25 files changed, 344 insertions, 189 deletions
diff --git a/README b/README
index 8df3e8ad3..7570cc3f6 100644
--- a/README
+++ b/README
@@ -80,8 +80,8 @@ Fred-Barclay (https://github.com/Fred-Barclay)
        - evince profile enhancement
        - tightened Spotify profile
        - added xiphos and Tor Browser Bundle profiles
-    - added xed and pluma profiles
+        - added xed and pluma profiles
-    - added Cryptocat profile
+        - added Cryptocat profile
 valoq (https://github.com/valoq)
        - lots of profile fixes
        - added support for /srv in --whitelist feature
@@ -95,6 +95,8 @@ valoq (https://github.com/valoq)
        - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
        - added wget profile
+Lari Rauno (https://github.com/tuutti)
+        - qutebrowser profile fixes
 SpotComms (https://github.com/SpotComms)
        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
        - added PDFSam, Pithos, and Xonotic profiles
diff --git a/README.md b/README.md
index bafcf6120..16f84493b 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,13 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
              Example:
              # firejail --private-srv=www /etc/init.d/apache2 start
+       --machine-id
+              Preserve  id  number  in  /etc/machine-id file. By default a new
+              random id is generated inside the sandbox.
+              Example:
+              $ firejail --machine-id
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
diff --git a/RELNOTES b/RELNOTES
index 3ccd51ce7..c3a077c5e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -11,6 +11,7 @@ firejail (0.9.45) baseline; urgency=low
  * feature: test coverage (gcov) support
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
+  * feature: spoof machine-id
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, 
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 95af0aa34..b86c6f998 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -209,7 +209,8 @@ blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
-blacklist ${PATH}/konsole
+#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
 # kernel files
 blacklist /vmlinuz*
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index eabbe0f3e..dcacd4f29 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -18,4 +18,6 @@ mkdir ~/.config/qutebrowser
 whitelist ~/.config/qutebrowser
 mkdir ~/.cache/qutebrowser
 whitelist ~/.cache/qutebrowser
+mkdir ~/.local/share/qutebrowser
+whitelist ~/.local/share/qutebrowser
 include /etc/firejail/whitelist-common.inc
diff --git a/gcov.sh b/gcov.sh
index a3cd8c5ee..57190cad2 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -2,13 +2,13 @@
 gcov_init() {
        USER=`whoami`
-        firejail --help
+        firejail --help > /dev/null
-        firemon --help
+        firemon --help > /dev/null
-        /usr/lib/firejail/fnet --help
+        /usr/lib/firejail/fnet --help > /dev/null
-        /usr/lib/firejail/fseccomp --help
+        /usr/lib/firejail/fseccomp --help > /dev/null
-        /usr/lib/firejail/ftee --help
+        /usr/lib/firejail/ftee --help > /dev/null
-        /usr/lib/firejail/fcopy --help
+        /usr/lib/firejail/fcopy --help > /dev/null
-        firecfg --help
+        firecfg --help > /dev/null
        sudo chown $USER:$USER `find .`
 }
@@ -24,6 +24,13 @@ generate() {
 gcov_init
+lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-old
+#make test-environment
+#generate
+#sleep 2
+#exit
 # running tests
 make test-root
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d172efce1..368e0d88d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -78,6 +78,7 @@
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
+#define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
 #define RUN_PASSWD_FILE         "/run/firejail/mnt/passwd"
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers;	// allow debuggers
 extern int arg_x11_block;       // block X11
 extern int arg_x11_xorg;        // use X11 security extention
 extern int arg_allusers;        // all user home directories visible
+extern int arg_machineid;       // preserve /etc/machine-id
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ffad961c3..905d2903d 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -662,7 +662,8 @@ void fs_basic_fs(void) {
        fs_var_lib();
        fs_var_cache();
        fs_var_utmp();
+        fs_machineid();
+        
        // don't leak user information
        restrict_users();
        
@@ -945,6 +946,7 @@ void fs_overlayfs(void) {
        fs_var_lib();
        fs_var_cache();
        fs_var_utmp();
+        fs_machineid();
        // don't leak user information
        restrict_users();
@@ -1126,6 +1128,7 @@ void fs_chroot(const char *rootdir) {
                fs_var_lib();
                fs_var_cache();
                fs_var_utmp();
+                fs_machineid();
        
                // don't leak user information
                restrict_users();
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 9a28ac601..a04bf6725 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -23,6 +23,57 @@
 #include <sys/types.h>
 #include <unistd.h>
+// spoof /etc/machine_id
+void fs_machineid(void) {
+        union machineid_t {
+                uint8_t u8[16];
+                uint32_t u32[4];
+        } mid;
+        // if --machine-id flag is active, do nothing
+        if (arg_machineid)
+                return;
+        // init random number generator
+        srand(time(NULL));
+        
+        // generate random id
+        mid.u32[0] = rand();
+        mid.u32[1] = rand();
+        mid.u32[2] = rand();
+        mid.u32[3] = rand();
+        
+        // UUID version 4 and DCE variant
+        mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
+        mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
+        
+        // write it in a file
+        FILE *fp = fopen(RUN_MACHINEID, "w");
+        if (!fp)
+                errExit("fopen");
+        fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
+        fclose(fp);
+        if (set_perms(RUN_MACHINEID, 0, 0, 0444))
+                errExit("set_perms");
+                
+        struct stat s;
+        // mount-bind 
+        if (stat("/etc/machine-id", &s) == 0) {
+                if (arg_debug)
+                        printf("installing a new /etc/machine-id\n");
+                if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+                        errExit("mount");
+        }
+//#if 0 // todo: investigate    
+        if (stat("/var/lib/dbus/machine-id", &s) == 0) {
+                if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0"))
+                        errExit("mount");
+        }
+//#endif
+}
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
        assert(fname);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aa855b7eb..b25bad9f2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0;			// allow debuggers
 int arg_x11_block = 0;                          // block X11
 int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
+int arg_machineid = 0;                          // preserve /etc/machine-id
 int login_shell = 0;
@@ -750,42 +751,6 @@ static void delete_x11_file(pid_t pid) {
        free(fname);
 }
-static void detect_quiet(int argc, char **argv) {
-        int i;
-        
-        // detect --quiet
-        for (i = 1; i < argc; i++) {
-                if (strcmp(argv[i], "--quiet") == 0) {
-                        arg_quiet = 1;
-                        break;
-                }
-                
-                // detect end of firejail params
-                if (strcmp(argv[i], "--") == 0)
-                        break;
-                if (strncmp(argv[i], "--", 2) != 0)
-                        break;
-        }
-}
-static void detect_allow_debuggers(int argc, char **argv) {
-        int i;
-        
-        // detect --allow-debuggers
-        for (i = 1; i < argc; i++) {
-                if (strcmp(argv[i], "--allow-debuggers") == 0) {
-                        arg_allow_debuggers = 1;
-                        break;
-                }
-                
-                // detect end of firejail params
-                if (strcmp(argv[i], "--") == 0)
-                        break;
-                if (strncmp(argv[i], "--", 2) != 0)
-                        break;
-        }
-}
 char *guess_shell(void) {
        char *shell = NULL;
        // shells in order of preference
@@ -805,6 +770,25 @@ char *guess_shell(void) {
        return shell;
 }
+static int check_arg(int argc, char **argv, const char *argument) {
+        int i;
+        int found = 0;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], argument) == 0) {
+                        found = 1;
+                        break;
+                }
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+        
+        return found;
+}
 //*******************************************
 // Main program
 //*******************************************
@@ -821,8 +805,10 @@ int main(int argc, char **argv) {
        // build /run/firejail directory structure
        preproc_build_firejail_dir();
        
-        detect_quiet(argc, argv);
+        if (check_arg(argc, argv, "--quiet"))
-        detect_allow_debuggers(argc, argv);
+                arg_quiet = 1;
+        if (check_arg(argc, argv, "--allow-debuggers"))
+                arg_allow_debuggers = 1;
        // drop permissions by default and rise them when required
        EUID_INIT();
@@ -844,78 +830,32 @@ int main(int argc, char **argv) {
                EUID_USER();
                if (rv == 0) {
                        // if --force option is passed to the program, disregard the existing sandbox
-                        int found = 0;
+                        if (check_arg(argc, argv, "--force"))
-                        for (i = 1; i < argc; i++) {
+                                option_force = 1;
-                                if (strcmp(argv[i], "--force") == 0 ||
+                        else {
-                                    strcmp(argv[i], "--list") == 0 ||   
+                                if (check_arg(argc, argv, "--version")) {
-                                    strcmp(argv[i], "--netstats") == 0 ||       
+                                        printf("firejail version %s\n", VERSION);
-                                    strcmp(argv[i], "--tree") == 0 ||   
+                                        exit(0);
-                                    strcmp(argv[i], "--top") == 0 ||
-                                    strncmp(argv[i], "--ls=", 5) == 0 ||
-                                    strncmp(argv[i], "--get=", 6) == 0 ||
-                                    strcmp(argv[i], "--debug-caps") == 0 ||
-                                    strcmp(argv[i], "--debug-errnos") == 0 ||
-                                    strcmp(argv[i], "--debug-syscalls") == 0 ||
-                                    strcmp(argv[i], "--debug-protocols") == 0 ||
-                                    strcmp(argv[i], "--help") == 0 ||
-                                    strcmp(argv[i], "--version") == 0 ||
-                                    strcmp(argv[i], "--overlay-clean") == 0 ||
-                                    strncmp(argv[i], "--dns.print=", 12) == 0 ||
-                                    strncmp(argv[i], "--bandwidth=", 12) == 0 ||
-                                    strncmp(argv[i], "--caps.print=", 13) == 0 ||
-                                    strncmp(argv[i], "--cpu.print=", 12) == 0 ||
-        //********************************************************************************
-        // todo: fix the following problems
-                                    strncmp(argv[i], "--join=", 7) == 0 ||
-        //[netblue@debian Downloads]$ firejail --join=896
-        //Switching to pid 897, the first child process inside the sandbox
-        //Error: seccomp file not found
-        //********************************************************************************
-        
-                                    strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
-                                    strncmp(argv[i], "--join-network=", 15) == 0 ||
-                                    strncmp(argv[i], "--fs.print=", 11) == 0 ||
-                                    strncmp(argv[i], "--protocol.print=", 17) == 0 ||
-                                    strncmp(argv[i], "--seccomp.print", 15) == 0 ||
-                                    strncmp(argv[i], "--shutdown=", 11) == 0) {
-                                        found = 1;
-                                        break;
                                }
-        
+                                
-                                // detect end of firejail params
-                                if (strcmp(argv[i], "--") == 0)
-                                        break;
-                                if (strncmp(argv[i], "--", 2) != 0)
-                                        break;
-                        }
-                        
-                        if (found == 0) {
                                // start the program directly without sandboxing
                                run_no_sandbox(argc, argv);
                                // it will never get here!
                                assert(0);
                        }
-                        else
-                                option_force = 1;
                }
        }
-        
        // check root/suid
        EUID_ROOT();
        if (geteuid()) {
-                // detect --version
+                // only --version is supported without SUID support
-                for (i = 1; i < argc; i++) {
+                if (check_arg(argc, argv, "--version")) {
-                        if (strcmp(argv[i], "--version") == 0) {
+                        printf("firejail version %s\n", VERSION);
-                                printf("firejail version %s\n", VERSION);
+                        exit(0);
-                                exit(0);
-                        }
-                        
-                        // detect end of firejail params
-                        if (strcmp(argv[i], "--") == 0)
-                                break;
-                        if (strncmp(argv[i], "--", 2) != 0)
-                                break;
                }
+                fprintf(stderr, "Error: cannot rise privileges\n");
                exit(1);
        }
        EUID_USER();
@@ -1520,6 +1460,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--writable-var") == 0) {
                        arg_writable_var = 1;
                }
+                else if (strcmp(argv[i], "--machine-id") == 0) {
+                        arg_machineid = 1;
+                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
                }
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 8af555ea2..c56d90994 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -165,84 +165,28 @@ void run_no_sandbox(int argc, char **argv) {
        // process limited subset of options
        int i;
        for (i = 0; i < argc; i++) {
-                if (strcmp(argv[i], "--csh") == 0) {
+                if (strcmp(argv[i], "--debug") == 0)
-                        if (arg_shell_none) {
+                        arg_debug = 1;
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
+                else if (strcmp(argv[i], "--csh") == 0 ||
-                                exit(1);
+                    strcmp(argv[i], "--zsh") == 0 ||
-                        }
+                    strcmp(argv[i], "--shell=none") == 0 ||
-                        if (cfg.shell) {
+                    strncmp(argv[i], "--shell=", 8) == 0)
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
+                        fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable");
-                                exit(1);
-                        }
-                        cfg.shell = "/bin/csh";
-                }
-                else if (strcmp(argv[i], "--zsh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                exit(1);
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                exit(1);
-                        }
-                        cfg.shell = "/bin/zsh";
-                }
-                else if (strcmp(argv[i], "--shell=none") == 0) {
-                        arg_shell_none = 1;
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: a shell was already specified\n");
-                                exit(1);
-                        }
-                }
-                else if (strncmp(argv[i], "--shell=", 8) == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                exit(1);
-                        }
-                        invalid_filename(argv[i] + 8);
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one user shell can be specified\n");
-                                exit(1);
-                        }
-                        cfg.shell = argv[i] + 8;
-                        if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
-                                fprintf(stderr, "Error: invalid shell\n");
-                                exit(1);
-                        }
-                        // access call checks as real UID/GID, not as effective UID/GID
-                        if(cfg.chrootdir) {
-                                char *shellpath;
-                                if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
-                                        errExit("asprintf");
-                                if (access(shellpath, R_OK)) {
-                                        fprintf(stderr, "Error: cannot access shell file in chroot\n");
-                                        exit(1);
-                                }
-                                free(shellpath);
-                        } else if (access(cfg.shell, R_OK)) {
-                                fprintf(stderr, "Error: cannot access shell file\n");
-                                exit(1);
-                        }
-                }
        }
        // use $SHELL to get shell used in sandbox
-        if (!arg_shell_none && !cfg.shell) {
+        char *shell =  getenv("SHELL");
-                char *shell =  getenv("SHELL");
+        if (shell && access(shell, R_OK) == 0)
-                if (shell && access(shell, R_OK) == 0)
+                cfg.shell = shell;
-                        cfg.shell = shell;
-        }
        // guess shell otherwise
-        if (!arg_shell_none && !cfg.shell) {
+        if (!cfg.shell) {
                cfg.shell = guess_shell();
                if (arg_debug)
                        printf("Autoselecting %s as shell\n", cfg.shell);
        }
-        if (!arg_shell_none && !cfg.shell) {
+        if (!cfg.shell) {
-                fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
+                fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
                exit(1);
        }
@@ -266,13 +210,11 @@ void run_no_sandbox(int argc, char **argv) {
                }
        }
-        if (!arg_shell_none) {
+        if (prog_index == 0) {
-                if (prog_index == 0) {
+                cfg.command_line = cfg.shell;
-                        cfg.command_line = cfg.shell;
+                cfg.window_title = cfg.shell;
-                        cfg.window_title = cfg.shell;
+        } else {
-                } else {
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
-                        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
-                }
        }
        cfg.original_argv = argv;
@@ -287,5 +229,6 @@ void run_no_sandbox(int argc, char **argv) {
                fprintf(stderr, "Warning: an existing sandbox was detected. "
                        "%s will run without any additional sandboxing features\n", command);
+        arg_quiet = 1;
        start_application();
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3697b54b9..da3daf95a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+        if (strcmp(ptr, "machine-id") == 0) {
+                arg_machineid = 1;
+                return 0;
+        }
        // writable-var
        if (strcmp(ptr, "writable-var") == 0) {
                arg_writable_var = 1;
@@ -1049,6 +1053,9 @@ void profile_read(const char *fname) {
 //              else {
 //                      free(ptr);
 //              }
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
        }
        fclose(fp);
 }
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index a774fd6f5..47dd846d2 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -27,6 +27,9 @@ void set_rlimits(void) {
        if (arg_rlimit_nofile) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
                rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
+#ifdef HAVE_GCOV        // gcov-instrumented programs might crash at this point
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
@@ -36,6 +39,9 @@ void set_rlimits(void) {
        if (arg_rlimit_nproc) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
                rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
+#ifdef HAVE_GCOV
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_NPROC, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
@@ -45,6 +51,9 @@ void set_rlimits(void) {
        if (arg_rlimit_fsize) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
                rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
+#ifdef HAVE_GCOV
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_FSIZE, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
@@ -54,6 +63,9 @@ void set_rlimits(void) {
        if (arg_rlimit_sigpending) {
                rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
                rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
+#ifdef HAVE_GCOV
+                __gcov_dump();
+#endif
                if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1)
                        errExit("setrlimit");
                if (arg_debug)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 68b8f554d..50fcd6ed0 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -286,6 +286,9 @@ void start_application(void) {
        //****************************************
        if (arg_audit) {
                assert(arg_audit_prog);
+#ifdef HAVE_GCOV
+        __gcov_dump();
+#endif
                execl(arg_audit_prog, arg_audit_prog, NULL);
        }
        //****************************************
@@ -309,6 +312,9 @@ void start_application(void) {
                if (!arg_command && !arg_quiet)
                        printf("Child process initialized\n");
+#ifdef HAVE_GCOV
+        __gcov_dump();
+#endif
                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
                exit(1);
        }
@@ -356,6 +362,9 @@ void start_application(void) {
                if (!arg_command && !arg_quiet)
                        printf("Child process initialized\n");
+#ifdef HAVE_GCOV
+        __gcov_dump();
+#endif
                execvp(arg[0], arg);
        }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c8bed06e3..db3c25a5a 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -94,6 +94,9 @@ void usage(void) {
        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK     
        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+#endif
+        printf("    --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_NETWORK     
        printf("    --mtu=number - set interface MTU.\n");
 #endif
        printf("    --name=name - set sandbox name.\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 007374c75..fa522c154 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -447,6 +447,10 @@ iprange 192.168.1.150,192.168.1.160
 Assign MAC addresses to the last network interface defined by a net command.
 .TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.TP
 \fBmtu number
 Assign a MTU value to the last network interface defined by a net command.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 450f30c68..fdeb9ea3f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -666,6 +666,16 @@ Example:
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 .TP
+\fB\-\-machine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-machine-id
+.TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
 .br
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
index 1122b712f..2b851ee72 100755
--- a/test/environment/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -16,9 +16,34 @@ sleep 1
 send --  "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "Warning: an existing sandbox was detected"
 }
 after 100
+send --  "exit\r"
+after 100
+send --  "firejail --force\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "cannot rise privileges"
+}
+after 100
+send --  "firejail --version\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "firejail version"
+}
+after 100
+send --  "firejail --version --force\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "firejail version"
+}
+after 100
 puts "\nall done\n"
diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp
index 37d1c2870..330e5e372 100755
--- a/test/environment/firejail-in-firejail2.exp
+++ b/test/environment/firejail-in-firejail2.exp
@@ -14,11 +14,38 @@ expect {
 }
 sleep 1
+send --  "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Warning: an existing sandbox was detected"
+}
+after 100
+send --  "exit\r"
+after 100
 send --  "firejail --force\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
        "Child process initialized"
 }
 after 100
+send --  "exit\r"
+after 100
+send --  "firejail --version\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "firejail version"
+}
+after 100
+send --  "firejail --version --force\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "firejail version"
+}
+after 100
 puts "\nall done\n"
diff --git a/test/network/dns-print.exp b/test/network/dns-print.exp
new file mode 100755
index 000000000..9cdc14a6d
--- /dev/null
+++ b/test/network/dns-print.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --dns.print=test-dns\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "nameserver 1.2.3.4"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "nameserver 2.3.4.5"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "nameserver 3.4.5.6"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp
new file mode 100755
index 000000000..7f21fc083
--- /dev/null
+++ b/test/network/net_macvlan2.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r"
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "eth1-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "eth2-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "eth3-"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.5\n";exit}
+        "Default gateway 192.168.1.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.6\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "exit\r"
+sleep 1
+after 100
+puts "\nall done\n"
diff --git a/test/network/network.sh b/test/network/network.sh
index bea5dfb26..94df9935e 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -11,6 +11,9 @@ sudo ./configure
 echo "TESTING: firemon interface (firemon-interfaces.exp)"
 sudo ./firemon-interfaces.exp
+echo "TESTING: print dns (dns-print.exp)"
+./dns-print.exp
 echo "TESTING: firemon arp (firemon-arp.exp)"
 ./firemon-arp.exp
@@ -69,6 +72,9 @@ echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
 echo "TESTING: scan (net_scan.exp)"
 ./net_scan.exp
+echo "TESTING: mtu (mtu.exp)"
+./mtu.exp
 echo "TESTING: interface (interface.exp)"
 ./interface.exp
@@ -84,6 +90,9 @@ echo "TESTING: iprange (iprange.exp)"
 echo "TESTING: veth-name (veth-name.exp)"
 ./veth-name.exp
+echo "TESTING: macvlan2 (net_macvlan2.exp)"
+./net_macvlan2.exp
 echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
 ./4bridges_arp.exp
diff --git a/test/network/net_macvlan.exp b/test/stress/net_macvlan.exp
index f457ea98f..6ea4a6adf 100755
--- a/test/network/net_macvlan.exp
+++ b/test/stress/net_macvlan.exp
@@ -12,7 +12,7 @@ spawn $env(SHELL)
 send -- "firejail --net=eth0 --ip=192.168.1.60\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";puts "Please open a sandbox on 192.168.1.60\n";exit}
-        "the address 192.168.1.60 is already in use"
+        "192.168.1.60 is interface eth0 address"
 }
diff --git a/test/stress/stress.sh b/test/stress/stress.sh
new file mode 100755
index 000000000..35c846071
--- /dev/null
+++ b/test/stress/stress.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: macvlan (net_macvlan.exp)"
+./net_macvlan.exp
diff --git a/todo b/todo
index 954fd786a..86917e6cd 100644
--- a/todo
+++ b/todo
@@ -299,3 +299,5 @@ read-only /var
 read-only /bin
 31. --private and --allusers are coliding
+32. machine-id defined in rfc4122