconfdir}/%{name}/calligraauthor.profile
-%{_sysconfdir}/%{name}/calligraconverter.profile
-%{_sysconfdir}/%{name}/calligraflow.profile
-%{_sysconfdir}/%{name}/calligraplan.profile
-%{_sysconfdir}/%{name}/calligraplanwork.profile
-%{_sysconfdir}/%{name}/calligrasheets.profile
-%{_sysconfdir}/%{name}/calligrastage.profile
-%{_sysconfdir}/%{name}/calligrawords.profile
-%{_sysconfdir}/%{name}/cin.profile
-%{_sysconfdir}/%{name}/cinelerra.profile
-%{_sysconfdir}/%{name}/clamav.profile
-%{_sysconfdir}/%{name}/clamdscan.profile
-%{_sysconfdir}/%{name}/clamdtop.profile
-%{_sysconfdir}/%{name}/clamscan.profile
-%{_sysconfdir}/%{name}/cliqz.profile
-%{_sysconfdir}/%{name}/conky.profile
-%{_sysconfdir}/%{name}/dooble-qt4.profile
-%{_sysconfdir}/%{name}/dooble.profile
-%{_sysconfdir}/%{name}/fetchmail.profile
-%{_sysconfdir}/%{name}/ffmpeg.profile
-%{_sysconfdir}/%{name}/freecad.profile
-%{_sysconfdir}/%{name}/freecadcmd.profile
-%{_sysconfdir}/%{name}/freshclam.profile
-%{_sysconfdir}/%{name}/google-earth.profile
-%{_sysconfdir}/%{name}/imagej.profile
-%{_sysconfdir}/%{name}/karbon.profile
-%{_sysconfdir}/%{name}/kdenlive.profile
-%{_sysconfdir}/%{name}/krita.profile
-%{_sysconfdir}/%{name}/linphone.profile
-%{_sysconfdir}/%{name}/lmms.profile
-%{_sysconfdir}/%{name}/macrofusion.profile
-%{_sysconfdir}/%{name}/mpd.profile
-%{_sysconfdir}/%{name}/natron.profile
-%{_sysconfdir}/%{name}/openshot-qt.profile
-%{_sysconfdir}/%{name}/pinta.profile
-%{_sysconfdir}/%{name}/ricochet.profile
-%{_sysconfdir}/%{name}/rocketchat.profile
-%{_sysconfdir}/%{name}/shotcut.profile
-%{_sysconfdir}/%{name}/smtube.profile
-%{_sysconfdir}/%{name}/surf.profile
-%{_sysconfdir}/%{name}/teamspeak3.profile
-%{_sysconfdir}/%{name}/terasology.profile
-%{_sysconfdir}/%{name}/tor-browser-en.profile
-%{_sysconfdir}/%{name}/tor.profile
-%{_sysconfdir}/%{name}/uefitool.profile
-%{_sysconfdir}/%{name}/whitelist-var-common.inc
-%{_sysconfdir}/%{name}/x-terminal-emulator.profile
-%{_sysconfdir}/%{name}/xmr-stak-cpu.profile
-%{_sysconfdir}/%{name}/zart.profile
-%{_sysconfdir}/%{name}/aosp.profile
-%{_sysconfdir}/%{name}/archaudit-report.profile
-%{_sysconfdir}/%{name}/bnox.profile
-%{_sysconfdir}/%{name}/bsdtar.profile
-%{_sysconfdir}/%{name}/cower.profile
-%{_sysconfdir}/%{name}/dnox.profile
-%{_sysconfdir}/%{name}/enpass.profile
-%{_sysconfdir}/%{name}/gnome-ring.profile
-%{_sysconfdir}/%{name}/kdeinit4.profile
-%{_sysconfdir}/%{name}/kget.profile
-%{_sysconfdir}/%{name}/kopete.profile
-%{_sysconfdir}/%{name}/krunner.profile
-%{_sysconfdir}/%{name}/kwin_x11.profile
-%{_sysconfdir}/%{name}/makepkg.profile
-%{_sysconfdir}/%{name}/nheko.profile
-%{_sysconfdir}/%{name}/pdfmod.profile
-%{_sysconfdir}/%{name}/ping.profile
-%{_sysconfdir}/%{name}/runenpass.sh.profile
-%{_sysconfdir}/%{name}/signal-desktop.profile
-%{_sysconfdir}/%{name}/tcpserver.net
-%{_sysconfdir}/%{name}/xcalc.profile
-%{_sysconfdir}/%{name}/zaproxy.profile
- 
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/bin/firecfg
-
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/libpostexecseccomp.so
-/usr/lib/firejail/faudit
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fbuilder
-/usr/lib/firejail/firecfg.config
-/usr/lib/firejail/fshaper.sh
-/usr/lib/firejail/fcopy
-/usr/lib/firejail/fgit-install.sh
-/usr/lib/firejail/fgit-uninstall.sh
-#/usr/lib/firejail/fix_private-bin.py
-#/usr/lib/firejail/fjclip.py
-#/usr/lib/firejail/fjdisplay.py
-#/usr/lib/firejail/fjresize.py
-/usr/lib/firejail/fnet
-/usr/lib/firejail/fldd
-/usr/lib/firejail/fseccomp
-/usr/lib/firejail/seccomp
-/usr/lib/firejail/seccomp.64
-/usr/lib/firejail/seccomp.debug
-/usr/lib/firejail/seccomp.32
-/usr/lib/firejail/seccomp.block_secondary
-/usr/lib/firejail/seccomp.mdwx
-
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man1/firecfg.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
-/usr/share/bash-completion/completions/firecfg
-
-%post
-chmod u+s /usr/bin/firejail
-
-%changelog
-* Tue Dec 12 2017  netblue30 <netblue30@yahoo.com> 0.9.52-1
-
-* Fri Sep 8 2017  netblue30 <netblue30@yahoo.com> 0.9.50-1
-
-* Mon Jun 12 2017  netblue30 <netblue30@yahoo.com> 0.9.48-1
-
-* Mon May 15 2017  netblue30 <netblue30@yahoo.com> 0.9.46-1
-
-* Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
-  - CVE-2016-7545 submitted by Aleksey Manevich
-  - modifs: removed man firejail-config
-  - modifs: --private-tmp whitelists /tmp/.X11-unix directory
-  - modifs: Nvidia drivers added to --private-dev
-  - modifs: /srv supported by --whitelist
-  - feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
-  - feature: support starting/joining sandbox is a single command
-    (--join-or-start)
-  - feature: X11 detection support for --audit
-  - feature: assign a name to the interface connected to the bridge
-    (--veth-name)
-  - feature: all user home directories are visible (--allusers)
-  - feature: add files to sandbox container (--put)
-  - feature: blocking x11 (--x11=block)
-  - feature: X11 security extension (--x11=xorg)
-  - feature: disable 3D hardware acceleration (--no3d)
-  - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
-  - feature: move files in sandbox (--put)
-  - feature: accept wildcard patterns in user  name field of restricted
-    shell login feature
-  - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
-  - new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
-  - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
-  - new profiles: Flowblade, Eye of GNOME (eog), Evolution
-  - bugfixes
-
-* Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1
-  - security: --whitelist deleted files, submitted by Vasya Novikov
-  - security: disable x32 ABI in seccomp, submitted by Jann Horn
-  - security: tighten --chroot, submitted by Jann Horn
-  - security: terminal sandbox escape, submitted by Stephan Sokolow
-  - security: several TOCTOU fixes submitted by Aleksey Manevich
-  - modifs: bringing back --private-home option
-  - modifs: deprecated --user option, please use "sudo -u username firejail"
-  - modifs: allow symlinks in home directory for --whitelist option
-  - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
-  - modifs: recursive mkdir
-  - modifs: include /dev/snd in --private-dev
-  - modifs: seccomp filter update
-  - modifs: release archives moved to .xz format
-  - feature: AppImage support (--appimage)
-  - feature: AppArmor support (--apparmor)
-  - feature: Ubuntu snap support (/etc/firejail/snap.profile)
-  - feature: Sandbox auditing support (--audit)
-  - feature: remove environment variable (--rmenv)
-  - feature: noexec support (--noexec)
-  - feature: clean local overlay storage directory (--overlay-clean)
-  - feature: store and reuse overlay (--overlay-named)
-  - feature: allow debugging inside the sandbox with gdb and strace
-         (--allow-debuggers)
-  - feature: mkfile profile command
-  - feature: quiet profile command
-  - feature: x11 profile command
-  - feature: option to fix desktop files (firecfg --fix)
-  - compile time: Busybox support (--enable-busybox-workaround)
-  - compile time: disable overlayfs (--disable-overlayfs)
-  - compile time: disable whitelisting (--disable-whitelist)
-  - compile time: disable global config (--disable-globalcfg)
-  - run time: enable/disable overlayfs (overlayfs yes/no)
-  - run time: enable/disable  quiet as default (quiet-by-default yes/no)
-  - run time: user-defined network filter (netfilter-default)
-  - run time: enable/disable whitelisting (whitelist yes/no)
-  - run time: enable/disable remounting of /proc and /sys
-          (remount-proc-sys yes/no)
-  - run time: enable/disable chroot desktop features (chroot-desktop yes/no)
-  - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
-  - profiles: pix, audacity, xz, xzdec, gzip, cpio, less
-  - profiles: Atom Beta, Atom, jitsi, eom, uudeview
-  - profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
-  - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
-  - bugfixes
-
-EOF
-
-echo "building rpm"
-rpmbuild -ba SPECS/firejail.spec
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
deleted file mode 100644
index 8eb61bf78..000000000
--- a/src/firejail/cgroup.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <sys/stat.h>
-
-#define MAXBUF 4096
-
-void save_cgroup(void) {
-        if (cfg.cgroup == NULL)
-                return;
-
-        FILE *fp = fopen(RUN_CGROUP_CFG, "w");
-        if (fp) {
-                fprintf(fp, "%s", cfg.cgroup);
-                fflush(0);
-                SET_PERMS_STREAM(fp, 0, 0, 0644);
-                if (fclose(fp))
-                        goto errout;
-        }
-        else
-                goto errout;
-
-        return;
-
-errout:
-        fprintf(stderr, "Error: cannot save cgroup\n");
-        exit(1);
-}
-
-void load_cgroup(const char *fname) {
-        if (!fname)
-                return;
-
-        FILE *fp = fopen(fname, "r");
-        if (fp) {
-                char buf[MAXBUF];
-                if (fgets(buf, MAXBUF, fp)) {
-                        cfg.cgroup = strdup(buf);
-                        if (!cfg.cgroup)
-                                errExit("strdup");
-                }
-                else
-                        goto errout;
-
-                fclose(fp);
-                return;
-        }
-errout:
-        fwarning("cannot load control group\n");
-        if (fp)
-                fclose(fp);
-}
-
-
-void set_cgroup(const char *path) {
-        EUID_ASSERT();
-
-        invalid_filename(path, 0); // no globbing
-
-        // path starts with /sys/fs/cgroup
-        if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
-                goto errout;
-
-        // path ends in tasks
-        char *ptr = strstr(path, "tasks");
-        if (!ptr)
-                goto errout;
-        if (*(ptr + 5) != '\0')
-                goto errout;
-
-        // no .. traversal
-        ptr = strstr(path, "..");
-        if (ptr)
-                goto errout;
-
-        // tasks file exists
-        struct stat s;
-        if (stat(path, &s) == -1)
-                goto errout;
-
-        // task file belongs to the user running the sandbox
-        if (s.st_uid != getuid() && s.st_gid != getgid())
-                goto errout2;
-
-        // add the task to cgroup
-        /* coverity[toctou] */
-        FILE *fp = fopen(path,  "a");
-        if (!fp)
-                goto errout;
-        pid_t pid = getpid();
-        int rv = fprintf(fp, "%d\n", pid);
-        (void) rv;
-        fclose(fp);
-        return;
-
-errout:
-        fprintf(stderr, "Error: invalid cgroup\n");
-        exit(1);
-errout2:
-        fprintf(stderr, "Error: you don't have permissions to use this control group\n");
-        exit(1);
-}
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 0cceea17b..430771a13 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -76,17 +76,6 @@ int checkcfg(int val) {
                         if (!ptr)
                                 continue;
 
-#ifndef LTS
-                        // file transfer
-                        else if (strncmp(ptr, "file-transfer ", 14) == 0) {
-                                if (strcmp(ptr + 14, "yes") == 0)
-                                        cfg_val[CFG_FILE_TRANSFER] = 1;
-                                else if (strcmp(ptr + 14, "no") == 0)
-                                        cfg_val[CFG_FILE_TRANSFER] = 0;
-                                else
-                                        goto errout;
-                        }
-#endif
                         // dbus
                         else if (strncmp(ptr, "dbus ", 5) == 0) {
                                 if (strcmp(ptr + 5, "yes") == 0)
@@ -105,17 +94,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-#ifndef LTS
-                        // x11
-                        else if (strncmp(ptr, "x11 ", 4) == 0) {
-                                if (strcmp(ptr + 4, "yes") == 0)
-                                        cfg_val[CFG_X11] = 1;
-                                else if (strcmp(ptr + 4, "no") == 0)
-                                        cfg_val[CFG_X11] = 0;
-                                else
-                                        goto errout;
-                        }
-#endif
                         // apparmor
                         else if (strncmp(ptr, "apparmor ", 9) == 0) {
                                 if (strcmp(ptr + 9, "yes") == 0)
@@ -143,17 +121,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-#ifndef LTS
-                        // chroot
-                        else if (strncmp(ptr, "chroot ", 7) == 0) {
-                                if (strcmp(ptr + 7, "yes") == 0)
-                                        cfg_val[CFG_CHROOT] = 1;
-                                else if (strcmp(ptr + 7, "no") == 0)
-                                        cfg_val[CFG_CHROOT] = 0;
-                                else
-                                        goto errout;
-                        }
-#endif
                         // prompt
                         else if (strncmp(ptr, "firejail-prompt ", 16) == 0) {
                                 if (strcmp(ptr + 16, "yes") == 0)
@@ -241,70 +208,6 @@ int checkcfg(int val) {
                                 if (arg_debug)
                                         printf("netfilter default file %s\n", fname);
                         }
-
-#ifndef LTS
-                        // Xephyr screen size
-                        else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
-                                // expecting two numbers and an x between them
-                                int n1;
-                                int n2;
-                                int rv = sscanf(ptr + 14, "%dx%d", &n1, &n2);
-                                if (rv != 2)
-                                        goto errout;
-                                if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1)
-                                        errExit("asprintf");
-                        }
-
-                        // xephyr window title
-                        else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) {
-                                if (strcmp(ptr + 20, "yes") == 0)
-                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1;
-                                else if (strcmp(ptr + 20, "no") == 0)
-                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0;
-                                else
-                                        goto errout;
-                        }
-
-                        // Xephyr command extra parameters
-                        else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) {
-                                if (*xephyr_extra_params != '\0')
-                                        goto errout;
-                                xephyr_extra_params = strdup(ptr + 20);
-                                if (!xephyr_extra_params)
-                                        errExit("strdup");
-                        }
-
-                        // xpra server extra parameters
-                        else if (strncmp(ptr, "xpra-extra-params ", 18) == 0) {
-                                if (*xpra_extra_params != '\0')
-                                        goto errout;
-                                xpra_extra_params = strdup(ptr + 18);
-                                if (!xpra_extra_params)
-                                        errExit("strdup");
-                        }
-
-                        // Xvfb screen size
-                                else if (strncmp(ptr, "xvfb-screen ", 12) == 0) {
-                                // expecting three numbers separated by x's
-                                unsigned int n1;
-                                unsigned int n2;
-                                unsigned int n3;
-                                int rv = sscanf(ptr + 12, "%ux%ux%u", &n1, &n2, &n3);
-                                if (rv != 3)
-                                        goto errout;
-                                if (asprintf(&xvfb_screen, "%ux%ux%u", n1, n2, n3) == -1)
-                                        errExit("asprintf");
-                        }
-
-                        // Xvfb extra parameters
-                        else if (strncmp(ptr, "xvfb-extra-params ", 18) == 0) {
-                                if (*xvfb_extra_params != '\0')
-                                        goto errout;
-                                xvfb_extra_params = strdup(ptr + 18);
-                                if (!xvfb_extra_params)
-                                        errExit("strdup");
-                        }
-#endif
                         // quiet by default
                         else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
                                 if (strcmp(ptr + 17, "yes") == 0)
@@ -314,40 +217,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-#ifndef LTS
-                        else if (strncmp(ptr, "overlayfs ", 10) == 0) {
-                                if (strcmp(ptr + 10, "yes") == 0)
-                                        cfg_val[CFG_OVERLAYFS] = 1;
-                                else if (strcmp(ptr + 10, "no") == 0)
-                                        cfg_val[CFG_OVERLAYFS] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "private-home ", 13) == 0) {
-                                if (strcmp(ptr + 13, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_HOME] = 1;
-                                else if (strcmp(ptr + 13, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_HOME] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "private-lib ", 12) == 0) {
-                                if (strcmp(ptr + 12, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_LIB] = 1;
-                                else if (strcmp(ptr + 12, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_LIB] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
-                                if (strcmp(ptr + 21, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;
-                                else if (strcmp(ptr + 21, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
-                                else
-                                        goto errout;
-                        }
-#endif
                         else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
                                 if (strcmp(ptr + 12, "yes") == 0)
                                         cfg_val[CFG_DISABLE_MNT] = 1;
@@ -363,17 +232,6 @@ int checkcfg(int val) {
                                         goto errout;
                                 cfg_val[CFG_ARP_PROBES] = arp_probes;
                         }
-#ifndef LTS
-                        // xpra-attach
-                        else if (strncmp(ptr, "xpra-attach ", 12) == 0) {
-                                if (strcmp(ptr + 12, "yes") == 0)
-                                        cfg_val[CFG_XPRA_ATTACH] = 1;
-                                else if (strcmp(ptr + 12, "no") == 0)
-                                        cfg_val[CFG_XPRA_ATTACH] = 0;
-                                else
-                                        goto errout;
-                        }
-#endif
                         else
                                 goto errout;
 
@@ -421,22 +279,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- bind support is %s\n",
-#ifdef HAVE_BIND
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
-        printf("\t- chroot support is %s\n",
-#ifdef HAVE_CHROOT
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- file and directory whitelisting support is %s\n",
 #ifdef HAVE_WHITELIST
                 "enabled"
@@ -445,14 +287,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- file transfer support is %s\n",
-#ifdef HAVE_FILE_TRANSFER
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- networking support is %s\n",
 #ifdef HAVE_NETWORK
                 "enabled"
@@ -461,22 +295,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- overlayfs support is %s\n",
-#ifdef HAVE_OVERLAYFS
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
-        printf("\t- private-home support is %s\n",
-#ifdef HAVE_PRIVATE_HOME
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- seccomp-bpf support is %s\n",
 #ifdef HAVE_SECCOMP
                 "enabled"
@@ -492,12 +310,4 @@ void print_compiletime_support(void) {
                 "disabled"
 #endif
                 );
-
-        printf("\t- X11 sandboxing support is %s\n",
-#ifdef HAVE_X11
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
 }
diff --git a/src/firejail/join.c b/src/firejail/join.c
index cdd95b6a8..bf421d5d1 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -121,6 +121,7 @@ static void extract_cpu(pid_t pid) {
         free(fname);
 }
 
+#ifndef LTS
 static void extract_cgroup(pid_t pid) {
         char *fname;
         if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1)
@@ -134,6 +135,7 @@ static void extract_cgroup(pid_t pid) {
         load_cgroup(fname);
         free(fname);
 }
+#endif
 
 static void extract_caps_seccomp(pid_t pid) {
         // open stat file
@@ -287,14 +289,18 @@ void join(pid_t pid, int argc, char **argv, int index) {
         if (getuid() != 0) {
                 extract_caps_seccomp(pid);
                 extract_cpu(pid);
+#ifndef LTS
                 extract_cgroup(pid);
+#endif
                 extract_nogroups(pid);
                 extract_user_namespace(pid);
         }
 
+#ifndef LTS
         // set cgroup
         if (cfg.cgroup) // not available for uid 0
                 set_cgroup(cfg.cgroup);
+#endif
 
         // get umask, it will be set by start_application()
         extract_umask(pid);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b3664ee2e..c87032f6d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -968,6 +968,7 @@ int main(int argc, char **argv) {
         delete_run_files(sandbox_pid);
         EUID_USER();
 
+#ifndef LTS
         //check if the parent is sshd daemon
         int parent_sshd = 0;
         {
@@ -1066,12 +1067,11 @@ int main(int argc, char **argv) {
 #endif
                 }
         }
-#ifndef LTS
         else {
                 // check --output option and execute it;
                 check_output(argc, argv); // the function will not return if --output or --output-stderr option was found
         }
-#endif
+#endif // LTS
         EUID_ASSERT();
 
 
@@ -1264,6 +1264,7 @@ int main(int argc, char **argv) {
                                 cfg.nice = 0;
                         arg_nice = 1;
                 }
+#ifndef LTS
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
                         if (option_cgroup) {
                                 fprintf(stderr, "Error: only a cgroup can be defined\n");
@@ -1276,13 +1277,12 @@ int main(int argc, char **argv) {
                                 errExit("strdup");
                         set_cgroup(cfg.cgroup);
                 }
-
+#endif
                 //*************************************
                 // filesystem
                 //*************************************
                 else if (strcmp(argv[i], "--allusers") == 0)
                         arg_allusers = 1;
-#ifdef HAVE_BIND
                 else if (strncmp(argv[i], "--bind=", 7) == 0) {
                         if (checkcfg(CFG_BIND)) {
                                 char *line;
@@ -1295,7 +1295,6 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("bind");
                 }
-#endif
                 else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
                         char *line;
                         if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ea069de76..a90a5e7d6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -748,11 +748,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+#ifndef LTS
         // cgroup
         if (strncmp(ptr, "cgroup ", 7) == 0) {
                 set_cgroup(ptr + 7);
                 return 0;
         }
+#endif
 
         // writable-etc
         if (strcmp(ptr, "writable-etc") == 0) {
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
deleted file mode 100644
index 9beb01655..000000000
--- a/src/firejail/restricted_shell.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <fnmatch.h>
-
-#define MAX_READ 4096   // maximum line length
-char *restricted_user = NULL;
-
-
-int restricted_shell(const char *user) {
-        EUID_ASSERT();
-        assert(user);
-
-        // open profile file:
-        char *fname;
-        if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
-                errExit("asprintf");
-        FILE *fp = fopen(fname, "r");
-        free(fname);
-        if (fp == NULL)
-                return 0;
-
-        int lineno = 0;
-        char buf[MAX_READ];
-        while (fgets(buf, MAX_READ, fp)) {
-                lineno++;
-
-                // remove empty spaces at the beginning of the line
-                char *ptr = buf;
-                while (*ptr == ' ' || *ptr == '\t') {
-                        ptr++;
-                }
-                if (*ptr == '\n' || *ptr == '#')
-                        continue;
-
-                //
-                // parse line
-                //
-
-                // extract users
-                char *usr = ptr;
-                char *args = strchr(usr, ':');
-                if (args == NULL) {
-                        fprintf(stderr, "Error: users.conf line %d\n", lineno);
-                        exit(1);
-                }
-
-                *args = '\0';
-                args++;
-                ptr = strchr(args, '\n');
-                if (ptr)
-                        *ptr = '\0';
-
-                // extract firejail command line arguments
-                char *ptr2 = args;
-                int found = 0;
-                while (*ptr2 != '\0') {
-                        if (*ptr2 != ' ' && *ptr2 != '\t') {
-                                found = 1;
-                                break;
-                        }
-                        ptr2++;
-                }
-                // if nothing follows, continue
-                if (!found)
-                        continue;
-
-                // user name globbing
-                if (fnmatch(usr, user, 0) == 0) {
-                        // process program arguments
-
-                        fullargv[0] = "firejail";
-                        int i;
-                        ptr = args;
-                        for (i = 1; i < MAX_ARGS; i++) {
-                                // skip blanks
-                                while (*ptr == ' ' || *ptr == '\t')
-                                        ptr++;
-                                fullargv[i] = ptr;
-#ifdef DEBUG_RESTRICTED_SHELL
-                                {EUID_ROOT();
-                                FILE *fp = fopen("/firelog", "a");
-                                if (fp) {
-                                        fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]);
-                                        fclose(fp);
-                                }
-                                EUID_USER();}
-#endif
-
-                                if (*ptr != '\0') {
-                                        // go to the end of the word
-                                        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
-                                                ptr++;
-                                        *ptr ='\0';
-                                        fullargv[i] = strdup(fullargv[i]);
-                                        if (fullargv[i] == NULL)
-                                                errExit("strdup");
-                                        ptr++;
-                                        while (*ptr == ' ' || *ptr == '\t')
-                                                ptr++;
-                                        if (*ptr != '\0')
-                                                continue;
-                                }
-                                fullargv[i] = strdup(fullargv[i]);
-                                fclose(fp);
-                                return i + 1;
-                        }
-                        fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno);
-                        exit(1);
-                }
-        }
-        fclose(fp);
-
-        return 0;
-}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 919a2b84e..380257223 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1061,9 +1061,11 @@ int sandbox(void* sandbox_arg) {
                 EUID_ROOT();
         }
 
+#ifndef LTS
         // save cgroup in CGROUP_CFG file
         if (cfg.cgroup)
                 save_cgroup();
+#endif
 
         // set seccomp
 #ifdef HAVE_SECCOMP
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c8866da3a..73af66be2 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,25 +33,18 @@ static char *usage_str =
         "    --apparmor - enable AppArmor confinement.\n"
         "    --apparmor.print=name|pid - print apparmor status.\n"
         "    --appimage - sandbox an AppImage application.\n"
-        "    --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
         "    --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
         "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
         "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
         "    --blacklist=filename - blacklist directory or file.\n"
-        "    --build - build a whitelisted profile for the application.\n"
-        "    --build=filename - build a whitelisted profile for the application.\n"
         "    -c - execute command and exit.\n"
         "    --caps - enable default Linux capabilities filter.\n"
         "    --caps.drop=all - drop all capabilities.\n"
         "    --caps.drop=capability,capability - blacklist capabilities filter.\n"
         "    --caps.keep=capability,capability - whitelist capabilities filter.\n"
         "    --caps.print=name|pid - print the caps filter.\n"
-        "    --cgroup=tasks-file - place the sandbox in the specified control group.\n"
-#ifdef HAVE_CHROOT
-        "    --chroot=dirname - chroot into directory.\n"
-#endif
         "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
         "    --cpu.print=name|pid - print the cpus in use.\n"
         "    --debug - print sandbox debug messages.\n"
@@ -71,9 +64,6 @@ static char *usage_str =
         "    --dns.print=name|pid - print DNS configuration.\n"
         "    --env=name=value - set environment variable.\n"
         "    --fs.print=name|pid - print the filesystem log.\n"
-#ifdef HAVE_FILE_TRANSFER
-        "    --get=name|pid filename - get a file from sandbox container.\n"
-#endif
         "    --help, -? - this help screen.\n"
         "    --hostname=name - set sandbox hostname.\n"
         "    --hosts-file=file - use file as /etc/hosts.\n"
@@ -141,52 +131,22 @@ static char *usage_str =
         "    --novideo - disable video devices.\n"
         "    --nou2f - disable U2F devices.\n"
         "    --nowhitelist=filename - disable whitelist for file or directory .\n"
-        "    --output=logfile - stdout logging and log rotation.\n"
-        "    --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
-        "    --overlay - mount a filesystem overlay on top of the current filesystem.\n"
-        "    --overlay-named=name - mount a filesystem overlay on top of the current\n"
-        "\tfilesystem, and store it in name directory.\n"
-        "    --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"
-        "\tcurrent filesystem.\n"
-        "    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
         "    --private - temporary home directory.\n"
         "    --private=directory - use directory as user home.\n"
         "    --private-cache - temporary ~/.cache directory.\n"
-        "    --private-home=file,directory - build a new user home in a temporary\n"
-        "\tfilesystem, and copy the files and directories in the list in\n"
-        "\tthe new home.\n"
-        "    --private-bin=file,file - build a new /bin in a temporary filesystem,\n"
-        "\tand copy the programs in the list.\n"
         "    --private-dev - create a new /dev directory with a small number of\n"
         "\tcommon device files.\n"
-        "    --private-etc=file,directory - build a new /etc in a temporary\n"
-        "\tfilesystem, and copy the files and directories in the list.\n"
         "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
-        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
-        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
         "    --profile=filename - use a custom profile.\n"
         "    --profile.print=name|pid - print the name of profile file.\n"
         "    --profile-path=directory - use this directory to look for profile files.\n"
         "    --protocol=protocol,protocol,protocol - enable protocol filter.\n"
         "    --protocol.print=name|pid - print the protocol filter.\n"
-#ifdef HAVE_FILE_TRANSFER
-        "    --put=name|pid src-filename dest-filename - put a file in sandbox\n"
-        "\tcontainer.\n"
-#endif
         "    --quiet - turn off Firejail's output.\n"
         "    --read-only=filename - set directory or file read-only..\n"
         "    --read-write=filename - set directory or file read-write.\n"
         "    --rlimit-as=number - set the maximum size of the process's virtual memory\n"
         "\t(address space) in bytes.\n"
-        "    --rlimit-cpu=number - set the maximum CPU time in seconds.\n"
-        "    --rlimit-fsize=number - set the maximum file size that can be created\n"
-        "\tby a process.\n"
-        "    --rlimit-nofile=number - set the maximum number of files that can be\n"
-        "\topened by a process.\n"
-        "    --rlimit-nproc=number - set the maximum number of processes that can be\n"
-        "\tcreated for the real user ID of the calling process.\n"
-        "    --rlimit-sigpending=number - set the maximum number of pending signals\n"
-        "\tfor a process.\n"
         "    --rmenv=name - remove environment variable in the new sandbox.\n"
 #ifdef HAVE_NETWORK
         "    --scan - ARP-scan all the networks from inside a network namespace.\n"
@@ -210,9 +170,6 @@ static char *usage_str =
         "\thas elapsed.\n"
         "    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
         "    --top - monitor the most CPU-intensive sandboxes.\n"
-        "    --trace - trace open, access and connect system calls.\n"
-        "    --tracelog - add a syslog message for every access to files or\n"
-        "\tdirectories blacklisted by the security profile.\n"
         "    --tree - print a tree of all sandboxed processes.\n"
         "    --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
@@ -226,17 +183,6 @@ static char *usage_str =
         "\t/run/user/$UID/gnupg.\n"
         "    --writable-var - /var directory is mounted read-write.\n"
         "    --writable-var-log - use the real /var/log directory, not a clone.\n"
-#ifdef HAVE_X11
-        "    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"
-        "\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"
-        "\tattempt to use X11 security extension.\n"
-        "    --x11=none - disable access to X11 sockets.\n"
-        "    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"
-        "    --x11=xorg - enable X11 security extension.\n"
-        "    --x11=xpra - enable Xpra X11 server.\n"
-        "    --x11=xvfb - enable Xvfb X11 server.\n"
-        "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
-#endif
         "\n"
         "Examples:\n"
         "    $ firejail firefox\n"
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index c7af14254..b0f56a19a 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -107,10 +107,8 @@ int firejail_user_check(const char *name) {
         if (strcmp(name, "root") == 0)
                 return 1;
 
-        // other system users will run the program as is
-        uid_t uid = getuid();
-        assert(uid_min > 0);
-        if (((int) uid < uid_min && uid != 0) || strcmp(name, "nobody") == 0)
+        // user nobody is never allowed
+        if (strcmp(name, "root") == 0)
                 return 0;
 
         // check file existence
@@ -155,7 +153,7 @@ void firejail_user_add(const char *name) {
         struct passwd *pw = getpwnam(name);
         if (!pw) {
                 fprintf(stderr, "Error: user %s not found on this system.\n", name);
-                return;
+                exit(1);
         }
 
         // check the user is not already in the database
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 80cb201d9..8811e17e5 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -123,5 +123,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
deleted file mode 100644
index c2fa63dc4..000000000
--- a/src/man/firejail-login.txt
+++ /dev/null
@@ -1,41 +0,0 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
-.SH NAME
-login.users \- Login file syntax for Firejail
-
-.SH DESCRIPTION
-/etc/firejail/login.users file describes additional arguments passed to firejail executable
-upon user logging into a Firejail restricted shell. Each user entry in the file consists of
-a user name followed by the arguments passed to firejail. The format is as follows:
-
-        user_name: arguments
-
-Example:
-
-        netblue:--net=none --protocol=unix
-
-Wildcard patterns are accepted in the user name field:
-
-        user*: --private
-
-.SH RESTRICTED SHELL
-To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  using adduser or usermod commands:
-
-adduser \-\-shell /usr/bin/firejail username
-.br
-usermod \-\-shell /usr/bin/firejail username
-
-.SH FILES
-/etc/firejail/login.users
-
-.SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-.PP
-Homepage: https://firejail.wordpress.com
-.SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 17562c503..92e95f165 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -197,18 +197,6 @@ The file is created if it doesn't already exist.
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
 .TP
-\fBoverlay
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/<PID>  directory.
-.TP
-\fBoverlay-named name
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/name  directory.
-.TP
-\fBoverlay-tmpfs
-Mount  a  filesystem  overlay  on top of the current filesystem.
-All filesystem  modifications are discarded when the sandbox is closed.
-.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -217,20 +205,10 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
-\fBprivate-home file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
-.TP
 \fBprivate-cache
 Mount an empty temporary filesystem on top of the .cache directory in user home. All
 modifications are discarded when the sandbox is closed.
 .TP
-\fBprivate-bin file,file
-Build a new /bin in a temporary filesystem, and copy the programs in the list.
-The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
-.TP
 \fBprivate-dev
 Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
 random, snd, urandom, video, log and shm devices are available.
@@ -238,25 +216,6 @@ random, snd, urandom, video, log and shm devices are available.
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
-\fBprivate-etc file,directory
-Build a new /etc in a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
-\fBprivate-lib file,directory
-Build a new /lib directory and bring in the libraries required by the application to run.
-This feature is still under development, see \fBman 1 firejail\fR for some examples.
-.TP
-\fBprivate-opt file,directory
-Build a new /optin a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
-\fBprivate-srv file,directory
-Build a new /srv in a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
@@ -269,9 +228,6 @@ Make directory or file read-write.
 \fBtmpfs directory
 Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
-\fBtracelog
-Blacklist violations logged to syslog.
-.TP
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
@@ -350,82 +306,26 @@ does not result in an increase of privilege.
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
-.TP
-\fBx11
-Enable X11 sandboxing.
-.TP
-\fBx11 none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
-Remove DISPLAY and XAUTHORITY environment variables.
-Stop with error message if X11 abstract socket will be accessible in jail.
-.TP
-\fBx11 xephyr
-Enable X11 sandboxing with Xephyr server.
-.TP
-\fBx11 xorg
-Enable X11 sandboxing with X11 security extension.
-.TP
-\fBx11 xpra
-Enable X11 sandboxing with Xpra server.
-.TP
-\fBx11 xvfb
-Enable X11 sandboxing with Xvfb server.
-.TP
-\fBxephyr-screen WIDTHxHEIGHT
-Set screen size for x11 xephyr. This command should be included in the profile file before x11 xephyr command.
-.br
 
-.br
-Example:
+
+.SH User Environment
+
+.TP
+\fBcpu cpu-number,cpu-number,cpu-number
+Set CPU affinity. Example:
 .br
 
 .br
-xephyr-screen 640x480
+cpu 0,1,2
 .br
-x11 xephyr
-
-
-
-.SH Resource limits, CPU affinity, Control Groups
-These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
-The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
-configures the CPU cores available, and \fBcgroup\fR command
-place the sandbox in an existing control group.
-
-Examples:
 
 .TP
-\fBrlimit-as 123456789012
-Set the maximum size of the process's virtual memory to 123456789012 bytes.
-.TP
-\fBrlimit-cpu 123
-Set the maximum CPU time in seconds.
-.TP
-\fBrlimit-fsize 1024
-Set the maximum file size that can be created by a process to 1024 bytes.
-.TP
-\fBrlimit-nproc 1000
-Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
-.TP
-\fBrlimit-nofile 500
-Set the maximum number of files that can be opened by a process to 500.
-.TP
-\fBrlimit-sigpending 200
-Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
-.TP
-\fBcpu 0,1,2
-Use only CPU cores 0, 1 and 2.
-.TP
-\fBnice -5
-Set a nice value of -5 to all processes running inside the sandbox.
-.TP
-\fBcgroup /sys/fs/cgroup/g1/tasks
-The sandbox is placed in g1 control group.
+\fBnice value
+Set  nice  value  for all processes running inside the sandbox.
 .TP
 \fBtimeout hh:mm:ss
 Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
 
-.SH User Environment
 .TP
 \fBallusers
 All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
@@ -644,5 +544,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index c29de0705..aa81bd304 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
 
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
-If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default. Other system users (users with an ID below UID_MIN value
-defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+root user is allowed by default, user nobody is never allowed.
 
 If the user is not allowed to start the sandbox, Firejail will attempt to run the
 program without sandboxing it.
 
+If the file is not present in the system, all users are allowed to use the sandbox.
+
 Example:
 
         $ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
 
 See \fBman 1 firecfg\fR for details.
 
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+
+        # addgroup firejail
+.br
+        # chown root:firejail /usr/bin/firejail
+.br
+        # chmod 4750 /usr/bin/firejail
+
+
 .SH FILES
 /etc/firejail/firejail.users
 
 .SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
@@ -46,4 +58,3 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7de1bff50..b2ad2cba5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -8,12 +8,6 @@ Start a sandbox:
 firejail [OPTIONS] [program and arguments]
 .RE
 .PP
-File transfer from an existing sandbox
-.PP
-.RS
-firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
-.RE
-.PP
 Network traffic shaping for an existing sandbox:
 .PP
 .RS
@@ -127,12 +121,6 @@ $ firejail \-\-apparmor.print=browser
   AppArmor: firejail-default enforce
 
 .TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -159,30 +147,7 @@ $ firejail \-\-blacklist=~/.mozilla
 $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
-.TP
-\fB\-\-build
-The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
-.br
-
-.br
-Example:
-.br
-$ firejail --build vlc ~/Videos/test.mp4
-.TP
-\fB\-\-build=profile-file
-The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
-.br
 
-.br
-Example:
-.br
-$ firejail --build=vlc.profile vlc ~/Videos/test.mp4
 .TP
 \fB\-c
 Execute command and exit.
@@ -259,29 +224,6 @@ $ firejail \-\-list
 $ firejail \-\-caps.print=3272
 
 .TP
-\fB\-\-cgroup=tasks-file
-Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
-.br
-
-.br
-Example:
-.br
-# firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks
-
-.TP
-\fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
-the system directories are mounted read-write. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled. This
-option is not available on Grsecurity systems.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-chroot=/media/ubuntu warzone2100
-
-.TP
 \fB\-\-cpu=cpu-number,cpu-number,cpu-number
 Set CPU affinity.
 .br
@@ -472,10 +414,6 @@ $ firejail \-\-list
 $ firejail \-\-fs.print=3272
 
 .TP
-\fB\-\-get=name|pid filename
-Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
-
-.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 
@@ -699,10 +637,6 @@ Example:
 $ firejail --keep-var-tmp
 
 .TP
-\fB\-\-ls=name|pid dir_or_filename
-List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
-
-.TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
 .br
@@ -1233,101 +1167,6 @@ Disable video devices.
 Disable whitelist for this directory or file.
 
 .TP
-\fB\-\-output=logfile
-stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
-rotation. Five files with prefixes .1 to .5 are used in rotation.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-output=sandboxlog /bin/bash
-.br
-[...]
-.br
-$ ls -l sandboxlog*
-.br
--rw-r--r-- 1 netblue netblue 333890 Jun  2 07:48 sandboxlog
-.br
--rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.1
-.br
--rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.2
-.br
--rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.3
-.br
--rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.4
-.br
--rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.5
-
-.TP
-\fB\-\-output-stderr=logfile
-Similar to \-\-output, but stderr is also stored.
-
-.TP
-\fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
-the system directories are mounted read-write. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail/<PID> directory.
-.br
-
-.br
-OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18.
-This option is not available on Grsecurity systems.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-overlay firefox
-
-.TP
-\fB\-\-overlay-named=name
-Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
-the system directories are mounted read-write. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
-sessions.
-.br
-
-.br
-OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18.
-This option is not available on Grsecurity systems.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-overlay-named=jail1 firefox
-
-.TP
-\fB\-\-overlay-tmpfs
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications
-are discarded when the sandbox is closed.
-.br
-
-.br
-OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18.
-This option is not available on Grsecurity systems.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-overlay-tmpfs firefox
-
-.TP
-\fB\-\-overlay-clean
-Clean all overlays stored in $HOME/.firejail directory.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-overlay-clean
-
-.TP
 \fB\-\-private
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -1349,19 +1188,6 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 
 .TP
-\fB\-\-private-home=file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-private-home=.mozilla firefox
-
-.TP
 \fB\-\-private-cache
 Mount an empty temporary filesystem on top of the .cache directory in user home. All
 modifications are discarded when the sandbox is closed.
@@ -1373,79 +1199,6 @@ Example:
 $ firejail \-\-private-cache openbox
 
 .TP
-\fB\-\-private-bin=file,file
-Build a new /bin in a temporary filesystem, and copy the programs in the list.
-If no listed file is found, /bin directory will be empty.
-The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
-All modifications are discarded when the sandbox is closed. File globbing is supported,
-see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-private-bin=bash,sed,ls,cat
-.br
-Parent pid 20841, child pid 20842
-.br
-Child process initialized
-.br
-$ ls /bin
-.br
-bash  cat  ls  sed
-
-.TP
-\fB\-\-private-lib=file,directory
-This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
-The idea is to build a new /lib in a temporary filesystem,
-with only the library files necessary to run the application.
-It could be as simple as:
-.br
-
-.br
-$ firejail --private-lib galculator
-.br
-
-.br
-but it gets complicated really fast:
-.br
-
-.br
-$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
-.br
-
-.br
-The feature is integrated with \-\-private-bin:
-.br
-
-.br
-$ firejail --private-lib --private-bin=bash,ls,ps
-.br
-$ ls /lib
-.br
-ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
-.br
-libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
-.br
-libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
-.br
-libgcrypt.so.20 libpcre.so.3 libselinux.so.1
-.br
-$ ps
-.br
- PID TTY          TIME CMD
-.br
-    1 pts/0    00:00:00 firejail
-.br
-   45 pts/0    00:00:00 bash
-.br
-   48 pts/0    00:00:00 ps
-.br
-$
-.br
-
-
-.TP
 \fB\-\-private-dev
 Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 .br
@@ -1464,46 +1217,6 @@ $ ls /dev
 cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0  tty  urandom  zero
 .br
 $
-.TP
-\fB\-\-private-etc=file,directory
-Build a new /etc in a temporary
-filesystem, and copy the files and directories in the list.
-If no listed file is found, /etc directory will be empty.
-All modifications are discarded when the sandbox is closed.
-.br
-
-.br
-Example:
-.br
-$ firejail --private-etc=group,hostname,localtime, \\
-.br
-nsswitch.conf,passwd,resolv.conf
-
-.TP
-\fB\-\-private-opt=file,directory
-Build a new /opt in a temporary
-filesystem, and copy the files and directories in the list.
-If no listed file is found, /opt directory will be empty.
-All modifications are discarded when the sandbox is closed.
-.br
-
-.br
-Example:
-.br
-$ firejail --private-opt=firefox /opt/firefox/firefox
-
-.TP
-\fB\-\-private-srv=file,directory
-Build a new /srv in a temporary
-filesystem, and copy the files and directories in the list.
-If no listed file is found, /srv directory will be empty.
-All modifications are discarded when the sandbox is closed.
-.br
-
-.br
-Example:
-.br
-# firejail --private-srv=www /etc/init.d/apache2 start
 
 .TP
 \fB\-\-private-tmp
@@ -1586,9 +1299,6 @@ $ firejail \-\-protocol.print=3272
 .br
 unix,inet,inet6,netlink
 .TP
-\fB\-\-put=name|pid src-filename dest-filename
-Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details.
-.TP
 \fB\-\-quiet
 Turn off Firejail's output.
 .TP
@@ -1625,33 +1335,6 @@ $ touch ~/test/a
 .br
 $ firejail --read-only=~/test --read-write=~/test/a
 
-
-.TP
-\fB\-\-rlimit-as=number
-Set the maximum size of the process's virtual memory (address space) in bytes.
-
-.TP
-\fB\-\-rlimit-cpu=number
-Set the maximum limit, in seconds, for the amount of CPU time each
-sandboxed process  can consume. When the limit is reached, the processes are killed.
-
-The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
-the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
-track of CPU seconds for each process independently.
-
-.TP
-\fB\-\-rlimit-fsize=number
-Set the maximum file size that can be created by a process.
-.TP
-\fB\-\-rlimit-nofile=number
-Set the maximum number of files that can be opened by a process.
-.TP
-\fB\-\-rlimit-nproc=number
-Set the maximum number of processes that can be created for the real user ID of the calling process.
-.TP
-\fB\-\-rlimit-sigpending=number
-Set the maximum number of pending signals for a process.
-
 .TP
 \fB\-\-rmenv=name
 Remove environment variable in the new sandbox.
@@ -2082,30 +1765,7 @@ Reading profile /etc/firejail/wget.profile
 
 .br
 parent is shutting down, bye...
-.TP
-\fB\-\-tracelog
-This option enables auditing blacklisted files and directories. A message
-is sent to syslog in case the file or the directory is accessed.
-.br
-
-.br
-Example:
-.br
-$ firejail --tracelog firefox
-.br
 
-.br
-Sample messages:
-.br
-$ sudo tail -f /var/log/syslog
-.br
-[...]
-.br
-Dec  3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
-.br
-Dec  3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
-.br
-[...]
 .TP
 \fB\-\-tree
 Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details.
@@ -2213,167 +1873,6 @@ Example:
 $ sudo firejail --writable-var-log
 
 
-.TP
-\fB\-\-x11
-Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
-The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
-clients running outside the sandbox.
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
-If all fails, Firejail will not attempt to use Xvfb or X11 security extension.
-.br
-
-.br
-Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable
-X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
-by adding "-nolisten local" on Xorg command line at system level.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-x11 --net=eth0 firefox
-
-.TP
-\fB\-\-x11=none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable.
-Remove DISPLAY and XAUTHORITY environment variables.
-Stop with error message if X11 abstract socket will be accessible in jail.
-
-.TP
-\fB\-\-x11=xephyr
-Start Xephyr and attach the sandbox to this server.
-Xephyr is a display server implementing the X11 display server protocol.
-A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
-.br
-
-.br
-Xephyr runs in a window just like any other X11 application. The default window size is 800x600.
-This can be modified in /etc/firejail/firejail.config file.
-.br
-
-.br
-The recommended way to use this feature is to run a window manager inside the sandbox.
-A security profile for OpenBox is provided.
-.br
-
-.br
-Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
-This feature is not available when running as root.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-x11=xephyr --net=eth0 openbox
-
-.TP
-\fB\-\-x11=xorg
-Sandbox the application using the untrusted mode implemented by X11 security extension.
-The extension is available in Xorg package
-and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted
-connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
-contents of other clients, stealing input events, etc.
-
-The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
-and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
-Firefox and transmission-gtk seem to be working fine.
-A network namespace is not required for this option.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-x11=xorg firefox
-
-.TP
-\fB\-\-x11=xpra
-Start Xpra (https://xpra.org) and attach the sandbox to this server.
-Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
-A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
-.br
-
-.br
-On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
-This feature is not available when running as root.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-x11=xpra --net=eth0 firefox
-
-
-.TP
-\fB\-\-x11=xvfb
-Start Xvfb X11 server and attach the sandbox to this server.
-Xvfb, short for X virtual framebuffer, performs all graphical operations in memory
-without showing any screen output. Xvfb is mainly used for remote access and software
-testing on headless servers.
-.br
-
-.br
-On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR.
-This feature is not available when running as root.
-.br
-
-.br
-Example: remote VNC access
-.br
-
-.br
-On the server we start a sandbox using Xvfb and openbox
-window manager. The default size of Xvfb screen is 800x600 - it can be changed
-in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required
-in order to isolate the abstract sockets used by other X servers.
-.br
-
-.br
-$ firejail --net=none --x11=xvfb openbox
-.br
-
-.br
-*** Attaching to Xvfb display 792 ***
-.br
-
-.br
-Reading profile /etc/firejail/openbox.profile
-.br
-Reading profile /etc/firejail/disable-common.inc
-.br
-Reading profile /etc/firejail/disable-common.local
-.br
-Parent pid 5400, child pid 5401
-.br
-
-.br
-On the server we also start a VNC server and attach it to the display handled by our
-Xvfb server (792).
-.br
-
-.br
-$ x11vnc -display :792
-.br
-
-.br
-On the client machine we start a VNC viewer and use it to connect to our server:
-.br
-
-.br
-$ vncviewer
-.br
-
-.TP
-\fB\-\-xephyr-screen=WIDTHxHEIGHT
-Set screen size for --x11=xephyr. The setting will overwrite the default set in /etc/firejail/firejail.config
-for the current sandbox. Run xrandr to get a list of supported resolutions on your computer.
-.br
-
-.br
-Example:
-.br
-$ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
-.br
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
@@ -2506,54 +2005,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 .br
 $ firejail --apparmor firefox
 
-.SH FILE TRANSFER
-These features allow the user to inspect the filesystem container of an existing sandbox
-and transfer files from the container to the host filesystem.
-
-.TP
-\fB\-\-get=name|pid filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name or PID.
-
-.TP
-\fB\-\-ls=name|pid dir_or_filename
-List container files. The container is specified by name or PID.
-
-.TP
-\fB\-\-put=name|pid src-filename dest-filename
-Put src-filename in sandbox container.
-The container is specified by name or PID.
-
-.TP
-Examples:
-.br
-
-.br
-$ firejail \-\-name=mybrowser --private firefox
-.br
-
-.br
-$ firejail \-\-ls=mybrowser ~/Downloads
-.br
-drwxr-xr-x netblue  netblue         4096 .
-.br
-drwxr-xr-x netblue  netblue         4096 ..
-.br
--rw-r--r-- netblue  netblue         7847 x11-x305.png
-.br
--rw-r--r-- netblue  netblue         6800 x11-x642.png
-.br
--rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
-.br
-
-.br
-$ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png
-.br
-
-.br
-$ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
-.br
-
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling
@@ -2596,25 +2047,6 @@ Example:
 .br
         $ firejail \-\-bandwidth=mybrowser clear eth0
 
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-
-Running the default audit program:
-.br
-        $ firejail --audit transmission-gtk
-
-Running a custom audit program:
-.br
-        $ firejail --audit=~/sandbox-test transmission-gtk
-
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-
-Limitations: audit feature is not implemented for --x11 commands.
 
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
@@ -2778,5 +2210,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 214fcac44..bcc1820bf 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -110,5 +110,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)
diff --git a/src/tools/check-caps.sh b/src/tools/check-caps.sh
deleted file mode 100755
index 13525677b..000000000
--- a/src/tools/check-caps.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-if [ $# -eq 0 ]
-then
-        echo "Usage: check-caps.sh program-and-arguments"
-        echo
-fi
-
-set -x
-
-firejail --caps.drop=chown "$1"
-firejail --caps.drop=dac_override "$1"
-firejail --caps.drop=dac_read_search "$1"
-firejail --caps.drop=fowner "$1"
-firejail --caps.drop=fsetid "$1"
-firejail --caps.drop=kill "$1"
-firejail --caps.drop=setgid "$1"
-firejail --caps.drop=setuid "$1"
-firejail --caps.drop=setpcap "$1"
-firejail --caps.drop=linux_immutable "$1"
-firejail --caps.drop=net_bind_service "$1"
-firejail --caps.drop=net_broadcast "$1"
-firejail --caps.drop=net_admin "$1"
-firejail --caps.drop=net_raw "$1"
-firejail --caps.drop=ipc_lock "$1"
-firejail --caps.drop=ipc_owner "$1"
-firejail --caps.drop=sys_module "$1"
-firejail --caps.drop=sys_rawio "$1"
-firejail --caps.drop=sys_chroot "$1"
-firejail --caps.drop=sys_ptrace "$1"
-firejail --caps.drop=sys_pacct "$1"
-firejail --caps.drop=sys_admin "$1"
-firejail --caps.drop=sys_boot "$1"
-firejail --caps.drop=sys_nice "$1"
-firejail --caps.drop=sys_resource "$1"
-firejail --caps.drop=sys_time "$1"
-firejail --caps.drop=sys_tty_config "$1"
-firejail --caps.drop=mknod "$1"
-firejail --caps.drop=lease "$1"
-firejail --caps.drop=audit_write "$1"
-firejail --caps.drop=audit_control "$1"
-firejail --caps.drop=setfcap "$1"
-firejail --caps.drop=mac_override "$1"
-firejail --caps.drop=mac_admin "$1"
-firejail --caps.drop=syslog "$1"
-firejail --caps.drop=wake_alarm "$1"
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
deleted file mode 100644
index 9769fb071..000000000
--- a/src/tools/extract_caps.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-
-#define BUFMAX 4096
-
-int main(int argc, char **argv) {
-        if (argc != 2) {
-                printf("usage: %s /usr/include/linux/capability.h\n", argv[0]);
-                return 1;
-        }
-
-        //open file
-        FILE *fp = fopen(argv[1], "r");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open file\n");
-                return 1;
-        }
-
-        // read file
-        char buf[BUFMAX];
-        while (fgets(buf, BUFMAX, fp)) {
-                // cleanup
-                char *start = buf;
-                while (*start == ' ' || *start == '\t')
-                        start++;
-                char *end = strchr(start, '\n');
-                if (end)
-                        *end = '\0';
-
-                // parsing
-                if (strncmp(start, "#define CAP_", 12) == 0) {
-                        if (strstr(start, "CAP_LAST_CAP"))
-                                break;
-
-                        char *ptr1 = start + 8;
-                        char *ptr2 = ptr1;
-                        while (*ptr2 == ' ' || *ptr2 == '\t')
-                                ptr2++;
-                        while (*ptr2 != ' ' && *ptr2 != '\t')
-                                ptr2++;
-                        *ptr2 = '\0';
-
-                        ptr2 = strdup(ptr1);
-                        assert(ptr2);
-                        ptr2 += 4;
-                        char *ptr3 = ptr2;
-                        while (*ptr3 != '\0') {
-                                *ptr3 = tolower(*ptr3);
-                                ptr3++;
-                        }
-
-
-                        printf("#ifdef %s\n", ptr1);
-                        printf("\t{\"%s\", %s },\n", ptr2, ptr1);
-                        printf("#endif\n");
-
-                }
-
-        }
-        fclose(fp);
-        return 0;
-}
diff --git a/src/tools/extract_errnos.sh b/src/tools/extract_errnos.sh
deleted file mode 100644
index 43b225828..000000000
--- a/src/tools/extract_errnos.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-echo -e "#include <errno.h>\n#include <attr/xattr.h>" | \
-    cpp -dD | \
-    grep "^#define E" | \
-    sed -e '{s/#define \(.*\) .*/\t"\1", \1,/g}'
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c
deleted file mode 100644
index d7e16e912..000000000
--- a/src/tools/extract_syscalls.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define BUFMAX 4096
-
-int main(int argc, char **argv) {
-        if (argc != 2) {
-                printf("usage: %s /usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]);
-                return 1;
-        }
-
-        //open file
-        FILE *fp = fopen(argv[1], "r");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open file\n");
-                return 1;
-        }
-
-        // read file
-        char buf[BUFMAX];
-        while (fgets(buf, BUFMAX, fp)) {
-                // cleanup
-                char *start = buf;
-                while (*start == ' ' || *start == '\t')
-                        start++;
-                char *end = strchr(start, '\n');
-                if (end)
-                        *end = '\0';
-
-                // parsing
-                if (strncmp(start, "# error", 7) == 0)
-                        continue;
-                if (strncmp(start, "#endif", 6) == 0)
-                        printf("%s\n", start);
-                if (strncmp(start, "#endif", 6) == 0)
-                        printf("%s\n", start);
-                else if (strncmp(start, "#if", 3) == 0)
-                        printf("%s\n", start);
-                else if (strncmp(start, "#define", 7) == 0) {
-                        // extract data
-                        char *ptr1 = strstr(start, "SYS_");
-                        char *ptr2 = strstr(start, "__NR_");
-                        if (!ptr1 || !ptr2) {
-                                fprintf(stderr, "Error: cannot parse \"%s\"\n", start);
-                                fclose(fp);
-                                return 1;
-                        }
-                        *(ptr2 - 1) = '\0';
-
-                        char *ptr3 = ptr1;
-                        while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
-                                ptr3++;
-                        *ptr3 = '\0';
-                        ptr3 = ptr2;
-                        while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
-                                ptr3++;
-                        *ptr3 = '\0';
-
-                        ptr3 = ptr1;
-                        while (*ptr3 != '_')
-                                ptr3++;
-                        ptr3++;
-
-                        printf("#ifdef %s\n", ptr1);
-                        printf("#ifdef %s\n", ptr2);
-                        printf("\t{\"%s\", %s},\n", ptr3, ptr2);
-                        printf("#endif\n");
-                        printf("#endif\n");
-                }
-        }
-        fclose(fp);
-        return 0;
-}
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh
deleted file mode 100755
index d4a68e397..000000000
--- a/src/tools/mkcoverit.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# unpack firejail archive
-ARCFIREJAIL=`ls *.tar.xz| grep firejail`
-if [ "$?" -eq 0 ];
-then
-        echo "preparing $ARCFIREJAIL"
-        DIRFIREJAIL=`basename $ARCFIREJAIL  .tar.xz`
-        rm -fr $DIRFIREJAIL
-        tar -xJvf $ARCFIREJAIL
-        cd $DIRFIREJAIL
-        ./configure --prefix=/usr
-        cd ..
-else
-        echo "Error: firejail source archive missing"
-        exit 1
-fi
-
-
-# unpack firetools archive
-ARCFIRETOOLS=`ls *.tar.bz2 | grep firetools`
-if [ "$?" -eq 0 ];
-then
-        echo "preparing $ARCFIRETOOLS"
-        DIRFIRETOOLS=`basename $ARCFIRETOOLS .tar.bz2`
-        rm -fr $DIRFIRETOOLS
-        tar -xjvf $ARCFIRETOOLS
-        cd $DIRFIRETOOLS
-        pwd
-        ./configure --prefix=/usr
-        cd ..
-
-else
-        echo "Error: firetools source archive missing"
-        exit 1
-fi
-
-# move firetools in firejail source tree
-mkdir -p $DIRFIREJAIL/extras
-mv $DIRFIRETOOLS $DIRFIREJAIL/extras/firetools
-
-# build
-cd $DIRFIREJAIL
-cov-build --dir cov-int make -j 4 extras
-tar czvf myproject.tgz cov-int
diff --git a/src/tools/testuid.c b/src/tools/testuid.c
deleted file mode 100644
index 633b9773e..000000000
--- a/src/tools/testuid.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-// compile: gcc -o testuid testuid.c
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-
-
-static void print_status(void) {
-        FILE *fp = fopen("/proc/self/status", "r");
-        if (!fp) {
-                fprintf(stderr, "Error, cannot open staus file\n");
-                exit(1);
-        }
-
-        char buf[4096];
-        while (fgets(buf, 4096, fp)) {
-                if (strncmp(buf, "Uid", 3) == 0 || strncmp(buf, "Gid", 3) == 0)
-                        printf("%s", buf);
-        }
-
-        fclose(fp);
-}
-
-int main(void) {
-        print_status();
-        return 0;
-}
diff --git a/src/tools/ttytest.c b/src/tools/ttytest.c
deleted file mode 100644
index a449bf9ba..000000000
--- a/src/tools/ttytest.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#define _XOPEN_SOURCE 600
-#include <stdlib.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-
-int main(void) {
-        int fdm;
-        int rc;
-
-        // initial
-        system("ls -l /dev/pts");
-
-        fdm = posix_openpt(O_RDWR);
-        if (fdm < 0) {
-                perror("posix_openpt");
-                return 1;
-        }
-
-        rc = grantpt(fdm);
-        if (rc != 0) {
-                perror("grantpt");
-                return 1;
-        }
-
-        rc = unlockpt(fdm);
-        if (rc != 0) {
-                perror("unlockpt");
-                return 1;
-        }
-
-        // final
-        system("ls -l /dev/pts");
-
-        return 0;
-}
diff --git a/src/tools/unchroot.pl b/src/tools/unchroot.pl
deleted file mode 100755
index bd30ffe76..000000000
--- a/src/tools/unchroot.pl
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/perl -w
-use strict;
-# unchroot.pl Dec 2007
-# http://pentestmonkey.net/blog/chroot-breakout-perl
-
-# This script may be used for legal purposes only.
-
-# Go to the root of the jail
-chdir "/";
-
-# Open filehandle to root of jail
-opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jailn";
-
-# Create a subdir, move into it
-mkdir "mysubdir";
-chdir "mysubdir";
-
-# Lock ourselves in a new jail
-chroot ".";
-
-# Use our filehandle to get back to the root of the old jail
-chdir(*JAILROOT);
-
-# Get to the real root
-while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
-        chdir "..";
-}
-
-# Lock ourselves in real root - so we're not really in a jail at all now
-chroot ".";
-
-# Start an un-jailed shell
-system("/bin/sh");
diff --git a/src/tools/unixsocket.c b/src/tools/unixsocket.c
deleted file mode 100644
index c4302eed3..000000000
--- a/src/tools/unixsocket.c
+++ /dev/null
@@ -1,29 +0,0 @@
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-int main(void) {
-        struct sockaddr_un addr;
-        int s;
-        const char *socketpath = "/var/run/minissdpd.sock";
-//      const char *socketpath = "/var/run/acipd.sock";
-
-        s = socket(AF_UNIX, SOCK_STREAM, 0);
-        if(s < 0) {
-                fprintf(stderr, "Error: cannot open socket\n");
-                return 1;
-        }
-
-        addr.sun_family = AF_UNIX;
-        strncpy(addr.sun_path, socketpath, sizeof(addr.sun_path));
-        if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) {
-                fprintf(stderr, "Error: cannot connect to socket\n");
-                return 1;
-        }
-
-        printf("connected to %s\n", socketpath);
-        close(s);
-
-        return 0;
-}
diff --git a/status b/status
index 505a900bb..40446c53c 100644
--- a/status
+++ b/status
@@ -1,3 +1,14 @@
+possible cleanup: --fs.print, --timeout
+
+usage.c cleanup:
+        --audit, --build, --chroot, --output, --overlay-*, --rlimit*, --trace*, --x11*, --ls, --get, --put, --cgroup
+        --private-home, private-etc, private-bin, --private-lib, --private-opt, --private-srv
+
+
+main:14864, LTS 10890
+removed restricted-shell
+
+
 Aug 26 - merge mainline
 
 Phase 2