38 files changed, 661 insertions, 145 deletions

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f18b0d396..bc2f6869d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -24,7 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
 blacklist ${HOME}/.gnomerc
 blacklist /etc/X11/Xsession.d/
-blacklist ${HOME}/.xpra
+# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
 
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
diff --git a/etc/file.profile b/etc/file.profile
index f709e7f0c..d145fe12a 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,4 +1,5 @@
 # file profile
+quiet
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,7 +17,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-quiet
 x11 none
 
 blacklist /tmp/.X11-unix
diff --git a/etc/gajim.profile b/etc/gajim.profile
index b030a68b4..eb60f858b 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -1,4 +1,8 @@
 # Firejail profile for Gajim
+noblacklist ${HOME}/.cache/gajim
+noblacklist ${HOME}/.local/share/gajim
+noblacklist ${HOME}/.config/gajim
+
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.local/share/gajim
 mkdir ${HOME}/.config/gajim
@@ -29,4 +33,6 @@ seccomp
 shell none
 
 #private-bin python2.7 gajim
+#private-etc fonts
 private-dev
+#private-tmp
diff --git a/etc/git.profile b/etc/git.profile
index edb59ce13..d60e58c03 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,4 +1,5 @@
 # git profile
+quiet
 noblacklist ~/.gitconfig
 noblacklist ~/.ssh
 noblacklist ~/.gnupg
@@ -19,7 +20,6 @@ nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
-quiet
 seccomp
 shell none
 
diff --git a/etc/gzip.profile b/etc/gzip.profile
index d51b9a951..feb27c150 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,4 +1,5 @@
 # gzip profile
+quiet
 ignore noroot
 include /etc/firejail/default.profile
 
@@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix
 net none
 no3d
 nosound
-quiet
 shell none
 tracelog
 
diff --git a/etc/strings.profile b/etc/strings.profile
index 7c464bf88..2b7724b11 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,10 +1,10 @@
 # strings profile
+quiet
 ignore noroot
 include /etc/firejail/default.profile
 
 net none
 nosound
-quiet
 shell none
 tracelog
 
diff --git a/etc/tar.profile b/etc/tar.profile
index 91fdaf48d..3addb02fb 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,4 +1,5 @@
 # tar profile
+quiet
 ignore noroot
 include /etc/firejail/default.profile
 
@@ -8,7 +9,6 @@ hostname tar
 net none
 no3d
 nosound
-quiet
 shell none
 tracelog
 
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 0700cafe9..bde6f4e22 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,4 +1,5 @@
 # unrar profile
+quiet
 ignore noroot
 include /etc/firejail/default.profile
 
@@ -8,7 +9,6 @@ hostname unrar
 net none
 no3d
 nosound
-quiet
 shell none
 tracelog
 
diff --git a/etc/unzip.profile b/etc/unzip.profile
index a43785795..8c10d11a0 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,4 +1,5 @@
 # unzip profile
+quiet
 ignore noroot
 include /etc/firejail/default.profile
 blacklist /tmp/.X11-unix
@@ -7,7 +8,6 @@ hostname unzip
 net none
 no3d
 nosound
-quiet
 shell none
 tracelog
 
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 5ba0896ab..d5b750a13 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,4 +1,5 @@
 # uudeview profile
+quiet
 ignore noroot
 include /etc/firejail/default.profile
 
@@ -7,7 +8,6 @@ blacklist /etc
 hostname uudeview
 net none
 nosound
-quiet
 shell none
 tracelog
 
diff --git a/etc/wget.profile b/etc/wget.profile
index ad2b03b33..d9bca2acc 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,4 +1,5 @@
 # wget profile
+quiet
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 04f98cef6..6164e3200 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,4 +1,5 @@
 # xzdec profile
+quiet
 ignore noroot
 include /etc/firejail/default.profile
 
@@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix
 net none
 no3d
 nosound
-quiet
 shell none
 tracelog
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 40dda07ff..369abdc20 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -17,7 +17,6 @@ transmission-qt
 transmission-cli
 transmission-show
 uget-gtk
-wget
 
 # browsers/email
 abrowser
@@ -187,21 +186,14 @@ atom
 atom-beta
 gpa
 gpg
-# don't run ssh-agent and gpg-agent with firejail by default
-# this will break many processes using them in the background 
-# ssh-agent
-# gpg-agent
-git
 ranger
 keepass
 keepass2
 keepassx
 pluma
-ssh
 tracker
 xiphos
 xed
-xpra
 
 # weather/climate
 aweather
@@ -212,13 +204,3 @@ ark
 atool
 file-roller
 
-# when used by other processes in the background, it will break stuff
-#7z
-#cpio
-#gtar
-#gzip
-#tar
-#unrar
-#unzip
-#xz
-#xzdec
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 61de17bf8..d172efce1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -43,6 +43,8 @@
 #define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
 #define RUN_HOME_DIR    "/run/firejail/mnt/home"
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
+#define RUN_OPT_DIR     "/run/firejail/mnt/opt"
+#define RUN_SRV_DIR     "/run/firejail/mnt/srv"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
 
@@ -200,6 +202,8 @@ typedef struct config_t {
         char *home_private;     // private home directory
         char *home_private_keep;        // keep list for private home directory
         char *etc_private_keep; // keep list for private etc directory
+        char *opt_private_keep; // keep list for private opt directory
+        char *srv_private_keep; // keep list for private srv directory
         char *bin_private_keep; // keep list for private bin directory
         char *cwd;              // current working directory
         char *overlay_dir;
@@ -315,6 +319,8 @@ extern int arg_doubledash;	// double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
 extern int arg_private_etc;     // private etc directory
+extern int arg_private_opt;     // private opt directory
+extern int arg_private_srv;     // private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
 extern int arg_scan;            // arp-scan all interfaces
@@ -556,7 +562,7 @@ void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
-void fs_private_etc_list(void);
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 
 // no_sandbox.c
 int check_namespace_virt(void);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 80329d5ba..9a28ac601 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -47,7 +47,7 @@ errexit:
         exit(1);
 }
 
-static void duplicate(char *fname) {
+static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
@@ -55,40 +55,44 @@ static void duplicate(char *fname) {
         invalid_filename(fname);
 
         char *src;
-        if (asprintf(&src,  "/etc/%s", fname) == -1)
+        if (asprintf(&src,  "%s/%s", private_dir, fname) == -1)
                 errExit("asprintf");
         if (check_dir_or_file(src) == 0) {
                 if (!arg_quiet)
-                        fprintf(stderr, "Warning: skipping %s for private bin\n", fname);
+                        fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir);
                 free(src);
                 return;
         }
 
+        if (arg_debug)
+                printf("copying %s to private %s\n", src, private_dir);
+                
         struct stat s;
         if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
                 // create the directory in RUN_ETC_DIR
                 char *dirname;
-                if (asprintf(&dirname, "%s/%s", RUN_ETC_DIR, fname) == -1)
+                if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1)
                         errExit("asprintf");
                 create_empty_dir_as_root(dirname, s.st_mode);
                 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
                 free(dirname);
         }
         else
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, RUN_ETC_DIR);
+                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
 
         fs_logger2("clone", src);
         free(src);
 }
 
 
-void fs_private_etc_list(void) {
-        char *private_list = cfg.etc_private_keep;
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+        assert(private_dir);
+        assert(private_run_dir);
         assert(private_list);
         
         // create /run/firejail/mnt/etc directory
-        mkdir_attr(RUN_ETC_DIR, 0755, 0, 0);
-        fs_logger("tmpfs /etc");
+        mkdir_attr(private_run_dir, 0755, 0, 0);
+        fs_logger2("tmpfs", private_dir);
         
         fs_logger_print();      // save the current log
 
@@ -97,7 +101,7 @@ void fs_private_etc_list(void) {
         // using a new child process with root privileges
         if (*private_list != '\0') {
                 if (arg_debug)
-                        printf("Copying files in the new etc directory:\n");
+                        printf("Copying files in the new %s directory:\n", private_dir);
 
                 // copy the list of files in the new home directory
                 char *dlist = strdup(private_list);
@@ -106,18 +110,18 @@ void fs_private_etc_list(void) {
         
 
                 char *ptr = strtok(dlist, ",");
-                duplicate(ptr);
+                duplicate(ptr, private_dir, private_run_dir);
         
                 while ((ptr = strtok(NULL, ",")) != NULL)
-                        duplicate(ptr);
+                        duplicate(ptr, private_dir, private_run_dir);
                 free(dlist);    
                 fs_logger_print();
         }
         
         if (arg_debug)
-                printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
-        if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+                printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
+        if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind");
-        fs_logger("mount /etc");
+        fs_logger2("mount", private_dir);
 }
 
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 2aa4a1b54..bdc5ecaf3 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -65,10 +65,9 @@ static void build_list(const char *srcdir) {
                         struct stat s;
                         char *name;
                         if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1)
-                                continue;
-                        if (stat(name, &s) == -1)
-                                continue;
-                        if (S_ISLNK(s.st_mode)) {
+                                errExit("asprintf");
+                        if (stat(name, &s) == -1 ||
+                            S_ISLNK(s.st_mode)) {
                                 free(name);
                                 continue;
                         }
@@ -143,7 +142,7 @@ void fs_var_log(void) {
                 fs_logger("touch /var/log/btmp");
         }
         else
-                fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n");
+                fprintf(stderr, "Warning: cannot hide /var/log directory\n");
 }
 
 void fs_var_lib(void) {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 7b32021be..b10858411 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -95,34 +95,29 @@ static char *resolve_downloads(void) {
                                         if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
                                                 errExit("asprintf");
                                         
-                                        if (stat(fname, &s) == -1) {
-                                                fprintf(stderr, "***\n");
-                                                fprintf(stderr, "*** Error: directory %s not found.\n", fname);
-                                                fprintf(stderr, "*** \tThis directory is configured in ~/.config/user-dirs.dirs.\n");
-                                                fprintf(stderr, "*** \tPlease create a Downloads directory.\n");
-                                                fprintf(stderr, "***\n");
+                                        if (stat(fname, &s) == -1)
                                                 free(fname);
-                                                return NULL;
-                                        }
+                                                goto errout;
                                 
                                         char *rv;
                                         if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)
                                                 errExit("asprintf");
                                         return rv;
                                 }
-                                else {
-                                        fprintf(stderr, "***\n");
-                                        fprintf(stderr, "*** Error: invalid XDG_DOWNLOAD_DIR entry in ~/.config/user-dirs.dirs.\n");
-                                        fprintf(stderr, "*** \tPlease specify a valid Downloads directory, example:\n");
-                                        fprintf(stderr, "***\n");
-                                        fprintf(stderr, "***\t\tXDG_DOWNLOAD_DIR=\"$HOME/Downloads\"\n");
-                                        fprintf(stderr, "***\n");
-                                        return NULL;
-                                }
+                                else
+                                        goto errout;
                         }
                 }
         }
+        
         fclose(fp);
+        return NULL;
+
+errout:
+        fprintf(stderr, "***\n");
+        fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n");
+        fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n");
+        fprintf(stderr, "***\n");
         
         return NULL;
 }
@@ -181,10 +176,8 @@ static void whitelist_path(ProfileEntry *entry) {
         if (entry->home_dir) {
                 if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {             
                         fname = path + strlen(cfg.homedir);
-                        if (*fname == '\0') {
-                                fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
-                                exit(1);
-                        }
+                        if (*fname == '\0')
+                                goto errexit;
                 }
                 else
                         fname = path;
@@ -194,70 +187,56 @@ static void whitelist_path(ProfileEntry *entry) {
         }
         else if (entry->tmp_dir) {
                 fname = path + 4; // strlen("/tmp")
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in /tmp directory, exiting...\n", path);
-                        exit(1);
-                }
+                if (*fname == '\0')
+                        goto errexit;
         
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
                         errExit("asprintf");
         }
         else if (entry->media_dir) {
                 fname = path + 6; // strlen("/media")
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in /media directory, exiting...\n", path);
-                        exit(1);
-                }
+                if (*fname == '\0')
+                        goto errexit;
         
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
                         errExit("asprintf");
         }
         else if (entry->mnt_dir) {
                 fname = path + 4; // strlen("/mnt")
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path);
-                        exit(1);
-                }
+                if (*fname == '\0')
+                        goto errexit;
 
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1)
                         errExit("asprintf");
         }
         else if (entry->var_dir) {
                 fname = path + 4; // strlen("/var")
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in /var directory, exiting...\n", path);
-                        exit(1);
-                }
+                if (*fname == '\0')
+                        goto errexit;
         
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
                         errExit("asprintf");
         }
         else if (entry->dev_dir) {
                 fname = path + 4; // strlen("/dev")
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in /dev directory, exiting...\n", path);
-                        exit(1);
-                }
+                if (*fname == '\0')
+                        goto errexit;
         
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
                         errExit("asprintf");
         }
         else if (entry->opt_dir) {
                 fname = path + 4; // strlen("/opt")
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in /opt directory, exiting...\n", path);
-                        exit(1);
-                }
+                if (*fname == '\0')
+                        goto errexit;
         
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
                         errExit("asprintf");
         }
         else if (entry->srv_dir) {
                 fname = path + 4; // strlen("/srv")
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path);
-                        exit(1);
-                }
+                if (*fname == '\0')
+                        goto errexit;
 
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
                         errExit("asprintf");
@@ -305,6 +284,11 @@ static void whitelist_path(ProfileEntry *entry) {
                 errExit("mount bind");
 
         free(wfile);
+        return;
+
+errexit:
+        fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path);
+        exit(1);
 }
 
 
@@ -432,8 +416,6 @@ void fs_whitelist(void) {
                         tmp_dir = 1;
                         // both path and absolute path are under /tmp
                         if (strncmp(fname, "/tmp/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
                         }
                 }
@@ -442,8 +424,6 @@ void fs_whitelist(void) {
                         media_dir = 1;
                         // both path and absolute path are under /media
                         if (strncmp(fname, "/media/", 7) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
                         }
                 }
@@ -452,8 +432,6 @@ void fs_whitelist(void) {
                         mnt_dir = 1;
                         // both path and absolute path are under /mnt
                         if (strncmp(fname, "/mnt/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
                         }
                 }
@@ -467,8 +445,6 @@ void fs_whitelist(void) {
                         else if (strcmp(new_name, "/var/lock")== 0)
                                 ;
                         else if (strncmp(fname, "/var/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
                         }
                 }
@@ -477,8 +453,6 @@ void fs_whitelist(void) {
                         dev_dir = 1;
                         // both path and absolute path are under /dev
                         if (strncmp(fname, "/dev/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
                         }
                 }
@@ -487,8 +461,6 @@ void fs_whitelist(void) {
                         opt_dir = 1;
                         // both path and absolute path are under /dev
                         if (strncmp(fname, "/opt/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
                         }
                 }
@@ -497,14 +469,10 @@ void fs_whitelist(void) {
                         srv_dir = 1;
                         // both path and absolute path are under /srv
                         if (strncmp(fname, "/srv/", 5) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
                         }
                 }
                 else {
-                        if (arg_debug)
-                                fprintf(stderr, "Debug %d: \n", __LINE__);
                         goto errexit;
                 }
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0929347b7..4ccbb6a86 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -88,6 +88,8 @@ int arg_doubledash = 0;			// double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
 int arg_private_etc = 0;                        // private etc directory
+int arg_private_opt = 0;                        // private opt directory
+int arg_private_srv = 0;                        // private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
 int arg_scan = 0;                               // arp-scan all interfaces
@@ -1624,6 +1626,24 @@ int main(int argc, char **argv) {
                         }
                         arg_private_etc = 1;
                 }
+                else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
+                        // extract private opt list
+                        cfg.opt_private_keep = argv[i] + 14;
+                        if (*cfg.opt_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-opt option\n");
+                                exit(1);
+                        }
+                        arg_private_opt = 1;
+                }
+                else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
+                        // extract private srv list
+                        cfg.srv_private_keep = argv[i] + 14;
+                        if (*cfg.srv_private_keep == '\0') {
+                                fprintf(stderr, "Error: invalid private-etc option\n");
+                                exit(1);
+                        }
+                        arg_private_srv = 1;
+                }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                         // extract private bin list
                         cfg.bin_private_keep = argv[i] + 14;
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index ef4915f15..9e759ec70 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -47,14 +47,8 @@ void check_netfilter_file(const char *fname) {
         EUID_ASSERT();
         invalid_filename(fname);
         
-        if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
-                fprintf(stderr, "Error: invalid network filter file\n");
-                exit(1);
-        }
-
-        // access call checks as real UID/GID, not as effective UID/GID
-        if (access(fname, R_OK)) {
-                fprintf(stderr, "Error: cannot access network filter file\n");
+        if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
+                fprintf(stderr, "Error: invalid network filter file %s\n", fname);
                 exit(1);
         }
 }
@@ -101,7 +95,10 @@ void netfilter(const char *fname) {
         // push filter
         if (arg_debug)
                 printf("Installing network filter:\n%s\n", filter);
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+                
+        // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
+        // we run this command with caps and seccomp disabled in order to allow the loading of these modules
+        sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
         unlink(SBOX_STDIN_FILE);
 
         // debug
@@ -138,7 +135,7 @@ void netfilter6(const char *fname) {
         char *filter = read_text_file_or_exit(fname);
         FILE *fp = fopen(SBOX_STDIN_FILE, "w");
         if (!fp) {
-                fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
+                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
                 exit(1);
         }
         fprintf(fp, "%s\n", filter);
@@ -147,7 +144,10 @@ void netfilter6(const char *fname) {
         // push filter
         if (arg_debug)
                 printf("Installing network filter:\n%s\n", filter);
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+
+        // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
+        // we run this command with caps and seccomp disabled in order to allow the loading of these modules
+        sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
         unlink(SBOX_STDIN_FILE);
         
         // debug
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9acb1b813..2be6948f0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -739,6 +739,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        // private /opt list of files and directories
+        if (strncmp(ptr, "private-opt ", 12) == 0) {
+                cfg.opt_private_keep = ptr + 12;
+                arg_private_opt = 1;
+                
+                return 0;
+        }
+
+        // private /srv list of files and directories
+        if (strncmp(ptr, "private-srv ", 12) == 0) {
+                cfg.srv_private_keep = ptr + 12;
+                arg_private_srv = 1;
+                
+                return 0;
+        }
+
         // private /bin list of files
         if (strncmp(ptr, "private-bin ", 12) == 0) {
                 cfg.bin_private_keep = ptr + 12;
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index a4dce405d..753c50208 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -90,8 +90,6 @@ void run_symlink(int argc, char **argv) {
         if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
                 errExit("asprintf");
 
-        printf("Redirecting symlink to %s\n", program);
-
         // drop privileges
         if (setgid(getgid()) < 0)
                 errExit("setgid/getgid");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0a6777fef..68b8f554d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -671,13 +671,33 @@ int sandbox(void* sandbox_arg) {
                 else if (arg_overlay)
                         fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
                 else {
-                        fs_private_etc_list();
+                        fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
                         // create /etc/ld.so.preload file again
                         if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                                 fs_trace_preload();
                 }
         }
         
+        if (arg_private_opt) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep);
+                }
+        }
+        
+        if (arg_private_srv) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep);
+                }
+        }
+        
         if (arg_private_bin) {
                 if (cfg.chrootdir)
                         fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
index 40403aade..3e2a0ffd4 100755
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -26,15 +26,34 @@ expect {
 }
 after 100
 send -- "exit\r"
-after 100
+sleep 1
 
 
-# no chroot
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
+send -- "firejail --profile=dns.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
+        timeout {puts "TESTING ERROR 12.1\n";exit}
         "Child process initialized"
 }
+sleep 1
+
+send -- "cat /etc/resolv.conf\r"
+expect {
+        timeout {puts "TESTING ERROR 12.2\n";exit}
+        "nameserver 8.8.4.4"
+}
+expect {
+        timeout {puts "TESTING ERROR 12.3\n";exit}
+        "nameserver 8.8.8.8"
+}
+expect {
+        timeout {puts "TESTING ERROR 12.4\n";exit}
+        "nameserver 4.2.2.1"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
 expect {
         timeout {puts "TESTING ERROR 1.2\n";exit}
         "connect"
diff --git a/test/environment/dns.profile b/test/environment/dns.profile
new file mode 100644
index 000000000..d1b842c86
--- /dev/null
+++ b/test/environment/dns.profile
@@ -0,0 +1,3 @@
+dns 8.8.4.4
+dns 8.8.8.8
+dns 4.2.2.1
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index d9a425661..611b62b09 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -88,6 +88,9 @@ echo "TESTING: double whitelist (test/fs/whitelist-double.exp)"
 echo "TESTING: whitelist (test/fs/whitelist.exp)"
 ./whitelist.exp
 
+echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
+./whitelist-dev.exp
+
 echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)"
 ./fscheck-bindnoroot.exp
 
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
new file mode 100755
index 000000000..a19d5cedf
--- /dev/null
+++ b/test/fs/whitelist-dev.exp
@@ -0,0 +1,47 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --whitelist=/dev/null --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /dev | find /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --whitelist=/var/tmp --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /dev | find /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+
+after 100
+puts "\nall done\n"
+
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
index 9a9a0f353..9b631b884 100755
--- a/test/fs/whitelist.exp
+++ b/test/fs/whitelist.exp
@@ -36,7 +36,7 @@ after 200
 send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r"
 after 200
 
-send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r"
+send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -49,19 +49,19 @@ expect {
         "2"
 }
 
-send -- "cat fjtest-file\r"
+send -- "cat ~/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "123"
 }
 
-send -- "cat fjtest-dir/fjtest-file\r"
+send -- "cat ~/fjtest-dir/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "123"
 }
 
-send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "123"
@@ -86,7 +86,7 @@ expect {
         "1"
 }
 
-send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
         "123"
@@ -111,37 +111,37 @@ expect {
         "4"
 }
 
-send -- "cat fjtest-file\r"
+send -- "cat ~/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 22\n";exit}
         "123"
 }
 
-send -- "cat fjtest-dir/fjtest-file\r"
+send -- "cat ~/fjtest-dir/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 23\n";exit}
         "123"
 }
 
-send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 24\n";exit}
         "123"
 }
 
-send -- "cat fjtest-file-lnk\r"
+send -- "cat ~/fjtest-file-lnk\r"
 expect {
         timeout {puts "TESTING ERROR 25\n";exit}
         "123"
 }
 
-send -- "cat fjtest-dir-lnk/fjtest-file\r"
+send -- "cat ~/fjtest-dir-lnk/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 26\n";exit}
         "123"
 }
 
-send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r"
+send -- "cat ~/fjtest-dir-lnk/fjtest-dir/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 27\n";exit}
         "123"
@@ -193,13 +193,13 @@ expect {
         "2"
 }
 
-send -- "cat fjtest-file-lnk\r"
+send -- "cat ~/fjtest-file-lnk\r"
 expect {
         timeout {puts "TESTING ERROR 42\n";exit}
         "123"
 }
 
-send -- "cat fjtest-dir-lnk/fjtest-file\r"
+send -- "cat ~/fjtest-dir-lnk/fjtest-file\r"
 expect {
         timeout {puts "TESTING ERROR 43\n";exit}
         "123"
diff --git a/test/network/ip6.exp b/test/network/ip6.exp
index f0fcebcf8..1db16c28a 100755
--- a/test/network/ip6.exp
+++ b/test/network/ip6.exp
@@ -43,6 +43,46 @@ expect {
 }
 
 send -- "exit\r"
+sleep 2
+
+
+send -- "firejail --debug --profile=ip6.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Installing network filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "DROP"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
+        "2001:db8:1f0a:3ec::2"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "inet6"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "2001:db8:0:f101::1"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "Scope:Global" { puts "Debian\n"}
+        "scopeid 0x0<global>" { puts "Arch\n"}
+}
+
+send -- "exit\r"
+
 after 100
 
 puts "\nall done\n"
diff --git a/test/network/ip6.profile b/test/network/ip6.profile
new file mode 100644
index 000000000..87afa3941
--- /dev/null
+++ b/test/network/ip6.profile
@@ -0,0 +1,3 @@
+net br0
+ip6 2001:0db8:0:f101::1/64
+netfilter6 ipv6.net
diff --git a/test/network/iprange.exp b/test/network/iprange.exp
new file mode 100755
index 000000000..a1b2ccab4
--- /dev/null
+++ b/test/network/iprange.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.50" {puts "10.10.30.50\n"}
+        "10.10.30.51" {puts "10.10.30.51\n"}
+        "10.10.30.52" {puts "10.10.30.52\n"}
+        "10.10.30.53" {puts "10.10.30.53\n"}
+        "10.10.30.54" {puts "10.10.30.54\n"}
+        "10.10.30.55" {puts "10.10.30.55\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 2
+
+send -- "firejail --profile=iprange.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "10.10.30.50" {puts "10.10.30.50\n"}
+        "10.10.30.51" {puts "10.10.30.51\n"}
+        "10.10.30.52" {puts "10.10.30.52\n"}
+        "10.10.30.53" {puts "10.10.30.53\n"}
+        "10.10.30.54" {puts "10.10.30.54\n"}
+        "10.10.30.55" {puts "10.10.30.55\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 2
+
+
+
+send -- "firejail --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "no network device configured"
+}
+after 100
+
+send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "cannot configure the IP range twice for the same interface"
+}
+after 100
+
+send -- "firejail --net=br1 --iprange=10.10.30.50\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "invalid IP range"
+}
+after 100
+
+send -- "firejail --net=br0 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "IP range addresses not in network range"
+}
+after 100
+
+send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "invalid IP range"
+}
+after 100
+
+
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/network/iprange.profile b/test/network/iprange.profile
new file mode 100644
index 000000000..ecc01cd93
--- /dev/null
+++ b/test/network/iprange.profile
@@ -0,0 +1,2 @@
+net br1
+iprange 10.10.30.50,10.10.30.55
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp
index 89dedcb24..04091047b 100755
--- a/test/network/net_veth.exp
+++ b/test/network/net_veth.exp
@@ -123,6 +123,18 @@ expect {
 }
 sleep 1
 send -- "exit\r"
+sleep 1
+
+send -- "firejail --net=eth0 --ip=10.10.20.1\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "the IP address is not in the interface range"
+}
+
+
+
+
+
 
 after 100
 
diff --git a/test/network/network.sh b/test/network/network.sh
index e1646d64a..bea5dfb26 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -78,6 +78,12 @@ echo "TESTING: veth (net_veth.exp)"
 echo "TESTING: netfilter (net_netfilter.exp)"
 ./net_netfilter.exp
 
+echo "TESTING: iprange (iprange.exp)"
+./iprange.exp
+
+echo "TESTING: veth-name (veth-name.exp)"
+./veth-name.exp
+
 echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
 ./4bridges_arp.exp
 
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp
new file mode 100755
index 000000000..36ed41d92
--- /dev/null
+++ b/test/network/veth-name.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# 
+send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "blablabla"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "master br1 state UP"
+}
+sleep 1
+
+
+send -- "firejail --profile=veth-name.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "10.10.60.51"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "bingo"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "master br4 state UP"
+}
+sleep 1
+
+
+after 100
+puts "\nall done\n"
+
diff --git a/test/network/veth-name.profile b/test/network/veth-name.profile
new file mode 100644
index 000000000..f00a74d63
--- /dev/null
+++ b/test/network/veth-name.profile
@@ -0,0 +1,3 @@
+net br4
+ip 10.10.60.51
+veth-name bingo
diff --git a/test/root/private.exp b/test/root/private.exp
index 4040081ee..9ce9716f9 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -29,5 +29,62 @@ expect {
 after 100
 
 send -- "exit\r"
+sleep 1
+
+
+
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "mkdir /opt/firejail-test-dir\r"
+after 100
+send -- "touch /opt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "touch /srv/firejail-test-file\r"
+after 100
+send -- "mkdir /srv/firejail-test-dir\r"
+after 100
+send -- "touch /srv/firejail-test-dir/firejail-test-file\r"
 after 100
+send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+
+
+
+
+
+
+
 puts "\nall done\n"
diff --git a/test/root/root.sh b/test/root/root.sh
index 494bd4fe7..371bccdff 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -53,6 +53,9 @@ fi
 echo "TESTING: fs private (test/root/private.exp)"
 ./private.exp
 
+echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)"
+./whitelist.exp
+
 #********************************
 # seccomp
 #********************************
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp
new file mode 100755
index 000000000..f6936c048
--- /dev/null
+++ b/test/root/whitelist.exp
@@ -0,0 +1,118 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch /mnt/firejail-test-file\r"
+after 100
+send -- "mkdir /mnt/firejail-test-dir\r"
+after 100
+send -- "touch /mnt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /mnt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "mkdir /opt/firejail-test-dir\r"
+after 100
+send -- "touch /opt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/opt/firejail-test-file  --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "touch /media/firejail-test-file\r"
+after 100
+send -- "mkdir /media/firejail-test-dir\r"
+after 100
+send -- "touch /media/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /media | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /var | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        ""
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "touch /srv/firejail-test-file\r"
+after 100
+send -- "mkdir /srv/firejail-test-dir\r"
+after 100
+send -- "touch /srv/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+
+
+after 100
+puts "\nall done\n"
+