18 files changed, 289 insertions, 101 deletions

diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 4b3eb1ac7..18fcc59c6 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -23,20 +23,22 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# Ubuntu 18.04 uses its own apparmor profile
+# uncomment the next line if you are not on Ubuntu
+#apparmor
 caps.drop all
 machine-id
 netfilter
 nodbus
 nodvd
 nogroups
-nonewprivs
+#nonewprivs - fix for Ubuntu 18.04/Debian 10
 noroot
 notv
-protocol unix,inet,inet6
-seccomp
+#protocol unix,inet,inet6  - fix for Ubuntu 18.04/Debian 10
+#seccomp  - fix for Ubuntu 18.04/Debian 10
 shell none
-tracelog
+#tracelog - problems reported by Ubuntu 18.04 apparmor profile in /var/log/syslog
 
 private-dev
 private-tmp
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 38ccb886f..57e1ce5f0 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -8,7 +8,8 @@ include /etc/firejail/globals.local
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
+# rhythmbox is using Python
+#include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 6b0bee7bd..9ccbb7310 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
 caps.drop all
 netfilter
 # nodbus - problems with KDE
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 81acf7d83..da8937717 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -275,7 +275,7 @@ musescore
 musixmatch
 mutt
 natron
-nautilus
+#nautilus - removed in order to let the application start in a new sandbox when clicking on icons in the file manager
 ncdu
 netsurf
 neverball
@@ -300,7 +300,7 @@ pdftotext
 peek
 picard
 pidgin
-ping
+#ping - disabled until we fix  #1912
 pingus
 pinta
 pithos
diff --git a/src/firecfg/util.c b/src/firecfg/util.c
index f0446ca8d..7ed86c36e 100644
--- a/src/firecfg/util.c
+++ b/src/firecfg/util.c
@@ -58,9 +58,15 @@ int which(const char *program) {
                 // use path2 to count the entries
                 char *ptr = strtok(path2, ":");
                 while (ptr) {
-                        if (find(program, ptr)) {
-                                free(path2);
-                                return 1;
+                        // Ubuntu 18.04 is adding  /snap/bin to PATH;
+                        // they populate /snap/bin with simbolic links to /usr/bin/ programs;
+                        // most simlinked programs are not installed by default.
+                        // Removing /snap/bin from our search
+                        if (strcmp(ptr, "/snap/bin") != 0) {
+                                if (find(program, ptr)) {
+                                        free(path2);
+                                        return 1;
+                                }
                         }
                         ptr = strtok(NULL, ":");
                 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 0df832c09..14f87c36c 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -524,6 +524,16 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 
+// Get info regarding the last kernel mount operation.
+// The return value points to a static area, and will be overwritten by subsequent calls.
+// The function does an exit(1) if anything goes wrong.
+typedef struct {
+        char *fsname;
+        char *dir;
+} MountData;
+MountData *get_last_mount(void);
+
+
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
 void fs_var_lib(void);  // various other fixes for software in /var directory
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index d4cdbbe0a..b0ad35299 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -25,6 +25,8 @@
 #include <unistd.h>
 #include <glob.h>
 
+static int prog_cnt = 0;
+
 static char *paths[] = {
         "/usr/local/bin",
         "/usr/bin",
@@ -191,6 +193,7 @@ static void duplicate(char *fname, FILE *fplist) {
                                 // solving problems such as /bin/sh -> /bin/dash
                                 // copy the real file pointed by symlink
                                 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+                                prog_cnt++;
                                 char *f = strrchr(actual_path, '/');
                                 if (f && *(++f) !='\0')
                                         report_duplication(f);
@@ -201,6 +204,7 @@ static void duplicate(char *fname, FILE *fplist) {
 
         // copy a file or a symlink
         sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
+        prog_cnt++;
         free(full_path);
         report_duplication(fname);
 }
@@ -256,6 +260,9 @@ void fs_private_bin_list(void) {
         char *private_list = cfg.bin_private_keep;
         assert(private_list);
 
+        // start timetrace
+        timetrace_start();
+
         // create /run/firejail/mnt/bin directory
         mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
 
@@ -298,4 +305,5 @@ void fs_private_bin_list(void) {
                 }
                 i++;
         }
+        fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end());
 }
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 8a105be97..363b48d1d 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -201,7 +201,7 @@ static char *valid_file(const char *lib) {
                 }
                 free(fname);
         }
-printf("not found %s\n", lib);
+
         fwarning("%s library not found, skipping...\n", lib);
         return NULL;
 }
@@ -352,7 +352,7 @@ void fs_private_lib(void) {
                                                 fslib_copy_dir(name);
                                         free(name);
 
-                                        // /usr/lib/x86_linux-gnu - debian & frriends
+                                        // /usr/lib/x86_linux-gnu - debian & friends
                                         if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr) == -1)
                                                 errExit("asprintf");
                                         if (is_dir(name))
@@ -377,20 +377,12 @@ void fs_private_lib(void) {
                 printf("*** Installing system libraries\n");
         fslib_install_system();
 
-        fmessage("Installed %d libraries and %d directories\n", lib_cnt, dir_cnt);
+        fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
+                dir_cnt, (dir_cnt == 1)? "directory": "directories");
 
-        // bring in firejail directory for --trace options
+        // bring in firejail directory for --trace and seccomp post exec
         fslib_copy_dir(LIBDIR "/firejail");
 
-        // ... and for sandbox in sandbox functionality
-        fslib_copy_libs(LIBDIR "/firejail/faudit");
-        fslib_copy_libs(LIBDIR "/firejail/fbuilder");
-        fslib_copy_libs(LIBDIR "/firejail/fcopy");
-        fslib_copy_libs(LIBDIR "/firejail/fldd");
-        fslib_copy_libs(LIBDIR "/firejail/fnet");
-        fslib_copy_libs(LIBDIR "/firejail/fnetfilter");
-        fslib_copy_libs(LIBDIR "/firejail/fseccomp");
-        fslib_copy_libs(LIBDIR "/firejail/ftee");
         // mount lib filesystem
         mount_directories();
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 21fa8e624..60bb0f6ed 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -37,6 +37,7 @@ static char *dentry[] = {
 #define EMPTY_STRING ("")
 #define MAXBUF 4098
 static char *resolve_downloads(int nowhitelist_flag) {
+        EUID_ASSERT();
         char *fname;
         struct stat s;
 
@@ -316,6 +317,16 @@ static void whitelist_path(ProfileEntry *entry) {
         if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind");
 
+        // check the last mount operation
+        MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
+
+        // No mounts are allowed on top level directories. A destination such as "/etc" is very bad!
+        //  - there should be more than one '/' char in dest string
+        if (mptr->dir == strrchr(mptr->dir, '/')) {
+                fprintf(stderr, "Error: invalid mount on top of %s\n", mptr->dir);
+                exit(1);
+        }
+
         free(wfile);
         return;
 
@@ -352,6 +363,7 @@ void fs_whitelist(void) {
                 errExit("failed allocating memory for nowhitelist entries");
 
         // verify whitelist files, extract symbolic links, etc.
+        EUID_USER();
         while (entry) {
                 int nowhitelist_flag = 0;
 
@@ -643,6 +655,7 @@ void fs_whitelist(void) {
         assert(nowhitelist);
         free(nowhitelist);
 
+        EUID_ROOT();
         // /home/user
         if (home_dir) {
                 // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
@@ -856,6 +869,15 @@ void fs_whitelist(void) {
                                                 fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
                                         else if (arg_debug || arg_debug_whitelists)
                                                 printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
+
+                                        // check again for files in /tmp directory
+                                        if (strncmp(entry->link, "/tmp/", 5) == 0) {
+                                                char *path = realpath(entry->link, NULL);
+                                                if (path == NULL || strncmp(path, "/tmp/", 5) != 0) {
+                                                        fprintf(stderr, "Error: invalid symbolic link %s\n", entry->link);
+                                                        exit(1);
+                                                }
+                                        }
                                 }
                         }
                 }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index a44e52e98..f441f283f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1029,3 +1029,39 @@ void disable_file_path(const char *path, const char *file) {
         free(fname);
 }
 
+#define MAX_BUF 4096
+static char mbuf[MAX_BUF];
+static MountData mdata;
+
+// Get info regarding the last kernel mount operation.
+// The return value points to a static area, and will be overwritten by subsequent calls.
+// The function does an exit(1) if anything goes wrong.
+MountData *get_last_mount(void) {
+        // open /proc/self/mounts
+        FILE *fp = fopen("/proc/self/mounts", "r");
+        if (!fp)
+                goto errexit;
+
+        mbuf[0] = '\0';
+        while (fgets(mbuf, MAX_BUF, fp));
+        fclose(fp);
+        if (arg_debug || arg_debug_whitelists)
+                printf("%s", mbuf);
+
+        // there should be no reason to have a new mount on top of a top level directory
+        mdata.fsname = mbuf;
+        mdata.dir = strstr(mbuf, " ");
+        if (!mdata.dir)
+                goto errexit;
+        mdata.dir++;
+        char *end = strstr(mdata.dir, " ");
+        if (!end)
+                goto errexit;
+        *end = '\0';
+
+        return &mdata;
+
+errexit:
+        fprintf(stderr, "Error: cannot read /proc/self/mounts");
+        exit(1);
+}
diff --git a/src/fldd/main.c b/src/fldd/main.c
index be4500d2a..4658e82fb 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -340,10 +340,8 @@ printf("\n");
         else {
                 if (is_lib_64(argv[1]))
                         parse_elf(argv[1]);
-                else {
-                        fprintf(stderr, "Error fldd: %s is not a 64bit program/library\n", argv[1]);
-                        exit(1);
-                }
+                else
+                        fprintf(stderr, "Warning fldd: %s is not a 64bit program/library\n", argv[1]);
         }
 
 
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index 09a4da0e7..0cc0ac6c1 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -47,7 +47,8 @@ int firejail_user_check(const char *name) {
                 return 1;
 
         // other system users will run the program as is
-        if (getuid() < UID_MIN || strcmp(name, "nobody") == 0)
+        uid_t uid = getuid();
+        if ((uid < UID_MIN && uid != 0) || strcmp(name, "nobody") == 0)
                 return 0;
 
         // check file existence
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
index 9500b5975..d9f2d4697 100755
--- a/test/arguments/arguments.sh
+++ b/test/arguments/arguments.sh
@@ -3,9 +3,8 @@
 if [ -f /etc/debian_version ]; then
         libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
         export PATH="$PATH:$libdir"
-else
-        export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 fi
+export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 
 echo "TESTING: 1. regular bash session"
 ./bashrun.exp
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index ff197aa54..d0a34ccc5 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -9,9 +9,9 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 if [ -f /etc/debian_version ]; then
         libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)")
         export PATH="$PATH:$libdir"
-else
-        export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 fi
+export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
+
 
 if [ "$(uname -m)" = "x86_64" ]; then
     echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)"
diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp
index e16798ab8..84abe74cd 100755
--- a/test/fs/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -7,11 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --blacklist=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 1.2\n";exit}
         "Error:"
@@ -22,11 +18,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --cgroup=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 2.2\n";exit}
         "Error:"
@@ -37,12 +29,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Checking filename bla&&bla" {puts "normal system\n"}
-        "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit}
-}
+send -- "firejail --noprofile --chroot=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 3.2\n";exit}
         "Error:"
@@ -53,11 +40,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --netfilter=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 4.2\n";exit}
         "Error:"
@@ -68,22 +51,14 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 5.2\n";exit}
-        "Error:"
-}
+send -- "firejail --noprofile --output=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 5.3\n";exit}
         "is an invalid filename"
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 6.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 6.2\n";exit}
         "Error:"
@@ -94,11 +69,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 7.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private-bin=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 7.2\n";exit}
         "Error:"
@@ -109,11 +80,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 8.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private-home=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 8.2\n";exit}
         "Error:"
@@ -124,11 +91,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 9.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private-etc=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 9.2\n";exit}
         "Error:"
@@ -139,11 +102,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 10.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --profile=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
         "Error:"
@@ -154,11 +113,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 11.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --read-only=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 11.2\n";exit}
         "Error:"
@@ -169,11 +124,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --shell=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --shell=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 12.2\n";exit}
         "Error:"
@@ -185,11 +136,7 @@ expect {
 after 100
 
 
-send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 14.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --whitelist=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 14.2\n";exit}
         "Error:"
diff --git a/test/private-lib/gedit.exp b/test/private-lib/gedit.exp
new file mode 100755
index 000000000..00fa934e7
--- /dev/null
+++ b/test/private-lib/gedit.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail /usr/bin/gedit\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gedit.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gedit"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail /usr/bin/gedit"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail /usr/bin/gedit"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/pluma.exp b/test/private-lib/pluma.exp
new file mode 100755
index 000000000..92ae0a345
--- /dev/null
+++ b/test/private-lib/pluma.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail pluma\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/pluma.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "pluma"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail pluma"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail pluma"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh
index 2a0eb8d30..edf81917a 100755
--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -5,7 +5,7 @@
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-LIST="evince galculator gnome-calculator leafpad mousepad transmission-gtk xcalc atril gpicview eom eog"
+LIST="evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
 
 
 for app in $LIST; do