65 files changed, 1093 insertions, 110 deletions

diff --git a/Makefile.in b/Makefile.in
index 16f8e8717..fbe9b24c4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -164,6 +164,14 @@ realinstall:
         install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
         rm -fr .etc
@@ -231,6 +239,8 @@ dist:
         cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd ..
         cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd ..
         cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd ..
+        cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/profiles test/.; cd ..
+        cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps test/.; cd ..
         cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd ..
         tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION)
         rm -fr $(NAME)-$(VERSION)
@@ -250,5 +260,14 @@ cppcheck: clean
 
 scan-build: clean
         scan-build make
+
 asc:; ./mkasc.sh $(VERSION)
 
+test-profiles:
+        cd test/profiles; ./profiles.sh | grep TESTING
+
+test-apps:
+        cd test/apps; ./apps.sh | grep TESTING
+
+test: test-profiles test-apps
+        echo "TEST COMPLETE"
diff --git a/README b/README
index 81481f512..9ea2730ad 100644
--- a/README
+++ b/README
@@ -18,13 +18,32 @@ License: GPL v2
 Firejail Authors:
 
 netblue30 (netblue30@yahoo.com)
+Vasya Novikov (https://github.com/vn971)
+        - Wesnoth profile
+        - Hedegewars profile
+        - manpage fixes
+        - fixed firecfg clean/clear issue
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
+        - dnsmasq profile
+        - okular and gwenview profiles
+        - cherrytree profile fixes
+Matthew Gyurgyik (https://github.com/pyther)
+        - rpm spec and several fixes
 Joan Figueras (https://github.com/figue)
         - added abrowser profile
+        - added Google-Play-Music-Desktop-Player
 Fred-Barclay (https://github.com/Fred-Barclay)
         - added Vivaldi, Atril profiles
         - added PaleMoon profile
         - split Icedove and Thunderbird profiles
         - added 0ad profile
+        - fixed version for .deb packages
+        - added Warzone2100 profile
+        - blacklisted VeraCrypt
+        - added Gpredict profile
+        - added Aweather, Stellarium profiles
+        - fixed HexChat and Atril profiles
 avoidr (https://github.com/avoidr)
         - whitelist fix
         - recently-used.xbel fix
@@ -52,10 +71,6 @@ dshmgh (https://github.com/dshmgh)
 yumkam (https://github.com/yumkam)
         - add compile-time option to restrict --net= to root only
         - man page fixes
-Vasya Novikov (https://github.com/vn971)
-        - Wesnoth profile
-        - Hedegewars profile
-        - manpage fixes
 mahdi1234 (https://github.com/mahdi1234)
         - cherrytree profile
 jrabe (https://github.com/jrabe)
@@ -81,9 +96,6 @@ Rahiel Kasim (https://github.com/rahiel)
         - Mathematica profile
 creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
-curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
-        - dnsmasq profile
 sinkuu (https://github.com/sinkuu)
         - blacklisting kwalletd
         - fix symlink invocation for programs placing symlinks in $PATH
@@ -132,8 +144,6 @@ andrew160 (https://github.com/andrew160)
         - profile and man pages fixes
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
-Matthew Gyurgyik (https://github.com/pyther)
-        - rpm spec and several fixes
 greigdp (https://github.com/greigdp)
         - add Spotify profile
 Mattias Wadman (https://github.com/wader)
diff --git a/README.md b/README.md
index 7f6f573b4..8e68232b0 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 `````
 
 `````
-# Current development version: 0.9.40-rc2
+# Current development version: 0.9.40~rc2
 Version 0.9.40-rc1 released!
 
 ## X11 sandboxing support
@@ -143,8 +143,8 @@ DESCRIPTION
        see DESKTOP INTEGRATION section in man 1 firejail.
 
 OPTIONS
-       --clear
-              Clear all firejail symbolic links
+       --clean
+              Remove all firejail symbolic links
 
        -?, --help
               Print options end exit.
@@ -164,7 +164,7 @@ OPTIONS
        /usr/local/bin/firefox
        /usr/local/bin/vlc
        [...]
-       $ sudo firecfg --clear
+       $ sudo firecfg --clean
        /usr/local/bin/firefox removed
        /usr/local/bin/vlc removed
        [...]
@@ -281,5 +281,6 @@ $ man firejail-profile
 
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
-OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad
+OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
+Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player
 
diff --git a/RELNOTES b/RELNOTES
index fbd620408..2a7e8ca60 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,8 +5,10 @@ firejail (0.9.40-rc1) baseline; urgency=low
   * added --x11=xephyr option
   * added --cpu.print option
   * added filetransfer options --ls and --get
+  * added --writable-etc and --writable-var options
+  * added --read-only option
   * added mkdir, ipc-namespace, and nosound profile commands
-  * added net iface, and iprange profile commands
+  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
   * --version also prints compile options
   * --output option also redirects stderr
   * added compile-time option to restrict --net= to root only
@@ -18,7 +20,9 @@ firejail (0.9.40-rc1) baseline; urgency=low
   * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
   * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
   * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
-  * new profiles: PaleMoon, Icedove, abrowser, 0ad
+  * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
+  * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
+  * new profiles: Aweather, Stellarium, gpredict
   * build rpm packages using "make rpms"
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun, 3 Apr 2016 08:00:00 -0500
diff --git a/configure b/configure
index 73a5c89e6..46e792f64 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc2.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.40~rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.40-rc2'
-PACKAGE_STRING='firejail 0.9.40-rc2'
+PACKAGE_VERSION='0.9.40~rc2'
+PACKAGE_STRING='firejail 0.9.40~rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.40-rc2 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.40~rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1307,7 +1307,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.40-rc2:";;
+     short | recursive ) echo "Configuration of firejail 0.9.40~rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1403,7 +1403,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.40-rc2
+firejail configure 0.9.40~rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.40-rc2, which was
+It was created by firejail $as_me 0.9.40~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.40-rc2, which was
+This file was extended by firejail $as_me 0.9.40~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4238,7 +4238,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.40-rc2
+firejail config.status 0.9.40~rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index a4486b3ff..09b1076c4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.40-rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.40~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/atril.profile b/etc/atril.profile
index e078c1d20..c5b2abc48 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,4 +1,5 @@
 # Atril profile
+noblacklist ~/.config/atril
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -7,6 +8,10 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
-netfilter
+net none
 noroot
 tracelog
+
+mkdir ~/.config
+mkdir ~/.config/atril
+whitelist ~/.config/atril
diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d7f510a7e
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,23 @@
+# Firejail profile for aweather.
+
+# Noblacklist
+noblacklist ~/.config/aweather
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 7bcc61e98..77fa79e11 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,4 +1,6 @@
 # cherrytree note taking application
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python2*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b1133f28f..9faa2aa6a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -26,6 +26,14 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
 
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
@@ -133,3 +141,5 @@ blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7f18aa16f..317ac082f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,9 +5,18 @@ blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ~/.kde/share/apps/okular
+blacklist ~/.kde/share/config/okularrc
+blacklist ~/.kde/share/config/okularpartrc
+blacklist ~/.kde/share/apps/gwenview
+blacklist ~/.kde/share/config/gwenviewrc
 
 # Media players
 blacklist ${HOME}/.config/cmus
@@ -54,6 +63,7 @@ blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.steam
 blacklist ${HOME}/.config/wesnoth
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
 
 # Cryptocoins
 blacklist ${HOME}/.*coin
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..7fe43f1f6
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,17 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+noroot
+netfilter
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..f53cb1b4f
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gpredict.
+
+# Noblacklist
+noblacklist ~/.config/Gpredict
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..d61c57adc
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,19 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+noroot
+nogroups
+private-dev
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
+
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 8f6fd6217..7978960c8 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,5 +1,6 @@
 # HexChat instant messaging profile
 noblacklist ${HOME}/.config/hexchat
+noblacklist /usr/lib/python2*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -8,3 +9,8 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 noroot
+netfilter
+
+mkdir ~/.config
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..26b621126
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,34 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+tracelog
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
+
+
+
diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..7929a8796
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,21 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+noroot
+nogroups
+private-dev
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11
+
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..7cb74eeaa
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Stellarium.
+
+# Noblacklist
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
new file mode 100644
index 000000000..7588da657
--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,19 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index dc8640147..a5ca6d072 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -83,3 +83,11 @@
 /etc/firejail/palemoon.profile
 /etc/firejail/abrowser.profile
 /etc/firejail/0ad.profile
+/etc/firejail/netsurf.profile
+/etc/firejail/warzone2100.profile
+/etc/firejail/okular.profile
+/etc/firejail/gwenview.profile
+/etc/firejail/gpredict.profile
+/etc/firejail/aweather.profile
+/etc/firejail/stellarium.profile
+/etc/firejail/google-play-music-desktop-player.profile
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index e365af2d6..e1799d7a6 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -33,16 +33,21 @@ rm -rf %{buildroot}
 %doc
 %defattr(-, root, root, -)
 %attr(4755, -, -) %{_bindir}/__NAME__
+%{_bindir}/firecfg
 %{_bindir}/firemon
+%{_libdir}/__NAME__/firecfg.config
 %{_libdir}/__NAME__/ftee
 %{_libdir}/__NAME__/fshaper.sh
 %{_libdir}/__NAME__/libtrace.so
 %{_libdir}/__NAME__/libtracelog.so
 %{_datarootdir}/bash-completion/completions/__NAME__
+%{_datarootdir}/bash-completion/completions/firecfg
 %{_datarootdir}/bash-completion/completions/firemon
 %{_docdir}/__NAME__
 %{_mandir}/man1/__NAME__.1.gz
+%{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man5/__NAME__-config.5.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %config %{_sysconfdir}/__NAME__
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c28f8e352..3812ee7d8 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -2,6 +2,13 @@
 # This is the list of programs handled by firecfg utility
 #
 
+# astronomy
+gpredict
+stellarium
+
+# weather/climate
+aweather
+
 # browsers/email
 firefox
 iceweasel
@@ -27,6 +34,7 @@ seamonkey-bin
 vivaldi-beta
 vivaldi
 dillo
+netsurf
 
 # bittorrent/ftp
 deluge
@@ -50,6 +58,8 @@ loweb
 lowriter
 Mathematica
 mathematica
+gwenview
+okular
 
 # Media
 vlc
@@ -72,5 +82,7 @@ quassel
 xchat
 
 # games
+0ad
 hedgewars
 wesnot
+warzone2100
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 70d29a3ed..f0f2aaeb7 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -49,7 +49,7 @@ static void usage(void) {
         printf("   /usr/local/bin/firefox\n");
         printf("   /usr/local/bin/vlc\n");
         printf("   [...]\n");
-        printf("   $ sudo firecfg --clear\n");
+        printf("   $ sudo firecfg --clean\n");
         printf("   /usr/local/bin/firefox removed\n");
         printf("   /usr/local/bin/vlc removed\n");
         printf("   [...]\n");
@@ -79,7 +79,8 @@ static int find(const char *program, const char *directory) {
 static int which(const char *program) {
         // check some well-known paths
         if (find(program, "/bin") || find(program, "/usr/bin") ||
-             find(program, "/sbin") || find(program, "/usr/sbin"))
+             find(program, "/sbin") || find(program, "/usr/sbin") ||
+             find(program, "/usr/games"))
                 return 1;
                 
         // check environment
@@ -268,7 +269,7 @@ static void set(void) {
                 // empty line
                 if (*start == '\0')
                         continue;
-                
+
                 // set link
                 set_file(start, firejail_exec);
         }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 24ea53476..302883310 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -256,6 +256,8 @@ extern int arg_join_network;	// join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice;            // nice value configured
 extern int arg_ipc;             // enable ipc namespace
+extern int arg_writable_etc;    // writable etc
+extern int arg_writable_var;    // writable var
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -566,5 +568,10 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_MAX 8 // this should always be the last entry
 int checkcfg(int val);
 
+// fs_rdwr.c
+void fs_rdwr_add(const char *path);
+void fs_rdwr(void);
+
+
 #endif
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7ee76d096..171b4848c 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -726,7 +726,14 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
         if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+        if (!arg_writable_etc) {
+                fs_rdonly("/etc");
+        }
+        if (!arg_writable_var) {
+                fs_rdonly("/var");
+        }
+        if (arg_debug) printf("\n");
         fs_rdonly("/bin");
         fs_rdonly("/sbin");
         fs_rdonly("/lib");
@@ -734,8 +741,6 @@ void fs_basic_fs(void) {
         fs_rdonly("/lib32");
         fs_rdonly("/libx32");
         fs_rdonly("/usr");
-        fs_rdonly("/etc");
-        fs_rdonly("/var");
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         if (!arg_private_dev)
@@ -750,7 +755,16 @@ void fs_basic_fs(void) {
         // don't leak user information
         restrict_users();
         
-        disable_firejail_config();
+        // when starting as root, firejail config is not disabled;
+        // this mode could be used to install and test new software by chaining
+        // firejail sandboxes (firejail --force)
+        if (getuid() != 0)
+                disable_firejail_config();
+        else
+                fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n");
+                
+        if (getuid() == 0)
+                fs_rdwr();
 }
 
 
@@ -967,13 +981,13 @@ void fs_overlayfs(void) {
         // don't leak user information
         restrict_users();
 
-        // when starting as root in overlay mode, firejail config is not disabled;
+        // when starting as root, firejail config is not disabled;
         // this mode could be used to install and test new software by chaining
         // firejail sandboxes (firejail --force)
         if (getuid() != 0)
                 disable_firejail_config();
         else
-                fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n");
+                fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n");
 
         // cleanup and exit
         free(option);
@@ -1104,7 +1118,13 @@ void fs_chroot(const char *rootdir) {
         // don't leak user information
         restrict_users();
 
-        disable_firejail_config();
+        // when starting as root, firejail config is not disabled;
+        // this mode could be used to install and test new software by chaining
+        // firejail sandboxes (firejail --force)
+        if (getuid() != 0)
+                disable_firejail_config();
+        else
+                fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n");
 }
 #endif
 
diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c
new file mode 100644
index 000000000..68df6465f
--- /dev/null
+++ b/src/firejail/fs_rdwr.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+typedef struct rdwr_t {
+        struct rdwr_t *next;
+        const char *path;
+} RDWR;
+
+RDWR *rdwr = NULL;
+
+void fs_rdwr_add(const char *path) {
+        // verify path
+        if (*path != '/') {
+                fprintf(stderr, "Error: invalid path for read-write command\n");
+                exit(1);
+        }
+        invalid_filename(path);
+        if (is_link(path)) {
+                fprintf(stderr, "Error: invalid symbolic link for read-write command\n");
+                exit(1);
+        }
+        if (strstr(path, "..")) {
+                fprintf(stderr, "Error: invalid path for read-write command\n");
+                exit(1);
+        }
+        
+        // print warning if the file doesn't exist
+        struct stat s;
+        if (stat(path, &s) == -1) {
+                fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path);
+                return;
+        }
+        
+        // build list entry
+        RDWR *r = malloc(sizeof(RDWR));
+        if (!r)
+                errExit("malloc");
+        memset(r, 0, sizeof(RDWR));
+        r->path = path;
+        
+        // add
+        r->next = rdwr;
+        rdwr = r;
+}
+
+static void mount_rdwr(const char *path) {
+        assert(path);
+        // check directory exists
+        struct stat s;
+        int rv = stat(path, &s);
+        if (rv == 0) {
+                // mount --bind /bin /bin
+                if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                // mount --bind -o remount,rw /bin
+                if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                fs_logger2("read-write", path);
+        }
+}
+
+void fs_rdwr(void) {
+        RDWR *ptr = rdwr;
+        
+        while (ptr) {
+                mount_rdwr(ptr->path);
+                ptr = ptr->next;
+        }
+}
+
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bdf960b96..54b9c05f0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -96,6 +96,8 @@ int arg_join_network = 0;			// join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
 int arg_nice = 0;                               // nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
+int arg_writable_etc = 0;                       // writable etc
+int arg_writable_var = 0;                       // writable var
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1095,6 +1097,14 @@ int main(int argc, char **argv) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strncmp(argv[i], "--read-write=", 13) == 0) {
+                        char *line;
+                        if (asprintf(&line, "read-write %s", argv[i] + 13) == -1)
+                                errExit("asprintf");
+                        
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        // profile_add(line); is not necessary
+                }
                 else if (strcmp(argv[i], "--overlay") == 0) {
                         if (cfg.chrootdir) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
@@ -1154,23 +1164,27 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
                                 exit(1);
                         }
-                        invalid_filename(argv[i] + 10);
+                        
+                        char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+                        if (!ppath)
+                                errExit("strdup");
+                        invalid_filename(ppath);
                         
                         // multiple profile files are allowed!
-                        char *ptr = argv[i] + 10;
-                        if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) {
+                        if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
                                 fprintf(stderr, "Error: invalid profile file\n");
                                 exit(1);
                         }
                         
                         // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(argv[i] + 10, R_OK)) {
+                        if (access(ppath, R_OK)) {
                                 fprintf(stderr, "Error: cannot access profile file\n");
                                 return 1;
                         }
 
-                        profile_read(argv[i] + 10);
+                        profile_read(ppath);
                         custom_profile = 1;
+                        free(ppath);
                 }
                 else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
                         if (arg_noprofile) {
@@ -1268,6 +1282,24 @@ int main(int argc, char **argv) {
 
                 }
 #endif
+                else if (strcmp(argv[i], "--writable-etc") == 0) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --writable-etc is available only for root user\n");
+                                exit(1);
+                        }
+                        if (cfg.etc_private_keep) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        arg_writable_etc = 1;
+                }
+                else if (strcmp(argv[i], "--writable-var") == 0) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --writable-var is available only for root user\n");
+                                exit(1);
+                        }
+                        arg_writable_var = 1;
+                }
                 else if (strcmp(argv[i], "--private") == 0)
                         arg_private = 1;
                 else if (strncmp(argv[i], "--private=", 10) == 0) {
@@ -1284,6 +1316,11 @@ int main(int argc, char **argv) {
                         arg_private_dev = 1;
                 }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        
                         // extract private etc list
                         cfg.etc_private_keep = argv[i] + 14;
                         if (*cfg.etc_private_keep == '\0') {
@@ -1522,17 +1559,17 @@ int main(int argc, char **argv) {
                                 Bridge *br = last_bridge_configured();
                                 if (br == NULL) {
                                         fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                 }
                                 if (mac_not_zero(br->macsandbox)) {
                                         fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                 }
         
                                 // read the address
                                 if (atomac(argv[i] + 6, br->macsandbox)) {
                                         fprintf(stderr, "Error: invalid MAC address\n");
-                                        return 1;
+                                        exit(1);
                                 }
                         }
                         else {
@@ -1546,12 +1583,12 @@ int main(int argc, char **argv) {
                                 Bridge *br = last_bridge_configured();
                                 if (br == NULL) {
                                         fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                 }
         
                                 if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
                                         fprintf(stderr, "Error: invalid mtu value\n");
-                                        return 1;
+                                        exit(1);
                                 }
                         }
                         else {
@@ -1565,11 +1602,11 @@ int main(int argc, char **argv) {
                                 Bridge *br = last_bridge_configured();
                                 if (br == NULL) {
                                         fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                 }
                                 if (br->arg_ip_none || br->ipsandbox) {
                                         fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                 }
         
                                 // configure this IP address for the last bridge defined
@@ -1578,7 +1615,7 @@ int main(int argc, char **argv) {
                                 else {
                                         if (atoip(argv[i] + 5, &br->ipsandbox)) {
                                                 fprintf(stderr, "Error: invalid IP address\n");
-                                                return 1;
+                                                exit(1);
                                         }
                                 }
                         }
@@ -1593,11 +1630,11 @@ int main(int argc, char **argv) {
                                 Bridge *br = last_bridge_configured();
                                 if (br == NULL) {
                                         fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                 }
                                 if (br->arg_ip_none || br->ip6sandbox) {
                                         fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                 }
         
                                 // configure this IP address for the last bridge defined
@@ -1605,7 +1642,7 @@ int main(int argc, char **argv) {
                                 br->ip6sandbox = argv[i] + 6;
 //                              if (atoip(argv[i] + 5, &br->ipsandbox)) {
 //                                      fprintf(stderr, "Error: invalid IP address\n");
-//                                      return 1;
+//                                      exit(1);
 //                              }
                         }
                         else {
@@ -1619,7 +1656,7 @@ int main(int argc, char **argv) {
                         if (checkcfg(CFG_NETWORK)) {
                                 if (atoip(argv[i] + 12, &cfg.defaultgw)) {
                                         fprintf(stderr, "Error: invalid IP address\n");
-                                        return 1;
+                                        exit(1);
                                 }
                         }
                         else {
@@ -2084,8 +2121,10 @@ int main(int argc, char **argv) {
         close(parent_to_child_fds[1]);
  
         EUID_ROOT();
-        if (lockfd != -1)
+        if (lockfd != -1) {
                 flock(lockfd, LOCK_UN);
+                close(lockfd);
+        }
 
         // create name file under /run/firejail
         
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 6ded0ca2f..d358594d9 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -319,7 +319,126 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
-        
+
+// from here
+        else if (strncmp(ptr, "mac ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (mac_not_zero(br->macsandbox)) {
+                                fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // read the address
+                        if (atomac(ptr + 4, br->macsandbox)) {
+                                fprintf(stderr, "Error: invalid MAC address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "mtu ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
+                                fprintf(stderr, "Error: invalid mtu value\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "ip ", 3) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ipsandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // configure this IP address for the last bridge defined
+                        if (strcmp(ptr + 3, "none") == 0)
+                                br->arg_ip_none = 1;
+                        else {
+                                if (atoip(ptr + 3, &br->ipsandbox)) {
+                                        fprintf(stderr, "Error: invalid IP address\n");
+                                        exit(1);
+                                }
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "ip6 ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ip6sandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // configure this IP address for the last bridge defined
+                        // todo: verify ipv6 syntax
+                        br->ip6sandbox = ptr + 4;
+//                      if (atoip(argv[i] + 5, &br->ipsandbox)) {
+//                              fprintf(stderr, "Error: invalid IP address\n");
+//                              exit(1);
+//                      }
+                        
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "defaultgw ", 10) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (atoip(ptr + 10, &cfg.defaultgw)) {
+                                fprintf(stderr, "Error: invalid IP address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
         if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
@@ -451,6 +570,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         
+        // writable-etc
+        if (strcmp(ptr, "writable-etc") == 0) {
+                if (getuid() != 0) {
+                        fprintf(stderr, "Error: writable-etc is available only for root user\n");
+                        exit(1);
+                }
+                if (cfg.etc_private_keep) {
+                        fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
+                arg_writable_etc = 1;
+                return 0;
+        }
+        
+        // writable-var
+        if (strcmp(ptr, "writable-var") == 0) {
+                if (getuid() != 0) {
+                        fprintf(stderr, "Error: writable-var is available only for root user\n");
+                        exit(1);
+                }
+                arg_writable_var = 1;
+                return 0;
+        }
+        
         // private directory
         if (strncmp(ptr, "private ", 8) == 0) {
                 cfg.home_private = ptr + 8;
@@ -461,6 +604,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
+                if (arg_writable_etc) {
+                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
                 cfg.etc_private_keep = ptr + 12;
                 fs_check_etc_list();
                 if (*cfg.etc_private_keep != '\0')
@@ -569,6 +716,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;               
         }
 
+        // read-write
+        if (strncmp(ptr, "read-write ", 11) == 0) {
+                if (getuid() != 0) {
+                        fprintf(stderr, "Error: read-write command is available only for root user\n");
+                        exit(1);
+                }
+                fs_rdwr_add(ptr + 11);
+                return 0;
+        }
+
         // rest of filesystem
         if (strncmp(ptr, "blacklist ", 10) == 0)
                 ptr += 10;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 539785f21..8c738a0fc 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -209,6 +209,7 @@ void usage(void) {
         printf("\tcreated for the real user ID of the calling process.\n\n");
         printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
         printf("\tfor a process.\n\n");
+        printf("    --read-write=dirname_or_filename - set directory or file read-write..\n\n");
 #ifdef HAVE_NETWORK     
         printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
         printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
@@ -246,6 +247,12 @@ void usage(void) {
         printf("    --user=new_user - switch the user before starting the sandbox.\n\n");
         printf("    --version - print program version and exit.\n\n");
         printf("    --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
+        
+        printf("    --writable-etc - /etc directory is mounted read-write. This option is\n");
+        printf("\tavailable only when running the sandbox as root user.\n\n");
+        printf("    --writable-var - /var directory is mounted read-write. This option is\n");
+        printf("\tavailable only when running the sandbox as root user.\n\n");
+        
         printf("    --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
         printf("\tthen it checks if Xephyr is installed.\n\n");
         printf("    --x11=xpra - enable Xpra X11 server.\n\n");
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index ef1095a49..985ca9337 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -170,7 +170,7 @@ void x11_start_xephyr(int argc, char **argv) {
 
         // unfortunately, xephyr does a number of weird things when started by root user!!!
         if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                 exit(1);
         }
 
@@ -292,7 +292,7 @@ void x11_start_xpra(int argc, char **argv) {
 
         // unfortunately, xpra does a number of weird things when started by root user!!!
         if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                 exit(1);
         }
 
@@ -410,7 +410,7 @@ void x11_start(int argc, char **argv) {
 
         // unfortunately, xpra does a number of weird things when started by root user!!!
         if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                 exit(1);
         }
 
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 89e4202bd..0ff0dd33d 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -26,6 +26,10 @@
 
 #define MAXBUF 4096
 
+// ip -s link: device stats
+// ss -s: socket stats
+
+
 static char *get_header(void) {
         char *rv;
         if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index decc1af73..e2e4229b0 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -48,7 +48,7 @@ $ firecfg --list
 .br
 [...]
 .br
-$ sudo firecfg --clear
+$ sudo firecfg --clean
 .br
 /usr/local/bin/firefox removed
 .br
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9045c1122..19063f5ef 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 
 .TP
-\fBread-only file_or_directory
-Make directory or file read-only.
-.TP
-\fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
-.TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
@@ -135,8 +129,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \fBmkdir directory
-Create a directory in user home. Use this command for whitelisted directories you need to preserve
-when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+Create a directory in user home before the sandbox is started.
+The directory is created if it doesn't already exist.
+.br
+
+.br
+Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Without it, the application will create the directory, and the directory
+will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
 firefox profile:
 .br
 
@@ -176,13 +176,30 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory.
 .TP
+\fBread-only file_or_directory
+Make directory or file read-only.
+.TP
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.TP
+\fBtracelog
+Blacklist violations logged to syslog.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
 .TP
-\fBtracelog
-Blacklist violations logged to syslog.
+\fBwritable-etc
+Mount /etc directory read-write. This option is  available  only
+when running the sandbox as root user.
+.TP
+\fBwritable-var
+Mount /var directory read-write. This option is  available  only
+when running the sandbox as root user.
 .SH Security filters
 The following security filters are currently implemented:
 
@@ -284,9 +301,15 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+
 .SH Networking
 Networking features available in profile files.
 
+.TP
+\fBdefaultgw address
+Use this address as default gateway in the new network namespace.
+
+.TP
 \fBdns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 
@@ -295,6 +318,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Set a hostname for the sandbox.
 
 .TP
+\fBip address
+Assign IP addresses to the last network interface defined by a net command. A
+default gateway is assigned by default.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip 10.10.20.56
+
+.TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+
+.TP
+\fBip6 address
+Assign IPv6 addresses to the last network interface defined by a net command.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip6 2001:0db8:0:f101::1/64
+
+.TP
 \fBiprange address,address
 Assign  an  IP address in the provided range to the last network
 interface defined by  a  net command.  A  default  gateway  is assigned by default.
@@ -311,6 +373,16 @@ iprange 192.168.1.150,192.168.1.160
 .br
 
 .TP
+\fBmac address
+Assign MAC addresses to the last network interface defined by a net command.
+
+.TP
+\fBmtu number
+Assign a MTU value to the last network interface defined by a net command.
+
+
+
+.TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 23db832c1..19415a332 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 
 .SH USAGE
-Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
-and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
-The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
-Only /home and /tmp are writable.
+Without any options, the sandbox consists of a filesystem build in a new mount namespace,
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
+command line options. The default Firejail filesystem is based on the host filesystem with the main 
+system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, 
+/libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -194,7 +195,8 @@ Example:
 
 .TP
 \fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. If the sandbox is started as a
+Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. If the sandbox is started as a
 regular user, default seccomp and capabilities filters are enabled. This
 option is not available on Grsecurity systems.
 .br
@@ -946,7 +948,8 @@ $ ls -l sandboxlog*
 
 .TP
 \fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
 The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
 
@@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of
 .TP
 \fB\-\-rlimit-sigpending=number
 Set the maximum number of pending signals for a process.
+
+.TP
+\fB\-\-read-write=dirname_or_filename
+By default, the sandbox mounts system directories read-only.
+These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+Use this option to mount read-write files or directories inside the system directories.
+
+This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+cases the system directories are mounted read-write.
+
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -1462,6 +1475,27 @@ $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 
 .TP
+\fB\-\-writable-etc
+Mount /etc directory read-write. This option is available only when running the sandbox as root user.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-etc
+
+.TP
+\fB\-\-writable-var
+Mount /var directory read-write. This option is available only when running the sandbox as root user.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var
+
+
+.TP
 \fB\-\-x11
 Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
 The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
diff --git a/test/test-apps.sh b/test/apps/apps.sh
index 5ada20549..ff561ef31 100755
--- a/test/test-apps.sh
+++ b/test/apps/apps.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
 
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
 which firefox
 if [ "$?" -eq 0 ];
 then
@@ -27,15 +30,6 @@ else
         echo "TESTING: chromium not found"
 fi
 
-which google-chrome
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: google-chrome"
-        ./chromium.exp
-else
-        echo "TESTING: google-chrome not found"
-fi
-
 which opera
 if [ "$?" -eq 0 ];
 then
diff --git a/test/chromium.exp b/test/apps/chromium.exp
index 676f7e314..676f7e314 100755
--- a/test/chromium.exp
+++ b/test/apps/chromium.exp
diff --git a/test/deluge.exp b/test/apps/deluge.exp
index 9f5063495..9f5063495 100755
--- a/test/deluge.exp
+++ b/test/apps/deluge.exp
diff --git a/test/evince.exp b/test/apps/evince.exp
index 3c3ad4bdd..3c3ad4bdd 100755
--- a/test/evince.exp
+++ b/test/apps/evince.exp
diff --git a/test/fbreader.exp b/test/apps/fbreader.exp
index d2bee880e..d2bee880e 100755
--- a/test/fbreader.exp
+++ b/test/apps/fbreader.exp
diff --git a/test/firefox.exp b/test/apps/firefox.exp
index 2585e4b5c..2585e4b5c 100755
--- a/test/firefox.exp
+++ b/test/apps/firefox.exp
diff --git a/test/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp
index 6965322fc..6965322fc 100755
--- a/test/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
diff --git a/test/hexchat.exp b/test/apps/hexchat.exp
index 7e99c8cdf..7e99c8cdf 100755
--- a/test/hexchat.exp
+++ b/test/apps/hexchat.exp
diff --git a/test/icedove.exp b/test/apps/icedove.exp
index 344febb93..344febb93 100755
--- a/test/icedove.exp
+++ b/test/apps/icedove.exp
diff --git a/test/midori.exp b/test/apps/midori.exp
index 470f5de77..470f5de77 100755
--- a/test/midori.exp
+++ b/test/apps/midori.exp
diff --git a/test/opera.exp b/test/apps/opera.exp
index 23eed5504..23eed5504 100755
--- a/test/opera.exp
+++ b/test/apps/opera.exp
diff --git a/test/transmission-gtk.exp b/test/apps/transmission-gtk.exp
index 1acfc6f94..1acfc6f94 100755
--- a/test/transmission-gtk.exp
+++ b/test/apps/transmission-gtk.exp
diff --git a/test/transmission-qt.exp b/test/apps/transmission-qt.exp
index 944fd28a2..944fd28a2 100755
--- a/test/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
diff --git a/test/vlc.exp b/test/apps/vlc.exp
index 290c0fc2f..290c0fc2f 100755
--- a/test/vlc.exp
+++ b/test/apps/vlc.exp
diff --git a/test/weechat.exp b/test/apps/weechat.exp
index 630af55ee..630af55ee 100755
--- a/test/weechat.exp
+++ b/test/apps/weechat.exp
diff --git a/test/wine.exp b/test/apps/wine.exp
index f5b7d12b4..f5b7d12b4 100755
--- a/test/wine.exp
+++ b/test/apps/wine.exp
diff --git a/test/xchat.exp b/test/apps/xchat.exp
index cde89d754..cde89d754 100755
--- a/test/xchat.exp
+++ b/test/apps/xchat.exp
diff --git a/test/icedove-x11.exp b/test/icedove-x11.exp
new file mode 100755
index 000000000..6f8eee90d
--- /dev/null
+++ b/test/icedove-x11.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0 --x11 icedove\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/net-profile.profile b/test/net-profile.profile
new file mode 100644
index 000000000..05052b6dc
--- /dev/null
+++ b/test/net-profile.profile
@@ -0,0 +1,10 @@
+net br0
+mac 00:11:22:33:44:55
+mtu 1000
+net br1
+ip 10.10.30.50
+net br2
+ip 10.10.40.100
+net br3
+defaultgw 10.10.20.2
+
diff --git a/test/net_profile.exp b/test/net_profile.exp
new file mode 100755
index 000000000..37043c906
--- /dev/null
+++ b/test/net_profile.exp
@@ -0,0 +1,73 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check eth0
+send -- "firejail --profile=net-profile.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0.0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "10.10.20"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "255.255.255.248"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.0/24 dev eth1  proto kernel  scope link  src 10.10.30.50"
+}
+
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "10.10.40.0/24 dev eth2  proto kernel  scope link  src 10.10.40.100"
+}
+
+
+# check default gw
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "default via 10.10.20.2 dev eth0"
+}
+
+# check mtu
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mtu 1000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "state UP"
+}
+
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 559947276..ecad1043b 100755
--- a/test/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 96e85ba93..ba83731be 100755
--- a/test/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
new file mode 100755
index 000000000..a20ed5432
--- /dev/null
+++ b/test/profiles/profiles.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: default profiles installed in /etc"
+PROFILES=`ls /etc/firejail/*.profile`
+for PROFILE in $PROFILES
+do
+        echo "TESTING: $PROFILE"
+        ./test-profile.exp $PROFILE
+done
+
+echo "TESTING: profile syntax (profiles/profile_syntax.exp)"
+./profile_syntax.exp
+
+echo "TESTING: profile syntax 2 (profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+
diff --git a/test/test-profile.exp b/test/profiles/test-profile.exp
index a03e8db31..590b42652 100755
--- a/test/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/test.profile b/test/profiles/test.profile
index 1d69cc960..1d69cc960 100644
--- a/test/test.profile
+++ b/test/profiles/test.profile
diff --git a/test/test2.profile b/test/profiles/test2.profile
index d7e1a1f21..d7e1a1f21 100644
--- a/test/test2.profile
+++ b/test/profiles/test2.profile
diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh
index 6521fa2b0..93d984501 100755
--- a/test/test-apps-x11.sh
+++ b/test/test-apps-x11.sh
@@ -1,5 +1,14 @@
 #!/bin/bash
 
+which xterm
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xterm x11"
+        ./xterm-x11.exp
+else
+        echo "TESTING: xterm not found"
+fi
+
 which firefox
 if [ "$?" -eq 0 ];
 then
@@ -22,8 +31,17 @@ which transmission-gtk
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: transmission-gtk x11"
-        ./transmission-gtk.exp
+        ./transmission-gtk-x11.exp
 else
         echo "TESTING: transmission-gtk not found"
 fi
 
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11"
+        ./icedove-x11.exp
+else
+        echo "TESTING: chromium not found"
+fi
+
diff --git a/test/test-profiles.sh b/test/test-profiles.sh
deleted file mode 100755
index d9142885b..000000000
--- a/test/test-profiles.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
-        echo "TESTING: $PROFILE"
-        ./test-profile.exp $PROFILE
-done
-
diff --git a/test/test.sh b/test/test.sh
index c6fe4f299..1204d8208 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -2,14 +2,15 @@
 
 ./chk_config.exp
 
-./test-profiles.sh
-
 ./fscheck.sh
 
 echo "TESTING: cpu.print (cpu-print.exp)"
 echo "TESTING:    failing under VirtualBox where there is only one CPU"
 ./cpu-print.exp
 
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+
 echo "TESTING: bandwidth (bandwidth.exp)"
 ./bandwidth.exp
 
@@ -205,7 +206,6 @@ else
         echo "TESTING: dash not found"
 fi
 
-./test-apps.sh
 ./test-apps-x11.sh
 
 echo "TESTING: PID (pid.exp)"
@@ -217,12 +217,6 @@ echo "TESTING: output (output.exp)"
 echo "TESTING: profile no permissions (profile_noperm.exp)"
 ./profile_noperm.exp
 
-echo "TESTING: profile syntax (profile_syntax.exp)"
-./profile_syntax.exp
-
-echo "TESTING: profile syntax 2 (profile_syntax2.exp)"
-./profile_syntax2.exp
-
 echo "TESTING: profile rlimit (profile_rlimit.exp)"
 ./profile_rlimit.exp
 
diff --git a/test/xterm-x11.exp b/test/xterm-x11.exp
new file mode 100755
index 000000000..592f77659
--- /dev/null
+++ b/test/xterm-x11.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0 --x11 xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/todo b/todo
index da732be9f..56cc3dc0b 100644
--- a/todo
+++ b/todo
@@ -74,11 +74,11 @@ CapEff:	0000000000000000
 CapBnd: 0000003fffffffff
 CapAmb: 0000000000000000
 
-11. cleanup thunderbird profile - disable-common was commented out
-
-12. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
+11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
 Seccomp lists:
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
 
-13. check for --chroot why .config/pulse dir is not created
+12. check for --chroot why .config/pulse dir is not created
+
+13. print error line number for profile files in  profile_check_line()