42 files changed, 695 insertions, 248 deletions

diff --git a/Makefile.in b/Makefile.in
index 8251f9882..fb6460dfd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -91,6 +91,10 @@ realinstall:
         install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
         # documents
         install -m 0755 -d $(DESTDIR)/$(DOCDIR)
         install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@@ -158,7 +162,7 @@ uninstall:
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
         
-DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
+DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
 
 dist:
diff --git a/README b/README
index 751480868..67d9a555f 100644
--- a/README
+++ b/README
@@ -97,6 +97,14 @@ valoq (https://github.com/valoq)
         - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
         - added wget profile
         - disable gnupg and systemd directories under /run/user
+Mike Frysinger (vapier@gentoo.org)
+        - Gentoo compile patch
+Jericho (https://github.com/attritionorg)
+        - spelling
+Pixel Fairy (https://github.com/xahare)
+        - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
+pshpsh (https://github.com/pshpsh)
+        - added FossaMail profile
 eventyrer (https://github.com/eventyrer)
         - update gnome-mplayer.profile
 thewisenerd (https://github.com/thewisenerd)
@@ -104,10 +112,11 @@ thewisenerd (https://github.com/thewisenerd)
         - use $SHELL variable if the shell is not specified
 SYN-cook (https://github.com/SYN-cook)
         - keepass/keepassx browser fixes
+        - disable-common.inc fixes
 thewisenerd (https://github.com/thewisenerd)
         - appimage: pass commandline arguments
 KOLANICH (https://github.com/KOLANICH)
-        - added symlink fixer
+        - added symlink fixer fix_private-bin.py in contrib section
 Jesse Smith (https://github.com/slicer69)
         - added QupZilla profile
 Lari Rauno (https://github.com/tuutti)
@@ -213,6 +222,8 @@ KellerFuchs (https://github.com/KellerFuchs)
         - nonewpriv support, extended profiles for this feature
         - make `restricted-network` prevent use of netfilter
         - disable-common.inc additions
+        - make mutt and msmtp's rc files read-only
+        - added support for .local profile files in /etc/firejail
 ValdikSS (https://github.com/ValdikSS)
         - Psi+, Corebird, Konversation profiles
         - various profile fixes
@@ -292,6 +303,7 @@ Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
+        - evolution profile fix
 pirate486743186 (https://github.com/pirate486743186)
         - KMail profile
 Kaan Genç (https://github.com/SeriousBug)
diff --git a/README.md b/README.md
index 9057a9a88..f4fa7282f 100644
--- a/README.md
+++ b/README.md
@@ -98,5 +98,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-
 goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
 simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
 xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
-PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla
+PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail
 
diff --git a/RELNOTES b/RELNOTES
index 2d57b1a88..7d0bbaf61 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,11 +1,18 @@
 firejail (0.9.45) baseline; urgency=low
   * development version, work in progress
-  * security: overwrite /etc/resolv.conf found by Martin Carpenter
-  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
-  * security: invalid environment exploit found by Martin Carpenter
+  * Gentoo compile patch
+  * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
+  * security: disabled --allow-debuggers when running on kernel
+    versions prior to 4.8; a kernel bug in ptrace system call
+    allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
+    (CVE-2017-5206)
+  * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
+  * security: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
   * security: split most of networking code in a separate executable
   * security: split seccomp filter code configuration in a separate executable
   * security: split file copying in private option in a separate executable
+  * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
   * feature: disable gnupg and systemd directories under /run/user
   * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
   * feature: AppImage type 2 support
@@ -16,16 +23,19 @@ firejail (0.9.45) baseline; urgency=low
   * feature: config support for firejail prompt in terminals
   * feature: pass command line arguments to appimages
   * feature: --allow-private-blacklist option
+  * feature: allow non-seccomp setup for OverlayFS sandboxes
+  * feature: added a number o Python scripts for handling sandboxes
+  * feature: allow local customization using .local files under /etc/firejail
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
   * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
-  * new profies: Xonotic, wireshark, keepassx2, QupZilla
+  * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
 
 firejail (0.9.44) baseline; urgency=low
-  * CVE-2016-7545 submitted by Aleksey Manevich
+  * CVE-2016-9016 submitted by Aleksey Manevich
   * modifs: removed man firejail-config
   * modifs: --private-tmp whitelists /tmp/.X11-unix directory
   * modifs: Nvidia drivers added to --private-dev
@@ -142,11 +152,12 @@ firejail (0.9.38) baseline; urgency=low
   * added KMail, Seamonkey, Telegram, Mathematica, uGet,
   *   and mupen64plus profiles
   * --chroot in user mode allowed only if seccomp support is available
-  *   in current Linux kernel
+  *   in current Linux kernel (CVE-2016-10123)
   * deprecated --private-home feature
   * the first protocol list installed takes precedence
-  * --tmpfs option allowed only running as root
+  * --tmpfs option allowed only running as root (CVE-2016-10117)
   * added --private-tmp option
+  * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 2 Feb 2016 10:00:00 -0500
 
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
new file mode 100755
index 000000000..270c758a2
--- /dev/null
+++ b/contrib/fix_private-bin.py
@@ -0,0 +1,157 @@
+#!/usr/bin/python3
+
+__author__ = "KOLANICH"
+__copyright__ = """This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>"""
+__license__ = "Unlicense"
+
+import sys, os, glob, re
+
+privRx=re.compile("^(?:#\s*)?private-bin")
+
+def fixSymlinkedBins(files, replMap):
+        """
+        Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap
+        replMap is a dict where key is the marker filename and value is the filename to add
+        """
+        
+        rxs=dict()
+        for (old,new) in replMap.items():
+                rxs[old]=re.compile("\\b"+old+"\\b")
+                rxs[new]=re.compile("\\b"+new+"\\b")
+        #print(rxs)
+        
+        for filename in files:
+                lines=None
+                with open(filename,"r") as file:
+                        lines=file.readlines()
+                
+                shouldUpdate=False
+                for (i,line) in enumerate(lines):
+                        if privRx.search(line):
+                                for (old,new) in replMap.items():
+                                        if rxs[old].search(line) and not rxs[new].search(line):
+                                                lines[i]=rxs[old].sub(old+","+new, line)
+                                                shouldUpdate=True
+                                                print(lines[i])
+                
+                if shouldUpdate:
+                        with open(filename,"w") as file:
+                                file.writelines(lines)
+                        pass
+
+def createSetOfBinaries(files):
+        """
+        Creates a set of binaries mentioned in private-bin directives of files.
+        """
+        s=set()
+        for filename in files:
+                lines=None
+                with open(filename,"r") as file:
+                        for line in file:
+                                if privRx.search(line):
+                                        bins=line.split(",")
+                                        bins[0]=bins[0].split(" ")[-1]
+                                        bins = [n.strip() for n in bins]
+                                        s=s|set(bins)
+        return s
+
+def createSymlinkTable(binDirs, binariesSet):
+        """
+        creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary.
+        binDirs are folders to look into for binaries symlinks
+        binariesSet is a set of binaries to be checked if they are actually a symlinks
+        """
+        m=dict()
+        toProcess=binariesSet
+        while len(toProcess)!=0:
+                additional=set()
+                for sh in toProcess:
+                        for bD in binDirs:
+                                p=bD+os.path.sep+sh
+                                if os.path.exists(p):
+                                        if os.path.islink(p):
+                                                m[sh]=os.readlink(p)
+                                                additional.add(m[sh].split(" ")[0])
+                                        else:
+                                                pass
+                                        break
+                toProcess=additional
+        return m
+
+def doTheFixes(profilesPath, binDirs):
+        """
+        Fixes private-bin in .profiles for firejail. The pipeline is as follows:
+        discover files -> discover mentioned binaries ->
+        discover the ones which are symlinks ->
+        make a look-up table for fix ->
+        filter the ones can be fixed (we cannot fix the ones which are not in directories for binaries) ->
+        apply fix
+        """
+        files=glob.glob(profilesPath+os.path.sep+"*.profile")
+        bins=createSetOfBinaries(files)
+        #print("The binaries used are:")
+        #print(bins)
+        stbl=createSymlinkTable(binDirs,bins)
+        print("The replacement table is:")
+        print(stbl)
+        stbl={a[0]:a[1] for a in stbl.items() if a[0].find(os.path.sep) < 0 and a[1].find(os.path.sep)<0}
+        print("Filtered replacement table is:")
+        print(stbl)
+        fixSymlinkedBins(files,stbl)
+
+def printHelp():
+        print("python3 "+os.path.basename(__file__)+" <dir with .profile files>\nThe default dir is "+defaultProfilesPath+"\n"+doTheFixes.__doc__)
+
+def main():
+        """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
+        print(repr(sys.argv))
+        defaultProfilesPath="../etc"
+        if len(sys.argv)>2 or (len(sys.argv)==2 and (sys.argv[1] == '-h' or sys.argv[1] == '--help') ):
+                printHelp()
+                exit(1)
+        
+        profilesPath=None
+        if len(sys.argv)==2:
+                if os.path.isdir(sys.argv[1]):
+                        profilesPath=os.path.abspath(sys.argv[1])
+                else:
+                        if os.path.exists(sys.argv[1]):
+                                print(sys.argv[1]+" is not a dir")
+                        else:
+                                print(sys.argv[1]+" does not exist")
+                        printHelp()
+                        exit(1)
+        else:
+                print("Using default profiles dir: " + defaultProfilesPath)
+                profilesPath=defaultProfilesPath
+
+        binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"]
+        print("Binaries dirs are:")
+        print(binDirs)
+        doTheFixes(profilesPath, binDirs)
+
+if __name__ == "__main__":
+        main()
diff --git a/contrib/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py
deleted file mode 100644
index 705e46e46..000000000
--- a/contrib/fix_private-bin_for_symlinked_sh.py
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/python3
-
-import sys, os, glob, re
-
-privRx=re.compile("^(?:#\s*)?private-bin")
-
-def fixSymlinkedBins(files, replMap):
-        rxs=dict()
-        for (old,new) in replMap.items():
-                rxs[old]=re.compile("\\b"+old+"\\b")
-                rxs[new]=re.compile("\\b"+new+"\\b")
-        print(rxs)
-        
-        for filename in files:
-                lines=None
-                with open(filename,"r") as file:
-                        lines=file.readlines()
-                
-                shouldUpdate=False
-                for (i,line) in enumerate(lines):
-                        if privRx.search(line):
-                                for (old,new) in replMap.items():
-                                        if rxs[old].search(line) and not rxs[new].search(line):
-                                                lines[i]=rxs[old].sub(old+","+new, line)
-                                                shouldUpdate=True
-                                                print(lines[i])
-                
-                if shouldUpdate:
-                        with open(filename,"w") as file:
-                                file.writelines(lines)
-                                pass
-
-def createListOfBinaries(files):
-        s=set()
-        for filename in files:
-                lines=None
-                with open(filename,"r") as file:
-                        for line in file:
-                                if privRx.search(line):
-                                        bins=line.split(",")
-                                        bins[0]=bins[0].split(" ")[-1]
-                                        bins = [n.strip() for n in bins]
-                                        s=s|set(bins)
-        return s
-
-def createSymlinkTable(binDirs, binariesSet):
-        m=dict()
-        for sh in binariesSet:
-                for bD in binDirs:
-                        p=bD+os.path.sep+sh
-                        if os.path.exists(p):
-                                if os.path.islink(p):
-                                        m[sh]=os.readlink(p)
-                                else:
-                                        pass
-                                break
-        return m
-
-
-sh="sh"
-binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"]
-profilesPath="."
-files=glob.glob(profilesPath+os.path.sep+"*.profile")
-
-bins=createListOfBinaries(files)
-stbl=createSymlinkTable(binDirs,bins)
-print(stbl)
-fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0})
diff --git a/contrib/fjclip.py b/contrib/fjclip.py
new file mode 100755
index 000000000..cd12cd289
--- /dev/null
+++ b/contrib/fjclip.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+
+import re
+import sys
+import subprocess
+import fjdisplay
+
+usage = """fjclip.py src dest. src or dest can be named firejails or - for stdin or stdout.
+firemon --x11 to see available running x11 firejails. firejail names can be shortened
+to least ambiguous. for example 'work-libreoffice' can be shortened to 'work' if no
+other firejails name starts with 'work'.
+warning: browsers are dangerous. clipboards from browsers are dangerous.  see
+https://github.com/dxa4481/Pastejacking 
+fjclip.py strips whitespace from both
+ends, but does nothing else to protect you.  use a simple gui text editor like
+gedit if you want to see what your pasting.""" 
+
+if len(sys.argv) != 3 or sys.argv == '-h' or sys.argv == '--help':
+    print(usage)
+    exit(1)
+
+if sys.argv[1] == '-':
+    clipin_raw = sys.stdin.read()
+else:
+    display = fjdisplay.getdisplay(sys.argv[1])
+    clipin_raw = subprocess.check_output(['xsel','-b','--display',display])
+
+clipin = clipin_raw.strip()
+
+if sys.argv[2] == '-':
+    print(clipin)
+else:
+    display = fjdisplay.getdisplay(sys.argv[2])
+    clipout = subprocess.Popen(['xsel','-b','-i','--display',display],stdin=subprocess.PIPE)
+    clipout.communicate(clipin)
\ No newline at end of file
diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py
new file mode 100755
index 000000000..0e0ef01ec
--- /dev/null
+++ b/contrib/fjdisplay.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+import re
+import sys
+import subprocess
+
+usage = """fjdisplay.py name-of-firejail
+returns the display in the form of ':NNN'
+"""
+
+def getfirejails():
+    output = subprocess.check_output(['firemon','--x11'])
+    firejails = {}
+    name = ''
+    for line in output.split('\n'):
+        namematch = re.search('--name=(\w+\S*)',line)
+        if namematch:
+          name = namematch.group(1)
+        displaymatch = re.search('DISPLAY (:\d+)',line) 
+        if displaymatch:
+          firejails[name] = displaymatch.group(1)
+    return firejails
+
+def getdisplay(name):
+    firejails = getfirejails()
+    fjlist = '\n'.join(firejails.keys())
+    namere = re.compile('^'+name+'.*', re.MULTILINE)
+    matchingjails = namere.findall(fjlist)
+    if len(matchingjails) == 1:
+        return firejails[matchingjails[0]]
+    if len(matchingjails) == 0:
+        raise NameError("firejail {} does not exist".format(name))
+    else:
+        raise NameError("ambiguous firejail name")
+
+if __name__ == '__main__':
+    if '-h' in sys.argv or '--help' in sys.argv or len(sys.argv) > 2:
+        print(usage)
+        exit()
+    if len(sys.argv) == 1:
+        print(getfirejails())
+    if len(sys.argv) == 2:
+        print (getdisplay(sys.argv[1]))
\ No newline at end of file
diff --git a/contrib/fjresize.py b/contrib/fjresize.py
new file mode 100755
index 000000000..52b289159
--- /dev/null
+++ b/contrib/fjresize.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+import sys
+import fjdisplay
+import subprocess
+
+usage = """usage: fjresize.py firejail-name displaysize
+resize firejail xephyr windows.
+fjdisplay.py with no other arguments will list running named firejails with displays.
+fjresize.py with only a firejail name will list valid resolutions.
+names can be shortend as long its unambiguous.
+note: you may need to move the xephyr window for the resize to take effect
+example:
+    fjresize.py browser 1280x800
+"""
+
+
+if len(sys.argv) == 2:
+    out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1])])
+    print(out)
+elif len(sys.argv) == 3: 
+    out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1]),'--output','default','--mode',sys.argv[2]])
+    print(out)
+else:
+    print(usage)
\ No newline at end of file
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
index 3db34c03c..b61b88f68 100644
--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,4 @@
-# Firejail profile for 
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile
new file mode 100644
index 000000000..0da235467
--- /dev/null
+++ b/etc/FossaMail.profile
@@ -0,0 +1,2 @@
+# Firejail profile for FossaMail
+include /etc/firejail/fossamail.profile
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 22f54604a..6f21b9681 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-common.local
+
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
@@ -102,6 +105,9 @@ read-only ${HOME}/.caffrc
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 2ac367f37..07fc3928c 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-devel.local
+
 # development tools
 
 # GCC
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 045b4d92b..7d129b2e4 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-passwdmgr.local
+
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 69f0a2e1b..b307978da 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/disable-programs.local
+
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.Atom
diff --git a/etc/evolution.profile b/etc/evolution.profile
index ab6dd7a4a..1707e562b 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -6,6 +6,9 @@ noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
 
+noblacklist /var/spool/mail
+noblacklist /var/mail
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
new file mode 100644
index 000000000..a0dc8ae59
--- /dev/null
+++ b/etc/fossamail.profile
@@ -0,0 +1,15 @@
+# Firejail profile for FossaMail
+
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.fossamail
+mkdir ~/.fossamail
+whitelist ~/.fossamail
+
+noblacklist ~/.cache/fossamail
+mkdir ~/.cache/fossamail
+whitelist ~/.cache/fossamail
+
+include /etc/firejail/firefox.profile
diff --git a/etc/gpa.profile b/etc/gpa.profile
index 7d7277190..9da750f9e 100644
--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -18,6 +18,4 @@ shell none
 tracelog
 
 # private-bin gpa,gpg
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 59c7383d7..f587f0d53 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -11,7 +11,7 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
 no3d
@@ -21,6 +21,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg-agent,gpg
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
index d711c6f3e..963ff5ed7 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -11,10 +11,9 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
-net none
 no3d
 shell none
 tracelog
@@ -22,6 +21,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg,gpg-agent
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
new file mode 100644
index 000000000..1346b7fc2
--- /dev/null
+++ b/etc/uzbl-browser.profile
@@ -0,0 +1,27 @@
+# Firejail profile for uzbl-browser
+
+noblacklist ~/.config/uzbl
+noblacklist ~/.cache/uzbl
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+mkdir ~/.config/uzbl
+whitelist ~/.config/uzbl
+mkdir ~/.cache/uzbl
+whitelist ~/.cache/uzbl
+mkdir ~/.local/share/uzbl
+whitelist ~/.local/share/uzbl
+
+whitelist ${DOWNLOADS}
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index d4e69948e..cf7797100 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/whitelist-common.local
+
 # common whitelist for all profiles
 
 whitelist ~/.XCompose
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 9afe42be8..56a5c8e7e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -240,3 +240,5 @@
 /etc/firejail/xonotic.profile
 /etc/firejail/VirtualBox.profile
 /etc/firejail/qupzilla.profile
+/etc/firejail/FossaMail.profile
+/etc/firejail/fossamail.profile
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index b1e2813db..a4f5ace11 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -41,7 +41,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
         // open source
         int src = open(srcname, O_RDONLY);
         if (src < 0) {
-                fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
+                fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", srcname);
                 return;
         }
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index fe65a5077..4e4e5488a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -184,8 +184,6 @@ eog
 # other
 atom
 atom-beta
-gpa
-gpg
 ranger
 keepass
 keepass2
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 5e9002f22..84c9dc53a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -435,15 +435,8 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
         if (setregid(0, 0))
                 errExit("setregid");
 
-        if (!cfg.shell)
-                cfg.shell = guess_shell();
-        if (!cfg.shell) {
-                fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
-                exit(1);
-        }
-
         char *arg[4];
-        arg[0] = cfg.shell;
+        arg[0] = "/bin/sh";
         arg[1] = "-c";
         arg[2] = cmd;
         arg[3] = NULL;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 36cf47435..722d5c05e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -105,7 +105,7 @@
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
         do { \
                 struct stat s;\
-                if (stat(fd, &s) == -1) errExit("stat");\
+                if (fstat(fd, &s) == -1) errExit("fstat");\
                 assert(s.st_uid == uid);\
                 assert(s.st_gid == gid);\
                 assert((s.st_mode & 07777) == (mode));\
@@ -403,7 +403,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
-int fs_check_chroot_dir(const char *rootdir);
+void fs_check_chroot_dir(const char *rootdir);
 
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -450,6 +450,8 @@ void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *line_remove_spaces(const char *buf);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e2fc09533..0da4cc111 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -711,10 +711,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
         // create ~/.firejail directory
         if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                 errExit("asprintf");
+                
+        if (is_link(dirname)) {
+                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                exit(1);
+        }
         if (stat(dirname, &s) == -1) {
-                mkdir_attr(dirname, 0700, 0, 0);
+                // create directory
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        // create directory
+                        if (mkdir(dirname, 0700))
+                                errExit("mkdir");
+                        if (chmod(dirname, 0700) == -1)
+                                errExit("chmod");
+                        ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+                        exit(1);
+                }
         }
-        else if (is_link(dirname)) {
+        else if (s.st_uid != getuid()) {
                 fprintf(stderr, "Error: invalid ~/.firejail directory\n");
                 exit(1);
         }
@@ -994,20 +1020,25 @@ void fs_overlayfs(void) {
 
 #ifdef HAVE_CHROOT              
 // return 1 if error
-int fs_check_chroot_dir(const char *rootdir) {
+void fs_check_chroot_dir(const char *rootdir) {
         EUID_ASSERT();
         assert(rootdir);
         struct stat s;
         char *name;
 
+        if (strcmp(rootdir, "/tmp") == 0 || strcmp(rootdir, "/var/tmp") == 0) {
+                fprintf(stderr, "Error: invalid chroot directory\n");
+                exit(1);
+        }
+
         // rootdir has to be owned by root
         if (stat(rootdir, &s) != 0) {
                 fprintf(stderr, "Error: cannot find chroot directory\n");
-                return 1;
+                exit(1);
         }
         if (s.st_uid != 0) {
                 fprintf(stderr, "Error: chroot directory should be owned by root\n");
-                return 1;
+                exit(1);
         }
 
         // check /dev
@@ -1015,7 +1046,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /dev in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /dev directory should be owned by root\n");
+                exit(1);
         }
         free(name);
 
@@ -1024,7 +1059,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /var/tmp in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /var/tmp directory should be owned by root\n");
+                exit(1);
         }
         free(name);
         
@@ -1033,7 +1072,11 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /proc in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /proc directory should be owned by root\n");
+                exit(1);
         }
         free(name);
         
@@ -1042,18 +1085,41 @@ int fs_check_chroot_dir(const char *rootdir) {
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: cannot find /tmp in chroot directory\n");
-                return 1;
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /tmp directory should be owned by root\n");
+                exit(1);
+        }
+        free(name);
+
+        // check /etc
+        if (asprintf(&name, "%s/etc", rootdir) == -1)
+                errExit("asprintf");
+        if (stat(name, &s) == -1) {
+                fprintf(stderr, "Error: cannot find /etc in chroot directory\n");
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /etc directory should be owned by root\n");
+                exit(1);
         }
         free(name);
 
-        // check /bin/bash
-//      if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
-//              errExit("asprintf");
-//      if (stat(name, &s) == -1) {
-//              fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n");
-//              return 1;
-//      }
-//      free(name);
+        // check /etc/resolv.conf
+        if (asprintf(&name, "%s/etc/resolv.conf", rootdir) == -1)
+                errExit("asprintf");
+        if (stat(name, &s) == 0) {
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: chroot /etc/resolv.conf should be owned by root\n");
+                        exit(1);
+                }
+        }
+        if (is_link(name)) {
+                fprintf(stderr, "Error: invalid %s file\n", name);
+                exit(1);
+        }
+        free(name);
 
         // check x11 socket directory
         if (getenv("FIREJAIL_X11")) {
@@ -1063,12 +1129,14 @@ int fs_check_chroot_dir(const char *rootdir) {
                         errExit("asprintf");
                 if (stat(name, &s) == -1) {
                         fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n");
-                        return 1;
+                        exit(1);
+                }
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: chroot /tmp/.X11-unix directory should be owned by root\n");
+                        exit(1);
                 }
                 free(name);
         }
-        
-        return 0;       
 }
 
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
@@ -1099,10 +1167,16 @@ void fs_chroot(const char *rootdir) {
                         free(newx11);
                 }
                 
+                // some older distros don't have a /run directory
+                // create one by default
                 // create /run/firejail directory in chroot
                 char *rundir;
                 if (asprintf(&rundir, "%s/run", rootdir) == -1)
                         errExit("asprintf");
+                if (is_link(rundir)) {
+                        fprintf(stderr, "Error: invalid run directory inside chroot\n");
+                        exit(1);
+                }
                 create_empty_dir_as_root(rundir, 0755);
                 free(rundir);
                 if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
@@ -1129,7 +1203,7 @@ void fs_chroot(const char *rootdir) {
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1)
+                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
                         fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
         }
         
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index d710e98f2..bd9b9e828 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -28,6 +28,7 @@
 #ifndef _BSD_SOURCE
 #define _BSD_SOURCE 
 #endif
+#include <sys/sysmacros.h>
 #include <sys/types.h>
 
 typedef struct {
@@ -51,7 +52,7 @@ static DevEntry dev[] = {
         {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
         {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
         {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
-        {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+        {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
         {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
         {NULL, NULL, 0, 0}
 };
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 479383af2..f14e90deb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -31,8 +31,8 @@ void fs_machineid(void) {
                 uint32_t u32[4];
         } mid;
 
-        // if --machine-id flag is active, do nothing
-        if (arg_machineid)
+        // if --machine-id flag is inactive, do nothing
+        if (arg_machineid == 0)
                 return;
 
         // init random number generator
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 0872bf0d0..8a52314ed 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -42,19 +42,17 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0)
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.zshrc");
-                        }
+                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.zshrc");
                 }
-                else { // 
-                        FILE *fp = fopen(fname, "w");
-                        if (fp) {
-                                fprintf(fp, "\n");
-                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
-                                fclose(fp);
-                                fs_logger2("touch", fname);
-                        }
+                else {
+                        touch_file_as_user(fname, u, g, 0644);
+                        fs_logger2("touch", fname);
                 }
                 free(fname);
         }
@@ -64,23 +62,21 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
                 struct stat s;
+                
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0)
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.cshrc");
-                        }
+                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.cshrc");
                 }
-                else { // 
-                        /* coverity[toctou] */
-                        FILE *fp = fopen(fname, "w");
-                        if (fp) {
-                                fprintf(fp, "\n");
-                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
-                                fclose(fp);
-                                fs_logger2("touch", fname);
-                        }
+                else {
+                        touch_file_as_user(fname, u, g, 0644);
+                        fs_logger2("touch", fname);
                 }
                 free(fname);
         }
@@ -93,10 +89,13 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 // don't copy it if we already have the file
                 if (stat(fname, &s) == 0) 
                         return;
+                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
                 if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) {
-                                fs_logger("clone /etc/skel/.bashrc");
-                        }
+                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                        fs_logger("clone /etc/skel/.bashrc");
                 }
                 free(fname);
         }
@@ -106,6 +105,14 @@ static int store_xauthority(void) {
         // put a copy of .Xauthority in XAUTHORITY_FILE
         char *src;
         char *dest = RUN_XAUTHORITY_FILE;
+        // create an empty file as root, and change ownership to user
+        FILE *fp = fopen(dest, "w");
+        if (fp) {
+                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+                fclose(fp);
+        }
+        
         if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
         
@@ -115,12 +122,9 @@ static int store_xauthority(void) {
                         fprintf(stderr, "Warning: invalid .Xauthority file\n");
                         return 0;
                 }
-                        
-                int rv = copy_file(src, dest, -1, -1, 0600);
-                if (rv) {
-                        fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-                        return 0;
-                }
+
+                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
+                fs_logger2("clone", dest);
                 return 1; // file copied
         }
         
@@ -128,8 +132,17 @@ static int store_xauthority(void) {
 }
 
 static int store_asoundrc(void) {
+        // put a copy of .Xauthority in XAUTHORITY_FILE
         char *src;
         char *dest = RUN_ASOUNDRC_FILE;
+        // create an empty file as root, and change ownership to user
+        FILE *fp = fopen(dest, "w");
+        if (fp) {
+                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
+                fclose(fp);
+        }
+        
         if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
                 errExit("asprintf");
         
@@ -150,11 +163,8 @@ static int store_asoundrc(void) {
                         free(rp);
                 }
 
-                int rv = copy_file(src, dest, -1, -1, -0644);
-                if (rv) {
-                        fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-                        return 0;
-                }
+                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
+                fs_logger2("clone", dest);
                 return 1; // file copied
         }
         
@@ -167,13 +177,15 @@ static void copy_xauthority(void) {
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        // copy, set permissions and ownership
-        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-        if (rv)
-                fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-        else {
-                fs_logger2("clone", dest);
+        
+        // if destination is a symbolic link, exit the sandbox!!!
+        if (is_link(dest)) {
+                fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+                exit(1);
         }
+
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        fs_logger2("clone", dest);
         
         // delete the temporary file
         unlink(src);
@@ -185,14 +197,16 @@ static void copy_asoundrc(void) {
         char *dest;
         if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
                 errExit("asprintf");
-        // copy, set permissions and ownership
-        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-        if (rv)
-                fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-        else {
-                fs_logger2("clone", dest);
+        
+        // if destination is a symbolic link, exit the sandbox!!!
+        if (is_link(dest)) {
+                fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+                exit(1);
         }
 
+        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        fs_logger2("clone", dest);
+
         // delete the temporary file
         unlink(src);
 }
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 5b6ceae90..d29f58a58 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) {
         }
 
         // create file
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                // drop privileges
-                drop_privs(0);
-
-                /* coverity[toctou] */
-                FILE *fp = fopen(expanded, "w");
-                if (!fp)
-                        fprintf(stderr, "Warning: cannot create %s file\n", expanded);
-                else {
-                        int fd = fileno(fp);
-                        if (fd == -1)
-                                errExit("fileno");
-                        int rv = fchmod(fd, 0600);
-                        (void) rv;
-                        fclose(fp);
-                }
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                _exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-
+        touch_file_as_user(expanded, getuid(), getgid(), 0600);
+        
 doexit:
         free(expanded);
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 77eb35f97..1af56751a 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -336,7 +336,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -362,7 +362,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -411,7 +411,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
@@ -443,7 +443,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         drop_privs(0);
                         
                         // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
 #ifdef HAVE_GCOV
                         __gcov_flush();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e70e20eec..84bf5e8e6 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -35,6 +35,7 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
+#include <sys/utsname.h>
 
 #if 0
 #include <sys/times.h>
@@ -817,8 +818,27 @@ int main(int argc, char **argv) {
         
         if (check_arg(argc, argv, "--quiet"))
                 arg_quiet = 1;
-        if (check_arg(argc, argv, "--allow-debuggers"))
+        if (check_arg(argc, argv, "--allow-debuggers")) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
+
                 arg_allow_debuggers = 1;
+        }
 
         // drop permissions by default and rise them when required
         EUID_INIT();
@@ -1448,13 +1468,10 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: invalid chroot directory\n");
                                         exit(1);
                                 }
-                                free(rpath);
+                                cfg.chrootdir = rpath;
                                 
                                 // check chroot directory structure
-                                if (fs_check_chroot_dir(cfg.chrootdir)) {
-                                        fprintf(stderr, "Error: invalid chroot\n");
-                                        exit(1);
-                                }
+                                fs_check_chroot_dir(cfg.chrootdir);
                         }
                         else
                                 exit_err_feature("chroot");
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index d2db7d3dd..e17f39caa 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -76,12 +76,12 @@ void preproc_mount_mnt_dir(void) {
                 fs_logger2("tmpfs", RUN_MNT_DIR);
                 
                 //copy defaultl seccomp files
-                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
-                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
                 if (arg_allow_debuggers)
-                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                 else
-                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
                         
                 // as root, create an empty RUN_SECCOMP_PROTOCOL file
                 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index fab4f1efa..33b6eab91 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1017,6 +1017,11 @@ void profile_read(const char *fname) {
         // open profile file:
         FILE *fp = fopen(fname, "r");
         if (fp == NULL) {
+                // if the file ends in ".local", do not exit
+                char *ptr = strstr(fname, ".local");
+                if (ptr && strlen(ptr) == 6)
+                        return;
+                
                 fprintf(stderr, "Error: cannot open profile file %s\n", fname);
                 exit(1);
         }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index f890dd534..4ec84ec61 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <sys/wait.h>
 
 static void disable_file(const char *path, const char *file) {
         assert(file);
@@ -113,7 +114,7 @@ void pulseaudio_init(void) {
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
-        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))
+        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
                 errExit("copy_file");
         FILE *fp = fopen(pulsecfg, "a+");
         if (!fp)
@@ -127,21 +128,63 @@ void pulseaudio_init(void) {
         if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
                 errExit("asprintf");
         if (stat(dir1, &s) == -1) {
-                int rv = mkdir(dir1, 0755);
-                if (rv == 0) {
-                        if (set_perms(dir1, getuid(), getgid(), 0755))
-                                {;} // do nothing
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        int rv = mkdir(dir1, 0755);
+                        if (rv == 0) {
+                                if (set_perms(dir1, getuid(), getgid(), 0755))
+                                        {;} // do nothing
+                        }
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+        }
+        else {
+                // make sure the directory is owned by the user
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
+                        exit(1);
                 }
         }
         free(dir1);
+        
         if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
                 errExit("asprintf");
         if (stat(dir1, &s) == -1) {
-                /* coverity[toctou] */
-                int rv = mkdir(dir1, 0700);
-                if (rv == 0) {
-                        if (set_perms(dir1, getuid(), getgid(), 0700))
-                                {;} // do nothing
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        int rv = mkdir(dir1, 0700);
+                        if (rv == 0) {
+                                if (set_perms(dir1, getuid(), getgid(), 0700))
+                                        {;} // do nothing
+                        }
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+        }
+        else {
+                // make sure the directory is owned by the user
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
+                        exit(1);
                 }
         }
         free(dir1);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 50fcd6ed0..493877db3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -616,19 +616,10 @@ int sandbox(void* sandbox_arg) {
                         fs_trace_preload();
         }
         else 
-#endif          
+#endif
 #ifdef HAVE_OVERLAYFS
         if (arg_overlay)        {
                 fs_overlayfs();
-                // force caps and seccomp if not started as root
-                if (getuid() != 0) {
-                        enforce_filters();
-#ifdef HAVE_SECCOMP
-                        enforce_seccomp = 1;
-#endif
-                }
-                else
-                        arg_seccomp = 1;
         }
         else
 #endif
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 75f2acdb9..10000e912 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -28,6 +28,7 @@
 #include <grp.h>
 #include <sys/ioctl.h>
 #include <termios.h>
+#include <sys/wait.h>
 
 #define MAX_GROUPS 1024
 // drop privileges
@@ -177,14 +178,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
         // open source
         int src = open(srcname, O_RDONLY);
         if (src < 0) {
-                fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
+                fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
                 return -1;
         }
 
         // open destination
         int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
-                fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
+                fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
                 close(src);
                 return -1;
         }
@@ -218,6 +219,51 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
         return 0;
 }
 
+// return -1 if error, 0 if no error
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                // copy, set permissions and ownership
+                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                if (rv)
+                        fprintf(stderr, "Warning: cannot copy %s\n", srcname);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
+
+// return -1 if error, 0 if no error
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                FILE *fp = fopen(fname, "w");
+                if (fp) {
+                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, uid, gid, mode);
+                        fclose(fp);
+                }
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
 
 // return 1 if the file is a directory
 int is_dir(const char *fname) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 91017237d..4e0b46fb8 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -653,11 +653,7 @@ void x11_xorg(void) {
         struct stat s;
         if (stat(dest, &s) == -1) {
                 // create an .Xauthority file
-                FILE *fp = fopen(dest, "w");
-                if (!fp)
-                        errExit("fopen");
-                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
-                fclose(fp);
+                touch_file_as_user(dest, getuid(), getgid(), 0600);
         }
 
         // check xauth utility is present in the system
@@ -666,6 +662,10 @@ void x11_xorg(void) {
                 exit(1);
         }
 
+        // temporarily mount a tempfs on top of /tmp directory
+        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                errExit("mounting /tmp");
+
         // create a temporary .Xauthority file
         char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
         int fd = mkstemp(tmpfname);
@@ -673,9 +673,9 @@ void x11_xorg(void) {
                 fprintf(stderr, "Error: cannot create .Xauthority file\n");
                 exit(1);
         }
-        close(fd);
-        if (chown(tmpfname, getuid(), getgid()) == -1)
+        if (fchown(fd, getuid(), getgid()) == -1)
                 errExit("chown");
+        close(fd);
 
         pid_t child = fork();
         if (child < 0)
@@ -713,7 +713,7 @@ void x11_xorg(void) {
         
         // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
         // automatically when the sandbox is closed
-        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
+        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { // root needed
                 fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
                 exit(1);
         }
@@ -730,5 +730,8 @@ void x11_xorg(void) {
         if (set_perms(dest, getuid(), getgid(), 0600))
                 errExit("set_perms");
         free(dest);
+        
+        // unmount /tmp
+        umount("/tmp");
 #endif  
 }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index fa522c154..ecb8be139 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -86,6 +86,10 @@ file in user home directory.
 
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 
+If the file is not found, and the file name does not end in ".local", the sandbox exist immediately
+with an error printed on stderr. ".local" files can be used to customize the global configuration
+in /etc/firejail directory. These files are not overwritten during software install.
+
 .TP
 \fBnoblacklist file_name
 If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
@@ -448,7 +452,7 @@ Assign MAC addresses to the last network interface defined by a net command.
 
 .TP
 \fBmachine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 
 .TP
 \fBmtu number
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 60c21cbc1..69ed2a8dc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
 .br
 
 .br
@@ -676,7 +678,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 
 .TP
 \fB\-\-machine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 .br
 
 .br