fixed conflict

32 files changed, 591 insertions, 144 deletions

diff --git a/README b/README
index 5308ab022..a03b1cc9f 100644
--- a/README
+++ b/README
@@ -95,6 +95,9 @@ valoq (https://github.com/valoq)
         - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
         - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
         - added wget profile
+SpotComms (https://github.com/SpotComms)
+        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
+        - added PDFSam, Pithos, and Xonotic profiles
 Vasya Novikov (https://github.com/vn971)
         - Wesnoth profile
         - Hedegewars profile
diff --git a/README.md b/README.md
index 981582ebf..bafcf6120 100644
--- a/README.md
+++ b/README.md
@@ -55,10 +55,31 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 `````
 
 `````
+## New command line options
+`````
+      --private-opt=file,directory
+              Build  a  new /opt in a temporary filesystem, and copy the files
+              and directories in the list.  If no listed file is  found,  /opt
+              directory  will  be empty.  All modifications are discarded when
+              the sandbox is closed.
+
+              Example:
+              $ firejail --private-opt=firefox /opt/firefox/firefox
+
+       --private-srv=file,directory
+              Build a new /srv in a temporary filesystem, and copy  the  files
+              and  directories  in the list.  If no listed file is found, /srv
+              directory will be empty.  All modifications are  discarded  when
+              the sandbox is closed.
+
+              Example:
+              # firejail --private-srv=www /etc/init.d/apache2 start
+`````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
 amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit,
 gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather,
 goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
 simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
-xed, pluma, Cryptocat
+xed, pluma, Cryptocat Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, 
+PDFSam, Pithos, Xonotic
diff --git a/RELNOTES b/RELNOTES
index d20326121..3ccd51ce7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,9 +9,13 @@ firejail (0.9.45) baseline; urgency=low
   * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
   * feature: AppImage type 2 support
   * feature: test coverage (gcov) support
+  * feature: private /opt directory (--private-opt, profile support)
+  * feature: private /srv directory (--private-srv, profile support)
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
-  * new profiles: Cryptocat
+  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, 
+  * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
+  * new profies: Xonotic
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
 
diff --git a/etc/bless.profile b/etc/bless.profile
new file mode 100644
index 000000000..752edadf7
--- /dev/null
+++ b/etc/bless.profile
@@ -0,0 +1,20 @@
+#
+#Profile for bless
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.config/bless
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f87053b7c..8d0d75d63 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -10,6 +10,7 @@ blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/bless
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
@@ -44,6 +45,7 @@ blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/eog
+blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/aweather
@@ -77,6 +79,7 @@ blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.audacity-data
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.local/share/lollypop
 
 # HTTP / FTP / Mail
 blacklist ${HOME}/.icedove
@@ -144,6 +147,10 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.warzone2100-3.1
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-2048
+blacklist ${HOME}/.local/share/multimc5
+blacklist ${HOME}/.multimc5
+blacklist ${HOME}/.xonotic
 
 # Cryptocoins
 blacklist ${HOME}/.*coin
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
new file mode 100644
index 000000000..f9982da61
--- /dev/null
+++ b/etc/gnome-2048.profile
@@ -0,0 +1,25 @@
+#
+#Profile for gnome-2048
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/gnome-2048
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
new file mode 100644
index 000000000..49e068171
--- /dev/null
+++ b/etc/gnome-calculator.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-calculator
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
new file mode 100644
index 000000000..9dc25b26c
--- /dev/null
+++ b/etc/gnome-contacts.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-contacts
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
new file mode 100644
index 000000000..1d6eb41f8
--- /dev/null
+++ b/etc/jd-gui.profile
@@ -0,0 +1,19 @@
+#
+#Profile for jd-gui
+#
+
+noblacklist ${HOME}/.config/jd-gui.cfg
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
new file mode 100644
index 000000000..41a662bca
--- /dev/null
+++ b/etc/lollypop.profile
@@ -0,0 +1,20 @@
+#
+#Profile for lollypop
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/lollypop
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
new file mode 100644
index 000000000..cc310f294
--- /dev/null
+++ b/etc/multimc5.profile
@@ -0,0 +1,27 @@
+#
+#Profile for multimc5
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.multimc5
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
new file mode 100644
index 000000000..6e50f37cf
--- /dev/null
+++ b/etc/pdfsam.profile
@@ -0,0 +1,17 @@
+#
+#Profile for pdfsam
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/pithos.profile b/etc/pithos.profile
new file mode 100644
index 000000000..8270b8bee
--- /dev/null
+++ b/etc/pithos.profile
@@ -0,0 +1,19 @@
+#
+#Profile for pithos
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile
new file mode 100644
index 000000000..b255ffdbb
--- /dev/null
+++ b/etc/xonotic-glx.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-glx
+#
+
+include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
new file mode 100644
index 000000000..783667304
--- /dev/null
+++ b/etc/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-sdl
+#
+
+include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
new file mode 100644
index 000000000..75d649619
--- /dev/null
+++ b/etc/xonotic.profile
@@ -0,0 +1,25 @@
+#
+#Profile for xonotic
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.xonotic
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 4dcbc28f6..551e7ad36 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -223,3 +223,15 @@
 /etc/firejail/zathura.profile
 /etc/firejail/zoom.profile
 /etc/firejail/wget.profile
+/etc/firejail/bless.profile
+/etc/firejail/gnome-2048.profile
+/etc/firejail/gnome-calculator.profile
+/etc/firejail/gnome-contacts.profile
+/etc/firejail/jd-gui.profile
+/etc/firejail/lollypop.profile
+/etc/firejail/multimc5.profile
+/etc/firejail/pdfsam.profile
+/etc/firejail/pithos.profile
+/etc/firejail/xonotic-glx.profile
+/etc/firejail/xonotic-sdl.profile
+/etc/firejail/xonotic.profile
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 61de17bf8..d172efce1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -43,6 +43,8 @@
 #define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
 #define RUN_HOME_DIR    "/run/firejail/mnt/home"
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
+#define RUN_OPT_DIR     "/run/firejail/mnt/opt"
+#define RUN_SRV_DIR     "/run/firejail/mnt/srv"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
 
@@ -200,6 +202,8 @@ typedef struct config_t {
         char *home_private;     // private home directory
         char *home_private_keep;        // keep list for private home directory
         char *etc_private_keep; // keep list for private etc directory
+        char *opt_private_keep; // keep list for private opt directory
+        char *srv_private_keep; // keep list for private srv directory
         char *bin_private_keep; // keep list for private bin directory
         char *cwd;              // current working directory
         char *overlay_dir;
@@ -315,6 +319,8 @@ extern int arg_doubledash;	// double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
 extern int arg_private_etc;     // private etc directory
+extern int arg_private_opt;     // private opt directory
+extern int arg_private_srv;     // private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
 extern int arg_scan;            // arp-scan all interfaces
@@ -556,7 +562,7 @@ void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
-void fs_private_etc_list(void);
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 
 // no_sandbox.c
 int check_namespace_virt(void);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 80329d5ba..9a28ac601 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -47,7 +47,7 @@ errexit:
         exit(1);
 }
 
-static void duplicate(char *fname) {
+static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
@@ -55,40 +55,44 @@ static void duplicate(char *fname) {
         invalid_filename(fname);
 
         char *src;
-        if (asprintf(&src,  "/etc/%s", fname) == -1)
+        if (asprintf(&src,  "%s/%s", private_dir, fname) == -1)
                 errExit("asprintf");
         if (check_dir_or_file(src) == 0) {
                 if (!arg_quiet)
-                        fprintf(stderr, "Warning: skipping %s for private bin\n", fname);
+                        fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir);
                 free(src);
                 return;
         }
 
+        if (arg_debug)
+                printf("copying %s to private %s\n", src, private_dir);
+                
         struct stat s;
         if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
                 // create the directory in RUN_ETC_DIR
                 char *dirname;
-                if (asprintf(&dirname, "%s/%s", RUN_ETC_DIR, fname) == -1)
+                if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1)
                         errExit("asprintf");
                 create_empty_dir_as_root(dirname, s.st_mode);
                 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
                 free(dirname);
         }
         else
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, RUN_ETC_DIR);
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
 
         fs_logger2("clone", src);
         free(src);
 }
 
 
-void fs_private_etc_list(void) {
-        char *private_list = cfg.etc_private_keep;
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+        assert(private_dir);
+        assert(private_run_dir);
         assert(private_list);
         
         // create /run/firejail/mnt/etc directory
-        mkdir_attr(RUN_ETC_DIR, 0755, 0, 0);
-        fs_logger("tmpfs /etc");
+        mkdir_attr(private_run_dir, 0755, 0, 0);
+        fs_logger2("tmpfs", private_dir);
         
         fs_logger_print();      // save the current log
 
@@ -97,7 +101,7 @@ void fs_private_etc_list(void) {
         // using a new child process with root privileges
         if (*private_list != '\0') {
                 if (arg_debug)
-                        printf("Copying files in the new etc directory:\n");
+                        printf("Copying files in the new %s directory:\n", private_dir);
 
                 // copy the list of files in the new home directory
                 char *dlist = strdup(private_list);
@@ -106,18 +110,18 @@ void fs_private_etc_list(void) {
         
 
                 char *ptr = strtok(dlist, ",");
-                duplicate(ptr);
+                duplicate(ptr, private_dir, private_run_dir);
         
                 while ((ptr = strtok(NULL, ",")) != NULL)
-                        duplicate(ptr);
+                        duplicate(ptr, private_dir, private_run_dir);
                 free(dlist);    
                 fs_logger_print();
         }
         
         if (arg_debug)
-                printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
-        if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+                printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
+        if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind");
-        fs_logger("mount /etc");
+        fs_logger2("mount", private_dir);
 }
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 628002d35..bcf951f33 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -285,12 +285,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         seccomp_load(RUN_SECCOMP_CFG);
 #endif
 
-                // fix qt 4.8
-                if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
-                        errExit("setenv");
-                if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
-                        errExit("setenv");
-
                 // mount user namespace or drop privileges
                 if (arg_noroot) {       // not available for uid 0
                         if (arg_debug)
@@ -307,14 +301,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         drop_privs(arg_nogroups);       // nogroups not available for uid 0
 
 
-                // set prompt color to green
-                char *prompt = getenv("FIREJAIL_PROMPT");
-                if (prompt && strcmp(prompt, "yes") == 0) {
-                        //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
-                        if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
-                                errExit("setenv");
-                }
-                
                 // set nice
                 if (arg_nice) {
                         errno = 0;
@@ -326,24 +312,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         }
                 }
 
-                // run cmdline trough shell
+                env_defaults();
                 if (cfg.command_line == NULL) {
-                        // if the sandbox was started with --shell=none, it is possible we don't have a shell
-                        // inside the sandbox
-                        if (cfg.shell == NULL) {
-                                cfg.shell = guess_shell();
-                                if (!cfg.shell) {
-                                        fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
-                                        exit(1);
-                                }
-                        }
-                                
-                        struct stat s;
-                        if (stat(cfg.shell, &s) == -1)  {
-                                fprintf(stderr, "Error: %s shell not found inside the sandbox\n", cfg.shell);
-                                exit(1);
-                        }
-
+                        assert(cfg.shell);
                         cfg.command_line = cfg.shell;
                         cfg.window_title = cfg.shell;
                 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0929347b7..4ccbb6a86 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -88,6 +88,8 @@ int arg_doubledash = 0;			// double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
 int arg_private_etc = 0;                        // private etc directory
+int arg_private_opt = 0;                        // private opt directory
+int arg_private_srv = 0;                        // private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
 int arg_scan = 0;                               // arp-scan all interfaces
@@ -1624,6 +1626,24 @@ int main(int argc, char **argv) {
                         }
                         arg_private_etc = 1;
                 }
+                else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
+                        // extract private opt list
+                        cfg.opt_private_keep = argv[i] + 14;
+                        if (*cfg.opt_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-opt option\n");
+                                exit(1);
+                        }
+                        arg_private_opt = 1;
+                }
+                else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
+                        // extract private srv list
+                        cfg.srv_private_keep = argv[i] + 14;
+                        if (*cfg.srv_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-etc option\n");
+                                exit(1);
+                        }
+                        arg_private_srv = 1;
+                }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                         // extract private bin list
                         cfg.bin_private_keep = argv[i] + 14;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9acb1b813..2be6948f0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -739,6 +739,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        // private /opt list of files and directories
+        if (strncmp(ptr, "private-opt ", 12) == 0) {
+                cfg.opt_private_keep = ptr + 12;
+                arg_private_opt = 1;
+                
+                return 0;
+        }
+
+        // private /srv list of files and directories
+        if (strncmp(ptr, "private-srv ", 12) == 0) {
+                cfg.srv_private_keep = ptr + 12;
+                arg_private_srv = 1;
+                
+                return 0;
+        }
+
         // private /bin list of files
         if (strncmp(ptr, "private-bin ", 12) == 0) {
                 cfg.bin_private_keep = ptr + 12;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0a6777fef..68b8f554d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -671,13 +671,33 @@ int sandbox(void* sandbox_arg) {
                 else if (arg_overlay)
                         fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
                 else {
-                        fs_private_etc_list();
+                        fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
                         // create /etc/ld.so.preload file again
                         if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                                 fs_trace_preload();
                 }
         }
         
+        if (arg_private_opt) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep);
+                }
+        }
+        
+        if (arg_private_srv) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep);
+                }
+        }
+        
         if (arg_private_bin) {
                 if (cfg.chrootdir)
                         fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index d6113218c..007374c75 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -181,7 +181,7 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
-\f\private-home file,directory
+\fBprivate-home file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
@@ -199,6 +199,16 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-opt file,directory
+Build a new /optin a temporary
+filesystem, and copy the files and directories in the list.
+All modifications are discarded when the sandbox is closed.
+.TP
+\fBprivate-srv file,directory
+Build a new /srv in a temporary
+filesystem, and copy the files and directories in the list.
+All modifications are discarded when the sandbox is closed.
+.TP
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8441f25d5..450f30c68 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1179,6 +1179,32 @@ $ firejail --private-etc=group,hostname,localtime, \\
 nsswitch.conf,passwd,resolv.conf
 
 .TP
+\fB\-\-private-opt=file,directory
+Build a new /opt in a temporary
+filesystem, and copy the files and directories in the list.
+If no listed file is found, /opt directory will be empty.
+All modifications are discarded when the sandbox is closed. 
+.br
+
+.br
+Example:
+.br
+$ firejail --private-opt=firefox /opt/firefox/firefox
+
+.TP
+\fB\-\-private-srv=file,directory
+Build a new /srv in a temporary
+filesystem, and copy the files and directories in the list.
+If no listed file is found, /srv directory will be empty.
+All modifications are discarded when the sandbox is closed. 
+.br
+
+.br
+Example:
+.br
+# firejail --private-srv=www /etc/init.d/apache2 start
+
+.TP
 \fB\-\-private-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
index d00e9fb94..3e2a0ffd4 100755
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -55,10 +55,6 @@ sleep 1
 
 send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
 expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Child process initialized"
-}
-expect {
         timeout {puts "TESTING ERROR 1.2\n";exit}
         "connect"
 }
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp
index 89dedcb24..04091047b 100755
--- a/test/network/net_veth.exp
+++ b/test/network/net_veth.exp
@@ -123,6 +123,18 @@ expect {
 }
 sleep 1
 send -- "exit\r"
+sleep 1
+
+send -- "firejail --net=eth0 --ip=10.10.20.1\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "the IP address is not in the interface range"
+}
+
+
+
+
+
 
 after 100
 
diff --git a/test/root/private.exp b/test/root/private.exp
index 4040081ee..9ce9716f9 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -29,5 +29,62 @@ expect {
 after 100
 
 send -- "exit\r"
+sleep 1
+
+
+
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "mkdir /opt/firejail-test-dir\r"
+after 100
+send -- "touch /opt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "touch /srv/firejail-test-file\r"
+after 100
+send -- "mkdir /srv/firejail-test-dir\r"
+after 100
+send -- "touch /srv/firejail-test-dir/firejail-test-file\r"
 after 100
+send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+
+
+
+
+
+
+
 puts "\nall done\n"
diff --git a/test/root/root.sh b/test/root/root.sh
index 01c372f68..371bccdff 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -53,8 +53,8 @@ fi
 echo "TESTING: fs private (test/root/private.exp)"
 ./private.exp
 
-echo "TESTING: fs whitelist mnt, opt, media(test/root/whitelist-mnt.exp)"
-./whitelist-mnt.exp
+echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)"
+./whitelist.exp
 
 #********************************
 # seccomp
diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp
deleted file mode 100755
index 58ae4fffc..000000000
--- a/test/root/whitelist-mnt.exp
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "touch /mnt/firejail-test-file\r"
-after 100
-send -- "firejail --whitelist=/mnt/firejail-test-file --debug\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "find /mnt | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "2"
-}
-after 100
-send -- "exit\r"
-sleep 1
-
-
-send -- "touch /opt/firejail-test-file\r"
-after 100
-send -- "firejail --whitelist=/opt/firejail-test-file --debug\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "find /opt | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "2"
-}
-after 100
-send -- "exit\r"
-sleep 1
-
-send -- "touch /media/firejail-test-file\r"
-after 100
-send -- "firejail --whitelist=/media/firejail-test-file --debug\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "find /media | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "2"
-}
-after 100
-send -- "exit\r"
-sleep 1
-
-
-send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "find /var | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        ""
-}
-after 100
-send -- "exit\r"
-sleep 1
-
-
-
-after 100
-puts "\nall done\n"
-
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp
new file mode 100755
index 000000000..f6936c048
--- /dev/null
+++ b/test/root/whitelist.exp
@@ -0,0 +1,118 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch /mnt/firejail-test-file\r"
+after 100
+send -- "mkdir /mnt/firejail-test-dir\r"
+after 100
+send -- "touch /mnt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /mnt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "mkdir /opt/firejail-test-dir\r"
+after 100
+send -- "touch /opt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/opt/firejail-test-file  --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "touch /media/firejail-test-file\r"
+after 100
+send -- "mkdir /media/firejail-test-dir\r"
+after 100
+send -- "touch /media/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /media | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /var | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        ""
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "touch /srv/firejail-test-file\r"
+after 100
+send -- "mkdir /srv/firejail-test-dir\r"
+after 100
+send -- "touch /srv/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+
+
+after 100
+puts "\nall done\n"
+
diff --git a/todo b/todo
index 253704fcf..070fb068d 100644
--- a/todo
+++ b/todo
@@ -286,4 +286,14 @@ removable media, partitions, software RAID volumes, logical volumes, and files.
 
 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
 
-
+30.
+$ sudo firejail --fs.print=test
+[sudo] password for netblue: 
+tmpfs /run/firejail/mnt                 << ????????????????
+sandbox name: test
+sandbox pid: 5790
+sandbox filesystem: local
+install mount namespace
+read-only /etc
+read-only /var
+read-only /bin