577 files changed, 20917 insertions, 7828 deletions
diff --git a/.gitignore b/.gitignore
index 85e317827..459119b14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,8 @@
 *~
 *.swp
 *.rpm
+*.gcda
+*.gcno
 Makefile
 config.log
 config.status
@@ -17,3 +19,7 @@ src/firemon/firemon
 src/firecfg/firecfg
 src/ftee/ftee
 src/tags
+src/faudit/faudit
+src/fnet/fnet
+src/fseccomp/fseccomp
+uids.h
diff --git a/Makefile.in b/Makefile.in
index 16f8e8717..86fd4f4b7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,7 @@
-all: apps firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5
+all: apps man
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -14,47 +15,48 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 PACKAGE_TARNAME=@PACKAGE_TARNAME@
 DOCDIR=@docdir@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
+uids.h:; ./mkuid.sh
 .PHONY: mylibs $(MYLIBS)
-mylibs: $(MYLIBS)
+mylibs: $(MYLIBS) uids.h
 $(MYLIBS):
        $(MAKE) -C $@
 .PHONY: apps $(APPS)
 apps: $(APPS)
-$(APPS): $(MYLIBS)
+$(APPS): $(MYLIBS) uids.h
        $(MAKE) -C $@
-firemon.1: src/man/firemon.txt
+$(MANPAGES): $(wildcard src/man/*.txt)
-        ./mkman.sh $(VERSION) src/man/firemon.txt firemon.1
+        ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
-firejail.1: src/man/firejail.txt
-        ./mkman.sh $(VERSION) src/man/firejail.txt firejail.1
+man: $(MANPAGES)
-firecfg.1: src/man/firecfg.txt
-        ./mkman.sh $(VERSION) src/man/firecfg.txt firecfg.1
-firejail-profile.5: src/man/firejail-profile.txt
-        ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5
-firejail-login.5: src/man/firejail-login.txt
-        ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5
-firejail-config.5: src/man/firejail-config.txt
-        ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5
 clean:
-        for dir in $(APPS); do \
+        for dir in $(APPS) $(MYLIBS); do \
                $(MAKE) -C $$dir clean; \
        done
-        for dir in $(MYLIBS); do \
+        rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
-                $(MAKE) -C $$dir clean; \
+        rm -f test/utils/index.html*
-        done
+        rm -f test/utils/wget-log
-        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm
+        rm -f test/utils/lstesting
+        rm -f test/environment/index.html*
+        rm -f test/environment/wget-log*
+        rm -fr test/environment/-testdir
+        rm -f test/environment/logfile*
+        rm -f test/environment/index.html
+        rm -f test/environment/wget-log
+        rm -f test/sysutils/firejail_t*
+        cd test/compile; ./compile.sh --clean; cd ../..
 distclean: clean
-        for dir in $(APPS); do \
+        for dir in $(APPS) $(MYLIBS); do \
-                $(MAKE) -C $$dir distclean; \
-        done
-        for dir in $(MYLIBS); do \
                $(MAKE) -C $$dir distclean; \
        done
-        rm -fr Makefile autom4te.cache config.log config.status config.h
+        rm -fr Makefile autom4te.cache config.log config.status config.h uids.h
 realinstall:
        # firejail executable
@@ -69,133 +71,49 @@ realinstall:
        install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
        install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
        # documents
        install -m 0755 -d $(DESTDIR)/$(DOCDIR)
        install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
        install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
        # etc files
-        ./mketc.sh $(sysconfdir)
+        ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
        install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
-        install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        for file in .etc/* etc/firejail.config; do \
-        install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+                install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
-        install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        done
-        install -c -m 0644 .etc/qtox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/generic.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/qutebrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/flashpeak-slimjet.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/ssh.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/openbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dillo.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/cmus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dnsmasq.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/palemoon.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
        rm -fr .etc
+ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) 
+        # install apparmor profile
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
+        install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
+endif   
        # man pages
-        rm -f firejail.1.gz
-        gzip -9n firejail.1
-        rm -f firemon.1.gz
-        gzip -9n firemon.1
-        rm -f firecfg.1.gz
-        gzip -9n firecfg.1
-        rm -f firejail-profile.5.gz
-        gzip -9n firejail-profile.5
-        rm -f firejail-login.5.gz
-        gzip -9n firejail-login.5
-        rm -f firejail-config.5.gz
-        gzip -9n firejail-config.5
        install -m 0755 -d $(DESTDIR)/$(mandir)/man1
-        install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/.
-        install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/.
-        install -c -m 0644 firecfg.1.gz $(DESTDIR)/$(mandir)/man1/.
        install -m 0755 -d $(DESTDIR)/$(mandir)/man5
-        install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/.
+        for man in $(MANPAGES); do \
-        install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/.
+                rm -f $$man.gz; \
-        install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/.
+                gzip -9n $$man; \
-        rm -f firejail.1.gz firemon.1.gz firecfg.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz
+                case "$$man" in \
+                        *.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \
+                        *.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \
+                esac; \
+        done
+        rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
        # bash completion
        install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
        install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
        install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
        install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 install: all
        $(MAKE) realinstall
@@ -205,7 +123,11 @@ install-strip: all
        strip src/firecfg/firecfg
        strip src/libtrace/libtrace.so
        strip src/libtracelog/libtracelog.so
+        strip src/libconnect/libconnect.so
        strip src/ftee/ftee
+        strip src/faudit/faudit
+        strip src/fnet/fnet
+        strip src/fseccomp/fseccomp
        $(MAKE) realinstall
 uninstall:
@@ -214,30 +136,44 @@ uninstall:
        rm -f $(DESTDIR)/$(bindir)/firecfg
        rm -fr $(DESTDIR)/$(libdir)/firejail
        rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail
-        rm -f $(DESTDIR)/$(mandir)/man1/firejail.1*
+        for man in $(MANPAGES); do \
-        rm -f $(DESTDIR)/$(mandir)/man1/firemon.1*
+                rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \
-        rm -f $(DESTDIR)/$(mandir)/man1/firecfg.1*
+                rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \
-        rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5*
+        done
-        rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5*
-        rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5*
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
        
+DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
+DISTFILES_TEST = "test/rlimit test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
 dist:
+        mv config.status config.status.old
        make distclean
-        rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2
+        mv config.status.old config.status
-        mkdir $(NAME)-$(VERSION)
+        rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
-        cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd ..
+        mkdir -p $(NAME)-$(VERSION)/test
-        cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd ..
+        cp -a "$(DISTFILES)" $(NAME)-$(VERSION)
-        cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd ..
+        cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test
-        cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd ..
+        rm -rf $(NAME)-$(VERSION)/src/tools
-        tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION)
+        find $(NAME)-$(VERSION) -name .svn -delete
+        tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION)
        rm -fr $(NAME)-$(VERSION)
+asc:; ./mkasc.sh $(VERSION)
 deb: dist
        ./mkdeb.sh $(NAME) $(VERSION)
+snap: all
+        cd platform/snap; ./snap.sh
+install-snap: snap
+        sudo snap remove faudit; sudo snap install faudit*.snap
+test-compile: dist
+        cd test/compile; ./compile.sh $(NAME)-$(VERSION)
 .PHONY: rpms
 rpms:
        ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
@@ -250,5 +186,74 @@ cppcheck: clean
 scan-build: clean
        scan-build make
-asc:; ./mkasc.sh $(VERSION)
+#
+# make test
+#
+test-profiles:
+        cd test/profiles; ./profiles.sh | grep TESTING
+test-apps:
+        cd test/apps; ./apps.sh | grep TESTING
+test-apps-x11:
+        cd test/apps-x11; ./apps-x11.sh | grep TESTING
+test-apps-x11-xorg:
+        cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
+test-sysutils:
+        cd test/sysutils; ./sysutils.sh | grep TESTING
+        
+test-utils:
+        cd test/utils; ./utils.sh | grep TESTING
+test-environment:
+        cd test/environment; ./environment.sh | grep TESTING
+test-filters:
+        cd test/filters; ./filters.sh | grep TESTING
+test-arguments:
+        cd test/arguments; ./arguments.sh | grep TESTING
+        
+test-fs:
+        cd test/fs; ./fs.sh | grep TESTING
+test-rlimit:
+        cd test/rlimit; ./rlimit.sh | grep TESTING
+        
+test: test-profiles test-fs test-utils  test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments test-rlimit
+        echo "TEST COMPLETE"
+##########################################
+# Individual tests, some of them require root access
+# The tests are very intrussive, by the time you are done
+# with them you will need to restart your computer.
+##########################################
+# Huge appimage files, not included in "make dist" archive
+test-appimage:
+        cd test/appimage; ./appimage.sh | grep TESTING
+# Root access, network devices are created before the test
+# restart your computer to get rid of these devices
+test-network:
+        cd test/network; ./network.sh | grep TESTING
+# Tesets running a root user
+test-root:
+        cd test/root; su -c ./root.sh | grep TESTING
+        
+# OverlayFS is not available on all platforms
+test-overlay:
+        cd test/overlay; ./overlay.sh | grep TESTING
+# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
+test-all: test-root test-network test-appimage test-overlay test
+        echo "TEST COMPLETE"
+        
+\ No newline at end of file
diff --git a/README b/README
index 81481f512..e21e96bc7 100644
--- a/README
+++ b/README
@@ -18,18 +18,171 @@ License: GPL v2
 Firejail Authors:
 netblue30 (netblue30@yahoo.com)
-Joan Figueras (https://github.com/figue)
+Reiner Herrmann (https://github.com/reinerh)
-        - added abrowser profile
+        - a number of build patches
+        - man page fixes
+        - Debian and Ubuntu integration
+        - clang-analyzer fixes
+        - Debian reproducible build
+        - unit testing framework
+        - moved build to .xz
+        - detached signatures for source archive
+        - recursive mkdir
+Aleksey Manevich (https://github.com/manevich)
+        - several profile fixes
+        - fix problem with relative path in storage_find function
+        - fix build for systems without bash
+        - fix double quotes/single quotes problem
+        - big rework of argument processing subsystem
+        - --join fixes
+        - spliting up cmdline.c
+        - Busybox support
+        - X11 support rewrite
+        - gether shell selection code in one place
+        - fixed several TOCTOU security problems
+        - added --fix option to firecfg utility
+        - read_pid fix
+        - added --x11=block options
+        - x11 xpra, xphyr, none profile commands
+        - added --join-or-start command
+        - CVE-2016-7545
 Fred-Barclay (https://github.com/Fred-Barclay)
+        - lots of profile fixes
        - added Vivaldi, Atril profiles
        - added PaleMoon profile
        - split Icedove and Thunderbird profiles
        - added 0ad profile
+        - fixed version for .deb packages
+        - added Warzone2100 profile
+        - blacklisted VeraCrypt
+        - added Gpredict profile
+        - added Aweather, Stellarium profiles
+        - fixed HexChat and Atril profiles
+        - fixed disable-common.inc for mate-terminal
+        - blacklisted escape-happy terminals in disable-common.inc
+        - blacklisted g++
+        - added xplayer, xreader, and xviewer profiles
+        - added Brave profile
+        - added Gitter profile
+        - various organising
+        - added LibreOffice profile
+        - added pix profile
+        - added audacity profile
+        - fixed Telegram and qtox profiles
+        - added Atom Beta and Atom profiles
+        - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles
+        - several private-bin conversions
+        - added jitsi profile
+        - pidgin private-bin conversion
+        - added eom profile
+        - added gnome-chess profile
+        - added DOSBox profile
+        - evince profile enhancement
+        - tightened Spotify profile
+        - added xiphos and Tor Browser Bundle profiles
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
+        - dnsmasq profile
+        - okular and gwenview profiles
+        - cherrytree profile fixes
+        - added quiterss profile
+        - added guayadeque profile
+Simon Peter (https://github.com/probonopd)
+        - set $APPIMAGE and $APPDIR environment variables
+        - AppImage version detection
+        - Leafppad type v1 and v2 appimage packages in test/appimage
+BogDan Vatra (https://github.com/bog-dan-ro)
+        - zoom profile
+Impyy (https://github.com/Impyy)
+        - added mumble profile
+valoq (https://github.com/valoq)
+        - LibreOffice profile fixes
+        - cherrytree profile fixes
+        - added support for /srv in --whitelist feature
+        - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
+        - blacklist suid binaries in disable-common.inc
+        - fix man pages
+        - various profile improvements
+Vadim A. Misbakh-Soloviov (https://github.com/msva)
+        - profile fixes
+Rafael Cavalcanti (https://github.com/rccavalcanti)
+        - chromium profile fixes for Arch Linux
+Deelvesh Bunjun (https://github.com/DeelveshBunjun)
+        - added xpdf profile
+Dara Adib (https://github.com/daradib)
+        - ssh profile fix
+        - evince profile fix
+vismir2 (https://github.com/vismir2)
+        - feh, ranger, 7z, keepass, keepassx and zathura profiles
+        - claws-mail, mutt, git, emacs, vim profiles
+        - lots of profile fixes
+graywolf (https://github.com/graywolf)
+        - spelling fix
+Tomasz Jan Góralczyk (https://github.com/tjg)
+        - fixed Steam profile
+pwnage-pineapple (https://github.com/pwnage-pineapple)
+        - update Okular profile
+Sergey Alirzaev (https://github.com/l29ah)
+        - firejail.h enum fix
+greigdp (https://github.com/greigdp)
+        - Gajim IM client profile
+        - fix Slack profile
+Icaro Perseo (https://github.com/icaroperseo)
+        - Icecat profile
+        - several profile fixes
+hamzadis (https://github.com/hamzadis)
+        - added --overlay-named=name and --overlay-path=path    
+Gaman Gabriel (https://github.com/stelariusinfinitek)
+        - inox profile
+greigdp (https://github.com/greigdp)
+        - fixed spotify profile
+        - added Slack profile
+Laurent Declercq (https://github.com/nuxwin)
+        - fixed test for shell interpreter in chroots
+Franco (nextime) Lanza (https://github.com/nextime)
+        - added --private-template/--private-home
+xee5ch (https://github.com/xee5ch)
+        - skypeforlinux profile
+Peter Hogg (https://github.com/pigmonkey)
+        - WeeChat profile
+        - rtorrent profile
+        - bitlbee profile fixes
+        - mutt profile fixes
+Thomas Jarosch (https://github.com/thomasjfox)
+        - disable keepassx in disable-passwdmgr.inc
+        - added uudeview profile
+        - added tar (gtar), unzip and unrar profile
+        - added file profile
+        - improved profile list
+        - fixed small variable glitch in stat64() / lstat64() (libtracelog)
+        - added lstat() / lstat64() support to libtrace
+        - include mkuid.sh in make dist
+Niklas Haas (https://github.com/haasn)
+        - blacklisting for keybase.io's client
+Jaykishan Mutkawoa (https://github.com/jmutkawoa)
+        - cpio profile
+Paupiah Yash (https://github.com/CaffeinatedStud)
+        - gzip  profile
+Akhil Hans Maulloo (https://github.com/kouul)
+        - xz profile
+Rahul Golam (https://github.com/technoLord)
+        - strings profile
+geg2048 (https://github.com/geg2048)
+        - kwallet profile fixes
+maces (https://github.com/maces)
+        - Franz messenger profile
+KellerFuchs (https://github.com/KellerFuchs)
+        - nonewpriv support, extended profiles for this feature
+        - make `restricted-network` prevent use of netfilter
+        - disable-common.inc additions
+ValdikSS (https://github.com/ValdikSS)
+        - Psi+, Corebird, Konversation profiles
+        - various profile fixes
 avoidr (https://github.com/avoidr)
        - whitelist fix
        - recently-used.xbel fix
        - added parole profile
-        - blacklist ncat, manpage fixes,
+        - blacklist ncat
        - hostname support in profile file
        - Google Chrome profile rework
        - added cmus profile
@@ -37,6 +190,23 @@ avoidr (https://github.com/avoidr)
        - add net iface support in profile files
        - paths fix
        - lots of profile fixes
+        - added mcabber profile
+        - fixed mpv profile
+        - various other fixes
+Ruan (https://github.com/ruany)
+        - fixed hexchat profile
+Vasya Novikov (https://github.com/vn971)
+        - Wesnoth profile
+        - Hedegewars profile
+        - manpage fixes
+        - fixed firecfg clean/clear issue
+        - found the ugliest bug so far
+Matthew Gyurgyik (https://github.com/pyther)
+        - rpm spec and several fixes
+Joan Figueras (https://github.com/figue)
+        - added abrowser profile
+        - added Google-Play-Music-Desktop-Player
+        - added cyberfox profile
 Petter Reinholdtsen (pere@hungry.com)
        - Opera profile patch
 n1trux (https://github.com/n1trux)
@@ -52,12 +222,9 @@ dshmgh (https://github.com/dshmgh)
 yumkam (https://github.com/yumkam)
        - add compile-time option to restrict --net= to root only
        - man page fixes
-Vasya Novikov (https://github.com/vn971)
-        - Wesnoth profile
-        - Hedegewars profile
-        - manpage fixes
 mahdi1234 (https://github.com/mahdi1234)
        - cherrytree profile
+        - Seamonkey profiles
 jrabe (https://github.com/jrabe)
        - disallow access to kdbx files
        - Epiphany profile
@@ -71,19 +238,14 @@ Tom Mellor (https://github.com/kalegrill)
 Martin Carpenter (https://github.com/mcarpenter)
        - security audit and bug fixes
        - Centos 6.x support
-Aleksey Manevich (https://github.com/manevich)
-        - several profile fixes
-        - fix problem with relative path in storage_find function
-        - fix build for systems without bash
 pszxzsd (https://github.com/pszxzsd)
        -uGet profile
 Rahiel Kasim (https://github.com/rahiel)
        - Mathematica profile
+        - whitelisted Dropbox profile
+        - whitelisted keysnail config for firefox
 creideiki (https://github.com/creideiki)
        - make the sandbox process reap all children
-curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
-        - dnsmasq profile
 sinkuu (https://github.com/sinkuu)
        - blacklisting kwalletd
        - fix symlink invocation for programs placing symlinks in $PATH
@@ -93,8 +255,7 @@ Holger Heinz (https://github.com/hheinz)
        - manpage work
 Andrey Alekseenko (https://github.com/al42and)
        - fixing lintian warnings
-mahdi1234 (https://github.com/mahdi1234)
+        - fixed Skype profile
-        - Seamonkey profiles
 Ivan Kozik (https://github.com/ivan)
        - speed up sandbox exit
 Christian Stadelmann (https://github.com/genodeftest)
@@ -105,11 +266,6 @@ Kaan Genç (https://github.com/SeriousBug)
        - dynamic allocation of noblacklist buffer
 Veeti Paananen (https://github.com/veeti)
        - fixed Spotify profile
-Rahiel Kasim (https://github.com/rahiel)
-        - whitelist keysnail config for firefox
-Peter Hogg (https://github.com/pigmonkey)
-        - WeeChat profile
-        - rtorrent profile
 rogshdo (https://github.com/rogshdo)
        - BitlBee profile
 Bruno Nova (https://github.com/brunonova)
@@ -117,8 +273,6 @@ Bruno Nova (https://github.com/brunonova)
        - bash arguments fix
 Matt Parnell (https://github.com/ilikenwf)
        - whitelisting for core firefox related functionality
-Andrey Alekseenko (https://github.com/al42and)
-        - fixed Skype profile
 Ondra Nekola (https://github.com/satai)
        - allow firefox theming with non-global themes
 emacsomancer (https://github.com/emacsomancer)
@@ -132,8 +286,6 @@ andrew160 (https://github.com/andrew160)
        - profile and man pages fixes
 Loïc Damien (https://github.com/dzamlo)
        - small fixes
-Matthew Gyurgyik (https://github.com/pyther)
-        - rpm spec and several fixes
 greigdp (https://github.com/greigdp)
        - add Spotify profile
 Mattias Wadman (https://github.com/wader)
@@ -150,12 +302,6 @@ sarneaud (https://github.com/sarneaud)
        - various enhancements and bug fixes
 Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
        - user namespace implementation
-Reiner Herrmann
-        - a number of build patches
-        - man page fixes
-        - Debian and Ubuntu integration
-        - clang-analyzer fixes
-        - Debian reproducible build
 sshirokov (http://sourceforge.net/u/yshirokov/profile/)
        - Patch to output "Reading profile" to stderr instead of stdout
 G4JC (http://sourceforge.net/u/gaming4jc/profile/)
diff --git a/README.md b/README.md
index 7f6f573b4..ad90639e2 100644
--- a/README.md
+++ b/README.md
@@ -31,255 +31,26 @@ Features: https://firejail.wordpress.com/features-3/
 Documentation: https://firejail.wordpress.com/documentation-2/
 FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
-`````
 `````
-# Current development version: 0.9.40-rc2
-Version 0.9.40-rc1 released!
-## X11 sandboxing support
-X11 support is built around Xpra (http://xpra.org/) or Xephyr.
 `````
-       --x11  Start a new X11 server using Xpra or Xephyr and attach the sand‐
+## User submitted profile repositories
-              box to this server.  The regular X11 server (display 0)  is  not
-              visible  in  the sandbox. This prevents screenshot and keylogger
-              applications started in the sandbox  from  accessing  other  X11
-              displays.  A network namespace needs to be instantiated in order
-              to deny access to X11 abstract Unix domain socket.
-              Firejail will try first Xpra, and if Xpra is  not  installed  on
-              the  system,  it  will  try to find Xephyr.  This feature is not
-              available when running as root.
-              Example:
-              $ firejail --x11 --net=eth0 firefox
-       --x11=xpra
-              Start a new X11 server using Xpra (http://xpra.org)  and  attach
-              the sandbox to this server.  Xpra is a persistent remote display
-              server and client for forwarding X11  applications  and  desktop
-              screens.  On Debian platforms Xpra is installed with the command
-              sudo apt-get install xpra.  This feature is not  available  when
-              running as root.
-              Example:
-              $ firejail --x11 --net=eth0 firefox
-       --x11=xephyr
-              Start  a  new  X11 server using Xephyr and attach the sandbox to
-              this server.  Xephyr is a display server  implementing  the  X11
-              display  server protocol.  It runs in a window just like other X
-              applications, but it is an X server itself in which you can  run
-              other software.  The default Xephyr window size is 800x600. This
-              can be modified in /etc/firejail/firejail.config file, see man 5
-              firejail-config for more details.
-              The  recommended way to use this feature is to run a window man‐
-              ager inside the sandbox.  A security profile for OpenBox is pro‐
-              vided.  On Debian platforms Xephyr is installed with the command
-              sudo apt-get install xserver-xephyr.  This feature is not avail‐
-              able when running as root.
-              Example:
-              $ firejail --x11 --net=eth0 openbox
-`````
-More information here: https://firejail.wordpress.com/documentation-2/x11-guide/
-## File transfers
-`````
-FILE TRANSFER
-       These features allow the user to inspect the filesystem container of an
-       existing sandbox and transfer files from  the  container  to  the  host
-       filesystem.
-       --get=name filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent working directory.  The  container  is  specified  by  name
-              (--name option). Full path is needed for filename.
-       --get=pid filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent working directory.  The container is specified  by  process
-              ID. Full path is needed for filename.
-       --ls=name dir_or_filename
-              List  container  files.   The  container  is  specified  by name
-              (--name option).  Full path is needed for dir_or_filename.
-       --ls=pid dir_or_filename
+If you keep your Firejail profiles in a public repository, please give us a link:
-              List container files.  The container is specified by process ID.
-              Full path is needed for dir_or_filename.
-       Examples:
+* https://github.com/chiraag-nataraj/firejail-profiles
-              $ firejail --name=mybrowser --private firefox
+* https://github.com/triceratops1/fe
-              $ firejail --ls=mybrowser ~/Downloads
+Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
-              drwxr-xr-x netblue  netblue         4096 .
-              drwxr-xr-x netblue  netblue         4096 ..
-              -rw-r--r-- netblue  netblue         7847 x11-x305.png
-              -rw-r--r-- netblue  netblue         6800 x11-x642.png
-              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
-              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
 `````
-## Firecfg
 `````
-NAME
+# Current development version: 0.9.45
-       Firecfg - Desktop configuration program for Firejail software.
-SYNOPSIS
-       firecfg [OPTIONS]
-DESCRIPTION
-       Firecfg is the desktop configuration utility for Firejail software. The
-       utility creates several symbolic links  to  firejail  executable.  This
-       allows the user to sandbox applications automatically, just by clicking
-       on a regular desktop menus and icons.
-       The symbolic links are placed in /usr/local/bin. For more  information,
-       see DESKTOP INTEGRATION section in man 1 firejail.
-OPTIONS
-       --clear
-              Clear all firejail symbolic links
-       -?, --help
-              Print options end exit.
-       --list List all firejail symbolic links
-       --version
-              Print program version and exit.
-       Example:
-       $ sudo firecfg
-       /usr/local/bin/firefox created
-       /usr/local/bin/vlc created
-       [...]
-       $ firecfg --list
-       /usr/local/bin/firefox
-       /usr/local/bin/vlc
-       [...]
-       $ sudo firecfg --clear
-       /usr/local/bin/firefox removed
-       /usr/local/bin/vlc removed
-       [...]
 `````
-## Compile time and run time configuration support
-Most Linux kernel security features require root privileges during configuration.
-The same is true for kernel networking features. Firejail (SUID binary) opens the 
-access to these features to regular users. The privilege escalation is restricted 
-to the sandbox being configured, and is not extended to the rest of the system. 
-This arrangement works fine for user desktops or servers where the access is already limited.
-If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time,
-or at run time by editing /etc/firejail/firejail.config file.
-The following features can be enabled or disabled:
 `````
-       bind   Enable or disable bind support, default enabled.
+## New Profiles
+xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque
-       chroot Enable or disable chroot support, default enabled.
-       file-transfer
-              Enable or disable file transfer support, default enabled.
-       network
-              Enable or disable networking features, default enabled.
-       restricted-network
-              Enable  or disable restricted network support, default disabled.
-              If enabled, networking features should also be enabled  (network
-              yes).   Restricted  networking  grants access to --interface and
-              --net=ethXXX only to root user. Regular users are  only  allowed
-              --net=none.
-       secomp Enable or disable seccomp support, default enabled.
-       userns Enable or disable user namespace support, default enabled.
-       x11    Enable or disable X11 sandboxing support, default enabled.
-       xephyr-screen
-              Screen    size    for   --x11=xephyr,   default   800x600.   Run
-              /usr/bin/xrandr for a full list of resolutions available on your
-              specific setup. Examples:
-              xephyr-screen 640x480
-              xephyr-screen 800x600
-              xephyr-screen 1024x768
-              xephyr-screen 1280x1024
-`````
-## Default seccomp filter update
-Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
-## STUN/WebRTC disabled in default netfilter configuration
-The  current netfilter configuration (--netfilter option) looks like this:
-`````
-             *filter
-              :INPUT DROP [0:0]
-              :FORWARD DROP [0:0]
-              :OUTPUT ACCEPT [0:0]
-              -A INPUT -i lo -j ACCEPT
-              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-              # allow ping
-              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-              # drop STUN (WebRTC) requests
-              -A OUTPUT -p udp --dport 3478 -j DROP
-              -A OUTPUT -p udp --dport 3479 -j DROP
-              -A OUTPUT -p tcp --dport 3478 -j DROP
-              -A OUTPUT -p tcp --dport 3479 -j DROP
-              COMMIT
-`````
-The filter is loaded by default for Firefox if a network namespace is configured:
-`````
-$ firejail --net=eth0 firefox
-`````
-## Set sandbox nice value
-`````
-      --nice=value
-              Set nice value for all processes running inside the sandbox.
-              Example:
-              $ firejail --nice=-5 firefox
-`````
-## mkdir
-`````
-$ man firejail-profile
-[...]
-       mkdir directory
-              Create   a   directory  in  user  home.  Use  this  command  for
-              whitelisted directories you need to preserve when the sandbox is
-              closed.  Subdirectories  also  need  to  be created using mkdir.
-              Example from firefox profile:
-              mkdir ~/.mozilla
-              whitelist ~/.mozilla
-              mkdir ~/.cache
-              mkdir ~/.cache/mozilla
-              mkdir ~/.cache/mozilla/firefox
-              whitelist ~/.cache/mozilla/firefox
-[...]
-`````
-## New security profiles
-lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
-OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad
diff --git a/RELNOTES b/RELNOTES
index fbd620408..e726674ec 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,12 +1,102 @@
-firejail (0.9.40-rc1) baseline; urgency=low
+firejail (0.9.45) baseline; urgency=low
+  * development version, work in progress
+  * security: overwrite /etc/resolv.conf found by Martin Carpenter
+  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: invalid environment exploit found by Martin Carpenter
+  * security: split most of networking code in a separate executable
+  * security: split seccomp filter code configuration in a separate executable
+  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
+  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
+  * new profiles: mumble, zoom, Guayadeque
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
+firejail (0.9.44) baseline; urgency=low
+  * CVE-2016-7545 submitted by Aleksey Manevich
+  * modifs: removed man firejail-config
+  * modifs: --private-tmp whitelists /tmp/.X11-unix directory
+  * modifs: Nvidia drivers added to --private-dev
+  * modifs: /srv supported by --whitelist
+  * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
+  * feature: support starting/joining sandbox is a single command
+    (--join-or-start)
+  * feature: X11 detection support for --audit
+  * feature: assign a name to the interface connected to the bridge 
+    (--veth-name)
+  * feature: all user home directories are visible (--allusers)
+  * feature: add files to sandbox container (--put)
+  * feature: blocking x11 (--x11=block)
+  * feature: X11 security extension (--x11=xorg)
+  * feature: disable 3D hardware acceleration (--no3d)
+  * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
+  * feature: move files in sandbox (--put)
+  * feature: accept wildcard patterns in user  name field of restricted
+    shell login feature
+  * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
+  * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
+  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
+  * new profiles: Flowblade, Eye of GNOME (eog), Evolution
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Fri, 21 Oct 2016 08:00:00 -0500
+firejail (0.9.42) baseline; urgency=low
+  * security: --whitelist deleted files, submitted by Vasya Novikov
+  * security: disable x32 ABI in seccomp, submitted by Jann Horn
+  * security: tighten --chroot, submitted by Jann Horn
+  * security: terminal sandbox escape, submitted by Stephan Sokolow
+  * security: several TOCTOU fixes submitted by Aleksey Manevich
+  * modifs: bringing back --private-home option
+  * modifs: deprecated --user option, please use "sudo -u username firejail"
+  * modifs: allow symlinks in home directory for --whitelist option
+  * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
+  * modifs: recursive mkdir
+  * modifs: include /dev/snd in --private-dev
+  * modifs: seccomp filter update
+  * modifs: release archives moved to .xz format
+  * feature: AppImage support (--appimage)
+  * feature: AppArmor support (--apparmor)
+  * feature: Ubuntu snap support (/etc/firejail/snap.profile)
+  * feature: Sandbox auditing support (--audit)
+  * feature: remove environment variable (--rmenv)
+  * feature: noexec support (--noexec)
+  * feature: clean local overlay storage directory (--overlay-clean)
+  * feature: store and reuse overlay (--overlay-named)
+  * feature: allow debugging inside the sandbox with gdb and strace
+         (--allow-debuggers)
+  * feature: mkfile profile command
+  * feature: quiet profile command
+  * feature: x11 profile command
+  * feature: option to fix desktop files (firecfg --fix)
+  * compile time: Busybox support (--enable-busybox-workaround)
+  * compile time: disable overlayfs (--disable-overlayfs)
+  * compile time: disable whitlisting (--disable-whitelist)
+  * compile time: disable global config (--disable-globalcfg)
+  * run time: enable/disable overlayfs (overlayfs yes/no)
+  * run time: enable/disable  quiet as default (quiet-by-default yes/no)
+  * run time: user-defined network filter (netfilter-default)
+  * run time: enable/disable whitelisting (whitelist yes/no)
+  * run time: enable/disable remounting of /proc and /sys
+          (remount-proc-sys yes/no)
+  * run time: enable/disable chroot desktop features (chroot-desktop yes/no)
+  * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
+  * profiles: pix, audacity, xz, xzdec, gzip, cpio, less
+  * profiles: Atom Beta, Atom, jitsi, eom, uudeview
+  * profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
+  * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Thu, 8 Sept 2016 08:00:00 -0500
+firejail (0.9.40) baseline; urgency=low
  * added --nice option
  * added --x11 option
  * added --x11=xpra option
  * added --x11=xephyr option
  * added --cpu.print option
  * added filetransfer options --ls and --get
+  * added --writable-etc and --writable-var options
+  * added --read-only option
  * added mkdir, ipc-namespace, and nosound profile commands
-  * added net iface, and iprange profile commands
+  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
  * --version also prints compile options
  * --output option also redirects stderr
  * added compile-time option to restrict --net= to root only
@@ -18,10 +108,16 @@ firejail (0.9.40-rc1) baseline; urgency=low
  * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
  * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
  * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
-  * new profiles: PaleMoon, Icedove, abrowser, 0ad
+  * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
+  * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
+  * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
+  * new profiles: generic Ubuntu snap application profile, xplayer
+  * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
+  * new profiles: Brave, Gitter
+  * generic.profile renamed default.profile
  * build rpm packages using "make rpms"
  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sun, 3 Apr 2016 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sun, 29 May 2016 08:00:00 -0500
 firejail (0.9.38) baseline; urgency=low
  * IPv6 support (--ip6 and --netfilter6)
diff --git a/configure b/configure
index 73a5c89e6..0aefb5c62 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc2.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.45.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.40-rc2'
+PACKAGE_VERSION='0.9.45'
-PACKAGE_STRING='firejail 0.9.40-rc2'
+PACKAGE_STRING='firejail 0.9.45'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
@@ -625,17 +625,25 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 HAVE_SECCOMP_H
-EGREP
+HAVE_GCOV
-GREP
+BUSYBOX_WORKAROUND
-CPP
 HAVE_FATAL_WARNINGS
+HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
 HAVE_NETWORK
+HAVE_GLOBALCFG
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
+HAVE_PRIVATE_HOME
+HAVE_OVERLAYFS
+EXTRA_LDFLAGS
+EGREP
+GREP
+CPP
+HAVE_APPARMOR
 RANLIB
 INSTALL_DATA
 INSTALL_SCRIPT
@@ -688,14 +696,21 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
+enable_apparmor
+enable_overlayfs
+enable_private_home
 enable_seccomp
 enable_chroot
 enable_bind
+enable_globalcfg
 enable_network
 enable_userns
 enable_x11
 enable_file_transfer
+enable_whitelist
 enable_fatal_warnings
+enable_busybox_workaround
+enable_gcov
 '
      ac_precious_vars='build_alias
 host_alias
@@ -1246,7 +1261,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.40-rc2 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.45 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1307,7 +1322,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.40-rc2:";;
+     short | recursive ) echo "Configuration of firejail 0.9.45:";;
   esac
  cat <<\_ACEOF
@@ -1315,16 +1330,25 @@ Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-apparmor       enable apparmor
+  --disable-overlayfs     disable overlayfs
+  --disable-private-home  disable private home feature
  --disable-seccomp       disable seccomp
  --disable-chroot        disable chroot
  --disable-bind          disable bind
+  --disable-globalcfg     if the global config file firejail.cfg is not
+                          present, continue the program using defaults
  --disable-network       disable network
  --enable-network=restricted
                          restrict --net= to root only
  --disable-userns        disable user namespace
  --disable-x11           disable X11 sandboxing support
  --disable-file-transfer disable file transfer
+  --disable-whitelist     disable whitelist
  --enable-fatal-warnings -W -Wall -Werror
+  --enable-busybox-workaround
+                          enable busybox workaround
+  --enable-gcov           Gcov instrumentation
 Some influential environment variables:
  CC          C compiler command
@@ -1403,7 +1427,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.40-rc2
+firejail configure 0.9.45
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1455,52 +1479,6 @@ fi
 } # ac_fn_c_try_compile
-# ac_fn_c_try_link LINENO
-# -----------------------
-# Try to link conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_link ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  rm -f conftest.$ac_objext conftest$ac_exeext
-  if { { ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_link") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-         test "$cross_compiling" = yes ||
-         test -x conftest$ac_exeext
-       }; then :
-  ac_retval=0
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-        ac_retval=1
-fi
-  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-  # interfere with the next link command; also delete a directory that is
-  # left behind by Apple's compiler.  We do this before executing the actions.
-  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-  as_fn_set_status $ac_retval
-} # ac_fn_c_try_link
 # ac_fn_c_try_cpp LINENO
 # ----------------------
 # Try to preprocess conftest.$ac_ext, and return whether this succeeded.
@@ -1701,11 +1679,57 @@ $as_echo "$ac_res" >&6; }
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 } # ac_fn_c_check_header_compile
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext conftest$ac_exeext
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+         test "$cross_compiling" = yes ||
+         test -x conftest$ac_exeext
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+        ac_retval=1
+fi
+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+  # interfere with the next link command; also delete a directory that is
+  # left behind by Apple's compiler.  We do this before executing the actions.
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+} # ac_fn_c_try_link
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.40-rc2, which was
+It was created by firejail $as_me 0.9.45, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -3062,164 +3086,20 @@ else
 fi
-HAVE_SECCOMP=""
+HAVE_APPARMOR=""
-# Check whether --enable-seccomp was given.
+# Check whether --enable-apparmor was given.
-if test "${enable_seccomp+set}" = set; then :
+if test "${enable_apparmor+set}" = set; then :
-  enableval=$enable_seccomp;
+  enableval=$enable_apparmor;
-fi
-if test "x$enable_seccomp" != "xno"; then :
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-fi
-HAVE_CHROOT=""
-# Check whether --enable-chroot was given.
-if test "${enable_chroot+set}" = set; then :
-  enableval=$enable_chroot;
-fi
-if test "x$enable_chroot" != "xno"; then :
-        HAVE_CHROOT="-DHAVE_CHROOT"
-fi
-HAVE_BIND=""
-# Check whether --enable-bind was given.
-if test "${enable_bind+set}" = set; then :
-  enableval=$enable_bind;
-fi
-if test "x$enable_bind" != "xno"; then :
-        HAVE_BIND="-DHAVE_BIND"
-fi
-HAVE_NETWORK=""
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-if test "x$enable_network" != "xno"; then :
-        HAVE_NETWORK="-DHAVE_NETWORK"
-        if test "x$enable_network" = "xrestricted"; then :
-               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-fi
-fi
-HAVE_USERNS=""
-# Check whether --enable-userns was given.
-if test "${enable_userns+set}" = set; then :
-  enableval=$enable_userns;
-fi
-if test "x$enable_userns" != "xno"; then :
-        HAVE_USERNS="-DHAVE_USERNS"
-fi
-HAVE_X11=""
-# Check whether --enable-x11 was given.
-if test "${enable_x11+set}" = set; then :
-  enableval=$enable_x11;
-fi
-if test "x$enable_x11" != "xno"; then :
-        HAVE_X11="-DHAVE_X11"
-fi
-HAVE_FILE_TRANSFER=""
-# Check whether --enable-file-transfer was given.
-if test "${enable_file_transfer+set}" = set; then :
-  enableval=$enable_file_transfer;
-fi
-if test "x$enable_file_transfer" != "xno"; then :
-        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
-fi
-HAVE_FATAL_WARNINGS=""
-# Check whether --enable-fatal_warnings was given.
-if test "${enable_fatal_warnings+set}" = set; then :
-  enableval=$enable_fatal_warnings;
 fi
-if test "x$enable_fatal_warnings" = "xyes"; then :
+if test "x$enable_apparmor" = "xyes"; then :
-        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
+        HAVE_APPARMOR="-DHAVE_APPARMOR"
 fi
-# checking pthread library
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
-$as_echo_n "checking for main in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_main=yes
-else
-  ac_cv_lib_pthread_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
-$as_echo "$ac_cv_lib_pthread_main" >&6; }
-if test "x$ac_cv_lib_pthread_main" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-  LIBS="-lpthread $LIBS"
-else
-  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
-fi
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -3617,6 +3497,263 @@ fi
 done
+if test "x$enable_apparmor" = "xyes"; then :
+        ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_apparmor_h" = xyes; then :
+else
+  as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5
+fi
+fi
+if test "x$enable_apparmor" = "xyes"; then :
+        EXTRA_LDFLAGS+="-lapparmor "
+fi
+HAVE_OVERLAYFS=""
+# Check whether --enable-overlayfs was given.
+if test "${enable_overlayfs+set}" = set; then :
+  enableval=$enable_overlayfs;
+fi
+if test "x$enable_overlayfs" != "xno"; then :
+        HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+fi
+HAVE_PRIVATEHOME=""
+# Check whether --enable-private-home was given.
+if test "${enable_private_home+set}" = set; then :
+  enableval=$enable_private_home;
+fi
+if test "x$enable_private_home" != "xno"; then :
+        HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
+fi
+HAVE_SECCOMP=""
+# Check whether --enable-seccomp was given.
+if test "${enable_seccomp+set}" = set; then :
+  enableval=$enable_seccomp;
+fi
+if test "x$enable_seccomp" != "xno"; then :
+        HAVE_SECCOMP="-DHAVE_SECCOMP"
+fi
+HAVE_CHROOT=""
+# Check whether --enable-chroot was given.
+if test "${enable_chroot+set}" = set; then :
+  enableval=$enable_chroot;
+fi
+if test "x$enable_chroot" != "xno"; then :
+        HAVE_CHROOT="-DHAVE_CHROOT"
+fi
+HAVE_BIND=""
+# Check whether --enable-bind was given.
+if test "${enable_bind+set}" = set; then :
+  enableval=$enable_bind;
+fi
+if test "x$enable_bind" != "xno"; then :
+        HAVE_BIND="-DHAVE_BIND"
+fi
+HAVE_GLOBALCFG=""
+# Check whether --enable-globalcfg was given.
+if test "${enable_globalcfg+set}" = set; then :
+  enableval=$enable_globalcfg;
+fi
+if test "x$enable_globalcfg" != "xno"; then :
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+fi
+HAVE_NETWORK=""
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+if test "x$enable_network" != "xno"; then :
+        HAVE_NETWORK="-DHAVE_NETWORK"
+        if test "x$enable_network" = "xrestricted"; then :
+               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
+fi
+fi
+HAVE_USERNS=""
+# Check whether --enable-userns was given.
+if test "${enable_userns+set}" = set; then :
+  enableval=$enable_userns;
+fi
+if test "x$enable_userns" != "xno"; then :
+        HAVE_USERNS="-DHAVE_USERNS"
+fi
+HAVE_X11=""
+# Check whether --enable-x11 was given.
+if test "${enable_x11+set}" = set; then :
+  enableval=$enable_x11;
+fi
+if test "x$enable_x11" != "xno"; then :
+        HAVE_X11="-DHAVE_X11"
+fi
+HAVE_FILE_TRANSFER=""
+# Check whether --enable-file-transfer was given.
+if test "${enable_file_transfer+set}" = set; then :
+  enableval=$enable_file_transfer;
+fi
+if test "x$enable_file_transfer" != "xno"; then :
+        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
+fi
+HAVE_WHITELIST=""
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+  enableval=$enable_whitelist;
+fi
+if test "x$enable_whitelist" != "xno"; then :
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+fi
+HAVE_FATAL_WARNINGS=""
+# Check whether --enable-fatal_warnings was given.
+if test "${enable_fatal_warnings+set}" = set; then :
+  enableval=$enable_fatal_warnings;
+fi
+if test "x$enable_fatal_warnings" = "xyes"; then :
+        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
+fi
+BUSYBOX_WORKAROUND="no"
+# Check whether --enable-busybox-workaround was given.
+if test "${enable_busybox_workaround+set}" = set; then :
+  enableval=$enable_busybox_workaround;
+fi
+if test "x$enable_busybox_workaround" = "xyes"; then :
+        BUSYBOX_WORKAROUND="yes"
+fi
+HAVE_GCOV=""
+# Check whether --enable-gcov was given.
+if test "${enable_gcov+set}" = set; then :
+  enableval=$enable_gcov;
+fi
+if test "x$enable_gcov" = "xyes"; then :
+        HAVE_GCOV="--coverage -DHAVE_GCOV "
+        EXTRA_LDFLAGS+="-lgcov --coverage "
+fi
+# checking pthread library
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
+$as_echo_n "checking for main in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread_main=yes
+else
+  ac_cv_lib_pthread_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
+$as_echo "$ac_cv_lib_pthread_main" >&6; }
+if test "x$ac_cv_lib_pthread_main" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+  LIBS="-lpthread $LIBS"
+else
+  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
+fi
 ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default"
 if test "x$ac_cv_header_pthread_h" = xyes; then :
@@ -3640,7 +3777,7 @@ if test "$prefix" = /usr; then
        sysconfdir="/etc"
 fi
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4184,7 +4321,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.40-rc2, which was
+This file was extended by firejail $as_me 0.9.45, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4238,7 +4375,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.40-rc2
+firejail config.status 0.9.45
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
@@ -4351,12 +4488,16 @@ do
  case $ac_config_target in
    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
    "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
+    "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
    "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
    "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
    "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
    "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
    "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
    "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
+    "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
+    "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;;
+    "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
@@ -4818,13 +4959,22 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   apparmor: $HAVE_APPARMOR"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
+echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
+echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   busybox workaround: $BUSYBOX_WORKAROUND"
+echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
+echo "   Gcov instrumentation: $HAVE_GCOV"
 echo
diff --git a/configure.ac b/configure.ac
index a4486b3ff..74ba09f43 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.40-rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.45, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
@@ -9,6 +9,39 @@ AC_PROG_CC
 AC_PROG_INSTALL
 AC_PROG_RANLIB
+HAVE_APPARMOR=""
+AC_ARG_ENABLE([apparmor],
+    AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        HAVE_APPARMOR="-DHAVE_APPARMOR"
+        AC_SUBST(HAVE_APPARMOR)
+])
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR(
+        [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )])
+])
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        EXTRA_LDFLAGS+="-lapparmor "
+])
+AC_SUBST([EXTRA_LDFLAGS])
+HAVE_OVERLAYFS=""
+AC_ARG_ENABLE([overlayfs],
+    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+AS_IF([test "x$enable_overlayfs" != "xno"], [
+        HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+        AC_SUBST(HAVE_OVERLAYFS)
+])
+HAVE_PRIVATEHOME=""
+AC_ARG_ENABLE([private-home],
+    AS_HELP_STRING([--disable-private-home], [disable private home feature]))
+AS_IF([test "x$enable_private_home" != "xno"], [
+        HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
+        AC_SUBST(HAVE_PRIVATE_HOME)
+])
 HAVE_SECCOMP=""
 AC_ARG_ENABLE([seccomp],
    AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
@@ -33,6 +66,14 @@ AS_IF([test "x$enable_bind" != "xno"], [
        AC_SUBST(HAVE_BIND)
 ])
+HAVE_GLOBALCFG=""
+AC_ARG_ENABLE([globalcfg],
+    AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+AS_IF([test "x$enable_globalcfg" != "xno"], [
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+        AC_SUBST(HAVE_GLOBALCFG)
+])
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
    AS_HELP_STRING([--disable-network], [disable network]))
@@ -70,6 +111,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
        AC_SUBST(HAVE_FILE_TRANSFER)
 ])
+HAVE_WHITELIST=""
+AC_ARG_ENABLE([whitelist],
+    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
+AS_IF([test "x$enable_whitelist" != "xno"], [
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+        AC_SUBST(HAVE_WHITELIST)
+])
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
    AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -78,6 +127,25 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
        AC_SUBST(HAVE_FATAL_WARNINGS)
 ])
+BUSYBOX_WORKAROUND="no"
+AC_ARG_ENABLE([busybox-workaround],
+    AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround]))
+AS_IF([test "x$enable_busybox_workaround" = "xyes"], [
+        BUSYBOX_WORKAROUND="yes"
+        AC_SUBST(BUSYBOX_WORKAROUND)
+])
+HAVE_GCOV=""
+AC_ARG_ENABLE([gcov],
+    AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
+AS_IF([test "x$enable_gcov" = "xyes"], [
+        HAVE_GCOV="--coverage -DHAVE_GCOV "
+        EXTRA_LDFLAGS+="-lgcov --coverage "
+        AC_SUBST(HAVE_GCOV)
+])
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -90,7 +158,8 @@ if test "$prefix" = /usr; then
        sysconfdir="/etc"
 fi
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile \
+src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile)
 echo
 echo "Configuration options:"
@@ -98,13 +167,22 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   apparmor: $HAVE_APPARMOR"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
+echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
+echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   busybox workaround: $BUSYBOX_WORKAROUND"
+echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
+echo "   Gcov instrumentation: $HAVE_GCOV"
 echo
diff --git a/etc/0ad.profile b/etc/0ad.profile
index f8a3ce23d..1e7c06879 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,30 +1,31 @@
 # Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# Call these options
-caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
-noroot
 # Whitelists
-noblacklist ~/.cache/0ad
-mkdir ~/.cache
 mkdir ~/.cache/0ad
 whitelist ~/.cache/0ad
-mkdir ~/.config
 mkdir ~/.config/0ad
 whitelist ~/.config/0ad
-noblacklist ~/.local/share/0ad
-mkdir ~/.local
-mkdir ~/.local/share
 mkdir ~/.local/share/0ad
 whitelist ~/.local/share/0ad
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-dev
+private-tmp
diff --git a/etc/7z.profile b/etc/7z.profile
new file mode 100644
index 000000000..0cb72ff8d
--- /dev/null
+++ b/etc/7z.profile
@@ -0,0 +1,9 @@
+# 7zip crompression tool profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+nosound
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
new file mode 100644
index 000000000..1f74606ce
--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+include /etc/firejail/cyberfox.profile
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 05131df43..e719f070f 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -15,5 +15,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
 noroot
+seccomp
diff --git a/etc/Telegram.profile b/etc/Telegram.profile
new file mode 100644
index 000000000..2e0f97821
--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile
diff --git a/etc/Wire.profile b/etc/Wire.profile
new file mode 100644
index 000000000..bd9645c7f
--- /dev/null
+++ b/etc/Wire.profile
@@ -0,0 +1,3 @@
+# wire messenger profile
+include /etc/firejail/wire.profile
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 949635258..4aa18aa90 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -7,17 +7,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/abrowser
 whitelist ~/.cache/mozilla/abrowser
 whitelist ~/dwhelper
@@ -40,13 +39,12 @@ whitelist ~/.config/lastpass
 #silverlight
-whitelist ~/.wine-pipelight 
+whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64 
+whitelist ~/.wine-pipelight64
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
new file mode 100644
index 000000000..fa0b316bb
--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/atom.profile b/etc/atom.profile
new file mode 100644
index 000000000..61930d5c1
--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/atril.profile b/etc/atril.profile
index e078c1d20..fbcca0c1b 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,12 +1,21 @@
 # Atril profile
+noblacklist ~/.config/atril
+noblacklist ~/.local/share
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nogroups
-protocol unix,inet,inet6
+nonewprivs
-netfilter
 noroot
+nosound
+protocol unix
+seccomp
+shell none
 tracelog
+private-bin atril, atril-previewer, atril-thumbnailer
+private-dev
+private-tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 290faa260..e5275213c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/audacity.profile b/etc/audacity.profile
new file mode 100644
index 000000000..827fa4301
--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,21 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin audacity
+private-dev
+private-tmp
diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..fa8654f1e
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin aweather
+private-dev
+private-tmp
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index fb84c260a..87d2e843a 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -4,8 +4,11 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
-protocol unix,inet,inet6
+netfilter
+nonewprivs
 private
 private-dev
+protocol unix,inet,inet6
 seccomp
-netfilter
+nosound
+read-write /var/lib/bitlbee
diff --git a/etc/brave.profile b/etc/brave.profile
new file mode 100644
index 000000000..4fc3a5bb0
--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,18 @@
+# Profile for Brave browser
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+whitelist ${DOWNLOADS}
+mkdir ~/.config/brave
+whitelist ~/.config/brave
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 7bcc61e98..139dec8ec 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,22 +1,18 @@
 # cherrytree note taking application
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python3*
+noblacklist ${HOME}/.config/cherrytree
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-whitelist ${HOME}/cherrytree
-mkdir ~/.config
-mkdir ~/.config/cherrytree
-whitelist ${HOME}/.config/cherrytree/
-mkdir ~/.local
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nogroups
+nonewprivs
 noroot
-include /etc/firejail/whitelist-common.inc
 nosound
+seccomp
+protocol unix,inet,inet6,netlink
+tracelog
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7cf2853ca..4109af9a4 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/chromium
 whitelist ~/.config/chromium
-mkdir ~/.cache
 mkdir ~/.cache/chromium
 whitelist ~/.cache/chromium
 mkdir ~/.pki
@@ -27,4 +25,7 @@ whitelist ~/keepassx.kdbx
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
new file mode 100644
index 000000000..1b6d2f645
--- /dev/null
+++ b/etc/claws-mail.profile
@@ -0,0 +1,24 @@
+# claws-mail profile
+noblacklist ~/.claws-mail
+noblacklist ~/.signature
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/clementine.profile b/etc/clementine.profile
index c6271e6e3..5ce085358 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 72b43a70f..2e2a6940c 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -7,10 +7,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 private-bin cmus
 private-etc group
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 007eef663..e82eeec4c 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -4,10 +4,11 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 whitelist ~/.conkeror.mozdev.org
 whitelist ~/Downloads
diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..077ae30d0
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/cpio.profile b/etc/cpio.profile
new file mode 100644
index 000000000..519bd244c
--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,21 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified 
+quiet
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+private-dev
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
new file mode 100644
index 000000000..ae487fa3c
--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 2810e5323..04abd0a92 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/generic.profile b/etc/default.profile
index f2c7d4114..a2de72695 100644
--- a/etc/generic.profile
+++ b/etc/default.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
 #blacklist ${HOME}/.wine
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 4043f58f5..c6ddec3ec 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,4 @@
-# deluge bittorernt client profile
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 # deluge is using python on Debian
@@ -6,8 +6,15 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin deluge,sh,python,uname
+private-dev
+private-tmp
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 49c33fb7a..2ddd363cb 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -7,11 +7,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.dillo
@@ -20,6 +21,3 @@ mkdir ~/.fltk
 whitelist ~/.fltk
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b1133f28f..0dad8b385 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,6 +1,7 @@
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.bash_history
 blacklist ${HOME}/.local/share/systemd
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
@@ -14,21 +15,34 @@ blacklist /etc/xdg/autostart
 blacklist ${HOME}/.kde4/Autostart
 blacklist ${HOME}/.kde4/share/autostart
 blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
 blacklist ${HOME}/.config/plasma-workspace/shutdown
 blacklist ${HOME}/.config/plasma-workspace/env
 blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
+blacklist ${HOME}/.xpra
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
+blacklist /var/mail
 blacklist /var/run/acpid.socket
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/rpcbind.sock
@@ -39,7 +53,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/run/docker.sock
 # etc
-blacklist /etc/cron.*
+blacklist /etc/cron*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
@@ -50,11 +64,15 @@ read-only ${HOME}/.xserverrc
 read-only ${HOME}/.profile
 # Shell startup files
+read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zprofile
 read-only ${HOME}/.zlogout
@@ -62,8 +80,12 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
 # Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
@@ -73,10 +95,11 @@ read-only ${HOME}/.gvimrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
-read-only ${HOME}/.muttrc
+read-only ${HOME}/.reportbugrc
-read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
@@ -84,16 +107,25 @@ read-only ${HOME}/.xscreensaver
 read-only ${HOME}/bin
 # top secret
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
@@ -106,11 +138,19 @@ blacklist /etc/shadow+
 blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
+blacklist /home/.ecryptfs
+# system directories    
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
 # system management
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
 blacklist ${PATH}/fusermount
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/at
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
 blacklist ${PATH}/xinput
@@ -119,17 +159,45 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/procmail
-# system directories    
+# other SUID binaries
-blacklist /sbin
+blacklist /usr/lib/virtualbox
-blacklist /usr/sbin
-blacklist /usr/local/sbin
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
-# disable terminals running as server
+# disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index fa77ed8d1..2ac367f37 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -2,20 +2,32 @@
 # GCC
 blacklist /usr/include
+#blacklist /usr/lib/gcc - seems to create problems on Gentoo
 blacklist /usr/bin/gcc*
 blacklist /usr/bin/cpp*
 blacklist /usr/bin/c9*
 blacklist /usr/bin/c8*
 blacklist /usr/bin/c++*
+blacklist /usr/bin/as
 blacklist /usr/bin/ld
 blacklist /usr/bin/gdb
+blacklist /usr/bin/g++*
+blacklist /usr/bin/x86_64-linux-gnu-g++*
+blacklist /usr/bin/x86_64-linux-gnu-gcc*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
 # clang/llvm
 blacklist /usr/bin/clang*
 blacklist /usr/bin/llvm*
-blacklist /usb/bin/lldb*
+blacklist /usr/bin/lldb*
 blacklist /usr/lib/llvm*
+# tcc - Tiny C Compiler
+blacklist /usr/bin/tcc
+blacklist /usr/bin/x86_64-tcc
+blacklist /usr/lib/tcc
 # Valgrind
 blacklist /usr/bin/valgrind*
 blacklist /usr/lib/valgrind
@@ -35,17 +47,17 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
 # Python 2
-blacklist /usr/bin/python2*
+#blacklist /usr/bin/python2*
-blacklist /usr/lib/python2*
+#blacklist /usr/lib/python2*
-blacklist /usr/local/lib/python2*
+#blacklist /usr/local/lib/python2*
-blacklist /usr/include/python2*
+#blacklist /usr/include/python2*
-blacklist /usr/share/python2*
+#blacklist /usr/share/python2*
+#
 # Python 3
-blacklist /usr/bin/python3*
+#blacklist /usr/bin/python3*
-blacklist /usr/lib/python3*
+#blacklist /usr/lib/python3*
-blacklist /usr/local/lib/python3*
+#blacklist /usr/local/lib/python3*
-blacklist /usr/share/python3*
+#blacklist /usr/share/python3*
-blacklist /usr/include/python3*
+#blacklist /usr/include/python3*
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index c1e68d1ec..6db9073ab 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -3,4 +3,5 @@ blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
 blacklist ${HOME}/.password-store
 blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
diff --git a/etc/display.profile b/etc/display.profile
new file mode 100644
index 000000000..ec041bff7
--- /dev/null
+++ b/etc/display.profile
@@ -0,0 +1,23 @@
+# display (ImageMagick tool) image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+x11 xorg
+private-bin display 
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index bd7e19dc2..926b8bfcc 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -8,5 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
+nosound
+no3d
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 474bc5aca..3bd43f144 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,9 +5,13 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
 caps
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 private
 private-dev
+nosound
+no3d
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
new file mode 100644
index 000000000..45fbb712a
--- /dev/null
+++ b/etc/dosbox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin dosbox
+private-dev
+private-tmp
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index a0a944dce..40efd62b2 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,9 +1,21 @@
 # dropbox profile
+noblacklist ~/.config/autostart
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
+mkdir ~/Dropbox
+whitelist ~/Dropbox
+mkdir ~/.dropbox
+whitelist ~/.dropbox
+mkdir ~/.dropbox-dist
+whitelist ~/.dropbox-dist
+mkfile ~/.config/autostart/dropbox.desktop
+whitelist ~/.config/autostart/dropbox.desktop
diff --git a/etc/emacs.profile b/etc/emacs.profile
new file mode 100644
index 000000000..cbdba7712
--- /dev/null
+++ b/etc/emacs.profile
@@ -0,0 +1,17 @@
+# emacs profile
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 789bdda08..371100814 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/eog.profile b/etc/eog.profile
new file mode 100644
index 000000000..68e950bd7
--- /dev/null
+++ b/etc/eog.profile
@@ -0,0 +1,23 @@
+# eog (gnome image viewer) profile
+noblacklist ~/.config/eog
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+private-bin eog
+private-dev
+private-etc fonts
+private-tmp
diff --git a/etc/eom.profile b/etc/eom.profile
new file mode 100644
index 000000000..dfcea82c1
--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin eom
+private-dev
+private-tmp
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 95a673bf9..0e898f02b 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -8,19 +8,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 whitelist ${DOWNLOADS}
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/epiphany
 whitelist ${HOME}/.local/share/epiphany
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/epiphany
 whitelist ${HOME}/.config/epiphany
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/epiphany
 whitelist ${HOME}/.cache/epiphany
 include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/evince.profile b/etc/evince.profile
index c390dcaf3..cbb2083f4 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,7 +5,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+#net none - creates some problems on some distributions
+nogroups
+nonewprivs
 noroot
 nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin evince,evince-previewer,evince-thumbnailer
+private-dev
+private-etc fonts
+private-tmp
+\ No newline at end of file
diff --git a/etc/evolution.profile b/etc/evolution.profile
new file mode 100644
index 000000000..d63eeed74
--- /dev/null
+++ b/etc/evolution.profile
@@ -0,0 +1,26 @@
+# evolution profile
+noblacklist ~/.config/evolution
+noblacklist ~/.local/share/evolution
+noblacklist ~/.cache/evolution
+noblacklist ~/.pki
+noblacklist ~/.pki/nssdb
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index cfbae1c74..ec098d5fe 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin fbreader,FBReader
+private-dev
+private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
new file mode 100644
index 000000000..2812effc9
--- /dev/null
+++ b/etc/feh.profile
@@ -0,0 +1,21 @@
+# feh image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+private-bin feh
+private-dev
+private-etc feh
+private-tmp
+\ No newline at end of file
diff --git a/etc/file.profile b/etc/file.profile
new file mode 100644
index 000000000..199a97fad
--- /dev/null
+++ b/etc/file.profile
@@ -0,0 +1,17 @@
+# file profile
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+hostname file
+net none
+no3d
+nosound
+quiet
+shell none
+tracelog
+private-dev
+private-bin file
+private-etc magic.mgc,magic,localtime
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 8542de284..a40fceec1 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -7,8 +7,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+private-dev
+private-tmp
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
new file mode 100644
index 000000000..d2fde9a3f
--- /dev/null
+++ b/etc/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1ea94a2c7..6bb581f4f 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -2,22 +2,24 @@
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde/share/apps/okular
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/firefox
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
@@ -30,6 +32,9 @@ whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde/share/apps/okular
 # lastpass, keepassx
 whitelist ~/.keepassx
@@ -40,14 +45,15 @@ whitelist ~/.config/lastpass
 #silverlight
-whitelist ~/.wine-pipelight 
+whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64 
+whitelist ~/.wine-pipelight64
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 include /etc/firejail/whitelist-common.inc
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
diff --git a/etc/firejail-default b/etc/firejail-default
new file mode 100644
index 000000000..1b0eb7658
--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,154 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+profile firejail-default {
+##########
+# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# functionality.
+##########
+#dbus,
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
+/ r,
+/[^proc,^sys]** mrwlk,
+/{,var/}run/ r,
+/{,var/}run/** r,
+/{,var/}run/user/**/dconf/ rw,
+/{,var/}run/user/**/dconf/user rw,
+/{,var/}run/user/**/pulse/ rw,
+/{,var/}run/user/**/pulse/** rw,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
+/{run,dev}/shm/ r,
+/{run,dev}/shm/** rmwk,
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{PID}/ r,
+/proc/@{PID}/fd/ r,
+/proc/@{PID}/task/ r,
+/proc/@{PID}/cmdline r,
+/proc/@{PID}/comm r,
+/proc/@{PID}/stat r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/proc/sys/vm/overcommit_memory r,
+/proc/sys/vm/overcommit_ratio r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+/proc/@{PID}/maps r,
+/proc/@{PID}/mounts r,
+/proc/@{PID}/mountinfo r,
+/proc/@{PID}/oom_score_adj r,
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/ r,
+/opt/** r,
+/opt/** ix,
+#/home/** ix,
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal,
+##########
+# We let Firejail deal with capabilities.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+##########
+# We let Firejail deal with mount/umount functionality.
+##########
+mount,
+remount,
+umount,
+pivot_root,
+}
diff --git a/etc/firejail.config b/etc/firejail.config
index 41cd08e68..2ea767f37 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,24 +9,60 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled.
+# force-nonewprivs no
 # Enable or disable networking features, default enabled.
 # network yes
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+# Enable or disable private-home feature, default enabled
+# private-home yes
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
+# Restricted networking grants access to --interface, --net=ethXXX and
-# only to root user. Regular users are only allowed --net=none.
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 # Enable or disable user namespace support, default enabled.
 # userns yes
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
@@ -36,3 +72,10 @@
 # xephyr-screen 800x600
 # xephyr-screen 1024x768
 # xephyr-screen 1280x1024
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 94c672acf..7e0eb486b 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -15,16 +15,15 @@ include /etc/firejail/disable-programs.inc
 #
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/slimjet
 whitelist ~/.config/slimjet
-mkdir ~/.cache
 mkdir ~/.cache/slimjet
 whitelist ~/.cache/slimjet
 mkdir ~/.pki
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
new file mode 100644
index 000000000..12afdb0aa
--- /dev/null
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
+# FlowBlade profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/franz.profile b/etc/franz.profile
new file mode 100644
index 000000000..0b3be551b
--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,24 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+#tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/gajim.profile b/etc/gajim.profile
new file mode 100644
index 000000000..809378ef9
--- /dev/null
+++ b/etc/gajim.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Gajim
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.local/share/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/Downloads
+# Allow the local python 2.7 site packages, in case any plugins are using these
+mkdir ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.local/lib/python2.7/site-packages/
+read-only ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/Downloads
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin python2.7 gajim
+private-dev
diff --git a/etc/gimp.profile b/etc/gimp.profile
new file mode 100644
index 000000000..cb441fc9d
--- /dev/null
+++ b/etc/gimp.profile
@@ -0,0 +1,20 @@
+# gimp
+noblacklist ${HOME}/.gimp*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+noexec ${HOME}
+noexec /tmp
+private-dev
+private-tmp
diff --git a/etc/git.profile b/etc/git.profile
new file mode 100644
index 000000000..73122d347
--- /dev/null
+++ b/etc/git.profile
@@ -0,0 +1,27 @@
+# git profile
+noblacklist ~/.gitconfig
+noblacklist ~/.ssh
+noblacklist ~/.gnupg
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.viminfo
+noblacklist ~/.vim
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+quiet
+seccomp
+shell none
+private-dev
diff --git a/etc/gitter.profile b/etc/gitter.profile
new file mode 100644
index 000000000..f43f5f199
--- /dev/null
+++ b/etc/gitter.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin gitter
+private-dev
+private-tmp
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
new file mode 100644
index 000000000..297f7e6a9
--- /dev/null
+++ b/etc/gnome-chess.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gnome-chess
+noblacklist /.local/share/gnome-chess
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin fairymax,gnome-chess,hoichess
+private-dev
+private-etc fonts,gnome-chess
+private-tmp
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index ec3698ac8..1b0fc9807 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -5,6 +5,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nogroups
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin gnome-mplayer
+private-dev
+private-tmp
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 11f9f9e33..fe870274f 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-beta
 whitelist ~/.config/google-chrome-beta
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
 mkdir ~/.pki
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index f253e5a90..f6680ac2d 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome-unstable
 whitelist ~/.config/google-chrome-unstable
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
 mkdir ~/.pki
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 5e168aae5..a9fcebe73 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/google-chrome
 whitelist ~/.config/google-chrome
-mkdir ~/.cache
 mkdir ~/.cache/google-chrome
 whitelist ~/.cache/google-chrome
 mkdir ~/.pki
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..b4cf8d9ac
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..801304c18
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+whitelist ~/.config/Gpredict
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin gpredict
+private-etc fonts,resolv.conf
+private-dev
+private-tmp
diff --git a/etc/gtar.profile b/etc/gtar.profile
new file mode 100644
index 000000000..2f675cd9d
--- /dev/null
+++ b/etc/gtar.profile
@@ -0,0 +1,3 @@
+# gtar profile
+quiet
+include /etc/firejail/tar.profile
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
new file mode 100644
index 000000000..055d78935
--- /dev/null
+++ b/etc/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin gthumb
+private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..c866c9e63
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,22 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+private-dev
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
diff --git a/etc/gzip.profile b/etc/gzip.profile
new file mode 100644
index 000000000..d51b9a951
--- /dev/null
+++ b/etc/gzip.profile
@@ -0,0 +1,14 @@
+# gzip profile
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+net none
+no3d
+nosound
+quiet
+shell none
+tracelog
+private-dev
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 5ab7cfe72..7910b7eb0 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -7,11 +7,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+netfilter
+nogroups
+nonewprivs
 noroot
-private-dev
 seccomp
 tracelog
+private-dev
+private-tmp
 mkdir     ~/.hedgewars
 whitelist ~/.hedgewars
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 8f6fd6217..5cefe45b5 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,10 +1,28 @@
 # HexChat instant messaging profile
+# Currently in testing (may not work for all users)
 noblacklist ${HOME}/.config/hexchat
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
+private-bin hexchat
+#debug note: private-bin requires perl, python, etc on some systems
+private-dev
+private-tmp
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 25d426ad2..2f8e2df7f 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,2 +1,51 @@
 # Firejail profile for GNU Icecat
-include /etc/firejail/firefox.profile
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/icecat
+whitelist ~/.cache/mozilla/icecat
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/icedove.profile b/etc/icedove.profile
index e9a63c8dd..310684bdb 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -11,9 +11,11 @@ mkdir ~/.icedove
 whitelist ~/.icedove
 noblacklist ~/.cache/icedove
-mkdir ~/.cache
 mkdir ~/.cache/icedove
 whitelist ~/.cache/icedove
+# allow browsers
+ignore private-tmp
 include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
new file mode 100644
index 000000000..a0e86b6c9
--- /dev/null
+++ b/etc/inkscape.profile
@@ -0,0 +1,20 @@
+# inkscape
+noblacklist ${HOME}/.inkscape
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+noexec ${HOME}
+noexec /tmp
+private-dev
+private-tmp
diff --git a/etc/inox.profile b/etc/inox.profile
new file mode 100644
index 000000000..49d2f2835
--- /dev/null
+++ b/etc/inox.profile
@@ -0,0 +1,24 @@
+# Inox browser profile
+noblacklist ~/.config/inox
+noblacklist ~/.cache/inox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+netfilter
+whitelist ${DOWNLOADS}
+mkdir ~/.config/inox
+whitelist ~/.config/inox
+mkdir ~/.cache/inox
+whitelist ~/.cache/inox
+mkdir ~/.pki
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
new file mode 100644
index 000000000..046499abe
--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,17 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-tmp
diff --git a/etc/keepass.profile b/etc/keepass.profile
new file mode 100644
index 000000000..23f9a7b40
--- /dev/null
+++ b/etc/keepass.profile
@@ -0,0 +1,22 @@
+# keepass password manager profile
+noblacklist ${HOME}/.config/keepass
+noblacklist ${HOME}/.keepass
+ 
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+private-tmp
+private-dev
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
new file mode 100644
index 000000000..415160df3
--- /dev/null
+++ b/etc/keepassx.profile
@@ -0,0 +1,23 @@
+# keepassx password manager profile
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+ 
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+private-tmp
+private-dev 
diff --git a/etc/kmail.profile b/etc/kmail.profile
index a7079661b..bc21ba604 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -7,8 +7,13 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 tracelog
+private-dev
+private-tmp
diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..e9546fd1b
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,15 @@
+# Firejail konversation profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+noroot
+seccomp
+protocol unix,inet,inet6
+private-tmp
diff --git a/etc/less.profile b/etc/less.profile
new file mode 100644
index 000000000..08758aead
--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,11 @@
+# less profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+net none
+nosound
+shell none
+tracelog
+private-dev
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
new file mode 100644
index 000000000..d6aceb7a8
--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+noblacklist /usr/local/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+private-dev
+# whitelist /tmp/.X11-unix/
diff --git a/etc/localc.profile b/etc/localc.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/loffice.profile b/etc/loffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lomath.profile b/etc/lomath.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/loweb.profile b/etc/loweb.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
new file mode 100644
index 000000000..76e864e0c
--- /dev/null
+++ b/etc/luminance-hdr.profile
@@ -0,0 +1,23 @@
+# luminance-hdr
+noblacklist ${HOME}/.config/Luminance
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+noexec ${HOME}
+noexec /tmp
+private-tmp
+private-dev
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index b6acf2587..d1d0b8a0d 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -5,7 +5,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+protocol unix,inet,inet6
+seccomp
 #noroot - somehow this breaks on Debian Jessie!
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
new file mode 100644
index 000000000..48b46dba0
--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound
diff --git a/etc/midori.profile b/etc/midori.profile
index 7fc27e07c..046c45d94 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -5,7 +5,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+# noroot - noroot break midori on Ubuntu 14.04
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/mpv.profile b/etc/mpv.profile
new file mode 100644
index 000000000..80f8de54a
--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7
diff --git a/etc/mumble.profile b/etc/mumble.profile
new file mode 100644
index 000000000..ddd70822d
--- /dev/null
+++ b/etc/mumble.profile
@@ -0,0 +1,26 @@
+# mumble profile
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin mumble
+private-tmp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
new file mode 100644
index 000000000..e022866e8
--- /dev/null
+++ b/etc/mupdf.profile
@@ -0,0 +1,28 @@
+# mupdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+private-bin mupdf
+private-tmp
+private-dev
+private-etc fonts
+# mupdf will never write anything
+read-only ${HOME}
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 7b38b411a..acb13e6b9 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -8,15 +8,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/mupen64plus
 whitelist ${HOME}/.local/share/mupen64plus/
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
-noroot
 caps.drop all
-seccomp
 net none
+nonewprivs
+noroot
+seccomp
diff --git a/etc/mutt.profile b/etc/mutt.profile
new file mode 100644
index 000000000..54cf828b1
--- /dev/null
+++ b/etc/mutt.profile
@@ -0,0 +1,41 @@
+# mutt email client profile
+noblacklist ~/.muttrc
+noblacklist ~/.mutt
+noblacklist ~/.mutt/muttrc
+noblacklist ~/.mailcap
+noblacklist ~/.gnupg
+noblacklist ~/.mail
+noblacklist ~/.Mail
+noblacklist ~/mail
+noblacklist ~/Mail
+noblacklist ~/sent
+noblacklist ~/postponed
+noblacklist ~/.cache/mutt
+noblacklist ~/.w3m
+noblacklist ~/.elinks
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.signature
+noblacklist ~/.bogofilter
+noblacklist ~/.msmtprc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..1ed2163c2
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,30 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9c0c6e125..9fa785450 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -4,7 +4,8 @@
 :OUTPUT ACCEPT [0:0]
 ###################################################################
-# Client filter rejecting local network traffic, with the exception of DNS traffic
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
 #
 # Usage:
 #     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..b43a5fbea
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,25 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+read-only   ~/.kde/share/config/kdeglobals
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+private-dev
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 6e2e5d6fd..f812768a1 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -5,8 +5,7 @@
 include /etc/firejail/disable-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/openshot.profile b/etc/openshot.profile
new file mode 100644
index 000000000..f12bd7d11
--- /dev/null
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 3d6edb286..12c91c744 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera-beta
 whitelist ~/.config/opera-beta
-mkdir ~/.cache
 mkdir ~/.cache/opera-beta
 whitelist ~/.cache/opera-beta
 mkdir ~/.pki
diff --git a/etc/opera.profile b/etc/opera.profile
index ff00eb349..e0c89a195 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -9,10 +9,8 @@ include /etc/firejail/disable-devel.inc
 netfilter
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/opera
 whitelist ~/.config/opera
-mkdir ~/.cache
 mkdir ~/.cache/opera
 whitelist ~/.cache/opera
 mkdir ~/.opera
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index fc4ea453b..71deec6bc 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,31 +1,30 @@
 # Firejail profile for Pale Moon
-# Noblacklists
 noblacklist ~/.moonchild productions/pale moon
 noblacklist ~/.cache/moonchild productions/pale moon
-# Included profiles
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/whitelist-common.inc
-# Options
-caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
-noroot
 whitelist ${DOWNLOADS}
 mkdir ~/.moonchild productions
 whitelist ~/.moonchild productions
-mkdir ~/.cache
-mkdir ~/.cache/moonchild productions
 mkdir ~/.cache/moonchild productions/pale moon
 whitelist ~/.cache/moonchild productions/pale moon
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin palemoon
+private-tmp
 # These are uncommented in the Firefox profile. If you run into trouble you may
 # want to uncomment (some of) them.
 #whitelist ~/dwhelper
@@ -40,9 +39,9 @@ whitelist ~/.cache/moonchild productions/pale moon
 #whitelist ~/.pki
 # For silverlight
-#whitelist ~/.wine-pipelight 
+#whitelist ~/.wine-pipelight
-#whitelist ~/.wine-pipelight64 
+#whitelist ~/.wine-pipelight64
-#whitelist ~/.config/pipelight-widevine 
+#whitelist ~/.config/pipelight-widevine
 #whitelist ~/.config/pipelight-silverlight5.1
@@ -55,3 +54,4 @@ whitelist ~/.config/lastpass
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)
diff --git a/etc/parole.profile b/etc/parole.profile
index 0c9a72143..1440a9ef7 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -8,8 +8,9 @@ private-etc passwd,group,fonts
 private-bin parole,dbus-launch
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 shell none
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index fd497f082..850706145 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -2,10 +2,20 @@
 noblacklist ${HOME}/.purple
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin pidgin
+private-dev
+private-tmp
diff --git a/etc/pix.profile b/etc/pix.profile
new file mode 100644
index 000000000..dc8192b01
--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,22 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin pix
+private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/polari.profile b/etc/polari.profile
index 0bc46f3f7..ac9530c40 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -3,18 +3,14 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share/
 mkdir ${HOME}/.local/share/Empathy
 whitelist ${HOME}/.local/share/Empathy
 mkdir ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.local/share/telepathy
 mkdir ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/TpLogger
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/telepathy-account-widgets
 whitelist ${HOME}/.config/telepathy-account-widgets
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/telepathy
 whitelist ${HOME}/.cache/telepathy
 mkdir ${HOME}/.purple
@@ -22,8 +18,8 @@ whitelist ${HOME}/.purple
 include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..a9323448b
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Psi+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+whitelist ${DOWNLOADS}
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 8bdc745fb..89e0e4c78 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -5,8 +5,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+# there are some problems with "Open destination folder", see bug #536
+#shell none
+#private-bin qbittorrent
+private-dev
+private-tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
new file mode 100644
index 000000000..06c0db206
--- /dev/null
+++ b/etc/qpdfview.profile
@@ -0,0 +1,22 @@
+# qpdfview profile
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin qpdfview
+private-dev
+private-tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 80acc3873..81d8aa10e 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -3,13 +3,21 @@ noblacklist ${HOME}/.config/tox
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 mkdir ${HOME}/.config/tox
 whitelist ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
+netfilter
-protocol unix,inet,inet6
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin qtox
+private-tmp
diff --git a/etc/quassel.profile b/etc/quassel.profile
index 72004da7f..f92dfeb9f 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -4,7 +4,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
 netfilter
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 411d37dbd..2b28fce73 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -4,26 +4,27 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
 whitelist ${HOME}/quiterssfeeds.opml
-mkdir ~/.config
 mkdir ~/.config/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
-mkdir ~/.local
 mkdir ~/.local/share
 whitelist ${HOME}/.local/share/
-mkdir ~/.cache
 mkdir ~/.cache/QuiteRss
 whitelist ${HOME}/.cache/QuiteRss
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-tracelog
-noroot
 nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
 shell none
-private-dev
+tracelog
 private-bin quiterss
+private-dev
 #private-etc X11,ssl
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 934a374de..0efb7b629 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -7,16 +7,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.config/qutebrowser
 whitelist ~/.config/qutebrowser
-mkdir ~/.cache
 mkdir ~/.cache/qutebrowser
 whitelist ~/.cache/qutebrowser
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
new file mode 100644
index 000000000..323e64dee
--- /dev/null
+++ b/etc/ranger.profile
@@ -0,0 +1,23 @@
+# ranger file manager profile
+noblacklist /usr/bin/perl
+#noblacklist /usr/bin/cpan*
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+private-tmp
+private-dev
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 782cd3832..e5e192486 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -5,7 +5,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin rhythmbox
+private-dev
+private-tmp
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index ae0430830..55bfcd77f 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin rtorrent
+private-dev
+private-tmp
+\ No newline at end of file
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index a10d5b0ec..b981d9516 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -6,18 +6,16 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 whitelist ${DOWNLOADS}
-mkdir ~/.mozilla
 mkdir ~/.mozilla/seamonkey
 whitelist ~/.mozilla/seamonkey
-mkdir ~/.cache
-mkdir ~/.cache/mozilla
 mkdir ~/.cache/mozilla/seamonkey
 whitelist ~/.cache/mozilla/seamonkey
 whitelist ~/dwhelper
@@ -41,11 +39,10 @@ whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 #silverlight
-whitelist ~/.wine-pipelight 
+whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64 
+whitelist ~/.wine-pipelight64
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/server.profile b/etc/server.profile
index 1b3cb7207..b8a34feb2 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -6,8 +6,12 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+blacklist /tmp/.X11-unix
+no3d
+nosound
+seccomp
 private
 private-dev
 private-tmp
-seccomp
diff --git a/etc/skype.profile b/etc/skype.profile
index 26feac1a4..9cbcd5117 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
-seccomp
 protocol unix,inet,inet6
+seccomp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
new file mode 100644
index 000000000..3f0a274f9
--- /dev/null
+++ b/etc/skypeforlinux.profile
@@ -0,0 +1,11 @@
+# skypeforlinux profile
+noblacklist ${HOME}/.config/skypeforlinux
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6,netlink
diff --git a/etc/slack.profile b/etc/slack.profile
new file mode 100644
index 000000000..a85a28f03
--- /dev/null
+++ b/etc/slack.profile
@@ -0,0 +1,31 @@
+# Firejail profile for Slack
+noblacklist ${HOME}/.config/Slack
+noblacklist ${HOME}/Downloads
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+blacklist /var
+caps.drop all
+name slack
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin slack
+private-dev
+private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+private-tmp
+mkdir ${HOME}/.config
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/snap.profile b/etc/snap.profile
new file mode 100644
index 000000000..270fdf1a5
--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,14 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+caps.keep chown,sys_admin
diff --git a/etc/soffice.profile b/etc/soffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
diff --git a/etc/spotify.profile b/etc/spotify.profile
index fd4586dd5..6dbcc03ee 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -7,24 +7,37 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-# Whitelist the folders needed by Spotify - This is more restrictive 
+# Whitelist the folders needed by Spotify
-# than a blacklist though, but this is all spotify requires for 
-# streaming audio
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
-include /etc/firejail/whitelist-common.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
+private-dev
+private-tmp
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7b282bde6..d3558ead3 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,12 +1,15 @@
 # ssh client
+quiet
 noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
new file mode 100644
index 000000000..ee19cee25
--- /dev/null
+++ b/etc/start-tor-browser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for the Tor Brower Bundle
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-etc fonts
+private-dev
+private-tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 4c96e8258..5dc5e80ff 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
 seccomp
-protocol unix,inet,inet6
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..d57c9e5f7
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin stellarium
+private-dev
+private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
new file mode 100644
index 000000000..7c464bf88
--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,11 @@
+# strings profile
+ignore noroot
+include /etc/firejail/default.profile
+net none
+nosound
+quiet
+shell none
+tracelog
+private-dev
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
new file mode 100644
index 000000000..69b2a0db2
--- /dev/null
+++ b/etc/synfigstudio.profile
@@ -0,0 +1,19 @@
+# synfigstudio
+noblacklist ${HOME}/.config/synfig
+noblacklist ${HOME}/.synfig
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix
+seccomp
+noexec ${HOME}
+noexec /tmp
+private-dev
+private-tmp
diff --git a/etc/tar.profile b/etc/tar.profile
new file mode 100644
index 000000000..91fdaf48d
--- /dev/null
+++ b/etc/tar.profile
@@ -0,0 +1,18 @@
+# tar profile
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+hostname tar
+net none
+no3d
+nosound
+quiet
+shell none
+tracelog
+# support compressed archives
+private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-dev
+private-etc passwd,group,localtime
diff --git a/etc/telegram.profile b/etc/telegram.profile
index df6b6a270..7615c8eef 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -5,11 +5,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
-whitelist ~/Downloads/Telegram Desktop
+noroot
-mkdir ${HOME}/.TelegramDesktop
+protocol unix,inet,inet6
-whitelist ~/.TelegramDesktop
+seccomp
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 7882367b9..568343ba6 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -11,9 +11,11 @@ mkdir ~/.thunderbird
 whitelist ~/.thunderbird
 noblacklist ~/.cache/thunderbird
-mkdir ~/.cache
 mkdir ~/.cache/thunderbird
 whitelist ~/.cache/thunderbird
+# allow browsers
+ignore private-tmp
 include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
diff --git a/etc/totem.profile b/etc/totem.profile
index 4d87cbb85..252b46979 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,11 +1,15 @@
 # Totem media player profile
+noblacklist ~/.config/totem
+noblacklist ~/.local/share/totem
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
 netfilter
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index d61d36a8c..fa54ea81b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
-# transmission-gtk profile
+# transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin transmission-gtk
+private-dev
+private-tmp
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 3db7a5452..100fadc27 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
-# transmission-qt profile
+# transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -8,9 +8,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin transmission-qt
+private-dev
+private-tmp
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index ef5aa7d4a..3ba28f772 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -6,13 +6,19 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin uget-gtk
+private-dev
+private-tmp
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 4365e4fee..5e2cb5f65 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
+nosound
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/unrar.profile b/etc/unrar.profile
new file mode 100644
index 000000000..0700cafe9
--- /dev/null
+++ b/etc/unrar.profile
@@ -0,0 +1,18 @@
+# unrar profile
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+hostname unrar
+net none
+no3d
+nosound
+quiet
+shell none
+tracelog
+private-bin unrar
+private-dev
+private-etc passwd,group,localtime
+private-tmp
diff --git a/etc/unzip.profile b/etc/unzip.profile
new file mode 100644
index 000000000..a43785795
--- /dev/null
+++ b/etc/unzip.profile
@@ -0,0 +1,16 @@
+# unzip profile
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+hostname unzip
+net none
+no3d
+nosound
+quiet
+shell none
+tracelog
+private-bin unzip
+private-dev
+private-etc passwd,group,localtime
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
new file mode 100644
index 000000000..5ba0896ab
--- /dev/null
+++ b/etc/uudeview.profile
@@ -0,0 +1,15 @@
+# uudeview profile
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /etc
+hostname uudeview
+net none
+nosound
+quiet
+shell none
+tracelog
+private-bin uudeview
+private-dev
diff --git a/etc/vim.profile b/etc/vim.profile
new file mode 100644
index 000000000..b161fcbb0
--- /dev/null
+++ b/etc/vim.profile
@@ -0,0 +1,16 @@
+# vim profile
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
new file mode 100644
index 000000000..49f8f8b24
--- /dev/null
+++ b/etc/virtualbox.profile
@@ -0,0 +1,13 @@
+# VirtualBox profile
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist /usr/bin/virtualbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 449d9a168..3c608dccb 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -6,12 +6,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 netfilter
+nonewprivs
 whitelist ${DOWNLOADS}
-mkdir ~/.config
 mkdir ~/.config/vivaldi
 whitelist ~/.config/vivaldi
-mkdir ~/.cache
 mkdir ~/.cache/vivaldi
 whitelist ~/.cache/vivaldi
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 061ae6f78..2fd763f25 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -7,7 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+private-dev
+private-tmp
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
new file mode 100644
index 000000000..7c7efade8
--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,26 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
+# Call these options
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+private-bin warzone2100
+private-dev
+private-tmp
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 280a5f9d8..410061278 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -4,8 +4,12 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-netfilter
+protocol unix,inet,inet6
+seccomp
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins 
+\ No newline at end of file
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 340ba0db5..bb489ddeb 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -9,20 +9,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
 private-dev
+private-tmp
-whitelist /tmp/.X11-unix
-mkdir ${HOME}/.local
-mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/wesnoth
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/wesnoth
-mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/wesnoth
 whitelist ${HOME}/.local/share/wesnoth
 whitelist ${HOME}/.config/wesnoth
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9d5ef3d96..d4e69948e 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
 # common whitelist for all profiles
+whitelist ~/.XCompose
 whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
@@ -13,16 +14,25 @@ whitelist ~/.fonts.d
 whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
+whitelist ~/.local/share/fonts
 whitelist ~/.config/fontconfig
 whitelist ~/.cache/fontconfig
 # gtk
 whitelist ~/.gtkrc
 whitelist ~/.gtkrc-2.0
+whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
 whitelist ~/.themes
+whitelist ~/.kde/share/config/gtkrc
+whitelist ~/.kde/share/config/gtkrc-2.0
 # dconf
-mkdir ~/.config
 mkdir ~/.config/dconf
 whitelist ~/.config/dconf
+# qt/kde
+whitelist ~/.config/kdeglobals
+whitelist ~/.kde/share/config/oxygenrc
+whitelist ~/.kde/share/config/kdeglobals
+whitelist ~/.kde/share/icons
diff --git a/etc/wine.profile b/etc/wine.profile
index ea6db8511..18e5346af 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -9,5 +9,6 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
 seccomp
diff --git a/etc/wire.profile b/etc/wire.profile
new file mode 100644
index 000000000..c84b4cc28
--- /dev/null
+++ b/etc/wire.profile
@@ -0,0 +1,24 @@
+# wire messenger profile
+noblacklist ~/.config/Wire
+noblacklist ~/.config/wire
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-tmp
+private-dev
+# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
+# To use wire with firejail run "firejail /opt/Wire/wire" 
diff --git a/etc/xchat.profile b/etc/xchat.profile
index fcea4245e..1f2865cab 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -6,6 +6,9 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
-seccomp
+nonewprivs
-protocol unix,inet,inet6
 noroot
+protocol unix,inet,inet6
+seccomp
+# private-bin requires perl, python, etc.
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
new file mode 100644
index 000000000..b7fb6ecf3
--- /dev/null
+++ b/etc/xiphos.profile
@@ -0,0 +1,30 @@
+# Firejail profile for xiphos
+noblacklist ~/.sword
+noblacklist ~/.xiphos
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+blacklist ~/.bashrc
+blacklist ~/.Xauthority
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin xiphos
+private-etc fonts,resolv.conf,sword
+private-dev
+private-tmp
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
new file mode 100644
index 000000000..7ea368bbe
--- /dev/null
+++ b/etc/xpdf.profile
@@ -0,0 +1,18 @@
+################################
+# xpdf application profile
+################################
+noblacklist ${HOME}/.xpdfrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+net none
+nonewprivs
+noroot
+protocol unix
+shell none
+seccomp
+private-dev
+private-tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
new file mode 100644
index 000000000..191d2f67f
--- /dev/null
+++ b/etc/xplayer.profile
@@ -0,0 +1,22 @@
+# Xplayer profile
+noblacklist ~/.config/xplayer
+noblacklist ~/.local/share/xplayer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+private-tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
new file mode 100644
index 000000000..d2a000bd0
--- /dev/null
+++ b/etc/xreader.profile
@@ -0,0 +1,23 @@
+# Xreader profile
+noblacklist ~/.config/xreader
+noblacklist ~/.cache/xreader
+noblacklist ~/.local/share
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-dev
+private-tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
new file mode 100644
index 000000000..cbb59d16e
--- /dev/null
+++ b/etc/xviewer.profile
@@ -0,0 +1,20 @@
+noblacklist ~/.config/xviewer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-dev
+private-bin xviewer
+private-tmp
diff --git a/etc/xz.profile b/etc/xz.profile
new file mode 100644
index 000000000..5b29f7338
--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,3 @@
+# xz profile
+quiet
+include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
new file mode 100644
index 000000000..04f98cef6
--- /dev/null
+++ b/etc/xzdec.profile
@@ -0,0 +1,14 @@
+# xzdec profile
+ignore noroot
+include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
+net none
+no3d
+nosound
+quiet
+shell none
+tracelog
+private-dev
diff --git a/etc/zathura.profile b/etc/zathura.profile
new file mode 100644
index 000000000..6c93a2480
--- /dev/null
+++ b/etc/zathura.profile
@@ -0,0 +1,26 @@
+# zathura document viewer profile
+noblacklist ~/.config/zathura
+noblacklist ~/.local/share/zathura
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+private-bin zathura
+private-dev
+private-etc fonts
+private-tmp
+read-only ~/
+read-write ~/.local/share/zathura/
diff --git a/etc/zoom.profile b/etc/zoom.profile
new file mode 100644
index 000000000..f5831dd88
--- /dev/null
+++ b/etc/zoom.profile
@@ -0,0 +1,23 @@
+# Firejail profile for zoom.us
+noblacklist ~/.config/zoomus.conf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+# Whitelists
+mkdir ~/.zoom
+whitelist ~/.zoom
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+private-tmp
diff --git a/gcov.sh b/gcov.sh
new file mode 100755
index 000000000..ffacce6b5
--- /dev/null
+++ b/gcov.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+generate() {
+        lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file
+        rm -fr gcov-dir
+        genhtml gcov-file --output-directory gcov-dir
+}
+# init
+USER=`whoami`
+firejail --help
+firemon --help
+/usr/lib/firejail/fnet --help
+/usr/lib/firejail/fseccomp --help
+/usr/lib/firejail/ftee --help
+firecfg --help
+sudo chown $USER:$USER `find .`
+generate
+# running tests
+make test-root
+generate
+sleep 2
+make test-network
+generate
+sleep 2
+make test-appimage
+generate
+sleep 2
+make test-overlay
+generate
+sleep 2
+make test-profiles
+generate
+sleep 2
+make test-fs
+generate
+sleep 2
+make test-utils
+generate
+sleep 2
+make test-environment
+generate
+sleep 2
+make test-apps
+generate
+sleep 2
+make test-apps-x11
+generate
+sleep 2
+make test-apps-x11-xorg 
+generate
+sleep 2
+make test-filters 
+generate
+sleep 2
+make test-arguments
+generate
+sleep 2
diff --git a/mkasc.sh b/mkasc.sh
index 2c9836f17..4d5b73e20 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -6,5 +6,6 @@ cd /transfer
 sha256sum * > firejail-$1-unsigned
 gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc
 gpg --verify firejail-$1.asc
+gpg --detach-sign --armor firejail-$1.tar.xz
 rm firejail-$1-unsigned
diff --git a/mkdeb.sh b/mkdeb.sh
index 71c3b9a04..be8d618e1 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh
@@ -3,7 +3,7 @@
 # a code archive should already be available
 TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.bz2"
+CODE_ARCHIVE="$1-$2.tar.xz"
 CODE_DIR="$1-$2"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
 DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
@@ -15,7 +15,7 @@ echo "install directory: $INSTALL_DIR"
 echo "debian control directory: $DEBIAN_CTRL_DIR"
 echo "*****************************************"
-tar -xjvf $CODE_ARCHIVE
+tar -xJvf $CODE_ARCHIVE
 #mkdir -p $INSTALL_DIR
 cd $CODE_DIR
 ./configure --prefix=/usr
diff --git a/mketc.sh b/mketc.sh
index f44238968..f98c5479f 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -2,23 +2,21 @@
 rm -fr .etc
 mkdir .etc
-result=$(echo $1 | sed 's/\//\\\//g')
+for file in etc/*.profile etc/*.inc etc/*.net;
-echo $result
-FILES=`ls etc/*.profile`
-for file in $FILES
-do
-        sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file
-done
-FILES=`ls etc/*.inc`
-for file in $FILES
 do
-        sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file
+        sed "s;/etc/firejail;$1/firejail;g" $file > .$file
 done
-FILES=`ls etc/*.net`
+if [ "x$2" = "xyes" ]
-for file in $FILES
+then
-do
+sed -i -e '
-        sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file
+1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\
-done
+# If this is not your case you can remove --enable-busybox-workaround from\
+# ./configure options, for added security.\
+noblacklist \${PATH}/mount\
+noblacklist \${PATH}/umount\
+noblacklist \${PATH}/su\
+noblacklist \${PATH}/sudo\
+noblacklist \${PATH}/nc\
+' .etc/disable-common.inc
+fi
diff --git a/mkuid.sh b/mkuid.sh
new file mode 100755
index 000000000..a59f58143
--- /dev/null
+++ b/mkuid.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+echo "extracting UID_MIN and GID_MIN"
+echo "#ifndef FIREJAIL_UIDS_H" > uids.h
+echo "#define FIREJAIL_UIDS_H" >> uids.h
+if [ -r /etc/login.defs ]
+then
+        echo "// using values extracted from /etc/login.defs" >> uids.h
+        UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        echo "#define UID_MIN $UID_MIN" >> uids.h
+        echo "#define GID_MIN $GID_MIN" >> uids.h
+else
+        echo "// using default values" >> uids.h
+        echo "#define UID_MIN 1000" >> uids.h
+        echo "#define GID_MIN 1000" >> uids.h
+fi
+echo "#endif" >> uids.h
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index dc8640147..321a96f80 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -1,85 +1,176 @@
-/etc/firejail/evince.profile
+/etc/firejail/0ad.profile
-/etc/firejail/chromium.profile
+/etc/firejail/Cyberfox.profile
+/etc/firejail/Mathematica.profile
+/etc/firejail/Telegram.profile
+/etc/firejail/abrowser.profile
+/etc/firejail/atom-beta.profile
+/etc/firejail/atom.profile
+/etc/firejail/atril.profile
+/etc/firejail/audacious.profile
+/etc/firejail/audacity.profile
+/etc/firejail/aweather.profile
+/etc/firejail/bitlbee.profile
+/etc/firejail/brave.profile
+/etc/firejail/cherrytree.profile
 /etc/firejail/chromium-browser.profile
-/etc/firejail/google-chrome.profile
+/etc/firejail/chromium.profile
-/etc/firejail/google-chrome-stable.profile
+/etc/firejail/clementine.profile
+/etc/firejail/cmus.profile
+/etc/firejail/conkeror.profile
+/etc/firejail/corebird.profile
+/etc/firejail/cpio.profile
+/etc/firejail/cyberfox.profile
+/etc/firejail/deadbeef.profile
+/etc/firejail/default.profile
+/etc/firejail/deluge.profile
+/etc/firejail/dillo.profile
+/etc/firejail/disable-common.inc
+/etc/firejail/disable-devel.inc
+/etc/firejail/disable-passwdmgr.inc
+/etc/firejail/disable-programs.inc
+/etc/firejail/dnscrypt-proxy.profile
+/etc/firejail/dnsmasq.profile
+/etc/firejail/dosbox.profile
+/etc/firejail/dropbox.profile
+/etc/firejail/empathy.profile
+/etc/firejail/eom.profile
+/etc/firejail/epiphany.profile
+/etc/firejail/evince.profile
+/etc/firejail/fbreader.profile
+/etc/firejail/feh.profile
+/etc/firejail/file.profile
+/etc/firejail/filezilla.profile
+/etc/firejail/firefox-esr.profile
+/etc/firejail/firefox.profile
+/etc/firejail/firejail.config
+/etc/firejail/flashpeak-slimjet.profile
+/etc/firejail/franz.profile
+/etc/firejail/gajim.profile
+/etc/firejail/gimp.profile
+/etc/firejail/gitter.profile
+/etc/firejail/gnome-chess.profile
+/etc/firejail/gnome-mplayer.profile
 /etc/firejail/google-chrome-beta.profile
+/etc/firejail/google-chrome-stable.profile
 /etc/firejail/google-chrome-unstable.profile
-/etc/firejail/midori.profile
+/etc/firejail/google-chrome.profile
+/etc/firejail/google-play-music-desktop-player.profile
+/etc/firejail/gpredict.profile
+/etc/firejail/gtar.profile
+/etc/firejail/gthumb.profile
+/etc/firejail/gwenview.profile
+/etc/firejail/gzip.profile
+/etc/firejail/hedgewars.profile
+/etc/firejail/hexchat.profile
+/etc/firejail/icecat.profile
 /etc/firejail/icedove.profile
 /etc/firejail/iceweasel.profile
-/etc/firejail/dropbox.profile
+/etc/firejail/inkscape.profile
+/etc/firejail/inox.profile
+/etc/firejail/jitsi.profile
+/etc/firejail/kmail.profile
+/etc/firejail/konversation.profile
+/etc/firejail/less.profile
+/etc/firejail/libreoffice.profile
+/etc/firejail/localc.profile
+/etc/firejail/lodraw.profile
+/etc/firejail/loffice.profile
+/etc/firejail/lofromtemplate.profile
 /etc/firejail/login.users
-/etc/firejail/firefox.profile
+/etc/firejail/loimpress.profile
-/etc/firejail/opera.profile
+/etc/firejail/lomath.profile
+/etc/firejail/loweb.profile
+/etc/firejail/lowriter.profile
+/etc/firejail/luminance-hdr.profile
+/etc/firejail/lxterminal.profile
+/etc/firejail/mathematica.profile
+/etc/firejail/mcabber.profile
+/etc/firejail/midori.profile
+/etc/firejail/mpv.profile
+/etc/firejail/mupdf.profile
+/etc/firejail/mupen64plus.profile
+/etc/firejail/netsurf.profile
+/etc/firejail/nolocal.net
+/etc/firejail/okular.profile
+/etc/firejail/openbox.profile
 /etc/firejail/opera-beta.profile
-/etc/firejail/thunderbird.profile
+/etc/firejail/opera.profile
-/etc/firejail/transmission-gtk.profile
+/etc/firejail/palemoon.profile
-/etc/firejail/transmission-qt.profile
+/etc/firejail/parole.profile
-/etc/firejail/vlc.profile
+/etc/firejail/pidgin.profile
-/etc/firejail/audacious.profile
+/etc/firejail/pix.profile
-/etc/firejail/clementine.profile
-/etc/firejail/epiphany.profile
-/etc/firejail/qtox.profile
 /etc/firejail/polari.profile
-/etc/firejail/gnome-mplayer.profile
+/etc/firejail/psi-plus.profile
-/etc/firejail/rhythmbox.profile
-/etc/firejail/totem.profile
-/etc/firejail/deluge.profile
 /etc/firejail/qbittorrent.profile
-/etc/firejail/generic.profile
+/etc/firejail/qpdfview.profile
-/etc/firejail/xchat.profile
+/etc/firejail/qtox.profile
-/etc/firejail/server.profile
 /etc/firejail/quassel.profile
-/etc/firejail/pidgin.profile
+/etc/firejail/quiterss.profile
-/etc/firejail/filezilla.profile
+/etc/firejail/qutebrowser.profile
-/etc/firejail/empathy.profile
+/etc/firejail/ranger.profile
-/etc/firejail/disable-common.inc
+/etc/firejail/rhythmbox.profile
-/etc/firejail/deadbeef.profile
+/etc/firejail/rtorrent.profile
-/etc/firejail/icecat.profile
+/etc/firejail/seamonkey-bin.profile
-/etc/firejail/fbreader.profile
+/etc/firejail/seamonkey.profile
-/etc/firejail/spotify.profile
+/etc/firejail/server.profile
 /etc/firejail/skype.profile
+/etc/firejail/skypeforlinux.profile
+/etc/firejail/slack.profile
+/etc/firejail/snap.profile
+/etc/firejail/soffice.profile
+/etc/firejail/spotify.profile
+/etc/firejail/ssh.profile
 /etc/firejail/steam.profile
-/etc/firejail/wine.profile
+/etc/firejail/stellarium.profile
-/etc/firejail/disable-devel.inc
+/etc/firejail/strings.profile
-/etc/firejail/conkeror.profile
+/etc/firejail/synfigstudio.profile
+/etc/firejail/tar.profile
+/etc/firejail/telegram.profile
+/etc/firejail/thunderbird.profile
+/etc/firejail/totem.profile
+/etc/firejail/transmission-gtk.profile
+/etc/firejail/transmission-qt.profile
+/etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
-/etc/firejail/dnscrypt-proxy.profile
+/etc/firejail/unrar.profile
-/etc/firejail/whitelist-common.inc
+/etc/firejail/unzip.profile
-/etc/firejail/nolocal.net
+/etc/firejail/uudeview.profile
+/etc/firejail/vivaldi-beta.profile
+/etc/firejail/vivaldi.profile
+/etc/firejail/vlc.profile
+/etc/firejail/warzone2100.profile
 /etc/firejail/webserver.net
-/etc/firejail/bitlbee.profile
-/etc/firejail/weechat.profile
 /etc/firejail/weechat-curses.profile
-/etc/firejail/hexchat.profile
+/etc/firejail/weechat.profile
-/etc/firejail/rtorrent.profile
-/etc/firejail/parole.profile
-/etc/firejail/kmail.profile
-/etc/firejail/seamonkey.profile
-/etc/firejail/seamonkey-bin.profile
-/etc/firejail/telegram.profile
-/etc/firejail/mathematica.profile
-/etc/firejail/Mathematica.profile
-/etc/firejail/uget-gtk.profile
-/etc/firejail/mupen64plus.profile
-/etc/firejail/lxterminal.profile
-/etc/firejail/cherrytree.profile
 /etc/firejail/wesnoth.profile
-/etc/firejail/hedgewars.profile
+/etc/firejail/whitelist-common.inc
-/etc/firejail/vivaldi.profile
+/etc/firejail/wine.profile
-/etc/firejail/vivaldi-beta.profile
+/etc/firejail/xchat.profile
-/etc/firejail/atril.profile
+/etc/firejail/xplayer.profile
-/etc/firejail/firejail.config
+/etc/firejail/xreader.profile
-/etc/firejail/qutebrowser.profile
+/etc/firejail/xviewer.profile
-/etc/firejail/flashpeak-slimjet.profile
+/etc/firejail/xz.profile
-/etc/firejail/ssh.profile
+/etc/firejail/xzdec.profile
-/etc/firejail/openbox.profile
+/etc/firejail/zathura.profile
-/etc/firejail/disable-programs.inc
+/etc/firejail/7z.profile
-/etc/firejail/disable-passwdmgr.inc
+/etc/firejail/keepass.profile
-/etc/firejail/dillo.profile
+/etc/firejail/keepassx.profile
-/etc/firejail/cmus.profile
+/etc/firejail/claws-mail.profile
-/etc/firejail/dnsmasq.profile
+/etc/firejail/mutt.profile
-/etc/firejail/palemoon.profile
+/etc/firejail/git.profile
-/etc/firejail/abrowser.profile
+/etc/firejail/emacs.profile
-/etc/firejail/0ad.profile
+/etc/firejail/vim.profile
+/etc/firejail/xpdf.profile
+/etc/firejail/virtualbox.profile
+/etc/firejail/openshot.profile
+/etc/firejail/flowblade.profile
+/etc/firejail/eog.profile
+/etc/firejail/evolution.profile
+/etc/firejail/start-tor-browser.profile
+/etc/firejail/xiphos.profile
+/etc/firejail/display.profile
+/etc/firejail/Wire.profile
+/etc/firejail/wire.profile
+/etc/firejail/mumble.profile
+/etc/firejail/zoom.profile
+/etc/firejail/guayadeque.profile
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index e365af2d6..67280921a 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -33,16 +33,22 @@ rm -rf %{buildroot}
 %doc
 %defattr(-, root, root, -)
 %attr(4755, -, -) %{_bindir}/__NAME__
+%{_bindir}/firecfg
 %{_bindir}/firemon
+%{_libdir}/__NAME__/firecfg.config
 %{_libdir}/__NAME__/ftee
+%{_libdir}/__NAME__/faudit
 %{_libdir}/__NAME__/fshaper.sh
 %{_libdir}/__NAME__/libtrace.so
 %{_libdir}/__NAME__/libtracelog.so
 %{_datarootdir}/bash-completion/completions/__NAME__
+%{_datarootdir}/bash-completion/completions/firecfg
 %{_datarootdir}/bash-completion/completions/firemon
 %{_docdir}/__NAME__
 %{_mandir}/man1/__NAME__.1.gz
+%{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man5/__NAME__-config.5.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %config %{_sysconfdir}/__NAME__
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
new file mode 100755
index 000000000..017d5e1c3
--- /dev/null
+++ b/platform/rpm/old-mkrpm.sh
@@ -0,0 +1,542 @@
+#!/bin/bash
+VERSION="0.9.44"
+rm -fr ~/rpmbuild
+rm -f firejail-$VERSION-1.x86_64.rpm
+mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
+cat <<EOF >~/.rpmmacros
+%_topdir   %(echo $HOME)/rpmbuild
+%_tmppath  %{_topdir}/tmp
+EOF
+cd ~/rpmbuild
+echo "building directory tree"
+mkdir -p firejail-$VERSION/usr/bin
+install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
+install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
+install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/.
+mkdir -p  firejail-$VERSION/usr/lib/firejail
+install -m 755 /usr/lib/firejail/faudit  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/firecfg.config  firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libconnect.so  firejail-$VERSION/usr/lib/firejail/.
+mkdir -p firejail-$VERSION/usr/share/man/man1
+install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
+install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
+install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/.
+mkdir -p firejail-$VERSION/usr/share/man/man5
+install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
+install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
+mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
+install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
+install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
+install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
+mkdir -p firejail-$VERSION/etc/firejail
+install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/.
+mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
+install -m 644 /usr/share/bash-completion/completions/firejail  firejail-$VERSION/usr/share/bash-completion/completions/.
+install -m 644 /usr/share/bash-completion/completions/firemon  firejail-$VERSION/usr/share/bash-completion/completions/.
+install -m 644 /usr/share/bash-completion/completions/firecfg  firejail-$VERSION/usr/share/bash-completion/completions/.
+echo "building tar.gz archive"
+tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
+cp firejail-$VERSION.tar.gz SOURCES/.
+echo "building config spec"
+cat <<EOF > SPECS/firejail.spec
+%define        __spec_install_post %{nil}
+%define          debug_package %{nil}
+%define        __os_install_post %{_dbpath}/brp-compress
+Summary: Linux namepaces sandbox program
+Name: firejail
+Version: $VERSION
+Release: 1
+License: GPL+
+Group: Development/Tools
+SOURCE0 : %{name}-%{version}.tar.gz
+URL: http://firejail.wordpress.com
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+%description
+Firejail  is  a  SUID sandbox program that reduces the risk of security
+breaches by restricting the running environment of untrusted applications
+using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
+%prep
+%setup -q
+%build
+%install
+rm -rf %{buildroot}
+mkdir -p  %{buildroot}
+cp -a * %{buildroot}
+%clean
+rm -rf %{buildroot}
+%files
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/%{name}/0ad.profile
+%config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atom.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atril.profile
+%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
+%config(noreplace) %{_sysconfdir}/%{name}/audacity.profile
+%config(noreplace) %{_sysconfdir}/%{name}/aweather.profile
+%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
+%config(noreplace) %{_sysconfdir}/%{name}/brave.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile
+%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
+%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cmus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
+%config(noreplace) %{_sysconfdir}/%{name}/corebird.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cpio.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
+%config(noreplace) %{_sysconfdir}/%{name}/default.profile
+%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dillo.profile
+%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc
+%config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
+%config(noreplace) %{_sysconfdir}/%{name}/eom.profile
+%config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile
+%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
+%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
+%config(noreplace) %{_sysconfdir}/%{name}/file.profile
+%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firejail.config
+%config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile
+%config(noreplace) %{_sysconfdir}/%{name}/franz.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gajim.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gitter.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gtar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gzip.profile
+%config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile
+%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
+%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
+%config(noreplace) %{_sysconfdir}/%{name}/inox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile
+%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile
+%config(noreplace) %{_sysconfdir}/%{name}/konversation.profile
+%config(noreplace) %{_sysconfdir}/%{name}/less.profile
+%config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/localc.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile
+%config(noreplace) %{_sysconfdir}/%{name}/loffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile
+%config(noreplace) %{_sysconfdir}/%{name}/login.users
+%config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lomath.profile
+%config(noreplace) %{_sysconfdir}/%{name}/loweb.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile
+%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mpv.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
+%config(noreplace) %{_sysconfdir}/%{name}/okular.profile
+%config(noreplace) %{_sysconfdir}/%{name}/openbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
+%config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile
+%config(noreplace) %{_sysconfdir}/%{name}/parole.profile
+%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
+%config(noreplace) %{_sysconfdir}/%{name}/pix.profile
+%config(noreplace) %{_sysconfdir}/%{name}/polari.profile
+%config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qtox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
+%config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
+%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile
+%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile
+%config(noreplace) %{_sysconfdir}/%{name}/server.profile
+%config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile
+%config(noreplace) %{_sysconfdir}/%{name}/skype.profile
+%config(noreplace) %{_sysconfdir}/%{name}/slack.profile
+%config(noreplace) %{_sysconfdir}/%{name}/snap.profile
+%config(noreplace) %{_sysconfdir}/%{name}/soffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
+%config(noreplace) %{_sysconfdir}/%{name}/ssh.profile
+%config(noreplace) %{_sysconfdir}/%{name}/steam.profile
+%config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile
+%config(noreplace) %{_sysconfdir}/%{name}/strings.profile
+%config(noreplace) %{_sysconfdir}/%{name}/tar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile
+%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
+%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
+%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
+%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
+%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unrar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unzip.profile
+%config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
+%config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile
+%config(noreplace) %{_sysconfdir}/%{name}/webserver.net
+%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
+%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile
+%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
+%config(noreplace) %{_sysconfdir}/%{name}/wine.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xreader.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xz.profile
+%config(noreplace) %{_sysconfdir}/%{name}/zathura.profile
+%config(noreplace) %{_sysconfdir}/%{name}/7z.profile
+%config(noreplace) %{_sysconfdir}/%{name}/keepass.profile
+%config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile
+%config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mutt.profile
+%config(noreplace) %{_sysconfdir}/%{name}/git.profile
+%config(noreplace) %{_sysconfdir}/%{name}/emacs.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vim.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/openshot.profile
+%config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile
+%config(noreplace) %{_sysconfdir}/%{name}/eog.profile
+%config(noreplace) %{_sysconfdir}/%{name}/evolution.profile
+%config(noreplace) %{_sysconfdir}/%{name}/feh.profile
+%config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gimp.profile
+%config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/ranger.profile
+%config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile
+/usr/bin/firejail
+/usr/bin/firemon
+/usr/bin/firecfg
+/usr/lib/firejail/libtrace.so
+/usr/lib/firejail/libtracelog.so
+/usr/lib/firejail/libconnect.so
+/usr/lib/firejail/faudit
+/usr/lib/firejail/ftee
+/usr/lib/firejail/firecfg.config
+/usr/lib/firejail/fshaper.sh
+/usr/share/doc/packages/firejail/COPYING
+/usr/share/doc/packages/firejail/README
+/usr/share/doc/packages/firejail/RELNOTES
+/usr/share/man/man1/firejail.1.gz
+/usr/share/man/man1/firemon.1.gz
+/usr/share/man/man1/firecfg.1.gz
+/usr/share/man/man5/firejail-profile.5.gz
+/usr/share/man/man5/firejail-login.5.gz
+/usr/share/bash-completion/completions/firejail
+/usr/share/bash-completion/completions/firemon
+/usr/share/bash-completion/completions/firecfg
+ 
+%post
+chmod u+s /usr/bin/firejail
+%changelog
+* Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
+  - CVE-2016-7545 submitted by Aleksey Manevich
+  - modifs: removed man firejail-config
+  - modifs: --private-tmp whitelists /tmp/.X11-unix directory
+  - modifs: Nvidia drivers added to --private-dev
+  - modifs: /srv supported by --whitelist
+  - feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
+  - feature: support starting/joining sandbox is a single command
+    (--join-or-start)
+  - feature: X11 detection support for --audit
+  - feature: assign a name to the interface connected to the bridge 
+    (--veth-name)
+  - feature: all user home directories are visible (--allusers)
+  - feature: add files to sandbox container (--put)
+  - feature: blocking x11 (--x11=block)
+  - feature: X11 security extension (--x11=xorg)
+  - feature: disable 3D hardware acceleration (--no3d)
+  - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
+  - feature: move files in sandbox (--put)
+  - feature: accept wildcard patterns in user  name field of restricted
+    shell login feature
+  - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
+  - new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
+  - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
+  - new profiles: Flowblade, Eye of GNOME (eog), Evolution
+  - bugfixes
+* Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1
+  - security: --whitelist deleted files, submitted by Vasya Novikov
+  - security: disable x32 ABI in seccomp, submitted by Jann Horn
+  - security: tighten --chroot, submitted by Jann Horn
+  - security: terminal sandbox escape, submitted by Stephan Sokolow
+  - security: several TOCTOU fixes submitted by Aleksey Manevich
+  - modifs: bringing back --private-home option
+  - modifs: deprecated --user option, please use "sudo -u username firejail"
+  - modifs: allow symlinks in home directory for --whitelist option
+  - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
+  - modifs: recursive mkdir
+  - modifs: include /dev/snd in --private-dev
+  - modifs: seccomp filter update
+  - modifs: release archives moved to .xz format
+  - feature: AppImage support (--appimage)
+  - feature: AppArmor support (--apparmor)
+  - feature: Ubuntu snap support (/etc/firejail/snap.profile)
+  - feature: Sandbox auditing support (--audit)
+  - feature: remove environment variable (--rmenv)
+  - feature: noexec support (--noexec)
+  - feature: clean local overlay storage directory (--overlay-clean)
+  - feature: store and reuse overlay (--overlay-named)
+  - feature: allow debugging inside the sandbox with gdb and strace
+         (--allow-debuggers)
+  - feature: mkfile profile command
+  - feature: quiet profile command
+  - feature: x11 profile command
+  - feature: option to fix desktop files (firecfg --fix)
+  - compile time: Busybox support (--enable-busybox-workaround)
+  - compile time: disable overlayfs (--disable-overlayfs)
+  - compile time: disable whitlisting (--disable-whitelist)
+  - compile time: disable global config (--disable-globalcfg)
+  - run time: enable/disable overlayfs (overlayfs yes/no)
+  - run time: enable/disable  quiet as default (quiet-by-default yes/no)
+  - run time: user-defined network filter (netfilter-default)
+  - run time: enable/disable whitelisting (whitelist yes/no)
+  - run time: enable/disable remounting of /proc and /sys
+          (remount-proc-sys yes/no)
+  - run time: enable/disable chroot desktop features (chroot-desktop yes/no)
+  - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
+  - profiles: pix, audacity, xz, xzdec, gzip, cpio, less
+  - profiles: Atom Beta, Atom, jitsi, eom, uudeview
+  - profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
+  - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
+  - bugfixes
+EOF
+echo "building rpm"
+rpmbuild -ba SPECS/firejail.spec
+rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
+cd ..
+rm -f firejail-$VERSION-1.x86_64.rpm
+cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
diff --git a/platform/snap/snap.sh b/platform/snap/snap.sh
new file mode 100755
index 000000000..d7f924293
--- /dev/null
+++ b/platform/snap/snap.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+rm -fr faudit-snap
+rm -f faudit_*.snap
+mkdir faudit-snap
+cd faudit-snap
+snapcraft init
+cp ../snapcraft.yaml .
+#snapcraft stage
+mkdir -p stage/usr/lib/firejail
+cp ../../../src/faudit/faudit stage/usr/lib/firejail/.
+find stage
+snapcraft stage
+snapcraft snap
+cd ..
+mv faudit-snap/faudit_*.snap ../../.
+rm -fr faudit-snap
diff --git a/platform/snap/snapcraft.yaml b/platform/snap/snapcraft.yaml
new file mode 100644
index 000000000..7b04a2ca1
--- /dev/null
+++ b/platform/snap/snapcraft.yaml
@@ -0,0 +1,21 @@
+name: faudit  # the name of the snap
+version: 0  # the version of the snap
+summary: Fireajail audit snap edition  # 79 char long summary
+description: faudit program extracted from Firejail and packaged as a snap  # a longer description for the snap
+confinement: strict  # use "strict" to enforce system access only via declared interfaces
+apps:
+    faudit:
+        command: /usr/lib/firejail/faudit
+parts:
+    faudit:  # Replace with a part name of your liking
+        # Get more information about plugins by running
+        # snapcraft help plugins
+        # and more information about the available plugins
+        # by running
+        # snapcraft list-plugins
+        plugin: nil
+        snap:
+        - usr/lib/firejail/faudit
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 21e28c98b..d3dcd57d0 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
            _filedir
            return 0
            ;;
+       --read-write)
+            _filedir
+            return 0
+            ;;
        --bind)
            _filedir
            return 0
@@ -63,6 +67,10 @@ _firejail()
            _filedir
            return 0
            ;;
+        --audit)
+            _filedir
+            return 0
+            ;;
         --net)
                comps=$(__interfaces)
            COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
new file mode 100644
index 000000000..995a0bf49
--- /dev/null
+++ b/src/faudit/Makefile.in
@@ -0,0 +1,25 @@
+all: faudit
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+faudit: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS)
+clean:; rm -f *.o faudit
+distclean: clean
+        rm -fr Makefile
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
new file mode 100644
index 000000000..d4a62b34f
--- /dev/null
+++ b/src/faudit/caps.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <linux/capability.h>
+#define MAXBUF 4098
+static int extract_caps(uint64_t *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "CapBnd:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        unsigned long long tmp;
+                        sscanf(ptr, "%llx", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+        fclose(fp);
+        return 1;
+}
+// return 1 if the capability is in tbe map
+static int check_capability(uint64_t map, int cap) {
+        int i;
+        uint64_t mask = 1ULL;
+        
+        for (i = 0; i < 64; i++, mask <<= 1) {
+                if ((i == cap) && (mask & map))
+                        return 1;
+        }
+        return 0;
+}
+void caps_test(void) {
+        uint64_t caps_val;
+        
+        if (extract_caps(&caps_val)) {
+                printf("SKIP: cannot extract capabilities on this platform.\n");
+                return;
+        }
+        
+        if (caps_val) {
+                printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
+                printf("Use \"firejail --caps.drop=all\" to fix it.\n");
+                
+                if (check_capability(caps_val, CAP_SYS_ADMIN))
+                        printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
+                if (check_capability(caps_val, CAP_SYS_BOOT))
+                        printf("UGLY: CAP_SYS_BOOT is enabled.\n");
+        }
+        else
+                printf("GOOD: all capabilities are disabled.\n"); 
+}
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
new file mode 100644
index 000000000..4debf2ff6
--- /dev/null
+++ b/src/faudit/dbus.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <sys/un.h>
+// return 0 if the connection is possible
+int check_unix(const char *sockfile) {
+        assert(sockfile);
+        int rv = -1;
+        // open socket
+        int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (sock == -1) 
+                return rv;
+        // connect
+        struct sockaddr_un remote;
+        memset(&remote, 0, sizeof(struct sockaddr_un));
+        remote.sun_family = AF_UNIX;
+        strcpy(remote.sun_path, sockfile);
+        int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
+        if (*sockfile == '@')
+                remote.sun_path[0] = '\0';
+        if (connect(sock, (struct sockaddr *)&remote, len) == 0)
+                rv = 0;
+        
+        close(sock);
+        return rv;
+}
+void dbus_test(void) {
+        // check the session bus
+        char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+        if (str) {
+                int rv = 0;
+                char *bus = strdup(str);
+                if (!bus)
+                        errExit("strdup");
+                char *sockfile;
+                if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
+                        sockfile += 13;
+                        *sockfile = '@';
+                        char *ptr = strchr(sockfile, ',');
+                        if (ptr)
+                                *ptr = '\0';    
+                        rv = check_unix(sockfile);
+                        *sockfile = '@';
+                        if (rv == 0)
+                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+                        else if (rv == -1)
+                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+                }
+                else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
+                        sockfile += 10;
+                        char *ptr = strchr(sockfile, ',');
+                        if (ptr)
+                                *ptr = '\0';
+                        rv = check_unix(sockfile);
+                        if (rv == 0)
+                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+                        else if (rv == -1)
+                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+                }
+                else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
+                        printf("UGLY: session bus configured for TCP communication.\n");
+                else
+                        printf("GOOD: cannot find a D-Bus socket\n");
+                        
+                        
+                free(bus);
+        }
+        else
+                printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
+}
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
new file mode 100644
index 000000000..92f615958
--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+void dev_test(void) {
+        DIR *dir;
+        if (!(dir = opendir("/dev"))) {
+                fprintf(stderr, "Error: cannot open /dev directory\n");
+                return;
+        }
+        
+        struct dirent *entry;
+        printf("INFO: files visible in /dev directory: ");
+        int cnt = 0;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                
+                printf("%s, ", entry->d_name);
+                cnt++;
+        }
+        printf("\n");
+        
+        if (cnt > 20)
+                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+        else
+                printf("GOOD: Access to /dev directory is restricted.\n");
+        closedir(dir);
+}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
new file mode 100644
index 000000000..17c754c3b
--- /dev/null
+++ b/src/faudit/faudit.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FAUDIT_H
+#define FAUDIT_H
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <assert.h>
+#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+// main.c
+extern char *prog;
+// pid.c
+void pid_test(void);
+// caps.c
+void caps_test(void);
+// seccomp.c
+void seccomp_test(void);
+// syscall.c
+void syscall_helper(int argc, char **argv);
+void syscall_run(const char *name);
+// files.c
+void files_test(void);
+// network.c
+void network_test(void);
+// dbus.c
+int check_unix(const char *sockfile);
+void dbus_test(void);
+// dev.c
+void dev_test(void);
+// x11.c
+void x11_test(void);
+#endif
diff --git a/src/faudit/files.c b/src/faudit/files.c
new file mode 100644
index 000000000..67b43f22b
--- /dev/null
+++ b/src/faudit/files.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <fcntl.h>
+#include <pwd.h>
+static char *username = NULL;
+static char *homedir = NULL;
+static void check_home_file(const char *name) {
+        assert(homedir);
+        
+        char *fname;
+        if (asprintf(&fname, "%s/%s", homedir, name) ==  -1)
+                errExit("asprintf");
+        if (access(fname, R_OK) == 0) {
+                printf("UGLY: I can access files in %s directory. ", fname);
+                printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
+        }
+        else
+                printf("GOOD: I cannot access files in %s directory.\n", fname);
+        
+        free(fname);
+}
+void files_test(void) {
+        struct passwd *pw = getpwuid(getuid());
+        if (!pw) {
+                fprintf(stderr, "Error: cannot retrieve user account information\n");
+                return;
+        }
+        
+        username = strdup(pw->pw_name);
+        if (!username)
+                errExit("strdup");
+        homedir = strdup(pw->pw_dir);
+        if (!homedir)
+                errExit("strdup");
+        
+        // check access to .ssh directory
+        check_home_file(".ssh");
+        // check access to .gnupg directory
+        check_home_file(".gnupg");
+        // check access to Firefox browser directory
+        check_home_file(".mozilla");
+        // check access to Chromium browser directory
+        check_home_file(".config/chromium");
+        
+        // check access to Debian Icedove directory
+        check_home_file(".icedove");
+        
+        // check access to Thunderbird directory
+        check_home_file(".thunderbird");
+}
diff --git a/src/faudit/main.c b/src/faudit/main.c
new file mode 100644
index 000000000..7f47ccaf0
--- /dev/null
+++ b/src/faudit/main.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+char *prog;
+int main(int argc, char **argv) {
+        // make test-arguments helper
+        if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
+                printf("Arguments:\n");
+        
+                int i;
+                for (i = 0; i < argc; i++) {
+                        printf("#%s#\n", argv[i]);
+                }
+                
+                return 0;
+        }
+        if (argc != 1) {
+                int i;
+                
+                for (i = 1; i < argc; i++) {
+                        if (strcmp(argv[i], "syscall")) {
+                                syscall_helper(argc, argv);
+                                return 0;
+                        }
+                }
+                return 1;
+        }
+        printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
+        // extract program name
+        prog = realpath(argv[0], NULL);
+        if (prog == NULL) {
+                prog = strdup("faudit");
+                if (!prog)
+                        errExit("strdup");
+        }
+        printf("INFO: starting %s.\n", prog);
+        
+        
+        // check pid namespace
+        pid_test();
+        printf("\n");
+        
+        // check seccomp
+        seccomp_test();
+        printf("\n");
+        
+        // check capabilities
+        caps_test();
+        printf("\n");
+        // check some well-known problematic files and directories
+        files_test();
+        printf("\n");
+        
+        // network
+        network_test();
+        printf("\n");
+        
+        // dbus
+        dbus_test();
+        printf("\n");
+        // x11 test
+        x11_test();
+        printf("\n");
+        // /dev test
+        dev_test();
+        printf("\n");
+        free(prog);
+        printf("--------------------------------------------------------------------------------\n");
+        return 0;
+}
diff --git a/src/faudit/network.c b/src/faudit/network.c
new file mode 100644
index 000000000..cf1eede69
--- /dev/null
+++ b/src/faudit/network.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+static void check_ssh(void) {
+        // open socket
+        int sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: SSH server not available on localhost.\n");
+                return;
+        }
+        // connect to localhost
+        struct sockaddr_in server;
+        server.sin_addr.s_addr = inet_addr("127.0.0.1");
+        server.sin_family = AF_INET;
+        server.sin_port = htons(22);    
+        
+        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+                printf("GOOD: SSH server not available on localhost.\n");
+        else {
+                printf("MAYBE: an SSH server is accessible on localhost. ");
+                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+        }
+        
+        close(sock);
+}
+static void check_http(void) {
+        // open socket
+        int sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: HTTP server not available on localhost.\n");
+                return;
+        }
+        // connect to localhost
+        struct sockaddr_in server;
+        server.sin_addr.s_addr = inet_addr("127.0.0.1");
+        server.sin_family = AF_INET;
+        server.sin_port = htons(80);    
+        
+        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+                printf("GOOD: HTTP server not available on localhost.\n");
+        else {
+                printf("MAYBE: an HTTP server is accessible on localhost. ");
+                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+        }
+        
+        close(sock);
+}
+void check_netlink(void) {
+        int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
+        if (sock == -1) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                return;
+        }
+        struct sockaddr_nl local;
+        memset(&local, 0, sizeof(local));
+        local.nl_family = AF_NETLINK;
+        local.nl_groups = 0; //subscriptions;
+        if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                close(sock);
+                return;
+        }
+        
+        close(sock);
+        printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
+        printf("You can use \"--protocol\" to disable the socket.\n");
+}
+        
+void network_test(void) {
+        check_ssh();
+        check_http();
+        check_netlink();
+}
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
new file mode 100644
index 000000000..a0fb1d921
--- /dev/null
+++ b/src/faudit/pid.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+void pid_test(void) {
+        char *kern_proc[] = {
+                "kthreadd",
+                "ksoftirqd",
+                "kworker",
+                "rcu_sched",
+                "rcu_bh",
+                NULL    // NULL terminated list
+        };
+        int i;
+        // look at the first 10 processes
+        int not_visible = 1;
+        for (i = 1; i <= 10; i++) { 
+                struct stat s;
+                char *fname;
+                if (asprintf(&fname, "/proc/%d/comm", i) == -1)
+                        errExit("asprintf");
+                if (stat(fname, &s) == -1) {
+                        free(fname);
+                        continue;
+                }
+                
+                // open file
+                /* coverity[toctou] */
+                FILE *fp = fopen(fname, "r");
+                if (!fp) {
+//                      fprintf(stderr, "Warning: cannot open %s\n", fname);
+                        free(fname);
+                        continue;
+                }
+                
+                // read file
+                char buf[100];
+                if (fgets(buf, 10, fp) == NULL) {
+//                      fprintf(stderr, "Warning: cannot read %s\n", fname);
+                        fclose(fp);
+                        free(fname);
+                        continue;
+                }
+                not_visible = 0;
+                // clean /n
+                char *ptr;
+                if ((ptr = strchr(buf, '\n')) != NULL)
+                        *ptr = '\0';
+                
+                // check process name against the kernel list
+                int j = 0;
+                while (kern_proc[j] != NULL) {
+                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
+                                fclose(fp);
+                                free(fname);
+                                printf("BAD: Process %d is not running in a PID namespace. ", getpid());
+                                printf("Are you sure you're running in a sandbox?\n");
+                                return;
+                        }
+                        j++;
+                }
+                
+                fclose(fp);
+                free(fname);
+        }
+        pid_t pid = getpid();
+        if (not_visible && pid > 100)
+                printf("BAD: Process %d is not running in a PID namespace.\n", pid);
+        else
+                printf("GOOD: process %d is running in a PID namespace.\n", pid);
+        
+        // try to guess the type of container/sandbox
+        char *str = getenv("container");
+        if (str)
+                printf("INFO: container/sandbox %s.\n", str);
+        else {
+                str = getenv("SNAP");
+                if (str)
+                        printf("INFO: this is a snap package\n");
+        }
+}
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
new file mode 100644
index 000000000..7b2999467
--- /dev/null
+++ b/src/faudit/seccomp.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        int tmp;
+                        sscanf(ptr, "%d", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+        fclose(fp);
+        return 1;
+}
+void seccomp_test(void) {
+        int seccomp_status;
+        int rv = extract_seccomp(&seccomp_status);
+        
+        if (rv) {
+                printf("INFO: cannot extract seccomp configuration on this platform.\n");
+                return;
+        }
+        
+        if (seccomp_status == 0) {
+                printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
+        }
+        else if (seccomp_status == 1)
+                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd.\n");
+        else if (seccomp_status == 2) {
+                printf("GOOD: seccomp BPF enabled.\n");
+                printf("checking syscalls: "); fflush(0);
+                printf("mount... "); fflush(0);
+                syscall_run("mount");
+                printf("umount2... "); fflush(0);
+                syscall_run("umount2");
+                printf("ptrace... "); fflush(0);
+                syscall_run("ptrace");
+                
+                printf("swapon... "); fflush(0);
+                syscall_run("swapon");
+                
+                printf("swapoff... "); fflush(0);
+                syscall_run("swapoff");
+                printf("init_module... "); fflush(0);
+                syscall_run("init_module");
+                printf("delete_module... "); fflush(0);
+                syscall_run("delete_module");
+                
+                printf("chroot... "); fflush(0);
+                syscall_run("chroot");
+                
+                printf("pivot_root... "); fflush(0);
+                syscall_run("pivot_root");
+                
+#if defined(__i386__) || defined(__x86_64__)
+                printf("iopl... "); fflush(0);
+                syscall_run("iopl");
+                
+                printf("ioperm... "); fflush(0);
+                syscall_run("ioperm");
+#endif  
+                printf("\n");
+        }
+        else
+                fprintf(stderr, "Error: unrecognized seccomp mode\n");
+}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
new file mode 100644
index 000000000..3c87305df
--- /dev/null
+++ b/src/faudit/syscall.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/ptrace.h>
+#include <sys/swap.h>
+#if defined(__i386__) || defined(__x86_64__)
+#include <sys/io.h>
+#endif
+#include <sys/wait.h>
+extern int init_module(void *module_image, unsigned long len,
+                       const char *param_values);
+extern int finit_module(int fd, const char *param_values,
+                        int flags);
+extern int delete_module(const char *name, int flags);
+extern int pivot_root(const char *new_root, const char *put_old);
+void syscall_helper(int argc, char **argv) {
+        (void) argc;
+        
+        if (strcmp(argv[2], "mount") == 0) {
+                mount(NULL, NULL, NULL, 0, NULL);
+                printf("\nUGLY: mount syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "umount2") == 0) {
+                umount2(NULL, 0);
+                printf("\nUGLY: umount2 syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "ptrace") == 0) {
+                ptrace(0, 0, NULL, NULL);
+                printf("\nUGLY: ptrace syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "swapon") == 0) {
+                swapon(NULL, 0);
+                printf("\nUGLY: swapon syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "swapoff") == 0) {
+                swapoff(NULL);
+                printf("\nUGLY: swapoff syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "init_module") == 0) {
+                init_module(NULL, 0, NULL);
+                printf("\nUGLY: init_module syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "delete_module") == 0) {
+                delete_module(NULL, 0);
+                printf("\nUGLY: delete_module syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "chroot") == 0) {
+                int rv = chroot("/blablabla-57281292");
+                (void) rv;
+                printf("\nUGLY: chroot syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "pivot_root") == 0) {
+                pivot_root(NULL, NULL);
+                printf("\nUGLY: pivot_root syscall permitted.\n");
+        }
+#if defined(__i386__) || defined(__x86_64__)
+        else if (strcmp(argv[2], "iopl") == 0) {
+                iopl(0L);
+                printf("\nUGLY: iopl syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "ioperm") == 0) {
+                ioperm(0, 0, 0);
+                printf("\nUGLY: ioperm syscall permitted.\n");
+        }
+#endif
+        exit(0);
+}
+void syscall_run(const char *name) {
+        assert(prog);
+        
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                execl(prog, prog, "syscall", name, NULL);
+                perror("execl");
+                _exit(1);
+        }
+                
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
new file mode 100644
index 000000000..43f40f4e9
--- /dev/null
+++ b/src/faudit/x11.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <dirent.h>
+void x11_test(void) {
+        // check regular display 0 sockets
+        if (check_unix("/tmp/.X11-unix/X0") == 0)
+                printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
+        if (check_unix("@/tmp/.X11-unix/X0") == 0)
+                printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
+                
+        // check all unix sockets in /tmp/.X11-unix directory
+        DIR *dir;
+        if (!(dir = opendir("/tmp/.X11-unix"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/tmp/.X11-unix"))) {
+                        ;
+                }
+        }
+        
+        if (dir == NULL)
+                printf("GOOD: cannot open /tmp/.X11-unix directory\n");
+        else {
+                struct dirent *entry;
+                while ((entry = readdir(dir)) != NULL) {
+                        if (strcmp(entry->d_name, "X0") == 0)
+                                continue;
+                        if (strcmp(entry->d_name, ".") == 0)
+                                continue;
+                        if (strcmp(entry->d_name, "..") == 0)
+                                continue;
+                        char *name;
+                        if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
+                                errExit("asprintf");
+                        if (check_unix(name) == 0)
+                                printf("MAYBE: X11 socket %s is available\n", name);
+                        free(name);
+                }
+                closedir(dir);
+        }
+}
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index 11f8b1e8d..f9fe08768 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -16,22 +16,24 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)  -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 firecfg: $(OBJS) ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz
+clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c28f8e352..e3e333497 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -2,44 +2,124 @@
 # This is the list of programs handled by firecfg utility
 #
+# astronomy
+gpredict
+stellarium
+# bittorrent/ftp
+deluge
+dropbox
+filezilla
+qbittorrent
+rtorrent
+transmission-gtk
+transmission-qt
+uget-gtk
 # browsers/email
-firefox
+abrowser
-iceweasel
+brave
-chromium-browser
 chromium
+chromium-browser
 conkeror
-thunderbird
+cyberfox
-epiphany
+firefox
+firefox-esr
 flashpeak-slimjet
+epiphany
+dillo
+google-chrome
 google-chrome-beta
 google-chrome-stable
 google-chrome-unstable
-google-chrome
+iceweasel
 icecat
 icedove
 kmail
 midori
+netsurf
 opera-beta
 opera
+palemoon
 qutebrowser
+start-tor-browser
 seamonkey
 seamonkey-bin
+thunderbird
 vivaldi-beta
 vivaldi
-dillo
+evolution
-# bittorrent/ftp
+# chat/messaging
-deluge
+bitlbee
-filezilla
+corebird
-qbittorrent
+empathy
-rtorrent
+gitter
-transmission-gtk
+hexchat
-transmission-qt
+jitsi
+konversation
+pidgin
+polari
+psi-plus
+qtox
+quassel
+skype
+telegram
+weechat
+weechat-curses
+xchat
+# dns
+dnscrypt-proxy
+dnsmaq
+unbound
+# emulators/compatibility layers
+mupen64plus
+wine
+dosbox
+virtualbox
+# games
+0ad
+gnome-chess
+hedgewars
+steam
+wesnot
+warzone2100
+# Media
+audacious
+audacity
+clementine
+cmus
+deadbeef
+feh
+gnome-mplayer
+google-play-music-desktop-player
+mpv
+parole
+rhythmbox
+spotify
+totem
+vlc
+xplayer
+xviewer
+eom
+# news readers
+quiterss
 # office
+atril
 cherrytree
 evince
 fbreader
+gimp
+gthumb
+gwenview
+inkscape
+libreoffice
 localc
 lodraw
 loffice
@@ -48,29 +128,30 @@ loimpress
 lomath
 loweb
 lowriter
+luminance-hdr
+mupdf
+qpdfview
+soffice
+synfigstudio
 Mathematica
 mathematica
+okular
+pix
+xpdf
+xreader
+zathura
+openshot
+flowblade
+eog
-# Media
+# other
-vlc
+ssh
-audacious
+atom-beta
-clementine
+atom
-deadbeef
+ranger
-parole
+keepass
-rhythmbox
+keepassx
-totem
+xiphos
-cmus
-# chat/messaging
+# weather/climate
-bitlbee
+aweather
-empathy
-gnome-mplayer
-hexchat
-pidgin
-qtox
-quassel
-xchat
-# games
-hedgewars
-wesnot
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 70d29a3ed..d2566ce22 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -24,8 +24,13 @@
 #include <dirent.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/mman.h>
 #include "../include/common.h"
+static int arg_debug = 0;
 static void usage(void) {
        printf("firecfg - version %s\n\n", VERSION);
@@ -37,8 +42,10 @@ static void usage(void) {
        printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n");
        printf("Usage: firecfg [OPTIONS]\n\n");
        printf("   --clean - remove all firejail symbolic links.\n\n");
+        printf("   --debug - print debug messages.\n\n");
        printf("   --help, -? - this help screen.\n\n");
        printf("   --list - list all firejail symbolic links.\n\n");
+        printf("   --fix - fix .desktop files.\n\n");
        printf("   --version - print program version and exit.\n\n");
        printf("Example:\n\n");
        printf("   $ sudo firecfg\n");
@@ -49,10 +56,14 @@ static void usage(void) {
        printf("   /usr/local/bin/firefox\n");
        printf("   /usr/local/bin/vlc\n");
        printf("   [...]\n");
-        printf("   $ sudo firecfg --clear\n");
+        printf("   $ sudo firecfg --clean\n");
        printf("   /usr/local/bin/firefox removed\n");
        printf("   /usr/local/bin/vlc removed\n");
        printf("   [...]\n");
+        printf("   $ firecfg --fix\n");
+        printf("   /home/user/.local/share/applications/chromium.desktop created\n");
+        printf("   /home/user/.local/share/applications/vlc.desktop created\n");
+        printf("   [...]\n");
        printf("\n");
        printf("License GPL version 2 or later\n");
        printf("Homepage: http://firejail.wordpress.com\n\n");
@@ -67,9 +78,12 @@ static int find(const char *program, const char *directory) {
                errExit("asprintf");
                
        struct stat s;
-        if (stat(fname, &s) == 0)
+        if (stat(fname, &s) == 0) {
+                if (arg_debug)
+                        printf("found %s in directory %s\n", program, directory);
                retval = 1;
-        
+        }
+                
        free(fname);
        return retval;
 }
@@ -79,7 +93,8 @@ static int find(const char *program, const char *directory) {
 static int which(const char *program) {
        // check some well-known paths
        if (find(program, "/bin") || find(program, "/usr/bin") ||
-             find(program, "/sbin") || find(program, "/usr/sbin"))
+             find(program, "/sbin") || find(program, "/usr/sbin") ||
+             find(program, "/usr/games"))
                return 1;
                
        // check environment
@@ -205,8 +220,9 @@ static void set_file(const char *name, const char *firejail_exec) {
                errExit("asprintf");
        
        struct stat s;
-        if (stat(fname, &s) == 0)
+        if (stat(fname, &s) == 0) {
-                ; //printf("%s already present\n", fname);
+                printf("%s is already present, skipping...\n", fname);
+        }
        else {
                int rv = symlink(firejail_exec, fname);
                if (rv) {
@@ -268,7 +284,7 @@ static void set(void) {
                // empty line
                if (*start == '\0')
                        continue;
-                
                // set link
                set_file(start, firejail_exec);
        }
@@ -278,6 +294,164 @@ static void set(void) {
        free(firejail_exec);
 }
+static void fix_desktop_files(void) {
+        if (getuid() == 0) {
+                fprintf(stderr, "Error: you should run --fix as user\n");
+                exit(1);
+        }
+        char *homedir = getenv("HOME");
+        if (!homedir)
+                errExit("getenv");
+        char *user_apps_dir;
+        if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1)
+                errExit("asprintf");
+        DIR *dir = opendir("/usr/share/applications");
+        if (!dir) {
+                perror("Error: cannot open /usr/share/applications directory");
+                exit(1);
+        }
+        if (chdir("/usr/share/applications")) {
+                perror("Error: cannot chdir to /usr/share/applications");
+                exit(1);
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                // skip if not regular file or link
+                if (entry->d_type != DT_REG && entry->d_type != DT_LNK)
+                        continue;
+                // skip if not .desktop file
+                if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8))
+                        continue;
+                char *filename = entry->d_name;
+                // skip links
+                if (is_link(filename))
+                        continue;
+                struct stat sb;
+                if (stat(filename, &sb) == -1)
+                        errExit("stat");
+                int fd = open(filename, O_RDONLY);
+                if (fd == -1)
+                        errExit("open");
+                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+                if (buf == MAP_FAILED)
+                        errExit("mmap");
+                close(fd);
+                // check format
+                if (strstr(buf, "[Desktop Entry]\n") == NULL) {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - SKIPPED: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                // get executable name
+                char *ptr1 = strstr(buf,"\nExec=");
+                if (!ptr1 || strlen(ptr1) < 7) {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - SKIPPED: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                char *execname = ptr1 + 6;
+                // https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
+                // The executable program can either be specified with its full path
+                // or with the name of the executable only
+                if (execname[0] != '/') {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - already OK\n", filename);
+                        continue;
+                }
+                // executable name can be quoted, this is rare and currently unsupported, TODO
+                if (execname[0] == '"') {
+                        if (arg_debug)
+                                fprintf(stderr, "/usr/share/applications/%s - skipped: path quoting unsupported\n", filename);
+                        continue;
+                }
+                // put '\0' at end of filename
+                char *tail = NULL;
+                char endchar = ' ';
+                if (execname[0] == '/') {
+                        char *ptr2 = index(execname, ' ');
+                        char *ptr3 = index(execname, '\n');
+                        if (ptr2 && (!ptr3 || (ptr2 < ptr3))) {
+                                endchar = ptr2[0];
+                                ptr2[0] = '\0';
+                                tail = ptr2 + 1;
+                        } else if (ptr3 && (!ptr2 || (ptr3 < ptr2))) {
+                                endchar = ptr3[0];
+                                ptr3[0] = '\0';
+                                tail = ptr3 + 1;
+                        }
+                        ptr1[5] = '\0';
+                }
+                char *bname = basename(execname);
+                assert(bname);
+                // check if basename in PATH
+                if (!which(bname)) {
+                        fprintf(stderr, "/usr/share/applications/%s - skipped, %s not in PATH\n", filename, bname);
+                        continue;
+                }
+                char *outname;
+                if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1)
+                        errExit("asprintf");
+                int fd1 = open(outname, O_CREAT | O_WRONLY | O_EXCL, S_IRUSR | S_IWUSR);
+                free(outname);
+                if (fd1 == -1) {
+                        fprintf(stderr, "%s/%s skipped: %s\n", user_apps_dir, filename, strerror(errno));
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                FILE *outfile = fdopen(fd1, "w");
+                if (!outfile) {
+                        fprintf(stderr, "%s/%s skipped: %s\n", user_apps_dir, filename, strerror(errno));
+                        munmap(buf, sb.st_size + 1);
+                        close(fd1);
+                        continue;
+                }
+                if (fprintf(outfile,\
+                "# Converted by firecfg --fix from /usr/share/applications/%s\n\n%s=%s%c%s",\
+                filename, buf, bname, endchar, tail) < 0) {
+                        fprintf(stderr, "Unable to write %s/%s: %s\n", user_apps_dir, filename, strerror(errno));
+                        munmap(buf, sb.st_size + 1);
+                        fclose(outfile);
+                        continue;
+                }
+                fclose(outfile);
+                munmap(buf, sb.st_size + 1);
+                printf("%s/%s created\n", user_apps_dir, filename);
+        }
+        closedir(dir);
+        free(user_apps_dir);
+}
 int main(int argc, char **argv) {
        int i;
        
@@ -288,6 +462,8 @@ int main(int argc, char **argv) {
                        usage();
                        return 0;
                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
                else if (strcmp(argv[i], "--version") == 0) {
                        printf("firecfg version %s\n\n", VERSION);
                        return 0;
@@ -300,6 +476,10 @@ int main(int argc, char **argv) {
                        list();
                        return 0;
                }
+                else if (strcmp(argv[i], "--fix") == 0) {
+                        fix_desktop_files();
+                        return 0;
+                }
                else {
                        fprintf(stderr, "Error: invalid command line option\n");
                        usage();
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 3ad4ba75e..6e5071925 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -16,22 +16,28 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o firejail firejail.1 firejail.1.gz
+clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
new file mode 100644
index 000000000..a658173eb
--- /dev/null
+++ b/src/firejail/appimage.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+// http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=770fe30a46a12b6fb6b63fbe1737654d28e84844
+// sudo mount -o loop krita-3.0-x86_64.appimage mnt
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <fcntl.h>
+#include <linux/loop.h>
+#include <errno.h>
+static char *devloop = NULL;    // device file 
+static char *mntdir = NULL;     // mount point in /tmp directory
+const char *appimage_getdir(void) {
+        return mntdir;
+}
+void appimage_set(const char *appimage_path) {
+        assert(appimage_path);
+        assert(devloop == NULL);        // don't call this twice!
+        EUID_ASSERT();
+        
+#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
+        // check appimage_path
+        if (access(appimage_path, R_OK) == -1) {
+                fprintf(stderr, "Error: cannot access AppImage file\n");
+                exit(1);
+        }
+        // get appimage type and ELF size
+        // a value of 0 means we are dealing with a type1 appimage
+        long unsigned int size = appimage2_size(appimage_path);
+        if (arg_debug)
+                printf("AppImage ELF size %lu\n", size);
+        // open as user to prevent race condition
+        int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC);
+        if (ffd == -1) {
+                fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
+                exit(1);
+        }
+        // find or allocate a free loop device to use
+        EUID_ROOT();
+        int cfd = open("/dev/loop-control", O_RDWR);
+        int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
+        if (devnr == -1) {
+                fprintf(stderr, "Error: cannot allocate a new loopback device\n");
+                exit(1);
+        }
+        close(cfd);
+        if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
+                errExit("asprintf");
+                
+        int lfd = open(devloop, O_RDONLY);
+        if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) {
+                fprintf(stderr, "Error: cannot configure the loopback device\n");
+                exit(1);
+        }
+        
+        if (size) {
+                struct loop_info64 info;
+                memset(&info, 0, sizeof(struct loop_info64));
+                info.lo_offset = size;
+                if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
+                        errExit("configure appimage offset");
+        }
+        
+        close(lfd);
+        close(ffd);
+        EUID_USER();
+        // creates appimage mount point perms 0700
+        if (asprintf(&mntdir, "%s/.appimage-%u",  RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
+                errExit("asprintf");
+        EUID_ROOT();
+        mkdir_attr(mntdir, 0700, getuid(), getgid());
+        EUID_USER();
+        
+        // mount
+        char *mode;
+        if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
+                errExit("asprintf");
+        EUID_ROOT();
+        
+        if (size == 0) {
+                if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
+                        errExit("mounting appimage");
+        }
+        else {
+                if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
+                        errExit("mounting appimage");
+        }
+        if (arg_debug)
+                printf("appimage mounted on %s\n", mntdir);
+        EUID_USER();
+        // set environment
+        if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0)
+                errExit("setenv");
+        if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
+                errExit("setenv");
+        // build new command line
+        if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
+                errExit("asprintf");
+        
+        free(mode);
+#ifdef HAVE_GCOV
+        __gcov_flush();
+#endif
+#else
+        fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
+        exit(1);
+#endif
+}
+void appimage_clear(void) {
+        int rv;
+        EUID_ROOT();
+        if (mntdir) {
+                int i;
+                int rv = 0;
+                for (i = 0; i < 5; i++) {
+                        rv = umount2(mntdir, MNT_FORCE);
+                        if (rv == 0)
+                                break;
+                        if (rv == -1 && errno == EBUSY) {
+                                if (!arg_quiet)
+                                        printf("Warning: EBUSY error trying to unmount %s\n", mntdir);                  
+                                sleep(2);
+                                continue;
+                        }
+                        
+                        // rv = -1
+                        if (!arg_quiet) {
+                                printf("Warning: error trying to unmount %s\n", mntdir);
+                                perror("umount");
+                        }
+                }
+                
+                if (rv == 0) {
+                        rmdir(mntdir);
+                        free(mntdir);
+                }
+        }
+        if (devloop) {
+                int lfd = open(devloop, O_RDONLY);
+                rv = ioctl(lfd, LOOP_CLR_FD, 0);
+                (void) rv;
+                close(lfd);
+        }
+}
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
new file mode 100644
index 000000000..3f5c3150c
--- /dev/null
+++ b/src/firejail/appimage_size.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+/*
+Compile with:
+gcc elfsize.c -o elfsize
+Example:
+ls -l                                           126584
+Calculation using the values also reported by readelf -h:
+Start of section headers        e_shoff         124728
+Size of section headers         e_shentsize     64
+Number of section headers       e_shnum         29
+e_shoff + ( e_shentsize * e_shnum ) =           126584
+*/
+#include <elf.h>
+#include <byteswap.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <fcntl.h>
+typedef Elf32_Nhdr Elf_Nhdr;
+static Elf64_Ehdr ehdr;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define ELFDATANATIVE ELFDATA2LSB
+#elif __BYTE_ORDER == __BIG_ENDIAN
+#define ELFDATANATIVE ELFDATA2MSB
+#else
+#error "Unknown machine endian"
+#endif
+static uint16_t file16_to_cpu(uint16_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_16(val);
+        return val;
+}
+static uint32_t file32_to_cpu(uint32_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_32(val);
+        return val;
+}
+static uint64_t file64_to_cpu(uint64_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_64(val);
+        return val;
+}
+// return 0 if error
+static long unsigned int read_elf32(int fd) {
+        Elf32_Ehdr ehdr32;
+        ssize_t ret;
+        ret = pread(fd, &ehdr32, sizeof(ehdr32), 0);
+        if (ret < 0 || (size_t)ret != sizeof(ehdr))
+                return 0;
+        ehdr.e_shoff            = file32_to_cpu(ehdr32.e_shoff);
+        ehdr.e_shentsize        = file16_to_cpu(ehdr32.e_shentsize);
+        ehdr.e_shnum            = file16_to_cpu(ehdr32.e_shnum);
+        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+}
+// return 0 if error
+static long unsigned int read_elf64(int fd) {
+        Elf64_Ehdr ehdr64;
+        ssize_t ret;
+        ret = pread(fd, &ehdr64, sizeof(ehdr64), 0);
+        if (ret < 0 || (size_t)ret != sizeof(ehdr))
+                return 0;
+        ehdr.e_shoff            = file64_to_cpu(ehdr64.e_shoff);
+        ehdr.e_shentsize        = file16_to_cpu(ehdr64.e_shentsize);
+        ehdr.e_shnum            = file16_to_cpu(ehdr64.e_shnum);
+        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+}
+// return 0 if error
+// return 0 if this is not an appimgage2 file
+long unsigned int appimage2_size(const char *fname) {
+/* TODO, FIXME: This assumes that the section header table (SHT) is
+the last part of the ELF. This is usually the case but
+it could also be that the last section is the last part
+of the ELF. This should be checked for.
+*/
+        ssize_t ret;
+        int fd;
+        long unsigned int size = 0;
+        fd = open(fname, O_RDONLY);
+        if (fd < 0)
+                return 0;
+        ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0);
+        if (ret != EI_NIDENT)
+                goto getout;
+        if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) &&
+             (ehdr.e_ident[EI_DATA] != ELFDATA2MSB))
+                goto getout;
+        if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) {
+                size = read_elf32(fd);
+        }
+        else if(ehdr.e_ident[EI_CLASS] == ELFCLASS64) {
+                size = read_elf64(fd);
+        }
+        else {
+                goto getout;
+        }
+        if (size == 0)
+                goto getout;
+        // look for a LZMA header at this location
+        unsigned char buf[4];
+        ret = pread(fd, buf, 4, size);
+        if (ret != 4) {
+                size = 0;
+                goto getout;
+        }
+        if (memcmp(buf, "hsqs", 4) != 0)
+                size = 0;
+getout:
+        close(fd);
+        return size;
+}
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index fb5e426b0..ddb75905f 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -40,6 +40,7 @@ typedef struct arp_hdr_t {
        uint8_t target_ip[4];
 } ArpHdr;
 // returns 0 if the address is not in use, -1 otherwise
 int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
        if (strlen(dev) > IFNAMSIZ) {
@@ -286,189 +287,4 @@ uint32_t arp_assign(const char *dev, Bridge *br) {
        return ip;
 }
-// scan interface (--scan option)
-void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
-        assert(dev);
-        assert(ifip);
-//      printf("Scanning interface %s (%d.%d.%d.%d/%d)\n",
-//              dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask));
-                        
-        if (strlen(dev) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", dev);
-                exit(1);
-        }
-        
-        // find interface mac address
-        int sock;
-        if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
-                errExit("socket");
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof (ifr));
-        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
-        if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
-                errExit("ioctl");
-        close(sock);
-        uint8_t mac[6];
-        memcpy (mac, ifr.ifr_hwaddr.sa_data, 6);
-        // open layer2 socket
-        if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
-                errExit("socket");
-        
-        // try all possible ip addresses in ascending order
-        uint32_t range = ~ifmask + 1; // the number of potential addresses
-        // this software is not supported for /31 networks
-        if (range < 4) {
-                fprintf(stderr, "Warning: this option is not supported for /31 networks\n");
-                close(sock);
-                return;
-        }
-        uint32_t dest = (ifip & ifmask) + 1;
-        uint32_t last = dest + range - 1;
-        uint32_t src = htonl(ifip);
-        // wait not more than one second for an answer
-        int header_printed = 0;
-        uint32_t last_ip = 0;
-        struct timeval ts;
-        ts.tv_sec = 2; // 2 seconds receive timeout
-        ts.tv_usec = 0;
-        
-        while (1) {
-                fd_set rfds;
-                FD_ZERO(&rfds);
-                FD_SET(sock, &rfds);
-                fd_set wfds;
-                FD_ZERO(&wfds);
-                FD_SET(sock, &wfds);
-                int maxfd = sock;
-                uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
-                memset(frame, 0, ETH_FRAME_LEN);        
-                int nready;
-                if (dest < last)
-                        nready = select(maxfd + 1,  &rfds, &wfds, (fd_set *) 0, NULL);
-                else            
-                        nready = select(maxfd + 1,  &rfds,  (fd_set *) 0, (fd_set *) 0, &ts);
-                
-                if (nready < 0)
-                        errExit("select");
-                        
-                if (nready == 0) { // timeout
-                        break;
-                }
-                
-                if (FD_ISSET(sock, &wfds) && dest < last) {
-                        // configure layer2 socket address information
-                        struct sockaddr_ll addr;
-                        memset(&addr, 0, sizeof(addr));
-                        if ((addr.sll_ifindex = if_nametoindex(dev)) == 0)
-                                errExit("if_nametoindex");
-                        addr.sll_family = AF_PACKET;
-                        memcpy (addr.sll_addr, mac, 6);
-                        addr.sll_halen = htons(6);
-                
-                        // build the arp packet header
-                        ArpHdr hdr;
-                        memset(&hdr, 0, sizeof(hdr));
-                        hdr.htype = htons(1);
-                        hdr.ptype = htons(ETH_P_IP);
-                        hdr.hlen = 6;
-                        hdr.plen = 4;
-                        hdr.opcode = htons(1); //ARPOP_REQUEST
-                        memcpy(hdr.sender_mac, mac, 6);
-                        memcpy(hdr.sender_ip, (uint8_t *)&src, 4);
-                        uint32_t dst = htonl(dest);
-                        memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
-                
-                        // build ethernet frame
-                        uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
-                        memset(frame, 0, sizeof(frame));
-                        frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
-                        memcpy(frame + 6, mac, 6);
-                        frame[12] = ETH_P_ARP / 256;
-                        frame[13] = ETH_P_ARP % 256;
-                        memcpy (frame + 14, &hdr, sizeof(hdr));
-                
-                        // send packet
-                        int len;
-                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
-                                errExit("send");
-//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));                
-                        fflush(0);
-                        dest++;
-                }
-                
-                if (FD_ISSET(sock, &rfds)) {
-                        // read the incoming packet
-                        int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL);
-                        if (len < 0) {
-                                perror("recvfrom");
-                        }
-                        // parse the incoming packet
-                        if ((unsigned int) len < 14 + sizeof(ArpHdr))
-                                continue;
-                        // look only at ARP packets
-                        if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256))
-                                continue;
-                        ArpHdr hdr;
-                        memcpy(&hdr, frame + 14, sizeof(ArpHdr));
-                        if (hdr.opcode == htons(2)) {
-                                // check my mac and my address
-                                if (memcmp(mac, hdr.target_mac, 6) != 0)
-                                        continue;
-                                uint32_t ip;
-                                memcpy(&ip, hdr.target_ip, 4);
-                                if (ip != src)
-                                        continue;
-                                memcpy(&ip, hdr.sender_ip, 4);
-                                ip = ntohl(ip);
-                                
-                                if (ip == last_ip) // filter duplicates
-                                        continue;
-                                last_ip = ip;
-                                        
-                                // printing
-                                if (header_printed == 0) {
-                                        printf("   Network scan:\n");
-                                        
-                                        // print parent interface
-                                        if (cfg.bridge0.configured && cfg.bridge0.ip && cfg.bridge0.macvlan &&
-                                            (cfg.bridge0.ip & cfg.bridge0.mask) == (ifip & cfg.bridge0.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge0.mac), PRINT_IP(cfg.bridge0.ip));
-                                        
-                                        if (cfg.bridge1.configured && cfg.bridge1.ip &&  cfg.bridge1.macvlan &&
-                                            (cfg.bridge1.ip & cfg.bridge1.mask) == (ifip & cfg.bridge1.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge1.mac), PRINT_IP(cfg.bridge1.ip));
-                                        
-                                        if (cfg.bridge2.configured && cfg.bridge2.ip &&  cfg.bridge2.macvlan &&
-                                            (cfg.bridge2.ip & cfg.bridge2.mask) == (ifip & cfg.bridge2.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge2.mac), PRINT_IP(cfg.bridge2.ip));
-                                        
-                                        if (cfg.bridge3.configured && cfg.bridge3.ip &&  cfg.bridge3.macvlan &&
-                                            (cfg.bridge3.ip & cfg.bridge3.mask) == (ifip & cfg.bridge3.mask))
-                                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                                        PRINT_MAC(cfg.bridge3.mac), PRINT_IP(cfg.bridge3.ip));
-                                        
-                                        header_printed = 1;
-                                }
-                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
-                                        PRINT_MAC(hdr.sender_mac), PRINT_IP(ip));                                                                       
-                        }
-                }
-        }
-        
-        close(sock);
-}
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 34c5ca509..5e9002f22 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -130,14 +130,8 @@ static void bandwidth_create_run_file(pid_t pid) {
        /* coverity[toctou] */
        FILE *fp = fopen(fname, "w");
        if (fp) {
+                SET_PERMS_STREAM(fp, 0, 0, 0644);
                fclose(fp);
-        
-                /* coverity[toctou] */
-                if (chmod(fname, 0644) == -1)
-                        errExit("chmod");
-                /* coverity[toctou] */
-                if (chown(fname, 0, 0) == -1)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot create bandwidth file\n");
@@ -180,12 +174,9 @@ void network_set_run_file(pid_t pid) {
                        fprintf(fp, "%s:%s\n", cfg.bridge2.dev, cfg.bridge2.devsandbox);
                if (cfg.bridge3.configured)
                        fprintf(fp, "%s:%s\n", cfg.bridge3.dev, cfg.bridge3.devsandbox);
-                fclose(fp);
-                if (chmod(fname, 0644) == -1)
+                SET_PERMS_STREAM(fp, 0, 0, 0644);
-                        errExit("chmod");
+                fclose(fp);
-                if (chown(fname, 0, 0) == -1)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot create network map file\n");
@@ -320,21 +311,6 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) {
 //***********************************
 // command execution
 //***********************************
-void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        bandwidth_pid(pid, command, dev, down, up);
-}
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) {
        EUID_ASSERT();
        //************************
@@ -459,13 +435,21 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
        if (setregid(0, 0))
                errExit("setregid");
+        if (!cfg.shell)
+                cfg.shell = guess_shell();
+        if (!cfg.shell) {
+                fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
+                exit(1);
+        }
        char *arg[4];
-        arg[0] = "/bin/bash";
+        arg[0] = cfg.shell;
        arg[1] = "-c";
        arg[2] = cmd;
        arg[3] = NULL;
-        execvp("/bin/bash", arg);
+        clearenv();
+        execvp(arg[0], arg);
        
        // it will never get here
-        exit(0);                
+        errExit("execvp");
 }
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 2d42c7d8a..ba811cada 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -168,17 +168,6 @@ static CapsEntry capslist[] = {
 //
 }; // end of capslist
-const char *caps_find_nr(int nr) {
-        int i;
-        int elems = sizeof(capslist) / sizeof(capslist[0]);
-        for (i = 0; i < elems; i++) {
-                if (nr == capslist[i].nr)
-                        return capslist[i].name;
-        }
-        
-        return "unknown";
-}
 // return -1 if error, or syscall number
 static int caps_find_name(const char *name) {
        int i;
@@ -397,26 +386,10 @@ static uint64_t extract_caps(int pid) {
        }
        fclose(fp);
        free(file);
-        printf("Error: cannot read caps configuration\n");
+        fprintf(stderr, "Error: cannot read caps configuration\n");
        exit(1);
 }
-void caps_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        caps_print_filter(pid);
-}
 void caps_print_filter(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index ebd87f0d2..d9c7af9cf 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -30,10 +30,9 @@ void save_cgroup(void) {
        if (fp) {
                fprintf(fp, "%s", cfg.cgroup);
                fflush(0);
+                SET_PERMS_STREAM(fp, 0, 0, 0644);
                if (fclose(fp))
                        goto errout;
-                if (chown(RUN_CGROUP_CFG, 0, 0) < 0)
-                        errExit("chown");
        }
        else
                goto errout;
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 430b0c5a6..78c0e5c60 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -19,15 +19,17 @@
 */
 #include "firejail.h"
 #include <sys/stat.h>
+#include <linux/loop.h>
 #define MAX_READ 8192                             // line buffer for profile files
 static int initialized = 0;
 static int cfg_val[CFG_MAX];
 char *xephyr_screen = "800x600";
+char *xephyr_extra_params = "";
+char *netfilter_default = NULL;
 int checkcfg(int val) {
-        EUID_ASSERT();
        assert(val < CFG_MAX);
        int line = 0;
@@ -37,6 +39,8 @@ int checkcfg(int val) {
                for (i = 0; i < CFG_MAX; i++)
                        cfg_val[i] = 1; // most of them are enabled by default
                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
+                cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
+                cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
                
                // open configuration file
                char *fname;
@@ -45,10 +49,24 @@ int checkcfg(int val) {
                FILE *fp = fopen(fname, "r");
                if (!fp) {
+#ifdef HAVE_GLOBALCFG                   
                        fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
                        exit(1);
+#else
+                        initialized = 1;
+                        return  cfg_val[val];
+#endif  
                }
                
+                // if the file exists, it should be owned by root
+                struct stat s;
+                if (stat(fname, &s) == -1)
+                        errExit("stat");
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: configuration file should be owned by root\n");
+                        exit(1);
+                }
                // read configuration file
                char buf[MAX_READ];
                while (fgets(buf,MAX_READ, fp)) {
@@ -106,6 +124,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // nonewprivs
+                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        cfg_val[CFG_SECCOMP] = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        cfg_val[CFG_SECCOMP] = 0;
+                                else
+                                        goto errout;
+                        }
                        // seccomp
                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
@@ -115,6 +142,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // whitelist
+                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
+                                if (strcmp(ptr + 10, "yes") == 0)
+                                        cfg_val[CFG_WHITELIST] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_WHITELIST] = 0;
+                                else
+                                        goto errout;
+                        }
                        // network
                        else if (strncmp(ptr, "network ", 8) == 0) {
                                if (strcmp(ptr + 8, "yes") == 0)
@@ -133,6 +169,28 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // netfilter
+                        else if (strncmp(ptr, "netfilter-default ", 18) == 0) {
+                                char *fname = ptr + 18;
+                                while (*fname == ' ' || *fname == '\t')
+                                        ptr++;
+                                char *end = strchr(fname, ' ');
+                                if (end)
+                                        *end = '\0';
+                                
+                                // is the file present?
+                                struct stat s;
+                                if (stat(fname, &s) == -1) {
+                                        fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
+                                        exit(1);
+                                }
+                                
+                                netfilter_default = strdup(fname);
+                                if (!netfilter_default)
+                                        errExit("strdup");
+                                if (arg_debug)
+                                        printf("netfilter default file %s\n", fname);
+                        }
                        
                        // Xephyr screen size
                        else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
@@ -145,9 +203,73 @@ int checkcfg(int val) {
                                if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1)
                                        errExit("asprintf");
                        }
+        
+                        // xephyr window title
+                        else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) {
+                                if (strcmp(ptr + 20, "yes") == 0)
+                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1;
+                                else if (strcmp(ptr + 20, "no") == 0)
+                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0;
+                                else
+                                        goto errout;
+                        }
+                                
+                        // Xephyr command extra parameters
+                        else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) {
+                                xephyr_extra_params = strdup(ptr + 19);
+                                if (!xephyr_extra_params)
+                                        errExit("strdup");
+                        }
+                        
+                        // quiet by default
+                        else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        arg_quiet = 1;
+                        }
+                        // remount /proc and /sys
+                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "overlayfs ", 10) == 0) {
+                                if (strcmp(ptr + 10, "yes") == 0)
+                                        cfg_val[CFG_OVERLAYFS] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_OVERLAYFS] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "private-home ", 13) == 0) {
+                                if (strcmp(ptr + 13, "yes") == 0)
+                                        cfg_val[CFG_PRIVATE_HOME] = 1;
+                                else if (strcmp(ptr + 13, "no") == 0)
+                                        cfg_val[CFG_PRIVATE_HOME] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
+                                if (strcmp(ptr + 15, "yes") == 0)
+                                        cfg_val[CFG_CHROOT_DESKTOP] = 1;
+                                else if (strcmp(ptr + 15, "no") == 0)
+                                        cfg_val[CFG_CHROOT_DESKTOP] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
+                                if (strcmp(ptr + 21, "yes") == 0)
+                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;
+                                else if (strcmp(ptr + 21, "no") == 0)
+                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
+                                else
+                                        goto errout;
+                        }
                        else
                                goto errout;
-                                
                        free(ptr);
                }
@@ -163,3 +285,111 @@ errout:
        exit(1);
 }
+void print_compiletime_support(void) {
+        printf("Compile time support:\n");
+        printf("\t- AppArmor support is %s\n",
+#ifdef HAVE_APPARMOR
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- AppImage support is %s\n",
+#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- bind support is %s\n",
+#ifdef HAVE_BIND
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- chroot support is %s\n",
+#ifdef HAVE_CHROOT
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- file and directory whitelisting support is %s\n",
+#ifdef HAVE_WHITELIST
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- file transfer support is %s\n",
+#ifdef HAVE_FILE_TRANSFER
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- networking support is %s\n",
+#ifdef HAVE_NETWORK
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+#ifdef HAVE_NETWORK_RESTRICTED
+        printf("\t- networking features are available only to root user\n");
+#endif
+        printf("\t- overlayfs support is %s\n",
+#ifdef HAVE_OVERLAYFS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- private-home support is %s\n",
+#ifdef HAVE_PRIVATE_HOME
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- seccomp-bpf support is %s\n",
+#ifdef HAVE_SECCOMP
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- user namespace support is %s\n",
+#ifdef HAVE_USERNS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- X11 sandboxing support is %s\n",
+#ifdef HAVE_X11
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+}
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
new file mode 100644
index 000000000..cadf4795d
--- /dev/null
+++ b/src/firejail/cmdline.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <string.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <linux/limits.h>
+#include <assert.h>
+#include <errno.h>
+static int cmdline_length(int argc, char **argv, int index) {
+        assert(index != -1);
+        
+        unsigned i,j;
+        int len = 0;
+        unsigned argcnt = argc - index;
+        bool in_quotes = false;
+        for (i = 0; i < argcnt; i++) {
+                in_quotes = false;
+                for (j = 0; j < strlen(argv[i + index]); j++) {
+                        if (argv[i + index][j] == '\'') {
+                                if (in_quotes)
+                                        len++;
+                                if (j > 0 && argv[i + index][j-1] == '\'')
+                                        len++;
+                                else
+                                        len += 3;
+                                in_quotes = false;
+                        } else {
+                                if (!in_quotes)
+                                        len++;
+                                len++;
+                                in_quotes = true;
+                        }
+                }
+                if (in_quotes) {
+                        len++;
+                }
+                if (strlen(argv[i + index]) == 0) {
+                        len += 2;
+                }
+                len++;
+        }
+        return len;
+}
+static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
+        assert(index != -1);
+        unsigned i,j;
+        unsigned argcnt = argc - index;
+        bool in_quotes = false;
+        char *ptr1 = command_line;
+        char *ptr2 = window_title;
+        for (i = 0; i < argcnt; i++) {
+                // enclose args by single quotes,
+                // and since single quote can't be represented in single quoted text
+                // each occurence of it should be enclosed by double quotes
+                in_quotes = false;
+                for (j = 0; j < strlen(argv[i + index]); j++) {
+                        // single quote
+                        if (argv[i + index][j] == '\'') {
+                                if (in_quotes) {
+                                        // close quotes
+                                        ptr1[0] = '\'';
+                                        ptr1++;
+                                }
+                                // previous char was single quote too
+                                if (j > 0 && argv[i + index][j-1] == '\'') {
+                                        ptr1--;
+                                        sprintf(ptr1, "\'\"");
+                                } 
+                                // this first in series
+                                else
+                                {
+                                        sprintf(ptr1, "\"\'\"");
+                                }
+                                ptr1 += strlen(ptr1);
+                                in_quotes = false;
+                        }
+                        // anything other
+                        else
+                        {
+                                if (!in_quotes) {
+                                        // open quotes
+                                        ptr1[0] = '\'';
+                                        ptr1++;
+                                }
+                                ptr1[0] = argv[i + index][j];
+                                ptr1++;
+                                in_quotes = true;
+                        }
+                }
+                // close quotes
+                if (in_quotes) {
+                        ptr1[0] = '\'';
+                        ptr1++;
+                }
+                // handle empty argument case
+                if (strlen(argv[i + index]) == 0) {
+                        sprintf(ptr1, "\'\'");
+                        ptr1 += strlen(ptr1);
+                }
+                // add space
+                sprintf(ptr1, " ");
+                ptr1 += strlen(ptr1);
+                sprintf(ptr2, "%s ", argv[i + index]);
+                ptr2 += strlen(ptr2);
+        }
+        assert((unsigned) len == strlen(command_line));
+}
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+        // index == -1 could happen if we have --shell=none and no program was specified
+        // the program should exit with an error before entering this function
+        assert(index != -1);
+        int len = cmdline_length(argc, argv, index);
+        if (len > ARG_MAX) {
+                errno = E2BIG;
+                errExit("cmdline_length");
+        }
+        *command_line = malloc(len + 1);
+        if (!*command_line)
+                        errExit("malloc");
+        *window_title = malloc(len + 1);
+        if (!*window_title)
+                        errExit("malloc");
+        
+        quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        assert(*command_line);
+        assert(*window_title);
+}
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 1802ad5e1..7f53fed0f 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -78,11 +78,8 @@ void save_cpu(void) {
        FILE *fp = fopen(RUN_CPU_CFG, "w");
        if (fp) {
                fprintf(fp, "%x\n", cfg.cpus);
+                SET_PERMS_STREAM(fp, 0, 0, 0600);
                fclose(fp);
-                if (chmod(RUN_CPU_CFG, 0600) < 0)
-                        errExit("chmod");
-                if (chown(RUN_CPU_CFG, 0, 0) < 0)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot save cpu affinity mask\n");
@@ -171,21 +168,6 @@ static void print_cpu(int pid) {
        free(file);
 }
-void cpu_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        cpu_print_filter(pid);
-}
 void cpu_print_filter(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 54a6b0036..a02c67ae1 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
        struct env_t *next;
        char *name;
        char *value;
+        ENV_OP op;
 } Env;
 static Env *envlist = NULL;
 static void env_add(Env *env) {
-        env->next = envlist;
+        env->next = NULL;
-        envlist = env;
+        
+        // add the new entry at the end of the list
+        if (envlist == NULL) {
+                envlist = env;
+                return;
+        }
+        
+        Env *ptr = envlist;
+        while (1) {
+                if (ptr->next == NULL) {
+                        ptr->next = env;
+                        break;
+                }
+                ptr = ptr->next;
+        }
 }
 // load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
                        if (arg_debug)
                                printf("%s\n", buf);
                        EUID_USER();
-                        env_store(buf);
+                        env_store(buf, SETENV);
                        EUID_ROOT();
                }
@@ -104,29 +119,31 @@ void env_defaults(void) {
        // fix qt 4.8
        if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
                errExit("setenv");
+//      if (setenv("MOZ_NO_REMOTE, "1", 1) < 0)
+//              errExit("setenv");
        if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
                errExit("setenv");
-        if (arg_zsh && setenv("SHELL", "/usr/bin/zsh", 1) < 0)
+        if (!cfg.shell)
-                errExit("setenv");
+                cfg.shell = guess_shell();
-        if (arg_csh && setenv("SHELL", "/bin/csh", 1) < 0)
-                errExit("setenv");
        if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0)
                errExit("setenv");
        // set prompt color to green
-        //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
+        char *prompt = getenv("FIREJAIL_PROMPT");
-        if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
+        if (prompt && strcmp(prompt, "yes") == 0) {
-                errExit("setenv");
+                //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
+                if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
+                        errExit("setenv");
+        }
-        // build the window title and set it
+        // set the window title
-        char *title;
+        if (!arg_quiet)
-        if (asprintf(&title, "\033]0;firejail %s\007\n", cfg.window_title) == -1)
+                printf("\033]0;firejail %s\007", cfg.window_title);
-                errExit("asprintf");
+        fflush(0);
-        printf("%s", title);
-        free(title);
 }
 // parse and store the environment setting 
-void env_store(const char *str) {
+void env_store(const char *str, ENV_OP op) {
        EUID_ASSERT();
        assert(str);
        
@@ -134,11 +151,13 @@ void env_store(const char *str) {
        if (*str == '\0')
                goto errexit;
        char *ptr = strchr(str, '=');
-        if (!ptr)
+        if (op == SETENV) {
-                goto errexit;
+                if (!ptr)
-        ptr++;
+                        goto errexit;
-        if (*ptr == '\0')
+                ptr++;
-                goto errexit;
+                if (*ptr == '\0')
+                        goto errexit;
+        }
        // build list entry
        Env *env = malloc(sizeof(Env));
@@ -148,10 +167,13 @@ void env_store(const char *str) {
        env->name = strdup(str);
        if (env->name == NULL)
                errExit("strdup");
-        char *ptr2 = strchr(env->name, '=');
+        if (op == SETENV) {
-        assert(ptr2);
+                char *ptr2 = strchr(env->name, '=');
-        *ptr2 = '\0';
+                assert(ptr2);
-        env->value = ptr2 + 1;
+                *ptr2 = '\0';
+                env->value = ptr2 + 1;
+        }
+        env->op = op;
        
        // add entry to the list
        env_add(env);
@@ -167,8 +189,13 @@ void env_apply(void) {
        Env *env = envlist;
        
        while (env) {
-                if (setenv(env->name, env->value, 1) < 0)
+                if (env->op == SETENV) {
-                        errExit("setenv");
+                        if (setenv(env->name, env->value, 1) < 0)
+                                errExit("setenv");
+                }
+                else if (env->op == RMENV) {
+                        unsetenv(env->name);
+                }
                env = env->next;
        }
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 24ea53476..d7ba539e6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,10 +22,13 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
+// debug restricted shell
+//#define DEBUG_RESTRICTED_SHELL
 // filesystem
 #define RUN_FIREJAIL_BASEDIR    "/run"
 #define RUN_FIREJAIL_DIR        "/run/firejail"
+#define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name"
 #define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
@@ -34,7 +37,6 @@
 #define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
 #define RUN_MNT_DIR     "/run/firejail/mnt"     // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"
 #define RUN_CGROUP_CFG  "/run/firejail/mnt/cgroup"
 #define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
 #define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
@@ -43,8 +45,15 @@
 #define RUN_HOME_DIR    "/run/firejail/mnt/home"
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
-#define RUN_DRI_DIR     "/run/firejail/mnt/dri"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
+#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_AMD64       "/run/firejail/mnt/seccomp.amd64"       // amd64 filter installed on i386 architectures
+#define RUN_SECCOMP_I386        "/run/firejail/mnt/seccomp.i386"                // i386 filter installed on amd64 architectures
+#define RUN_DEV_DIR             "/run/firejail/mnt/dev"
 #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
 #define RUN_WHITELIST_X11_DIR   "/run/firejail/mnt/orig-x11"
@@ -52,11 +61,14 @@
 #define RUN_WHITELIST_HOME_USER_DIR     "/run/firejail/mnt/orig-home-user"      // home directory whitelisting
 #define RUN_WHITELIST_TMP_DIR   "/run/firejail/mnt/orig-tmp"
 #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
+#define RUN_WHITELIST_MNT_DIR   "/run/firejail/mnt/orig-mnt"
 #define RUN_WHITELIST_VAR_DIR   "/run/firejail/mnt/orig-var"
 #define RUN_WHITELIST_DEV_DIR   "/run/firejail/mnt/orig-dev"
 #define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
+#define RUN_WHITELIST_SRV_DIR   "/run/firejail/mnt/orig-srv"
 #define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
+#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
 #define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
@@ -67,11 +79,59 @@
 #define RUN_GROUP_FILE          "/run/firejail/mnt/group"
 #define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
 // profiles
-#define DEFAULT_USER_PROFILE    "generic"
+#define DEFAULT_USER_PROFILE    "default"
 #define DEFAULT_ROOT_PROFILE    "server"
 #define MAX_INCLUDE_LEVEL 6             // include levels in profile files
+#define ASSERT_PERMS(file, uid, gid, mode) \
+        do { \
+                assert(file);\
+                struct stat s;\
+                if (stat(file, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
+#define ASSERT_PERMS_FD(fd, uid, gid, mode) \
+        do { \
+                struct stat s;\
+                if (stat(fd, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
+#define ASSERT_PERMS_STREAM(file, uid, gid, mode) \
+        do { \
+                int fd = fileno(file);\
+                if (fd == -1) errExit("fileno");\
+                ASSERT_PERMS_FD(fd, uid, gid, (mode));\
+        } while (0)
+#define SET_PERMS_FD(fd, uid, gid, mode) \
+        do { \
+                if (fchmod(fd, (mode)) == -1)   errExit("chmod");\
+                if (fchown(fd, uid, gid) == -1) errExit("chown");\
+        } while (0)
+#define SET_PERMS_STREAM(stream, uid, gid, mode) \
+        do { \
+                int fd = fileno(stream);\
+                if (fd == -1) errExit("fileno");\
+                SET_PERMS_FD(fd, uid, gid, (mode));\
+        } while (0)
+#define SET_PERMS_STREAM_NOERR(stream, uid, gid, mode) \
+        do { \
+                int fd = fileno(stream);\
+                if (fd == -1) continue;\
+                int rv = fchmod(fd, (mode));\
+                (void) rv;\
+                rv = fchown(fd, uid, gid);\
+                (void) rv;\
+        } while (0)
 // main.c
 typedef struct bridge_t {
        // on the host
@@ -81,6 +141,8 @@ typedef struct bridge_t {
        uint8_t mac[6];         // interface mac address
        int mtu;                // interface mtu
        
+        char *veth_name;        // veth name for the device connected to the bridge
+        
        // inside the sandbox
        char *devsandbox;       // name of the device inside the sandbox
        uint32_t ipsandbox;     // ip address inside the sandbox
@@ -115,9 +177,11 @@ typedef struct profile_entry_t {
        unsigned home_dir:1;    // whitelist in /home/user directory
        unsigned tmp_dir:1;     // whitelist in /tmp directory
        unsigned media_dir:1;   // whitelist in /media directory
+        unsigned mnt_dir:1;     // whitelist in /mnt directory
        unsigned var_dir:1;     // whitelist in /var directory
        unsigned dev_dir:1;     // whitelist in /dev directory
        unsigned opt_dir:1;     // whitelist in /opt directory
+        unsigned srv_dir:1;     // whitelist in /srv directory
 }ProfileEntry;
 typedef struct config_t {
@@ -131,10 +195,12 @@ typedef struct config_t {
        char *profile_ignore[MAX_PROFILE_IGNORE];
        char *chrootdir;        // chroot directory
        char *home_private;     // private home directory
+        char *home_private_keep;        // keep list for private home directory
        char *etc_private_keep; // keep list for private etc directory
        char *bin_private_keep; // keep list for private bin directory
        char *cwd;              // current working directory
        char *overlay_dir;
+   char *private_template; // template dir for tmpfs home
        // networking
        char *name;             // sandbox name
@@ -156,7 +222,6 @@ typedef struct config_t {
        char *seccomp_list;//  optional seccomp list on top of default filter
        char *seccomp_list_drop;        // seccomp drop list
        char *seccomp_list_keep;        // seccomp keep list
-        char **seccomp_list_errno;      // seccomp errno[nr] lists
        char *protocol;                 // protocol list
        // rlimits
@@ -211,6 +276,7 @@ static inline int any_interface_configured(void) {
 void clear_run_files(pid_t pid);
 extern int arg_private;         // mount private /home
+extern int arg_private_template; // private /home template
 extern int arg_debug;           // print debug messages
 extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
@@ -218,9 +284,8 @@ extern int arg_debug_whitelists;	// print debug messages for whitelists
 extern int arg_nonetwork;       // --net=none
 extern int arg_command; // -c
 extern int arg_overlay;         // overlay option
-extern int arg_overlay_keep;    // place overlay diff directory in ~/.firejail
+extern int arg_overlay_keep;    // place overlay diff in a known directory
-extern int arg_zsh;             // use zsh as default shell
+extern int arg_overlay_reuse;   // allow the reuse of overlays
-extern int arg_csh;             // use csh as default shell
 extern int arg_seccomp; // enable default seccomp filter
@@ -237,6 +302,7 @@ extern int arg_rlimit_nproc;	// rlimit nproc
 extern int arg_rlimit_fsize;    // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups;        // disable supplementary groups
+extern int arg_nonewprivs;      // set the NO_NEW_PRIVS prctl
 extern int arg_noroot;          // create a new user namespace and disable root user
 extern int arg_netfilter;       // enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
@@ -251,12 +317,24 @@ extern int arg_private_tmp;	// private tmp directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
 extern int arg_nosound; // disable sound
+extern int arg_no3d;            // disable 3d hardware acceleration
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice;            // nice value configured
 extern int arg_ipc;             // enable ipc namespace
+extern int arg_writable_etc;    // writable etc
+extern int arg_writable_var;    // writable var
+extern int arg_appimage;        // appimage
+extern int arg_audit;           // audit
+extern char *arg_audit_prog;    // audit
+extern int arg_apparmor;        // apparmor
+extern int arg_allow_debuggers; // allow debuggers
+extern int arg_x11_block;       // block X11
+extern int arg_x11_xorg;        // use X11 security extention
+extern int arg_allusers;        // all user home directories visible
+extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
@@ -267,16 +345,17 @@ extern int fullargc;
 // main.c
 void check_user_namespace(void);
+char *guess_shell(void);
 // sandbox.c
 int sandbox(void* sandbox_arg);
+void start_application(void);
 // network_main.c
 void net_configure_bridge(Bridge *br, char *dev_name);
 void net_configure_sandbox_ip(Bridge *br);
 void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
-void net_dns_print_name(const char *name);
 void net_dns_print(pid_t pid);
 void network_main(pid_t child);
@@ -287,35 +366,35 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
 void net_if_ip6(const char *ifname, const char *addr6);
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu);
 int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
-void net_ifprint(void);
-void net_bridge_add_interface(const char *bridge, const char *dev);
 uint32_t network_get_defaultgw(void);
 int net_config_mac(const char *ifname, const unsigned char mac[6]);
 int net_get_mac(const char *ifname, unsigned char mac[6]);
+void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
+// preproc.c
+void preproc_build_firejail_dir(void);
+void preproc_mount_mnt_dir(void);
+void preproc_build_cp_command(void);
+void preproc_delete_cp_command(void) ;
+void preproc_remount_mnt_dir(void);
 // fs.c
-// build /run/firejail directory
-void fs_build_firejail_dir(void);
-// build /run/firejail/mnt directory
-void fs_build_mnt_dir(void);
-// grab a copy of cp command
-void fs_build_cp_command(void);
-// delete the temporary cp command
-void fs_delete_cp_command(void) ;
 // blacklist files or directoies by mounting empty files on top of them
 void fs_blacklist(void);
 // remount a directory read-only
 void fs_rdonly(const char *dir);
+// remount a directory noexec, nodev and nosuid
+void fs_noexec(const char *dir);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
 // mount overlayfs on top of / directory
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 int fs_check_chroot_dir(const char *rootdir);
-void fs_private_tmp(void);
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -340,12 +419,11 @@ void usage(void);
 // join.c
 void join(pid_t pid, int argc, char **argv, int index);
-void join_name(const char *name, int argc, char **argv, int index);
+// shutdown.c
 void shut(pid_t pid);
-void shut_name(const char *name);
 // restricted_shell.c
-extern char *restricted_user;
 int restricted_shell(const char *user);
 // arp.c
@@ -353,13 +431,6 @@ int restricted_shell(const char *user);
 int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr);
 // assign an IP address using arp scanning
 uint32_t arp_assign(const char *dev, Bridge *br);
-// scan interface (--scan option)
-void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask);
-// veth.c
-int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
-int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
-int net_move_interface(const char *dev, unsigned pid);
 // util.c
 void drop_privs(int nogroups);
@@ -369,7 +440,7 @@ void logsignal(int s);
 void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
-int copy_file(const char *srcname, const char *destname);
+int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *line_remove_spaces(const char *buf);
@@ -384,8 +455,13 @@ char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
-uid_t get_tty_gid(void);
+uid_t get_group_id(const char *group);
-uid_t get_audio_gid(void);
+int remove_directory(const char *path);
+void flush_stdin(void);
+void create_empty_dir_as_root(const char *dir, mode_t mode);
+void create_empty_file_as_root(const char *dir, mode_t mode);
+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -400,23 +476,33 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
+void fs_dev_disable_sound(void);
+void fs_dev_disable_3d(void);
 // fs_home.c
 // private mode (--private)
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
+// private template (--private-template=templatedir)
+void fs_private_template(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
+// check new private template home directory (--private-template= option) exit if it fails
+void fs_check_private_template(void);
+// check directory list specified by user (--private-home option) - exit if it fails
+void fs_check_home_list(void);
+void fs_private_home_list(void);
 // seccomp.c
+char *seccomp_check_list(const char *str);
+int seccomp_load(const char *fname);
+void seccomp_filter_32(void);
+void seccomp_filter_64(void);
 int seccomp_filter_drop(int enforce_seccomp);
 int seccomp_filter_keep(void);
-void seccomp_set(void);
-void seccomp_print_filter_name(const char *name);
 void seccomp_print_filter(pid_t pid);
-int seccomp_filter_errno(void);
 // caps.c
 int caps_default_filter(void);
@@ -427,14 +513,11 @@ int caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
-void caps_print_filter_name(const char *name);
 // syscall.c
 const char *syscall_find_nr(int nr);
 // return -1 if error, 0 if no error
 int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg);
-// print all available syscallsseccomp
-void syscall_print(void);
 // fs_trace.c
 void fs_trace_preload(void);
@@ -452,7 +535,6 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
-void cpu_print_filter_name(const char *name);
 void cpu_print_filter(pid_t pid);
 // cgroup.c
@@ -470,7 +552,6 @@ void netfilter6(const char *fname);
 // bandwidth.c
 void bandwidth_del_run_file(pid_t pid);
-void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
 void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
@@ -480,11 +561,17 @@ void fs_check_etc_list(void);
 void fs_private_etc_list(void);
 // no_sandbox.c
+int check_namespace_virt(void);
 int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 // env.c
-void env_store(const char *str);
+typedef enum {
+        SETENV = 0,
+        RMENV
+} ENV_OP;
+void env_store(const char *str, ENV_OP op);
 void env_apply(void);
 void env_defaults(void);
 void env_ibus_load(void);
@@ -507,13 +594,9 @@ void fs_check_bin_list(void);
 void fs_private_bin_list(void);
 // protocol.c
-void protocol_list();
-void protocol_print_filter_name(const char *name);
-void protocol_print_filter(pid_t pid);
-void protocol_store(const char *prlist);
-void protocol_filter(void);
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
+void protocol_print_filter(pid_t pid);
 // restrict_users.c
 void restrict_users(void);
@@ -525,46 +608,90 @@ void fs_logger2int(const char *msg1, int d);
 void fs_logger3(const char *msg1, const char *msg2, const char *msg3);
 void fs_logger_print(void);
 void fs_logger_change_owner(void);
-void fs_logger_print_log_name(const char *name);
 void fs_logger_print_log(pid_t pid);
 // run_symlink.c
 void run_symlink(int argc, char **argv);
-// user.c
-void check_user(int argc, char **argv);
 // paths.c
 char **build_paths(void);
 // fs_mkdir.c
 void fs_mkdir(const char *name);
+void fs_mkfile(const char *name);
 // x11.c
+extern int mask_x11_abstract_socket;
 void fs_x11(void);
 int x11_display(void);
 void x11_start(int argc, char **argv);
 void x11_start_xpra(int argc, char **argv);
 void x11_start_xephyr(int argc, char **argv);
-extern char *xephyr_screen;
+void x11_block(void);
 // ls.c
-#define SANDBOX_FS_LS 0
+enum {
-#define SANDBOX_FS_GET 1
+        SANDBOX_FS_LS = 0,
-void sandboxfs_name(int op, const char *name, const char *path);
+        SANDBOX_FS_GET,
-void sandboxfs(int op, pid_t pid, const char *patqh);
+        SANDBOX_FS_PUT,
+        SANDBOX_FS_MAX // this should always be the last entry
+};
+void sandboxfs(int op, pid_t pid, const char *path1, const char *path2);
 // checkcfg.c
-#define CFG_FILE_TRANSFER 0
+enum {
-#define CFG_X11 1
+        CFG_FILE_TRANSFER = 0,
-#define CFG_BIND 2
+        CFG_X11,
-#define CFG_USERNS 3
+        CFG_BIND,
-#define CFG_CHROOT 4
+        CFG_USERNS,
-#define CFG_SECCOMP 5
+        CFG_CHROOT,
-#define CFG_NETWORK 6
+        CFG_SECCOMP,
-#define CFG_RESTRICTED_NETWORK 7
+        CFG_NETWORK,
-#define CFG_MAX 8 // this should always be the last entry
+        CFG_RESTRICTED_NETWORK,
+        CFG_FORCE_NONEWPRIVS,
+        CFG_WHITELIST,
+        CFG_XEPHYR_WINDOW_TITLE,
+        CFG_REMOUNT_PROC_SYS,
+        CFG_OVERLAYFS,
+        CFG_CHROOT_DESKTOP,
+        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_BIN_NO_LOCAL,
+        CFG_MAX // this should always be the last entry
+};
+extern char *xephyr_screen;
+extern char *xephyr_extra_params;
+extern char *netfilter_default;
 int checkcfg(int val);
+void print_compiletime_support(void);
+void x11_xorg(void);
+// appimage.c
+void appimage_set(const char *appimage_path);
+void appimage_clear(void);
+const char *appimage_getdir(void);
+// appimage_size.c
+long unsigned int appimage2_size(const char *fname);
+// cmdline.c
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+// sbox.c
+// programs
+#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FIREMON (PREFIX "/bin/firemon")
+#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+// bitmapped filters for sbox_run
+#define SBOX_ROOT (1 << 0)                      // run the sandbox as root
+#define SBOX_USER (1 << 1)                      // run the sandbox as a regular user
+#define SBOX_SECCOMP (1 << 2)           // install seccomp 
+#define SBOX_CAPS_NONE (1 << 3)         // drop all capabilities
+#define SBOX_CAPS_NETWORK (1 << 4)      // caps filter for programs running network programs
+#define SBOX_ALLOW_STDIN (1 << 5)               // don't close stdin
+// run sbox
+int sbox_run(unsigned filter, int num, ...);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7ee76d096..7ff7e3c59 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,198 +27,9 @@
 #include <fcntl.h>
 #include <errno.h>
-static void create_empty_dir(void) {
+static void fs_rdwr(const char *dir);
-        struct stat s;
-        
-        if (stat(RUN_RO_DIR, &s)) {
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR);
-                if (rv == -1)
-                        errExit("mkdir");       
-                if (chown(RUN_RO_DIR, 0, 0) < 0)
-                        errExit("chown");
-        }
-}
-static void create_empty_file(void) {
-        struct stat s;
-        if (stat(RUN_RO_FILE, &s)) {
-                /* coverity[toctou] */
-                FILE *fp = fopen(RUN_RO_FILE, "w");
-                if (!fp)
-                        errExit("fopen");
-                fclose(fp);
-                if (chown(RUN_RO_FILE, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_RO_FILE, S_IRUSR) < 0)
-                        errExit("chown");
-        }
-}
-// build /run/firejail directory
-void fs_build_firejail_dir(void) {
-        struct stat s;
-        // CentOS 6 doesn't have /run directory
-        if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_BASEDIR);
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_FIREJAIL_BASEDIR, 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_BASEDIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_BASEDIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        else { // check /tmp/firejail directory belongs to root end exit if doesn't!
-                if (s.st_uid != 0 || s.st_gid != 0) {
-                        fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
-                        exit(1);
-                }
-        }
-        if (stat(RUN_FIREJAIL_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_FIREJAIL_DIR, 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_NETWORK_DIR);
-                
-                if (mkdir(RUN_FIREJAIL_NETWORK_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_NETWORK_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_NETWORK_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_BANDWIDTH_DIR);
-                if (mkdir(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_BANDWIDTH_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-                
-        if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_NAME_DIR);
-                if (mkdir(RUN_FIREJAIL_NAME_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_NAME_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_NAME_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_FIREJAIL_X11_DIR);
-                if (mkdir(RUN_FIREJAIL_X11_DIR, 0755) == -1)
-                        errExit("mkdir");
-                if (chown(RUN_FIREJAIL_X11_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_X11_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        
-        create_empty_dir();
-        create_empty_file();
-}
-// build /tmp/firejail/mnt directory
-static int tmpfs_mounted = 0;
-#ifdef HAVE_CHROOT              
-static void fs_build_remount_mnt_dir(void) {
-        tmpfs_mounted = 0;
-        fs_build_mnt_dir();
-}
-#endif
-void fs_build_mnt_dir(void) {
-        struct stat s;
-        fs_build_firejail_dir();
-        
-        // create /run/firejail/mnt directory
-        if (stat(RUN_MNT_DIR, &s)) {
-                if (arg_debug)
-                        printf("Creating %s directory\n", RUN_MNT_DIR);
-                /* coverity[toctou] */
-                int rv = mkdir(RUN_MNT_DIR, 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_MNT_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_MNT_DIR, 0755) < 0)
-                        errExit("chmod");
-        }
-        // ... and mount tmpfs on top of it
-        if (!tmpfs_mounted) {
-                // mount tmpfs on top of /run/firejail/mnt
-                if (arg_debug)
-                        printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
-                if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting /tmp/firejail/mnt");
-                tmpfs_mounted = 1;
-                fs_logger2("tmpfs", RUN_MNT_DIR);
-        }
-}
-// grab a copy of cp command
-void fs_build_cp_command(void) {
-        struct stat s;
-        fs_build_mnt_dir();
-        if (stat(RUN_CP_COMMAND, &s)) {
-                char* fname = realpath("/bin/cp", NULL);
-                if (fname == NULL) {
-                        fprintf(stderr, "Error: /bin/cp not found\n");
-                        exit(1);
-                }
-                if (stat(fname, &s)) {
-                        fprintf(stderr, "Error: /bin/cp not found\n");
-                        exit(1);
-                }
-                if (is_link(fname)) {
-                        fprintf(stderr, "Error: invalid /bin/cp file\n");
-                        exit(1);
-                }
-                int rv = copy_file(fname, RUN_CP_COMMAND);
-                if (rv) {
-                        fprintf(stderr, "Error: cannot access /bin/cp\n");
-                        exit(1);
-                }
-                /* coverity[toctou] */
-                if (chown(RUN_CP_COMMAND, 0, 0))
-                        errExit("chown");
-                if (chmod(RUN_CP_COMMAND, 0755))
-                        errExit("chmod");
-                        
-                free(fname);
-        }
-}
-// delete the temporary cp command
-void fs_delete_cp_command(void) {
-        unlink(RUN_CP_COMMAND);
-}
 //***********************************************
 // process profile file
@@ -228,6 +39,8 @@ typedef enum {
        BLACKLIST_NOLOG,
        MOUNT_READONLY,
        MOUNT_TMPFS,
+        MOUNT_NOEXEC,
+        MOUNT_RDWR,
        OPERATION_MAX
 } OPERATION;
@@ -242,14 +55,9 @@ static void disable_file(OPERATION op, const char *filename) {
        assert(op <OPERATION_MAX);
        last_disable = UNSUCCESSFUL;
        
-        // rebuild /run/firejail directory in case tmpfs was mounted on top of /run
-        fs_build_firejail_dir();
-        
        // Resolve all symlinks
        char* fname = realpath(filename, NULL);
        if (fname == NULL && errno != EACCES) {
-                if (arg_debug)
-                        printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);
                return;
        }
        if (fname == NULL && errno == EACCES) {
@@ -298,9 +106,10 @@ static void disable_file(OPERATION op, const char *filename) {
                // some distros put all executables under /usr/bin and make /bin a symbolic link
                if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) &&
                      is_link(filename) &&
-                      S_ISDIR(s.st_mode))
+                      S_ISDIR(s.st_mode)) {
-                        fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
+                        if (!arg_quiet)
-                        
+                                fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
+                }
                else {
                        if (arg_debug)
                                printf("Disable %s\n", fname);
@@ -332,6 +141,18 @@ static void disable_file(OPERATION op, const char *filename) {
                fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
        }
+        else if (op == MOUNT_RDWR) {
+                if (arg_debug)
+                        printf("Mounting read-only %s\n", fname);
+                fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
+        else if (op == MOUNT_NOEXEC) {
+                if (arg_debug)
+                        printf("Mounting noexec %s\n", fname);
+                fs_noexec(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
        else if (op == MOUNT_TMPFS) {
                if (S_ISDIR(s.st_mode)) {
                        if (arg_debug)
@@ -361,7 +182,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
        glob_t globbuf;
        // Profiles contain blacklists for files that might not exist on a user's machine.
        // GLOB_NOCHECK makes that okay.
-        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
        if (globerr) {
                fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
                exit(1);
@@ -426,21 +247,13 @@ void fs_blacklist(void) {
                // process bind command
                if (strncmp(entry->data, "bind ", 5) == 0)  {
+                        struct stat s;
                        char *dname1 = entry->data + 5;
                        char *dname2 = split_comma(dname1);
-                        if (dname2 == NULL) {
+                        if (dname2 == NULL ||
-                                fprintf(stderr, "Error: second directory missing in bind command\n");
+                            stat(dname1, &s) == -1 ||
-                                entry = entry->next;
+                            stat(dname2, &s) == -1) {
-                                continue;
+                                fprintf(stderr, "Error: invalid bind command, directory missing\n");
-                        }
-                        struct stat s;
-                        if (stat(dname1, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
-                                entry = entry->next;
-                                continue;
-                        }
-                        if (stat(dname2, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
                                entry = entry->next;
                                continue;
                        }
@@ -452,11 +265,8 @@ void fs_blacklist(void) {
                        if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
                                errExit("mount bind");
                        /* coverity[toctou] */
-                        if (chown(dname2, s.st_uid, s.st_gid) == -1)
+                        if (set_perms(dname2,  s.st_uid, s.st_gid,s.st_mode))
-                                errExit("mount-bind chown");
+                                errExit("set_perms"); 
-                        /* coverity[toctou] */
-                        if (chmod(dname2, s.st_mode) == -1)
-                                errExit("mount-bind chmod");
                                
                        entry = entry->next;
                        continue;
@@ -464,12 +274,40 @@ void fs_blacklist(void) {
                // Process noblacklist command
                if (strncmp(entry->data, "noblacklist ", 12) == 0) {
-                        if (noblacklist_c >= noblacklist_m) {
+                        char **paths = build_paths();
-                        noblacklist_m *= 2;
-                        noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m);
+                        char *enames[sizeof(paths)+1] = {0};
-                        if (noblacklist == NULL)
+                        int i = 0;
-                                errExit("failed increasing memory for noblacklist entries");}
-                        noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir);
+                        if (strncmp(entry->data + 12, "${PATH}", 7) == 0) {
+                                // expand ${PATH} macro
+                                while (paths[i] != NULL) {
+                                        if (asprintf(&enames[i], "%s%s", paths[i], entry->data + 19) == -1)
+                                                errExit("asprintf");
+                                        i++;
+                                }
+                        } else {
+                                // expand ${HOME} macro if found or pass as is
+                                enames[0] = expand_home(entry->data + 12, homedir);
+                                enames[1] = NULL;
+                        }
+                        i = 0;
+                        while (enames[i] != NULL) {
+                                if (noblacklist_c >= noblacklist_m) {
+                                        noblacklist_m *= 2;
+                                        noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m);
+                                        if (noblacklist == NULL)
+                                                errExit("failed increasing memory for noblacklist entries");
+                                }
+                                noblacklist[noblacklist_c++] = enames[i];
+                                i++;
+                        }
+                        while (enames[i] != NULL) {
+                                free(enames[i]);
+                        }
                        entry = entry->next;
                        continue;
                }
@@ -487,10 +325,32 @@ void fs_blacklist(void) {
                        ptr = entry->data + 10;
                        op = MOUNT_READONLY;
                }                       
+                else if (strncmp(entry->data, "read-write ", 11) == 0) {
+                        ptr = entry->data + 11;
+                        op = MOUNT_RDWR;
+                }                       
+                else if (strncmp(entry->data, "noexec ", 7) == 0) {
+                        ptr = entry->data + 7;
+                        op = MOUNT_NOEXEC;
+                }                       
                else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
                        ptr = entry->data + 6;
                        op = MOUNT_TMPFS;
                }                       
+                else if (strncmp(entry->data, "mkdir ", 6) == 0) {
+                        EUID_USER();
+                        fs_mkdir(entry->data + 6);
+                        EUID_ROOT();
+                        entry = entry->next;
+                        continue;
+                }                       
+                else if (strncmp(entry->data, "mkfile ", 7) == 0) {
+                        EUID_USER();
+                        fs_mkfile(entry->data + 7);
+                        EUID_ROOT();
+                        entry = entry->next;
+                        continue;
+                }                       
                else {
                        fprintf(stderr, "Error: invalid profile line %s\n", entry->data);
                        entry = entry->next;
@@ -542,38 +402,56 @@ void fs_rdonly(const char *dir) {
        int rv = stat(dir, &s);
        if (rv == 0) {
                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount read-only");
                // mount --bind -o remount,ro /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
                        errExit("mount read-only");
                fs_logger2("read-only", dir);
        }
 }
-void fs_rdonly_noexit(const char *dir) {
+static void fs_rdwr(const char *dir) {
+        assert(dir);
+        // check directory exists
+        struct stat s;
+        int rv = stat(dir, &s);
+        if (rv == 0) {
+                // if the file is outside /home directory, allow only root user
+                uid_t u = getuid();
+                if (u != 0 && s.st_uid != u) {
+                        if (!arg_quiet)
+                                fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+                        return;
+                }
+                
+                // mount --bind /bin /bin
+                // mount --bind -o remount,rw /bin
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                fs_logger2("read-write", dir);
+        }
+}
+void fs_noexec(const char *dir) {
        assert(dir);
        // check directory exists
        struct stat s;
        int rv = stat(dir, &s);
        if (rv == 0) {
-                int merr = 0;
                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        merr = 1;
                // mount --bind -o remount,ro /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 
-                        merr = 1;
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
-                if (merr)
+                        errExit("mount noexec");
-                        fprintf(stderr, "Warning: cannot mount %s read-only\n", dir); 
+                fs_logger2("noexec", dir);
-                else
-                        fs_logger2("read-only", dir);
        }
 }
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
-        struct stat s;
        if (arg_debug)
                printf("Remounting /proc and /proc/sys filesystems\n");
        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
@@ -581,10 +459,8 @@ void fs_proc_sys_dev_boot(void) {
        fs_logger("remount /proc");
        // remount /proc/sys readonly
-        if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
+        if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
-                errExit("mounting /proc/sys");
+            mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
-        if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
                errExit("mounting /proc/sys");
        fs_logger("read-only /proc/sys");
@@ -601,114 +477,71 @@ void fs_proc_sys_dev_boot(void) {
                        fs_logger("remount /sys");
        }
                
-        if (stat("/sys/firmware", &s) == 0) {
+        disable_file(BLACKLIST_FILE, "/sys/firmware");
-                disable_file(BLACKLIST_FILE, "/sys/firmware");
+        disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        }
+        { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
-                
+                EUID_USER();    
-        if (stat("/sys/hypervisor", &s) == 0) {
+                profile_add("blacklist /sys/fs");
-                disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+                EUID_ROOT();
-        }
-        if (stat("/sys/fs", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/fs");
-        }
-        if (stat("/sys/module", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/module");
        }
+        disable_file(BLACKLIST_FILE, "/sys/module");
-        if (stat("/sys/power", &s) == 0) {
+        disable_file(BLACKLIST_FILE, "/sys/power");
-                disable_file(BLACKLIST_FILE, "/sys/power");
+        disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
-        }
+        disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
+        disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
-//      if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
-//              errExit("mounting /sys");
+        // various /proc/sys files
+        disable_file(BLACKLIST_FILE, "/proc/sys/security");     
-        // Disable SysRq
+        disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");     
-        // a linux box can be shut down easily using the following commands (as root):
+        disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");       
-        // # echo 1 > /proc/sys/kernel/sysrq
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");  
-        // #echo b > /proc/sysrq-trigger
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");      
-        // for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
+        disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
-        if (arg_debug)
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
-                printf("Disable /proc/sysrq-trigger\n");
+        disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
-        fs_rdonly_noexit("/proc/sysrq-trigger");
-        
+        // various /proc files
-        // disable hotplug and uevent_helper
+        disable_file(BLACKLIST_FILE, "/proc/irq");
-        if (arg_debug)
+        disable_file(BLACKLIST_FILE, "/proc/bus");
-                printf("Disable /proc/sys/kernel/hotplug\n");
+        disable_file(BLACKLIST_FILE, "/proc/config.gz");        
-        fs_rdonly_noexit("/proc/sys/kernel/hotplug");
+        disable_file(BLACKLIST_FILE, "/proc/sched_debug");      
-        if (arg_debug)
+        disable_file(BLACKLIST_FILE, "/proc/timer_list");       
-                printf("Disable /sys/kernel/uevent_helper\n");
+        disable_file(BLACKLIST_FILE, "/proc/timer_stats");      
-        fs_rdonly_noexit("/sys/kernel/uevent_helper");
-        
-        // read-only /proc/irq and /proc/bus
-        if (arg_debug)
-                printf("Disable /proc/irq\n");
-        fs_rdonly_noexit("/proc/irq");
-        if (arg_debug)
-                printf("Disable /proc/bus\n");
-        fs_rdonly_noexit("/proc/bus");
-        
-        // disable /proc/kcore
        disable_file(BLACKLIST_FILE, "/proc/kcore");
-        // disable /proc/kallsyms
        disable_file(BLACKLIST_FILE, "/proc/kallsyms");
+        disable_file(BLACKLIST_FILE, "/proc/mem");
+        disable_file(BLACKLIST_FILE, "/proc/kmem");
        
-        // disable /boot
+        // remove kernel symbol information
-        if (stat("/boot", &s) == 0) {
+        if (!arg_allow_debuggers) {
-                if (arg_debug)
+                disable_file(BLACKLIST_FILE, "/usr/src/linux");
-                        printf("Disable /boot directory\n");
+                disable_file(BLACKLIST_FILE, "/lib/modules");
+                disable_file(BLACKLIST_FILE, "/usr/lib/debug");
                disable_file(BLACKLIST_FILE, "/boot");
        }
-        
+                
        // disable /selinux
-        if (stat("/selinux", &s) == 0) {
+        disable_file(BLACKLIST_FILE, "/selinux");
-                if (arg_debug)
-                        printf("Disable /selinux directory\n");
-                disable_file(BLACKLIST_FILE, "/selinux");
-        }
        
        // disable /dev/port
-        if (stat("/dev/port", &s) == 0) {
+        disable_file(BLACKLIST_FILE, "/dev/port");
-                disable_file(BLACKLIST_FILE, "/dev/port");
-        }
        
        if (getuid() != 0) {
-                // disable /dev/kmsg
+                // disable /dev/kmsg and /proc/kmsg
-                if (stat("/dev/kmsg", &s) == 0) {
+                disable_file(BLACKLIST_FILE, "/dev/kmsg");
-                        disable_file(BLACKLIST_FILE, "/dev/kmsg");
+                disable_file(BLACKLIST_FILE, "/proc/kmsg");
-                }
-                
-                // disable /proc/kmsg
-                if (stat("/proc/kmsg", &s) == 0) {
-                        disable_file(BLACKLIST_FILE, "/proc/kmsg");
-                }
        }
 }
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
-static void disable_firejail_config(void) {
+static void disable_config(void) {
        struct stat s;
-        if (stat("/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/etc/firejail");
        char *fname;
        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(fname, &s) == 0)
                disable_file(BLACKLIST_FILE, fname);
-        
-        if (stat("/usr/local/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
-        if (strcmp(PREFIX, "/usr/local")) {
-                if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-                        errExit("asprintf");
-                if (stat(fname, &s) == 0)
-                        disable_file(BLACKLIST_FILE, fname);
-        }
-        
        free(fname);
        
        // disable run time information
@@ -725,8 +558,23 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
+        uid_t uid = getuid();
+        
        if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+        if (!arg_writable_etc) {
+                fs_rdonly("/etc");
+                if (uid)
+                        fs_noexec("/etc");
+                if (arg_debug) printf(", /etc");
+        }
+        if (!arg_writable_var) {
+                fs_rdonly("/var");
+                if (uid)
+                        fs_noexec("/var");
+                if (arg_debug) printf(", /var");
+        }
+        if (arg_debug) printf("\n");
        fs_rdonly("/bin");
        fs_rdonly("/sbin");
        fs_rdonly("/lib");
@@ -734,12 +582,10 @@ void fs_basic_fs(void) {
        fs_rdonly("/lib32");
        fs_rdonly("/libx32");
        fs_rdonly("/usr");
-        fs_rdonly("/etc");
-        fs_rdonly("/var");
        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
+//      if (!arg_private_dev)
-                fs_dev_shm();
+//              fs_dev_shm();
        fs_var_lock();
        fs_var_tmp();
        fs_var_log();
@@ -750,10 +596,51 @@ void fs_basic_fs(void) {
        // don't leak user information
        restrict_users();
        
-        disable_firejail_config();
+        // when starting as root, firejail config is not disabled;
+        // this mode could be used to install and test new software by chaining
+        // firejail sandboxes (firejail --force)
+        if (uid)
+                disable_config();
 }
+#ifdef HAVE_OVERLAYFS
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+        struct stat s;
+        char *dirname;
+        // create ~/.firejail directory
+        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (stat(dirname, &s) == -1) {
+                mkdir_attr(dirname, 0700, 0, 0);
+        }
+        else if (is_link(dirname)) {
+                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                exit(1);
+        }
+        free(dirname);
+        // check overlay directory
+        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+                errExit("asprintf");
+        if (is_link(dirname)) {
+                fprintf(stderr, "Error: overlay directory is a symbolic link\n");
+                exit(1);
+        }
+        if (allow_reuse == 0) {
+                if (stat(dirname, &s) == 0) {
+                        fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+                        exit(1);
+                }
+        }
+        return dirname;
+}
 // mount overlayfs on top of / directory
 // mounting an overlay and chrooting into it:
 //
@@ -806,48 +693,53 @@ void fs_overlayfs(void) {
        if (major == 3 && minor < 18)
                oldkernel = 1;
        
-        // build overlay directories
-        fs_build_mnt_dir();
        char *oroot;
        if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
                errExit("asprintf");
-        if (mkdir(oroot, 0755))
+        mkdir_attr(oroot, 0755, 0, 0);
-                errExit("mkdir");
-        if (chown(oroot, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(oroot, 0755) < 0)
-                errExit("chmod");
+        struct stat s;
        char *basedir = RUN_MNT_DIR;
        if (arg_overlay_keep) {
                // set base for working and diff directories
                basedir = cfg.overlay_dir;
-                if (mkdir(basedir, 0755) != 0) {
-                        fprintf(stderr, "Error: cannot create overlay directory\n");
+                // does the overlay exist?
-                        exit(1);
+                if (stat(basedir, &s) == 0) {
+                        if (arg_overlay_reuse == 0) {
+                                fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
+                                exit(1);
+                        }
+                }
+                else {
+                        if (mkdir(basedir, 0755) != 0) {
+                                fprintf(stderr, "Error: cannot create overlay directory\n");
+                                exit(1);
+                        }
                }
        }
        char *odiff;
        if(asprintf(&odiff, "%s/odiff", basedir) == -1)
                errExit("asprintf");
-        if (mkdir(odiff, 0755))
-                errExit("mkdir");
+        // no need to check arg_overlay_reuse
-        if (chown(odiff, 0, 0) < 0)
+        if (stat(odiff, &s) != 0) {
-                errExit("chown");
+                mkdir_attr(odiff, 0755, 0, 0);
-        if (chmod(odiff, 0755) < 0)
+        }
-                errExit("chmod");
+        else if (set_perms(odiff, 0, 0, 0755))
+                errExit("set_perms");
        
        char *owork;
        if(asprintf(&owork, "%s/owork", basedir) == -1)
                errExit("asprintf");
-        if (mkdir(owork, 0755))
-                errExit("mkdir");
+        // no need to check arg_overlay_reuse
-        if (chown(owork, 0, 0) < 0)
+        if (stat(owork, &s) != 0) {
+                mkdir_attr(owork, 0755, 0, 0);
+        }
+        else if (set_perms(owork, 0, 0, 0755))
                errExit("chown");
-        if (chmod(owork, 0755) < 0)
-                errExit("chmod");
        
        // mount overlayfs
        if (arg_debug)
@@ -899,21 +791,23 @@ void fs_overlayfs(void) {
                
                                if(asprintf(&hdiff, "%s/hdiff", basedir) == -1)
                                        errExit("asprintf");
-                                if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO))
-                                        errExit("mkdir");
+                                // no need to check arg_overlay_reuse
-                                if (chown(hdiff, 0, 0) < 0)
+                                if (stat(hdiff, &s) != 0) {
-                                        errExit("chown");
+                                        mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
-                                if (chmod(hdiff, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                                }
-                                        errExit("chmod");
+                                else if (set_perms(hdiff, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
+                                        errExit("set_perms");
                
                                if(asprintf(&hwork, "%s/hwork", basedir) == -1)
                                        errExit("asprintf");
-                                if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO))
-                                        errExit("mkdir");
+                                // no need to check arg_overlay_reuse
-                                if (chown(hwork, 0, 0) < 0)
+                                if (stat(hwork, &s) != 0) {
-                                        errExit("chown");
+                                        mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
-                                if (chmod(hwork, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                                }
-                                        errExit("chmod");
+                                else if (set_perms(hwork, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
+                                        errExit("set_perms");
                
                                // no homedir in overlay so now mount another overlay for /home
                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
@@ -950,13 +844,30 @@ void fs_overlayfs(void) {
                errExit("mounting /run");
        fs_logger("whitelist /run");
+        // mount-bind /tmp/.X11-unix directory
+        if (stat("/tmp/.X11-unix", &s) == 0) {
+                if (arg_debug)
+                        printf("Mounting /tmp/.X11-unix\n");
+                char *x11;
+                if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1)
+                        errExit("asprintf");
+                if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        fprintf(stderr, "Warning: cannot mount /tmp/.X11-unix in overlay\n");
+                else
+                        fs_logger("whitelist /tmp/.X11-unix");
+                free(x11);
+        }
        // chroot in the new filesystem
+#ifdef HAVE_GCOV
+        __gcov_flush();
+#endif
        if (chroot(oroot) == -1)
                errExit("chroot");
        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
+//      if (!arg_private_dev)
-                fs_dev_shm();
+//              fs_dev_shm();
        fs_var_lock();
        fs_var_tmp();
        fs_var_log();
@@ -967,20 +878,18 @@ void fs_overlayfs(void) {
        // don't leak user information
        restrict_users();
-        // when starting as root in overlay mode, firejail config is not disabled;
+        // when starting as root, firejail config is not disabled;
        // this mode could be used to install and test new software by chaining
        // firejail sandboxes (firejail --force)
        if (getuid() != 0)
-                disable_firejail_config();
+                disable_config();
-        else
-                fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n");
        // cleanup and exit
        free(option);
        free(oroot);
        free(odiff);
 }
+#endif
 #ifdef HAVE_CHROOT              
@@ -991,6 +900,16 @@ int fs_check_chroot_dir(const char *rootdir) {
        struct stat s;
        char *name;
+        // rootdir has to be owned by root
+        if (stat(rootdir, &s) != 0) {
+                fprintf(stderr, "Error: cannot find chroot directory\n");
+                return 1;
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot directory should be owned by root\n");
+                return 1;
+        }
        // check /dev
        if (asprintf(&name, "%s/dev", rootdir) == -1)
                errExit("asprintf");
@@ -1018,7 +937,7 @@ int fs_check_chroot_dir(const char *rootdir) {
        }
        free(name);
        
-        // check /proc
+        // check /tmp
        if (asprintf(&name, "%s/tmp", rootdir) == -1)
                errExit("asprintf");
        if (stat(name, &s) == -1) {
@@ -1026,16 +945,29 @@ int fs_check_chroot_dir(const char *rootdir) {
                return 1;
        }
        free(name);
-        
        // check /bin/bash
-        if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
+//      if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
-                errExit("asprintf");
+//              errExit("asprintf");
-        if (stat(name, &s) == -1) {
+//      if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n");
+//              fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n");
-                return 1;
+//              return 1;
+//      }
+//      free(name);
+        // check x11 socket directory
+        if (getenv("FIREJAIL_X11")) {
+                mask_x11_abstract_socket = 1;
+                char *name;
+                if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1)
+                        errExit("asprintf");
+                if (stat(name, &s) == -1) {
+                        fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n");
+                        return 1;
+                }
+                free(name);
        }
-        free(name);
+        
        return 0;       
 }
@@ -1043,77 +975,108 @@ int fs_check_chroot_dir(const char *rootdir) {
 void fs_chroot(const char *rootdir) {
        assert(rootdir);
        
-        //***********************************
+        if (checkcfg(CFG_CHROOT_DESKTOP)) {
-        // mount-bind a /dev in rootdir
+                // mount-bind a /dev in rootdir
-        //***********************************
+                char *newdev;
-        // mount /dev
+                if (asprintf(&newdev, "%s/dev", rootdir) == -1)
-        char *newdev;
+                        errExit("asprintf");
-        if (asprintf(&newdev, "%s/dev", rootdir) == -1)
+                if (arg_debug)
-                errExit("asprintf");
+                        printf("Mounting /dev on %s\n", newdev);
-        if (arg_debug)
+                if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
-                printf("Mounting /dev on %s\n", newdev);
+                        errExit("mounting /dev");
-        if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                free(newdev);
-                errExit("mounting /dev");
+                
-        
+                // x11
-        // some older distros don't have a /run directory
+                if (getenv("FIREJAIL_X11")) {
-        // create one by default
+                        mask_x11_abstract_socket = 1;
-        // no exit on error, let the user deal with any problems
+                        char *newx11;
-        char *rundir;
+                        if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
-        if (asprintf(&rundir, "%s/run", rootdir) == -1)
+                                errExit("asprintf");
-                errExit("asprintf");
+                        if (arg_debug)
-        if (!is_dir(rundir)) {
+                                printf("Mounting /tmp/.X11-unix on %s\n", newx11);
-                int rv = mkdir(rundir, 0755);
+                        if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
-                (void) rv;
+                                errExit("mounting /tmp/.X11-unix");
-                rv = chown(rundir, 0, 0);
+                        free(newx11);
-                (void) rv;
+                }
+                
+                // create /run/firejail directory in chroot
+                char *rundir;
+                if (asprintf(&rundir, "%s/run", rootdir) == -1)
+                        errExit("asprintf");
+                create_empty_dir_as_root(rundir, 0755);
+                free(rundir);
+                if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
+                        errExit("asprintf");
+                create_empty_dir_as_root(rundir, 0755);
+                free(rundir);
+                
+                // create /run/firejail/mnt directory in chroot and mount a tmpfs
+                if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1)
+                        errExit("asprintf");
+                create_empty_dir_as_root(rundir, 0755);
+                if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mounting /run/firejail/mnt");
+                fs_logger2("tmpfs", RUN_MNT_DIR);
+                free(rundir);
+                // retrieve seccomp.protocol
+                struct stat s;
+                if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) {
+                        if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1)
+                                errExit("asprintf");
+                        copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644);
+                        free(rundir);
+                }
+                
+                // copy /etc/resolv.conf in chroot directory
+                // if resolv.conf in chroot is a symbolic link, this will fail
+                // no exit on error, let the user deal with the problem
+                char *fname;
+                if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("Updating /etc/resolv.conf in %s\n", fname);
+                if (is_link(fname)) {
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
+                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1)
+                        fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
        }
        
-        // copy /etc/resolv.conf in chroot directory
-        // if resolv.conf in chroot is a symbolic link, this will fail
-        // no exit on error, let the user deal with the problem
-        char *fname;
-        if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("Updating /etc/resolv.conf in %s\n", fname);
-        if (is_link(fname)) {
-                fprintf(stderr, "Error: invalid %s file\n", fname);
-                exit(1);
-        }
-        if (copy_file("/etc/resolv.conf", fname) == -1)
-                fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
-                
        // chroot into the new directory
+#ifdef HAVE_GCOV
+        __gcov_flush();
+#endif
        if (arg_debug)
                printf("Chrooting into %s\n", rootdir);
        if (chroot(rootdir) < 0)
                errExit("chroot");
-        // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
-        fs_build_remount_mnt_dir();
-                
-        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
-                fs_dev_shm();
-        fs_var_lock();
-        fs_var_tmp();
-        fs_var_log();
-        fs_var_lib();
-        fs_var_cache();
-        fs_var_utmp();
-        // don't leak user information
+        // create all other /run/firejail files and directories
-        restrict_users();
+        preproc_build_firejail_dir();
+                
-        disable_firejail_config();
+        if (checkcfg(CFG_CHROOT_DESKTOP)) {
+                // update /var directory in order to support multiple sandboxes running on the same root directory
+//              if (!arg_private_dev)
+//                      fs_dev_shm();
+                fs_var_lock();
+                fs_var_tmp();
+                fs_var_log();
+                fs_var_lib();
+                fs_var_cache();
+                fs_var_utmp();
+        
+                // don't leak user information
+                restrict_users();
+        
+                // when starting as root, firejail config is not disabled;
+                // this mode could be used to install and test new software by chaining
+                // firejail sandboxes (firejail --force)
+                if (getuid() != 0)
+                        disable_config();
+        }
 }
 #endif
-void fs_private_tmp(void) {
-        // mount tmpfs on top of /run/firejail/mnt
-        if (arg_debug)
-                printf("Mounting tmpfs on /tmp directory\n");
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                errExit("mounting /tmp/firejail/mnt");
-        fs_logger2("tmpfs", "/tmp");
-}
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index c3d24aaac..6cc1bf3ab 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -28,6 +28,8 @@ static char *paths[] = {
        "/usr/local/bin",
        "/usr/bin",
        "/bin",
+        "/usr/games",
+        "/usr/local/games",
        "/usr/local/sbin",
        "/usr/sbin",
        "/sbin",
@@ -44,12 +46,38 @@ static char *check_dir_or_file(const char *name) {
        
        int i = 0;
        while (paths[i]) {
+                // private-bin-no-local can be disabled in /etc/firejail/firejail.config
+                if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) {
+                        i++;
+                        continue;
+                }
+                
+                // check file           
                if (asprintf(&fname, "%s/%s", paths[i], name) == -1)
                        errExit("asprintf");
                if (arg_debug)
                        printf("Checking %s/%s\n", paths[i], name);             
-                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
+                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
+                        // check symlink to firejail executable in /usr/local/bin
+                        if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
+                                char *actual_path = realpath(fname, NULL);
+                                if (actual_path) {
+                                        char *ptr = strstr(actual_path, "/firejail");
+                                        if (ptr && strlen(ptr) == strlen("/firejail")) {
+                                                if (arg_debug)
+                                                        printf("firejail exec symlink detected\n");
+                                                free(actual_path);
+                                                free(fname);
+                                                fname = NULL;
+                                                i++;
+                                                continue;
+                                        }
+                                        free(actual_path);
+                                }
+                                
+                        }               
                        break; // file found
+                }
                
                free(fname);
                fname = NULL;
@@ -57,7 +85,8 @@ static char *check_dir_or_file(const char *name) {
        }
        if (!fname) {
-//              fprintf(stderr, "Warning: file %s not found\n", name);
+                if (arg_debug)
+                        fprintf(stderr, "Warning: file %s not found\n", name);
                return NULL;
        }
        
@@ -108,16 +137,16 @@ void fs_check_bin_list(void) {
        }
        
        if (*newlist == '\0') {
-                fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
+//              fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
-                cfg.bin_private_keep = NULL;
+//              cfg.bin_private_keep = NULL;
-                arg_private_bin = 0;
+//              arg_private_bin = 0;
                free(newlist);
        }
        else {
                ptr = strrchr(newlist, ',');
                assert(ptr);
                *ptr = '\0';
-                if (notfound)
+                if (notfound && !arg_quiet)
                        fprintf(stderr, "Warning: not all executables from --private-bin list were found. The current list is %s\n", newlist);
                
                cfg.bin_private_keep = newlist;
@@ -127,7 +156,6 @@ void fs_check_bin_list(void) {
 }
 static void duplicate(char *fname) {
-        char *cmd;
        char *path = check_dir_or_file(fname);
        if (!path)
                return;
@@ -153,13 +181,24 @@ static void duplicate(char *fname) {
                }
                else {
                        // copy the file
-                        if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1)
-                                errExit("asprintf");
                        if (arg_debug)
-                                printf("%s\n", cmd);
+                                printf("running: %s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname);
-                        if (system(cmd))
-                                errExit("system cp -a");
+                        pid_t child = fork();
-                        free(cmd);
+                        if (child < 0)
+                                errExit("fork");
+                        if (child == 0) {
+                                char *f;
+                                if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1)
+                                        errExit("asprintf");
+                                clearenv();     
+                                execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL);
+                                perror("execlp");
+                                _exit(1);
+                        }
+                        // wait for the child to finish
+                        waitpid(child, NULL, 0);
+                
                }
                free(actual_path);
        }
@@ -172,29 +211,8 @@ void fs_private_bin_list(void) {
        char *private_list = cfg.bin_private_keep;
        assert(private_list);
        
-        // check bin paths
+        // create /run/firejail/mnt/bin directory
-        int i = 0;
+        mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
-#if 0
-        while (paths[i]) {
-                struct stat s;
-                if (stat(paths[i], &s) == -1) {
-                        fprintf(stderr, "Error: cannot find %s directory\n", paths[i]);
-                        exit(1);
-                }
-                i++;
-        }
-#endif
-        // create /tmp/firejail/mnt/bin directory
-        fs_build_mnt_dir();
-        int rv = mkdir(RUN_BIN_DIR, 0755);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown(RUN_BIN_DIR, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(RUN_BIN_DIR, 0755) < 0)
-                errExit("chmod");
-        
        
        // copy the list of files in the new etc directory
        // using a new child process without root privileges
@@ -225,13 +243,16 @@ void fs_private_bin_list(void) {
                        duplicate(ptr);
                free(dlist);    
                fs_logger_print();
-                exit(0);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
        }
        // wait for the child to finish
        waitpid(child, NULL, 0);
        // mount-bind
-        i = 0;
+        int i = 0;
        while (paths[i]) {
                struct stat s;
                if (stat(paths[i], &s) == 0) {
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 2fd450391..d710e98f2 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -30,17 +30,75 @@
 #endif
 #include <sys/types.h>
+typedef struct {
+        const char *dev_fname;
+        const char *run_fname;
+        int sound;
+        int hw3d;
+} DevEntry;
+static DevEntry dev[] = {
+        {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device
+        {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1},         // 3d device
+        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
+        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
+        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
+        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
+        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
+        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
+        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
+        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
+        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
+        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
+        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
+        {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
+        {NULL, NULL, 0, 0}
+};
+static void deventry_mount(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                struct stat s;
+                if (stat(dev[i].run_fname, &s) == 0) {
+                        int dir = is_dir(dev[i].run_fname);
+                        if (arg_debug)
+                                printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
+                        if (dir) {
+                                mkdir_attr(dev[i].dev_fname, 0755, 0, 0);
+                        }
+                        else {
+                                struct stat s;
+                                if (stat(dev[i].run_fname, &s) == -1) {
+                                        if (arg_debug)
+                                                printf("Warning: cannot stat %s file\n", dev[i].run_fname);
+                                        i++;
+                                        continue;
+                                }
+                                FILE *fp = fopen(dev[i].dev_fname, "w");
+                                if (fp) {
+                                        fprintf(fp, "\n");
+                                        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
+                                        fclose(fp);
+                                }
+                        }
+                                
+                        if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mounting dev file");
+                        fs_logger2("whitelist", dev[i].dev_fname);
+                }
+                
+                i++;    
+        }
+}
+        
 static void create_char_dev(const char *path, mode_t mode, int major, int minor) {
        dev_t dev = makedev(major, minor);
-        int rv = mknod(path, S_IFCHR | mode, dev);
+        if (mknod(path, S_IFCHR | mode, dev) == -1)
-        if (rv == -1)
                goto errexit;
-        
        if (chmod(path, mode) < 0)
                goto errexit;
-        if (chown(path, 0, 0) < 0)
+        ASSERT_PERMS(path, 0, 0, mode);
-                goto errexit;
        return;
        
@@ -62,35 +120,19 @@ errexit:
 }
 void fs_private_dev(void){
-        int rv;
        // install a new /dev directory
        if (arg_debug)
                printf("Mounting tmpfs on /dev\n");
-        int have_dri = 0;
-        struct stat s;
-        if (stat("/dev/dri", &s) == 0)
-                have_dri = 1;
        // create DRI_DIR
-        fs_build_mnt_dir();
+        // keep a copy of dev directory
-        if (have_dri) {
+        mkdir_attr(RUN_DEV_DIR, 0755, 0, 0);
-                /* coverity[toctou] */
+        if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                rv = mkdir(RUN_DRI_DIR, 0755);
+                errExit("mounting /dev/dri");
-                if (rv == -1)
-                        errExit("mkdir");
+        // create DEVLOG_FILE
-                if (chown(RUN_DRI_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_DRI_DIR, 0755) < 0)
-                        errExit("chmod");
-        
-                // keep a copy of /dev/dri under DRI_DIR
-                if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /dev/dri");
-        }
-        
-        // restore /dev/log
        int have_devlog = 0;
+        struct stat s;
        if (stat("/dev/log", &s) == 0) {
                have_devlog = 1;
                FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
@@ -108,6 +150,8 @@ void fs_private_dev(void){
        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mounting /dev");
        fs_logger("tmpfs /dev");
+        
+        deventry_mount();
        // bring back /dev/log
        if (have_devlog) {
@@ -120,32 +164,14 @@ void fs_private_dev(void){
                        fs_logger("clone /dev/log");
                }
        }               
+        if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable /dev/snd");
-        // bring back the /dev/dri directory
-        if (have_dri) {
-                /* coverity[toctou] */
-                rv = mkdir("/dev/dri", 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/dev/dri", 0, 0) < 0)
-                        errExit("chown");
-                if (chmod("/dev/dri",0755) < 0)
-                        errExit("chmod");
-                if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /dev/dri");
-                fs_logger("whitelist /dev/dri");
-        }
        
        // create /dev/shm
        if (arg_debug)
                printf("Create /dev/shm directory\n");
-        rv = mkdir("/dev/shm", 01777);
+        mkdir_attr("/dev/shm", 01777, 0, 0);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown("/dev/shm", 0, 0) < 0)
-                errExit("chown");
-        if (chmod("/dev/shm", 01777) < 0)
-                errExit("chmod");
        fs_logger("mkdir /dev/shm");
        // create devices
@@ -167,13 +193,7 @@ void fs_private_dev(void){
 #endif
        // pseudo-terminal
-        rv = mkdir("/dev/pts", 0755);
+        mkdir_attr("/dev/pts", 0755, 0, 0);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown("/dev/pts", 0, 0) < 0)
-                errExit("chown");
-        if (chmod("/dev/pts", 0755) < 0)
-                errExit("chmod");
        fs_logger("mkdir /dev/pts");
        create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
        fs_logger("mknod /dev/pts/ptmx");
@@ -186,7 +206,7 @@ void fs_private_dev(void){
        // mount /dev/pts
-        gid_t ttygid = get_tty_gid();
+        gid_t ttygid = get_group_id("tty");
        char *data;
        if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
                errExit("asprintf");
@@ -205,6 +225,7 @@ void fs_private_dev(void){
 }
+#if 0
 void fs_dev_shm(void) {
        uid_t uid = getuid(); // set a new shm only if we started as root
        if (uid)
@@ -222,12 +243,7 @@ void fs_dev_shm(void) {
                if (lnk) {
                        if (!is_dir(lnk)) {
                                // create directory
-                                if (mkdir(lnk, 01777))
+                                mkdir_attr(lnk, 01777, 0, 0);
-                                        errExit("mkdir");
-                                if (chown(lnk, 0, 0))
-                                        errExit("chown");
-                                if (chmod(lnk, 01777))
-                                        errExit("chmod");
                        }
                        if (arg_debug)
                                printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
@@ -243,3 +259,40 @@ void fs_dev_shm(void) {
                        
        }
 }
+#endif  
+static void disable_file_or_dir(const char *fname) {
+        if (arg_debug)
+                printf("disable %s\n", fname);
+        struct stat s;
+        if (stat(fname, &s) != -1) {
+                if (is_dir(fname)) {    
+                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable directory");
+                }
+                else {
+                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable file");
+                }               
+        }
+        fs_logger2("blacklist", fname);
+}
+void fs_dev_disable_sound(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].sound)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
+void fs_dev_disable_3d(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].hw3d)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 1a44b1305..7e18840fd 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -28,7 +28,7 @@
 static int check_dir_or_file(const char *name) {
        assert(name);
        invalid_filename(name);
-        
        struct stat s;
        char *fname;
        if (asprintf(&fname, "/etc/%s", name) == -1)
@@ -40,7 +40,11 @@ static int check_dir_or_file(const char *name) {
                        printf("Warning: file %s not found.\n", fname);
                return 0;
        }
-        
+        // read access
+        if (access(fname, R_OK) == -1)
+                goto errexit;
        // dir or regular file
        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) {
                free(fname);
@@ -52,6 +56,8 @@ static int check_dir_or_file(const char *name) {
                return 1;
        }
        
+errexit:        
        fprintf(stderr, "Error: invalid file type, %s.\n", fname);
        exit(1);
 }
@@ -88,18 +94,25 @@ void fs_check_etc_list(void) {
 }
 static void duplicate(char *fname) {
-        char *cmd;
+        // copy the file
-        // copy the file - this code assumes ETC_DIR is actually MNT_DIR/etc
-        if (asprintf(&cmd, "%s -a --parents /etc/%s %s", RUN_CP_COMMAND, fname, RUN_MNT_DIR) == -1)
-                errExit("asprintf");
        if (arg_debug)
-                printf("%s\n", cmd);
+                printf("running: %s -a --parents /etc/%s %s\n", RUN_CP_COMMAND, fname, RUN_MNT_DIR);
-        if (system(cmd))
-                fprintf(stderr, "Warning (fs_etc): error copying file /etc/%s, skipping...\n", fname);
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                char *f;
+                if (asprintf(&f, "/etc/%s", fname) == -1)
+                        errExit("asprintf");
+                clearenv();     
+                execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL);
+                perror("execlp");
+                _exit(1);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
-        free(cmd);
-        
        char *name;
        if (asprintf(&name, "/etc/%s", fname) == -1)
                errExit("asprintf");
@@ -118,51 +131,51 @@ void fs_private_etc_list(void) {
                exit(1);
        }
-        // create /tmp/firejail/mnt/etc directory
+        // create /run/firejail/mnt/etc directory
-        fs_build_mnt_dir();
+        mkdir_attr(RUN_ETC_DIR, 0755, 0, 0);
-        int rv = mkdir(RUN_ETC_DIR, 0755);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown(RUN_ETC_DIR, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(RUN_ETC_DIR, 0755) < 0)
-                errExit("chmod");
        fs_logger("tmpfs /etc");
        
-        // copy the list of files in the new etc directory
-        // using a new child process without root privileges
        fs_logger_print();      // save the current log
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                if (arg_debug)
-                        printf("Copying files in the new etc directory:\n");
-                // elevate privileges - files in the new /etc directory belong to root
-                if (setreuid(0, 0) < 0)
-                        errExit("setreuid");
-                if (setregid(0, 0) < 0)
-                        errExit("setregid");
-                
-                // copy the list of files in the new home directory
-                char *dlist = strdup(private_list);
-                if (!dlist)
-                        errExit("strdup");
-        
-                char *ptr = strtok(dlist, ",");
+        // copy the list of files in the new etc directory
-                duplicate(ptr);
+        // using a new child process with root privileges
+        if (*private_list != '\0') {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        if (arg_debug)
+                                printf("Copying files in the new etc directory:\n");
        
-                while ((ptr = strtok(NULL, ",")) != NULL)
+                        // elevate privileges - files in the new /etc directory belong to root
+                        if (setreuid(0, 0) < 0)
+                                errExit("setreuid");
+                        if (setregid(0, 0) < 0)
+                                errExit("setregid");
+                        
+                        // copy the list of files in the new home directory
+                        char *dlist = strdup(private_list);
+                        if (!dlist)
+                                errExit("strdup");
+                
+        
+                        char *ptr = strtok(dlist, ",");
                        duplicate(ptr);
-                free(dlist);    
+                
-                fs_logger_print();
+                        while ((ptr = strtok(NULL, ",")) != NULL)
-                exit(0);
+                                duplicate(ptr);
+                        free(dlist);    
+                        fs_logger_print();
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
        }
-        // wait for the child to finish
+        
-        waitpid(child, NULL, 0);
        if (arg_debug)
                printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
        if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index d4a16da0a..242482d26 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -28,11 +28,13 @@
 #include <sys/wait.h>
 #include <unistd.h>
 #include <grp.h>
+#include <ftw.h>
 static void skel(const char *homedir, uid_t u, gid_t g) {
        char *fname;
        // zsh
-        if (arg_zsh) {
+        if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                // copy skel files
                if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                        errExit("asprintf");
@@ -41,13 +43,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                if (stat(fname, &s) == 0)
                        return;
                if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        if (is_link("/etc/skel/.zshrc")) {
+                        if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n");
-                                exit(1);
-                        }
-                        if (copy_file("/etc/skel/.zshrc", fname) == 0) {
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
                                fs_logger("clone /etc/skel/.zshrc");
                        }
                }
@@ -55,18 +51,15 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        FILE *fp = fopen(fname, "w");
                        if (fp) {
                                fprintf(fp, "\n");
+                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
                                fclose(fp);
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
-                                if (chmod(fname, S_IRUSR | S_IWUSR) < 0)
-                                        errExit("chown");
                                fs_logger2("touch", fname);
                        }
                }
                free(fname);
        }
        // csh
-        else if (arg_csh) {
+        else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                // copy skel files
                if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                        errExit("asprintf");
@@ -75,13 +68,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                if (stat(fname, &s) == 0)
                        return;
                if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        if (is_link("/etc/skel/.cshrc")) {
+                        if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n");
-                                exit(1);
-                        }
-                        if (copy_file("/etc/skel/.cshrc", fname) == 0) {
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
                                fs_logger("clone /etc/skel/.cshrc");
                        }
                }
@@ -90,11 +77,8 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        FILE *fp = fopen(fname, "w");
                        if (fp) {
                                fprintf(fp, "\n");
+                                SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR);
                                fclose(fp);
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
-                                if (chmod(fname, S_IRUSR | S_IWUSR) < 0)
-                                        errExit("chown");
                                fs_logger2("touch", fname);
                        }
                }
@@ -110,14 +94,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                if (stat(fname, &s) == 0) 
                        return;
                if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        if (is_link("/etc/skel/.bashrc")) {
+                        if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n");
-                                exit(1);
-                        }
-                        if (copy_file("/etc/skel/.bashrc", fname) == 0) {
-                                /* coverity[toctou] */
-                                if (chown(fname, u, g) == -1)
-                                        errExit("chown");
                                fs_logger("clone /etc/skel/.bashrc");
                        }
                }
@@ -127,8 +104,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 static int store_xauthority(void) {
        // put a copy of .Xauthority in XAUTHORITY_FILE
-        fs_build_mnt_dir();
        char *src;
        char *dest = RUN_XAUTHORITY_FILE;
        if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
@@ -137,11 +112,11 @@ static int store_xauthority(void) {
        struct stat s;
        if (stat(src, &s) == 0) {
                if (is_link(src)) {
-                        fprintf(stderr, "Error: invalid .Xauthority file\n");
+                        fprintf(stderr, "Warning: invalid .Xauthority file\n");
-                        exit(1);
+                        return 0;
                }
                        
-                int rv = copy_file(src, dest);
+                int rv = copy_file(src, dest, -1, -1, 0600);
                if (rv) {
                        fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
                        return 0;
@@ -153,9 +128,6 @@ static int store_xauthority(void) {
 }
 static int store_asoundrc(void) {
-        // put a copy of .Xauthority in XAUTHORITY_FILE
-        fs_build_mnt_dir();
        char *src;
        char *dest = RUN_ASOUNDRC_FILE;
        if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
@@ -177,7 +149,7 @@ static int store_asoundrc(void) {
                        free(rp);
                }
-                int rv = copy_file(src, dest);
+                int rv = copy_file(src, dest, -1, -1, -0644);
                if (rv) {
                        fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
                        return 0;
@@ -194,17 +166,12 @@ static void copy_xauthority(void) {
        char *dest;
        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                errExit("asprintf");
-        int rv = copy_file(src, dest);
+        // copy, set permissions and ownership
+        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
        if (rv)
                fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
        else {
                fs_logger2("clone", dest);
-        
-                // set permissions and ownership
-                if (chown(dest, getuid(), getgid()) < 0)
-                        errExit("chown");
-                if (chmod(dest, S_IRUSR | S_IWUSR) < 0)
-                        errExit("chmod");
        }
        
        // delete the temporary file
@@ -217,17 +184,12 @@ static void copy_asoundrc(void) {
        char *dest;
        if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
                errExit("asprintf");
-        int rv = copy_file(src, dest);
+        // copy, set permissions and ownership
+        int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
        if (rv)
                fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
        else {
                fs_logger2("clone", dest);
-        
-                // set permissions and ownership
-                if (chown(dest, getuid(), getgid()) < 0)
-                        errExit("chown");
-                if (chmod(dest, S_IRUSR | S_IWUSR) < 0)
-                        errExit("chmod");
        }
        // delete the temporary file
@@ -260,7 +222,7 @@ void fs_private_homedir(void) {
        // mount bind private_homedir on top of homedir
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
-        if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger3("mount-bind", private_homedir, cfg.homedir);
        fs_logger2("whitelist", cfg.homedir);
@@ -274,7 +236,7 @@ void fs_private_homedir(void) {
                // mask /root
                if (arg_debug)
                        printf("Mounting a new /root directory\n");
-                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                        errExit("mounting home directory");
                fs_logger("tmpfs /root");
        }
@@ -282,7 +244,7 @@ void fs_private_homedir(void) {
                // mask /home
                if (arg_debug)
                        printf("Mounting a new /home directory\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting home directory");
                fs_logger("tmpfs /home");
        }
@@ -312,14 +274,14 @@ void fs_private(void) {
        // mask /home
        if (arg_debug)
                printf("Mounting a new /home directory\n");
-        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mounting home directory");
        fs_logger("tmpfs /home");
        // mask /root
        if (arg_debug)
                printf("Mounting a new /root directory\n");
-        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                errExit("mounting root directory");
        fs_logger("tmpfs /root");
@@ -343,8 +305,8 @@ void fs_private(void) {
                copy_xauthority();
        if (aflag)
                copy_asoundrc();
-}
+}
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void) {
@@ -384,3 +346,318 @@ void fs_check_private_dir(void) {
        }
 }
+//***********************************************************************************
+// --private-home
+//***********************************************************************************
+#define PRIVATE_COPY_LIMIT (500 * 1024 *1024)
+static int size_limit_reached = 0;
+static unsigned file_cnt = 0;
+static unsigned size_cnt = 0;
+static char *check_dir_or_file(const char *name);
+int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) {
+        (void) st;
+        (void) sftw;
+        if (size_limit_reached)
+                return 0;
+        struct stat s;
+        char *dest;
+        if (asprintf(&dest, "%s%s", RUN_HOME_DIR, path + strlen(cfg.homedir)) == -1)
+                errExit("asprintf");
+        // don't copy it if we already have the file
+        if (stat(dest, &s) == 0) {
+                free(dest);
+                return 0;
+        }
+        
+        // extract mode and ownership
+        if (stat(path, &s) != 0) {
+                free(dest);
+                return 0;
+        }
+        // check uid
+        if (s.st_uid != firejail_uid || s.st_gid != firejail_gid) {
+                free(dest);
+                return 0;
+        }
+        if ((s.st_size + size_cnt) > PRIVATE_COPY_LIMIT) {
+                size_limit_reached = 1;
+                free(dest);
+                return 0;
+        }
+        file_cnt++;
+        size_cnt += s.st_size;
+        if(ftype == FTW_F)
+                copy_file(path, dest, firejail_uid, firejail_gid, s.st_mode);
+        else if (ftype == FTW_D) {
+                if (mkdir(dest, s.st_mode) == -1)
+                        errExit("mkdir");
+                if (set_perms(dest, firejail_uid, firejail_gid, s.st_mode))
+                        errExit("set_perms");
+#if 0
+struct stat s2;         
+if (stat(dest, &s2) == 0) {
+    printf("%s\t", dest);
+    printf((S_ISDIR(s.st_mode))  ? "d" : "-");
+    printf((s.st_mode & S_IRUSR) ? "r" : "-");
+    printf((s.st_mode & S_IWUSR) ? "w" : "-");
+    printf((s.st_mode & S_IXUSR) ? "x" : "-");
+    printf((s.st_mode & S_IRGRP) ? "r" : "-");
+    printf((s.st_mode & S_IWGRP) ? "w" : "-");
+    printf((s.st_mode & S_IXGRP) ? "x" : "-");
+    printf((s.st_mode & S_IROTH) ? "r" : "-");
+    printf((s.st_mode & S_IWOTH) ? "w" : "-");
+    printf((s.st_mode & S_IXOTH) ? "x" : "-");
+    printf("\n");
+}
+#endif          
+                
+                fs_logger2("clone", path);
+        }               
+                
+        free(dest);
+        return(0);
+}
+static void duplicate(char *name) {
+        char *fname = check_dir_or_file(name);
+        if (arg_debug)
+                printf("Private home: duplicating %s\n", fname);
+        assert(strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0);
+        struct stat s;
+        if (stat(fname, &s) == -1) {
+                free(fname);
+                return;
+        }
+        
+        if(nftw(fname, fs_copydir, 1, FTW_PHYS) != 0) {
+                fprintf(stderr, "Error: unable to copy template dir\n");
+                exit(1);
+        }
+        fs_logger_print();      // save the current log
+        free(fname);
+}
+static char *check_dir_or_file(const char *name) {
+        assert(name);
+        struct stat s;
+        // basic checks
+        invalid_filename(name);
+        if (arg_debug)
+                printf("Private home: checking %s\n", name);
+        // expand home directory
+        char *fname = expand_home(name, cfg.homedir);
+        if (!fname) {
+                fprintf(stderr, "Error: file %s not found.\n", name);
+                exit(1);
+        }
+        // If it doesn't start with '/', it must be relative to homedir
+        if (fname[0] != '/') {
+                char* tmp;
+                if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1)
+                        errExit("asprintf");
+                free(fname);
+                fname = tmp;
+        }
+        // check the file is in user home directory
+        char *rname = realpath(fname, NULL);
+        if (!rname) {
+                fprintf(stderr, "Error: invalid file %s\n", name);
+                exit(1);
+        }
+        if (strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                fprintf(stderr, "Error: file %s is not in user home directory\n", name);
+                exit(1);
+        }
+        
+        // a full home directory is not allowed
+        if (strcmp(rname, cfg.homedir) == 0) {
+                fprintf(stderr, "Error: invalid directory %s\n", rname);
+                exit(1);
+        }
+        
+        // only top files and directories in user home are allowed
+        char *ptr = rname + strlen(cfg.homedir);
+        if (*ptr == '\0') {
+                fprintf(stderr, "Error: invalid file %s\n", name);
+                exit(1);
+        }
+        ptr++;
+        ptr = strchr(ptr, '/');
+        if (ptr) {
+                if (*ptr != '\0') {
+                        fprintf(stderr, "Error: only top files and directories in user home are allowed\n");
+                        exit(1);
+                }
+        }
+        if (stat(fname, &s) == -1) {
+                fprintf(stderr, "Error: file %s not found.\n", fname);
+                exit(1);
+        }
+        // check uid
+        uid_t uid = getuid();
+        gid_t gid = getgid();
+        if (s.st_uid != uid || s.st_gid != gid) {
+                fprintf(stderr, "Error: only files or directories created by the current user are allowed.\n");
+                exit(1);
+        }
+        // dir or regular file
+        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) {
+                free(fname);
+                return rname;                     // regular exit from the function
+        }
+        fprintf(stderr, "Error: invalid file type, %s.\n", fname);
+        exit(1);
+}
+// check directory list specified by user (--private-home option) - exit if it fails
+void fs_check_home_list(void) {
+        if (strstr(cfg.home_private_keep, "..")) {
+                fprintf(stderr, "Error: invalid private-home list\n");
+                exit(1);
+        }
+        char *dlist = strdup(cfg.home_private_keep);
+        if (!dlist)
+                errExit("strdup");
+        char *ptr = strtok(dlist, ",");
+        char *tmp = check_dir_or_file(ptr);
+        free(tmp);
+        while ((ptr = strtok(NULL, ",")) != NULL) {
+                tmp = check_dir_or_file(ptr);
+                free(tmp);
+        }
+        free(dlist);
+}
+// private mode (--private-home=list):
+//      mount homedir on top of /home/user,
+//      tmpfs on top of  /root in nonroot mode,
+//      tmpfs on top of /tmp in root mode,
+//      set skel files,
+//      restore .Xauthority
+void fs_private_home_list(void) {
+        char *homedir = cfg.homedir;
+        char *private_list = cfg.home_private_keep;
+        assert(homedir);
+        assert(private_list);
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
+        uid_t u = firejail_uid;
+        gid_t g = firejail_gid;
+        struct stat s;
+        if (stat(homedir, &s) == -1) {
+                fprintf(stderr, "Error: cannot find user home directory\n");
+                exit(1);
+        }
+        // create /run/firejail/mnt/home directory
+        int rv = mkdir(RUN_HOME_DIR, 0755);
+        if (rv == -1)
+                errExit("mkdir");
+        if (set_perms(RUN_HOME_DIR, u, g, 0755))
+                errExit("set_perms");
+        ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755);
+        fs_logger_print();      // save the current log
+        // copy the list of files in the new home directory
+        // using a new child process without root privileges
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                if (arg_debug)
+                        printf("Copying files in the new home:\n");
+                // drop privileges
+                if (setgroups(0, NULL) < 0)
+                        errExit("setgroups");
+                if (setgid(getgid()) < 0)
+                        errExit("setgid/getgid");
+                if (setuid(getuid()) < 0)
+                        errExit("setuid/getuid");
+                // copy the list of files in the new home directory
+                char *dlist = strdup(cfg.home_private_keep);
+                if (!dlist)
+                        errExit("strdup");
+                
+                char *ptr = strtok(dlist, ",");
+                duplicate(ptr);
+                while ((ptr = strtok(NULL, ",")) != NULL)
+                        duplicate(ptr);
+                if (!arg_quiet) {
+                        if (size_limit_reached)
+                                fprintf(stderr, "Warning: private-home copy limit of %u MB reached, not all the files were copied\n", 
+                                        PRIVATE_COPY_LIMIT / (1024 *1024));
+                        else
+                                printf("Private home: %u files, total size %u bytes\n", file_cnt, size_cnt);
+                }
+                fs_logger_print();      // save the current log
+                free(dlist);
+#ifdef HAVE_GCOV
+        __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+        if (arg_debug)
+                printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);
+        if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        if (u != 0) {
+                // mask /root
+                if (arg_debug)
+                        printf("Mounting a new /root directory\n");
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+                        errExit("mounting home directory");
+        }
+        else {
+                // mask /home
+                if (arg_debug)
+                        printf("Mounting a new /home directory\n");
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mounting home directory");
+        }
+        skel(homedir, u, g);
+        if (xflag)
+                copy_xauthority();
+        if (aflag)
+                copy_asoundrc();
+}
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index aa391c0cb..04197eb8f 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -27,7 +27,6 @@
 void fs_hostname(const char *hostname) {
        struct stat s;
-        fs_build_mnt_dir();
        
        // create a new /etc/hostname
        if (stat("/etc/hostname", &s) == 0) {
@@ -40,14 +39,10 @@ void fs_hostname(const char *hostname) {
                        exit(1);
                }
                fprintf(fp, "%s\n", hostname);
-                fclose(fp);
-                
                // mode and owner
-                if (chown(RUN_HOSTNAME_FILE, 0, 0) < 0)
+                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                        errExit("chown");
+                fclose(fp);
-                if (chmod(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                        errExit("chmod");
-                
                // bind-mount the file on top of /etc/hostname
                if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind /etc/hostname");
@@ -88,13 +83,9 @@ void fs_hostname(const char *hostname) {
                                fprintf(fp2, "%s\n", buf);
                }
                fclose(fp1);
-                fclose(fp2);
-                
                // mode and owner
-                if (chown(RUN_HOSTS_FILE, 0, 0) < 0)
+                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                        errExit("chown");
+                fclose(fp2);
-                if (chmod(RUN_HOSTS_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                        errExit("chmod");
                
                // bind-mount the file on top of /etc/hostname
                if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -108,7 +99,6 @@ void fs_resolvconf(void) {
                return;
        struct stat s;
-        fs_build_mnt_dir();
        
        // create a new /etc/hostname
        if (stat("/etc/resolv.conf", &s) == 0) {
@@ -126,13 +116,11 @@ void fs_resolvconf(void) {
                        fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
                if (cfg.dns3)
                        fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
-                fclose(fp);
-                
                // mode and owner
-                if (chown(RUN_RESOLVCONF_FILE, 0, 0) < 0)
+                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                        errExit("chown");
-                if (chmod(RUN_RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+                fclose(fp);
-                        errExit("chmod");
                
                // bind-mount the file on top of /etc/hostname
                if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 30b0fe438..052a41457 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -97,11 +97,7 @@ void fs_logger_print(void) {
                perror("fopen");                
                return;
        }
-        
+        SET_PERMS_STREAM_NOERR(fp, getuid(), getgid(), 0644);
-        int rv = chown(RUN_FSLOGGER_FILE, getuid(), getgid());
-        (void) rv; // best effort!
-        rv = chmod(RUN_FSLOGGER_FILE, 0644);
-        (void) rv; // best effort!
        
        FsMsg *ptr = head;
        while (ptr) {
@@ -121,22 +117,6 @@ void fs_logger_change_owner(void) {
                errExit("chown");
 }
-void fs_logger_print_log_name(const char *name) {
-        EUID_ASSERT();
-        
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        fs_logger_print_log(pid);
-}
 void fs_logger_print_log(pid_t pid) {
        EUID_ASSERT();
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 398c534bf..6bcb3f33e 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -22,8 +22,38 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <grp.h>
- #include <sys/wait.h>
+#include <sys/wait.h>
- 
+#include <string.h>
+static void mkdir_recursive(char *path) {
+        char *subdir = NULL;
+        struct stat s;
+        if (chdir("/")) {
+                fprintf(stderr, "Error: can't chdir to /");
+                return;
+        }
+        subdir = strtok(path, "/");
+        while(subdir) {
+                if (stat(subdir, &s) == -1) {
+                        if (mkdir(subdir, 0700) == -1) {
+                                fprintf(stderr, "Warning: cannot create %s directory\n", subdir);
+                                return;
+                        }
+                } else if (!S_ISDIR(s.st_mode)) {
+                        fprintf(stderr, "Warning: '%s' exists, but is no directory\n", subdir);
+                        return;
+                }
+                if (chdir(subdir)) {
+                        fprintf(stderr, "Error: can't chdir to %s", subdir);
+                        return;
+                }
+                subdir = strtok(NULL, "/");
+        }
+}
 void fs_mkdir(const char *name) {
        EUID_ASSERT();
        
@@ -42,9 +72,71 @@ void fs_mkdir(const char *name) {
        }
        // create directory
-        if (mkdir(expanded, 0700) == -1)
+        pid_t child = fork();
-                fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+                // create directory
+                mkdir_recursive(expanded);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
 doexit:
        free(expanded);
 }       
+void fs_mkfile(const char *name) {
+        EUID_ASSERT();
+        
+        // check file name
+        invalid_filename(name);
+        char *expanded = expand_home(name, cfg.homedir);
+        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                fprintf(stderr, "Error: only files in user home are supported by mkfile\n");
+                exit(1);
+        }
+        struct stat s;
+        if (stat(expanded, &s) == 0) {
+                // file exists, do nothing
+                goto doexit;
+        }
+        // create file
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+                FILE *fp = fopen(expanded, "w");
+                if (!fp)
+                        fprintf(stderr, "Warning: cannot create %s file\n", expanded);
+                else {
+                        int fd = fileno(fp);
+                        if (fd == -1)
+                                errExit("fileno");
+                        int rv = fchmod(fd, 0600);
+                        (void) rv;
+                        fclose(fp);
+                }
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+doexit:
+        free(expanded);
+}
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index f6ca28227..719b55048 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -37,19 +37,13 @@ void fs_trace_preload(void) {
                FILE *fp = fopen("/etc/ld.so.preload", "w");
                if (!fp)
                        errExit("fopen");
+                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
                fclose(fp);
-                if (chown("/etc/ld.so.preload", 0, 0) < 0)
-                        errExit("chown");
-                if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                        errExit("chmod");
                fs_logger("touch /etc/ld.so.preload");
        }
 }
 void fs_trace(void) {
-        // create /tmp/firejail/mnt directory
-        fs_build_mnt_dir();
-        
        // create the new ld.so.preload file and mount-bind it
        if (arg_debug)
                printf("Create the new ld.so.preload file\n");
@@ -57,21 +51,20 @@ void fs_trace(void) {
        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
        if (!fp)
                errExit("fopen");
-        if (arg_trace)
+        if (arg_trace) {
                fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
+        }
        else if (arg_tracelog) {
                fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
                if (!arg_quiet)
                        printf("Blacklist violations are logged to syslog\n");
        }       
-        else
-                assert(0);
+        if (mask_x11_abstract_socket)
-                
+                fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR);
+        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
        fclose(fp);
-        if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0)
-                errExit("chown");
-        if (chmod(RUN_LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
-                errExit("chmod");
        
        // mount the new preload file
        if (arg_debug)
@@ -81,5 +74,3 @@ void fs_trace(void) {
        fs_logger("create /etc/ld.so.preload");
 }
-                
-        
-\ No newline at end of file
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f904fa5d9..ca50685ad 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -98,10 +98,7 @@ static void build_dirs(void) {
        // create directories under /var/log
        DirData *ptr = dirlist;
        while (ptr) {
-                if (mkdir(ptr->name, ptr->st_mode))
+                mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid);
-                        errExit("mkdir");
-                if (chown(ptr->name, ptr->st_uid, ptr->st_gid))
-                        errExit("chown");
                fs_logger2("mkdir", ptr->name);
                ptr = ptr->next;
        }
@@ -121,7 +118,7 @@ void fs_var_log(void) {
                // mount a tmpfs on top of /var/log
                if (arg_debug)
                        printf("Mounting tmpfs on /var/log\n");
-                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/log");
                fs_logger("tmpfs /var/log");
                
@@ -131,22 +128,16 @@ void fs_var_log(void) {
                // create an empty /var/log/wtmp file
                /* coverity[toctou] */
                FILE *fp = fopen("/var/log/wtmp", "w");
+                SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
                if (fp)
                        fclose(fp);
-                if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
-                        errExit("chown");
-                if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-                        errExit("chmod");
                fs_logger("touch /var/log/wtmp");
                        
                // create an empty /var/log/btmp file
                fp = fopen("/var/log/btmp", "w");
+                SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
                if (fp)
                        fclose(fp);
-                if (chown("/var/log/btmp", 0, wtmp_group) < 0)
-                        errExit("chown");
-                if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
-                        errExit("chmod");
                fs_logger("touch /var/log/btmp");
        }
        else
@@ -160,7 +151,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/dhcp", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/dhcp\n");
-                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID |  MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/dhcp");
                fs_logger("tmpfs /var/lib/dhcp");
                        
@@ -169,11 +160,8 @@ void fs_var_lib(void) {
                
                if (fp) {
                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
                        fclose(fp);
-                        if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
-                                errExit("chown");
-                        if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
-                                errExit("chmod");
                        fs_logger("touch /var/lib/dhcp/dhcpd.leases");
                }
        }
@@ -182,7 +170,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/nginx", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/nginx\n");
-                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/nginx");
                fs_logger("tmpfs /var/lib/nginx");
        }                       
@@ -191,7 +179,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/snmp", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/snmp\n");
-                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/snmp");
                fs_logger("tmpfs /var/lib/snmp");
        }                       
@@ -200,7 +188,7 @@ void fs_var_lib(void) {
        if (stat("/var/lib/sudo", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lib/sudo\n");
-                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/lib/sudo");
                fs_logger("tmpfs /var/lib/sudo");
        }                       
@@ -212,7 +200,7 @@ void fs_var_cache(void) {
        if (stat("/var/cache/apache2", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/cache/apache2\n");
-                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/cache/apache2");
                fs_logger("tmpfs /var/cache/apache2");
        }                       
@@ -220,7 +208,7 @@ void fs_var_cache(void) {
        if (stat("/var/cache/lighttpd", &s) == 0) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/cache/lighttpd\n");
-                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting /var/cache/lighttpd");
                fs_logger("tmpfs /var/cache/lighttpd");
@@ -232,18 +220,10 @@ void fs_var_cache(void) {
                        gid = p->pw_gid;
                }
                
-                int rv = mkdir("/var/cache/lighttpd/compress", 0755);
+                mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
-                        errExit("chown");
                fs_logger("mkdir /var/cache/lighttpd/compress");
-                rv = mkdir("/var/cache/lighttpd/uploads", 0755);
+                mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
-                        errExit("chown");
                fs_logger("/var/cache/lighttpd/uploads");
        }                       
 }
@@ -268,7 +248,7 @@ void fs_var_lock(void) {
        if (is_dir("/var/lock")) {
                if (arg_debug)
                        printf("Mounting tmpfs on /var/lock\n");
-                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                        errExit("mounting /lock");
                fs_logger("tmpfs /var/lock");
        }
@@ -277,16 +257,11 @@ void fs_var_lock(void) {
                if (lnk) {
                        if (!is_dir(lnk)) {
                                // create directory
-                                if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
+                                mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
-                                        errExit("mkdir");
-                                if (chown(lnk, 0, 0))
-                                        errExit("chown");
-                                if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-                                        errExit("chmod");
                        }
                        if (arg_debug)
                                printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                errExit("mounting /var/lock");
                        free(lnk);
                        fs_logger("tmpfs /var/lock");
@@ -304,7 +279,7 @@ void fs_var_tmp(void) {
                if (!is_link("/var/tmp")) {
                        if (arg_debug)
                                printf("Mounting tmpfs on /var/tmp\n");
-                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                errExit("mounting /var/tmp");
                        fs_logger("tmpfs /var/tmp");
                }
@@ -327,9 +302,6 @@ void fs_var_utmp(void) {
                return;
        }
-        // create /tmp/firejail/mnt directory
-        fs_build_mnt_dir();
-        
        // create a new utmp file
        if (arg_debug)
                printf("Create the new utmp file\n");
@@ -353,16 +325,13 @@ void fs_var_utmp(void) {
                        
        // save new utmp file
        fwrite(&u_boot, sizeof(u_boot), 1, fp);
+        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
        fclose(fp);
-        if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
-                errExit("chown");
-        if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-                errExit("chmod");
        
        // mount the new utmp file
        if (arg_debug)
                printf("Mount the new utmp file\n");
-        if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                errExit("mount bind utmp");
        fs_logger("create /var/run/utmp");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 617e61dcd..564dc8290 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -157,10 +157,8 @@ static int mkpath(const char* path, mode_t mode) {
                        }
                }
                else {
-                        if (chmod(file_path, mode) == -1)
+                        if (set_perms(file_path, uid, gid, mode))
-                                errExit("chmod");
+                                errExit("set_perms");
-                        if (chown(file_path, uid, gid) == -1)
-                                errExit("chown");
                        done = 1;
                }                       
@@ -181,11 +179,15 @@ static void whitelist_path(ProfileEntry *entry) {
        char *wfile = NULL;
        if (entry->home_dir) {
-                fname = path + strlen(cfg.homedir);
+                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {             
-                if (*fname == '\0') {
+                        fname = path + strlen(cfg.homedir);
-                        fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                        if (*fname == '\0') {
-                        exit(1);
+                                fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                                exit(1);
+                        }
                }
+                else
+                        fname = path;
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
                        errExit("asprintf");
@@ -210,6 +212,16 @@ static void whitelist_path(ProfileEntry *entry) {
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
                        errExit("asprintf");
        }
+        else if (entry->mnt_dir) {
+                fname = path + 4; // strlen("/mnt")
+                if (*fname == '\0') {
+                        fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path);
+                        exit(1);
+                }
+                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1)
+                        errExit("asprintf");
+        }
        else if (entry->var_dir) {
                fname = path + 4; // strlen("/var")
                if (*fname == '\0') {
@@ -240,7 +252,16 @@ static void whitelist_path(ProfileEntry *entry) {
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
                        errExit("asprintf");
        }
+        else if (entry->srv_dir) {
+                fname = path + 4; // strlen("/srv")
+                if (*fname == '\0') {
+                        fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path);
+                        exit(1);
+                }
+                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
+                        errExit("asprintf");
+        }
        // check if the file exists
        struct stat s;
        if (wfile && stat(wfile, &s) == 0) {
@@ -248,9 +269,6 @@ static void whitelist_path(ProfileEntry *entry) {
                        printf("Whitelisting %s\n", path);
        }
        else {
-                if (arg_debug || arg_debug_whitelists) {
-                        fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);
-                }
                return;
        }
        
@@ -267,21 +285,21 @@ static void whitelist_path(ProfileEntry *entry) {
        
        // process regular file
        else {
-                // create an empty file
+                if (access(path, R_OK)) {
-                FILE *fp = fopen(path, "w");
+                        // create an empty file
-                if (!fp) {
+                        FILE *fp = fopen(path, "w");
-                        fprintf(stderr, "Error: cannot create empty file in home directory\n");
+                        if (!fp) {
-                        exit(1);
+                                fprintf(stderr, "Error: cannot create empty file in home directory\n");
+                                exit(1);
+                        }
+                        // set file properties
+                        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
+                        fclose(fp);
                }
-                fclose(fp);
+                else
+                        return; // the file is already present
        }
        
-        // set file properties
-        if (chown(path, s.st_uid, s.st_gid) < 0)
-                errExit("chown");
-        if (chmod(path, s.st_mode) < 0)
-                errExit("chmod");
        // mount
        if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
@@ -302,10 +320,11 @@ void fs_whitelist(void) {
        int home_dir = 0;       // /home/user directory flag
        int tmp_dir = 0;        // /tmp directory flag
        int media_dir = 0;      // /media directory flag
+        int mnt_dir = 0;        // /mnt directory flag
        int var_dir = 0;                // /var directory flag
        int dev_dir = 0;                // /dev directory flag
        int opt_dir = 0;                // /opt directory flag
+        int srv_dir = 0;                // /srv directory flag
        // verify whitelist files, extract symbolic links, etc.
        while (entry) {
                // handle only whitelist commands
@@ -367,13 +386,17 @@ void fs_whitelist(void) {
                                tmp_dir = 1;
                        else if (strncmp(new_name, "/media/", 7) == 0)
                                media_dir = 1;
+                        else if (strncmp(new_name, "/mnt/", 5) == 0)
+                                mnt_dir = 1;
                        else if (strncmp(new_name, "/var/", 5) == 0)
                                var_dir = 1;
                        else if (strncmp(new_name, "/dev/", 5) == 0)
                                dev_dir = 1;
                        else if (strncmp(new_name, "/opt/", 5) == 0)
                                opt_dir = 1;
+                        else if (strncmp(new_name, "/srv/", 5) == 0)
+                                opt_dir = 1;
+                        
                        continue;
                }
                
@@ -390,12 +413,16 @@ void fs_whitelist(void) {
                        entry->home_dir = 1;
                        home_dir = 1;
+                        if (arg_debug || arg_debug_whitelists)
+                                fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+                                        __LINE__, fname, cfg.homedir);
                        // both path and absolute path are under /home
                        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                if (arg_debug)
+                                // check if the file is owned by the user
-                                        fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+                                struct stat s;
-                                                __LINE__, fname, cfg.homedir);
+                                if (stat(fname, &s) == 0 && s.st_uid != getuid())
-                                goto errexit;
+                                        goto errexit;
                        }
                }
                else if (strncmp(new_name, "/tmp/", 5) == 0) {
@@ -418,6 +445,16 @@ void fs_whitelist(void) {
                                goto errexit;
                        }
                }
+                else if (strncmp(new_name, "/mnt/", 5) == 0) {
+                        entry->mnt_dir = 1;
+                        mnt_dir = 1;
+                        // both path and absolute path are under /mnt
+                        if (strncmp(fname, "/mnt/", 5) != 0) {
+                                if (arg_debug)
+                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
+                                goto errexit;
+                        }
+                }
                else if (strncmp(new_name, "/var/", 5) == 0) {
                        entry->var_dir = 1;
                        var_dir = 1;
@@ -453,6 +490,16 @@ void fs_whitelist(void) {
                                goto errexit;
                        }
                }
+                else if (strncmp(new_name, "/srv/", 5) == 0) {
+                        entry->srv_dir = 1;
+                        srv_dir = 1;
+                        // both path and absolute path are under /srv
+                        if (strncmp(fname, "/srv/", 5) != 0) {
+                                if (arg_debug)
+                                        fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
+                                goto errexit;
+                        }
+                }
                else {
                        if (arg_debug)
                                fprintf(stderr, "Debug %d: \n", __LINE__);
@@ -480,21 +527,10 @@ void fs_whitelist(void) {
                entry = entry->next;
        }
                
-        // create mount points
-        fs_build_mnt_dir();
-        
        // /home/user
        if (home_dir) {
                // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
-                int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid());
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_HOME_USER_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -504,15 +540,8 @@ void fs_whitelist(void) {
        
        // /tmp mountpoint
        if (tmp_dir) {
-                // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
+                // keep a copy of real /tmp directory in  
-                int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
+                mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0)
-                        errExit("chmod");
-        
                if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -526,37 +555,51 @@ void fs_whitelist(void) {
        
        // /media mountpoint
        if (media_dir) {
-                // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
+                // some distros don't have a /media directory
-                int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
+                struct stat s;
-                if (rv == -1)
+                if (stat("/media", &s) == 0) {
-                        errExit("mkdir");
+                        // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-                if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
+                        mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0);
-                        errExit("chown");
+                        if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0)
+                                errExit("mount bind");
-                        errExit("chmod");
        
-                if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        // mount tmpfs on /media
-                        errExit("mount bind");
+                        if (arg_debug || arg_debug_whitelists)
-        
+                                printf("Mounting tmpfs on /media directory\n");
-                // mount tmpfs on /media
+                        if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                if (arg_debug || arg_debug_whitelists)
+                                errExit("mounting tmpfs on /media");
-                        printf("Mounting tmpfs on /media directory\n");
+                        fs_logger("tmpfs /media");
-                if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                }
-                        errExit("mounting tmpfs on /media");
+                else
-                fs_logger("tmpfs /media");
+                        media_dir = 0;
+        }
+        // /mnt mountpoint
+        if (mnt_dir) {
+                // check if /mnt directory exists
+                struct stat s;
+                if (stat("/mnt", &s) == 0) {
+                        // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR
+                        mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0);
+                        if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        // mount tmpfs on /mnt
+                        if (arg_debug || arg_debug_whitelists)
+                                printf("Mounting tmpfs on /mnt directory\n");
+                        if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                                errExit("mounting tmpfs on /mnt");
+                        fs_logger("tmpfs /mnt");
+                }
+                else
+                        mnt_dir = 0;
        }
        // /var mountpoint
        if (var_dir) {
                // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
-                int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_VAR_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -571,14 +614,7 @@ void fs_whitelist(void) {
        // /dev mountpoint
        if (dev_dir) {
                // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
-                int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount bind");
        
@@ -593,14 +629,7 @@ void fs_whitelist(void) {
        // /opt mountpoint
        if (opt_dir) {
                // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
-                int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755);
+                mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)
-                        errExit("chown");
-                if (chmod(RUN_WHITELIST_OPT_DIR, 0755) < 0)
-                        errExit("chmod");
-        
                if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
@@ -612,6 +641,29 @@ void fs_whitelist(void) {
                fs_logger("tmpfs /opt");
        }
+        // /srv mountpoint
+        if (srv_dir) {
+                // check if /srv directory exists
+                struct stat s;
+                if (stat("/srv", &s) == 0) {
+                        // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
+                        mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0);
+                        if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        // mount tmpfs on /srv
+                        if (arg_debug || arg_debug_whitelists)
+                                printf("Mounting tmpfs on /srv directory\n");
+                        if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                                errExit("mounting tmpfs on /srv");
+                        fs_logger("tmpfs /srv");
+                }
+                else
+                        srv_dir = 0;
+        }
+        
        // go through profile rules again, and interpret whitelist commands
        entry = cfg.profile;
        while (entry) {
@@ -696,6 +748,20 @@ void fs_whitelist(void) {
                fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR);
        }
+        // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR
+        if (mnt_dir) {
+                if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
+        }
+        // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
+        if (srv_dir) {
+                if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mount tmpfs");
+                fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
+        }
        if (new_name)
                free(new_name);
                
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 98e140ce4..628002d35 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -23,12 +23,19 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <sys/prctl.h>
+#include <errno.h>
 static int apply_caps = 0;
 static uint64_t caps = 0;
 static int apply_seccomp = 0;
 #define BUFLEN 4096
+static void signal_handler(int sig){
+        flush_stdin();
+        exit(sig);
+}
 static void extract_command(int argc, char **argv, int index) {
        EUID_ASSERT();
        if (index >= argc)
@@ -48,22 +55,9 @@ static void extract_command(int argc, char **argv, int index) {
                exit(1);
        }
-        int len = 0;
-        int i;
-        // calculate command length
-        for (i = index; i < argc; i++) {
-                len += strlen(argv[i]) + 1;
-        }
-        assert(len > 0);
        // build command
-        cfg.command_line = malloc(len + 1);
+        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
-        *cfg.command_line = '\0';
-        for (i = index; i < argc; i++) {
-                strcat(cfg.command_line, argv[i]);
-                strcat(cfg.command_line, " ");
-        }
        if (arg_debug)
                printf("Extracted command #%s#\n", cfg.command_line);
 }
@@ -134,7 +128,7 @@ static void extract_caps_seccomp(pid_t pid) {
                        break;
                }
                else if (strncmp(buf, "CapBnd:", 7) == 0) {             
-                        char *ptr = buf + 8;
+                        char *ptr = buf + 7;
                        unsigned long long val;
                        sscanf(ptr, "%llx", &val);
                        apply_caps = 1;
@@ -179,26 +173,12 @@ static void extract_user_namespace(pid_t pid) {
        free(uidmap);
 }
-void join_name(const char *name, int argc, char **argv, int index) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        join(pid, argc, argv, index);
-}
 void join(pid_t pid, int argc, char **argv, int index) {
        EUID_ASSERT();
        char *homedir = cfg.homedir;
        
        extract_command(argc, argv, index);
+        signal (SIGTERM, signal_handler);
        // if the pid is that of a firejail  process, use the pid of the first child process
        EUID_ROOT();
@@ -249,15 +229,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        exit(1);
        }
        else {
-                if (join_namespace(pid, "ipc"))
+                if (join_namespace(pid, "ipc") ||
-                        exit(1);
+                    join_namespace(pid, "net") ||
-                if (join_namespace(pid, "net"))
+                    join_namespace(pid, "pid") ||
-                        exit(1);
+                    join_namespace(pid, "uts") ||
-                if (join_namespace(pid, "pid"))
+                    join_namespace(pid, "mnt"))
-                        exit(1);
-                if (join_namespace(pid, "uts"))
-                        exit(1);
-                if (join_namespace(pid, "mnt"))
                        exit(1);
        }
@@ -297,19 +273,18 @@ void join(pid_t pid, int argc, char **argv, int index) {
                if (apply_caps == 1)    // not available for uid 0
                        caps_set(caps);
 #ifdef HAVE_SECCOMP
-                // set protocol filter
+                // read cfg.protocol from file
                if (getuid() != 0)
                        protocol_filter_load(RUN_PROTOCOL_CFG);
                if (cfg.protocol) {     // not available for uid 0
-                        protocol_filter();
+                        seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter       
                }
                                
                // set seccomp filter
                if (apply_seccomp == 1) // not available for uid 0
-                        seccomp_set();
+                        seccomp_load(RUN_SECCOMP_CFG);
-                
 #endif
-                
                // fix qt 4.8
                if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
                        errExit("setenv");
@@ -322,76 +297,84 @@ void join(pid_t pid, int argc, char **argv, int index) {
                                printf("Joining user namespace\n");
                        if (join_namespace(1, "user"))
                                exit(1);
+                        // user namespace resets capabilities
+                        // set caps filter
+                        if (apply_caps == 1)    // not available for uid 0
+                                caps_set(caps);
                }
                else 
                        drop_privs(arg_nogroups);       // nogroups not available for uid 0
                // set prompt color to green
-                //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
+                char *prompt = getenv("FIREJAIL_PROMPT");
-                if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
+                if (prompt && strcmp(prompt, "yes") == 0) {
-                        errExit("setenv");
+                        //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
+                        if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
+                                errExit("setenv");
+                }
+                
+                // set nice
+                if (arg_nice) {
+                        errno = 0;
+                        int rv = nice(cfg.nice);
+                        (void) rv;
+                        if (errno) {
+                                fprintf(stderr, "Warning: cannot set nice value\n");
+                                errno = 0;
+                        }
+                }
-                // run cmdline trough /bin/bash
+                // run cmdline trough shell
                if (cfg.command_line == NULL) {
+                        // if the sandbox was started with --shell=none, it is possible we don't have a shell
+                        // inside the sandbox
+                        if (cfg.shell == NULL) {
+                                cfg.shell = guess_shell();
+                                if (!cfg.shell) {
+                                        fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
+                                        exit(1);
+                                }
+                        }
+                                
                        struct stat s;
+                        if (stat(cfg.shell, &s) == -1)  {
+                                fprintf(stderr, "Error: %s shell not found inside the sandbox\n", cfg.shell);
+                                exit(1);
+                        }
-                        // replace the process with a shell
+                        cfg.command_line = cfg.shell;
-                        if (stat("/bin/bash", &s) == 0)
+                        cfg.window_title = cfg.shell;
-                                execlp("/bin/bash", "/bin/bash", NULL);
-                        else if (stat("/usr/bin/zsh", &s) == 0)
-                                execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL);
-                        else if (stat("/bin/csh", &s) == 0)
-                                execlp("/bin/csh", "/bin/csh", NULL);
-                        else if (stat("/bin/sh", &s) == 0)
-                                execlp("/bin/sh", "/bin/sh", NULL);
-                        
-                        // no shell found, print an error and exit
-                        fprintf(stderr, "Error: no POSIX shell found\n");
-                        sleep(5);
-                        exit(1);
                }
-                else {
-                        // run the command supplied by the user
-                        int cwd = 0;
-                        if (cfg.cwd) {
-                                if (chdir(cfg.cwd) == 0)
-                                        cwd = 1;
-                        }
-                        
-                        if (!cwd) {
-                                if (chdir("/") < 0)
-                                        errExit("chdir");
-                                if (cfg.homedir) {
-                                        struct stat s;
-                                        if (stat(cfg.homedir, &s) == 0) {
-                                                if (chdir(cfg.homedir) < 0)
-                                                        errExit("chdir");
-                                        }
-                                }
-                        }
-                        char *arg[5];
+                int cwd = 0;
-                        arg[0] = "/bin/bash";
+                if (cfg.cwd) {
-                        arg[1] = "-c";
+                        if (chdir(cfg.cwd) == 0)
-                        if (arg_debug)
+                                cwd = 1;
-                                printf("Starting %s\n", cfg.command_line);
+                }
-                        if (!arg_doubledash) {
-                                arg[2] = cfg.command_line;
+                if (!cwd) {
-                                arg[3] = NULL;
+                        if (chdir("/") < 0)
-                        }
+                                errExit("chdir");
-                        else {
+                        if (cfg.homedir) {
-                                arg[2] = "--";
+                                struct stat s;
-                                arg[3] = cfg.command_line;
+                                if (stat(cfg.homedir, &s) == 0) {
-                                arg[4] = NULL;
+                                        /* coverity[toctou] */
+                                        if (chdir(cfg.homedir) < 0)
+                                                errExit("chdir");
+                                }
                        }
-                        execvp("/bin/bash", arg);
                }
+                start_application();
                // it will never get here!!!
        }
        // wait for the child to finish
        waitpid(child, NULL, 0);
+        flush_stdin();
        exit(0);
 }
diff --git a/src/firejail/list.c b/src/firejail/list.c
deleted file mode 100644
index cd53264b6..000000000
--- a/src/firejail/list.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <sys/types.h>
-#include <sys/stat.h>
-static void grsec_elevate_privileges(void) {
-        struct stat s;
-        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-                EUID_ROOT();
-                // elevate privileges
-                if (setreuid(0, 0))
-                        errExit("setreuid");
-                if (setregid(0, 0))
-                        errExit("setregid");
-        }
-}
-void top(void) {
-        EUID_ASSERT();
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --top";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
-void netstats(void) {
-        EUID_ASSERT();
-        grsec_elevate_privileges();     
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --netstats";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
-void list(void) {
-        EUID_ASSERT();
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --list";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
-void tree(void) {
-        EUID_ASSERT();
-        
-        char *arg[4];
-        arg[0] = "bash";
-        arg[1] = "-c";
-        arg[2] = "firemon --tree";
-        arg[3] = NULL;
-        execvp("/bin/bash", arg); 
-}
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 444b5b69e..86c3a6079 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -185,23 +185,26 @@ static void print_directory(const char *path) {
        free(namelist);
 }
-void sandboxfs_name(int op, const char *name, const char *path) {
+char *expand_path(const char *path) {
-        EUID_ASSERT();
+        char *fname = NULL;
-        
+        if (*path == '/') {
-        if (!name || strlen(name) == 0) {
+                fname = strdup(path);
-                fprintf(stderr, "Error: invalid sandbox name\n");
+                if (!fname)
-                exit(1);
+                        errExit("strdup");
        }
-        pid_t pid;
+        else if (*path == '~') {
-        if (name2pid(name, &pid)) {
+                if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                        errExit("asprintf");
-                exit(1);
        }
+        else {
-        sandboxfs(op, pid, path);
+                // assume the file is in current working directory
+                if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1)
+                        errExit("asprintf");
+        }               
+        return fname;
 }
-void sandboxfs(int op, pid_t pid, const char *path) {
+void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
        EUID_ASSERT();
        // if the pid is that of a firejail  process, use the pid of the first child process
@@ -228,22 +231,17 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                }
        }
-        // full path or file in current directory?
+        // expand paths
-        char *fname;
+        char *fname1 = expand_path(path1);;
-        if (*path == '/') {
+        char *fname2 = NULL;
-                fname = strdup(path);
+        if (path2 != NULL) {
-                if (!fname)
+                fname2 = expand_path(path2);
-                        errExit("strdup");
-        }
-        else if (*path == '~') {
-                if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
-                        errExit("asprintf");
        }
-        else {
+        if (arg_debug) {
-                fprintf(stderr, "Error: Cannot access %s\n", path);
+                printf("file1 %s\n", fname1);
-                exit(1);
+                printf("file2 %s\n", fname2);
        }
+                
        // sandbox root directory
        char *rootdir;
        if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
@@ -257,22 +255,24 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                if (chdir("/") < 0)
                        errExit("chdir");
                
-                // access chek is performed with the real UID
+                // drop privileges
-                if (access(fname, R_OK) == -1) {
+                drop_privs(0);
-                        fprintf(stderr, "Error: Cannot access %s\n", fname);
+                if (access(fname1, R_OK) == -1) {
+                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
                        exit(1);
                }
        
                // list directory contents
                struct stat s;
-                if (stat(fname, &s) == -1) {
+                if (stat(fname1, &s) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname);
+                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
                        exit(1);
                }
                if (S_ISDIR(s.st_mode)) {
-                        char *rp = realpath(fname, NULL);
+                        char *rp = realpath(fname1, NULL);
                        if (!rp) {
-                                fprintf(stderr, "Error: Cannot access %s\n", fname);
+                                fprintf(stderr, "Error: Cannot access %s\n", fname1);
                                exit(1);
                        }
                        if (arg_debug)
@@ -287,9 +287,9 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                        free(dir);
                }
                else {
-                        char *rp = realpath(fname, NULL);
+                        char *rp = realpath(fname1, NULL);
                        if (!rp) {
-                                fprintf(stderr, "Error: Cannot access %s\n", fname);
+                                fprintf(stderr, "Error: Cannot access %s\n", fname1);
                                exit(1);
                        }
                        if (arg_debug)
@@ -308,19 +308,24 @@ void sandboxfs(int op, pid_t pid, const char *path) {
        
        // get file from sandbox and store it in the current directory
        else if (op == SANDBOX_FS_GET) {
-                // check source file (sandbox)
+                char *src_fname =fname1;
-                char *src_fname;
+                char *dest_fname = strrchr(fname1, '/');
-                if (asprintf(&src_fname, "%s%s", rootdir, fname) == -1)
+                if (!dest_fname || *(++dest_fname) == '\0') {
-                        errExit("asprintf");
+                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
-                EUID_ROOT();
-                struct stat s;
-                if (stat(src_fname, &s) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname);
                        exit(1);
                }
-                
-                
+                EUID_ROOT();
-                // try to open the source file - we need to chroot
+                if (arg_debug)
+                        printf("copy %s to %s\n", src_fname, dest_fname);
+                // create a user-owned temporary file in /run/firejail directory
+                char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
+                int fd = mkstemp(tmp_fname);
+                SET_PERMS_FD(fd, getuid(), getgid(), 0600);
+                close(fd);
+        
+                // copy the source file into the temporary file - we need to chroot
                pid_t child = fork();
                if (child < 0)
                        errExit("fork");
@@ -334,55 +339,135 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                        // drop privileges
                        drop_privs(0);
                        
-                        // try to read the file
+                        // copy the file
-                        if (access(fname, R_OK) == -1) {
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
-                                fprintf(stderr, "Error: Cannot read %s\n", fname);
+                                _exit(1);
-                                exit(1);
+#ifdef HAVE_GCOV
-                        }
+                        __gcov_flush();
-                        exit(0);
+#endif
+                        _exit(0);
                }
                // wait for the child to finish
                int status = 0;
                waitpid(child, &status, 0);
                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else
+                else {
+                        unlink(tmp_fname);
                        exit(1);
-                EUID_USER();
+                }
                
-                // check destination file (host)
+                // copy the temporary file into the destionation file
-                char *dest_fname = strrchr(fname, '/');
+                child = fork();
-                if (!dest_fname || *(++dest_fname) == '\0') {
+                if (child < 0)
-                        fprintf(stderr, "Error: invalid file name %s\n", fname);
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+                        
+                        // copy the file
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                                _exit(1);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                status = 0;
+                waitpid(child, &status, 0);
+                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
+                else {
+                        unlink(tmp_fname);
                        exit(1);
                }
                
-                if (access(dest_fname, F_OK) == -1) {
+                // remove the temporary file
-                        // try to create the file
+                unlink(tmp_fname);
-                        FILE *fp = fopen(dest_fname, "w");
+                EUID_USER();
-                        if (!fp) {
+        }
-                                fprintf(stderr, "Error: cannot create %s\n", dest_fname);
+        // get file from host and store it in the sandbox
-                                exit(1);
+        else if (op == SANDBOX_FS_PUT && path2) {
-                        }
+                char *src_fname =fname1;
-                        fclose(fp);
+                char *dest_fname = fname2;
+                EUID_ROOT();
+                if (arg_debug)
+                        printf("copy %s to %s\n", src_fname, dest_fname);
+                // create a user-owned temporary file in /run/firejail directory
+                char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
+                int fd = mkstemp(tmp_fname);
+                SET_PERMS_FD(fd, getuid(), getgid(), 0600);
+                close(fd);
+        
+                // copy the source file into the temporary file - we need to chroot
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+                        
+                        // copy the file
+                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600))
+                                _exit(1);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
                }
+                // wait for the child to finish
+                int status = 0;
+                waitpid(child, &status, 0);
+                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
                else {
-                        if (access(dest_fname, W_OK) == -1) {
+                        unlink(tmp_fname);
-                                fprintf(stderr, "Error: cannot write %s\n", dest_fname);
+                        exit(1);
-                                exit(1);
-                        }
                }
-                // copy file
+                
-                EUID_ROOT();
+                // copy the temporary file into the destionation file
-                copy_file(src_fname, dest_fname);
+                child = fork();
-                if (chown(dest_fname, getuid(), getgid()) == -1)
+                if (child < 0)
-                        errExit("chown");
+                        errExit("fork");
-                if (chmod(dest_fname, 0644) == -1)
+                if (child == 0) {
-                        errExit("chmod");
+                        // chroot
+                        if (chroot(rootdir) < 0)
+                                errExit("chroot");
+                        if (chdir("/") < 0)
+                                errExit("chdir");
+                        
+                        // drop privileges
+                        drop_privs(0);
+                        
+                        // copy the file
+                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600))
+                                _exit(1);
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);
+                }
+                // wait for the child to finish
+                status = 0;
+                waitpid(child, &status, 0);
+                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
+                else {
+                        unlink(tmp_fname);
+                        exit(1);
+                }
+                
+                // remove the temporary file
+                unlink(tmp_fname);
                EUID_USER();
        }
-        
-        free(fname);
+        if (fname2)
+                free(fname2);
+        free(fname1);
        free(rootdir);
        exit(0);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bdf960b96..ec0c31285 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -46,21 +46,22 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick);
 #endif
 uid_t firejail_uid = 0;
+gid_t firejail_gid = 0;
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE];            // space for child's stack
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
+int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename;           // print debug messages for filename checking
+int arg_debug_check_filename = 0;               // print debug messages for filename checking
-int arg_debug_blacklists;                       // print debug messages for blacklists
+int arg_debug_blacklists = 0;                   // print debug messages for blacklists
-int arg_debug_whitelists;                       // print debug messages for whitelists
+int arg_debug_whitelists = 0;                   // print debug messages for whitelists
 int arg_nonetwork = 0;                          // --net=none
 int arg_command = 0;                            // -c
 int arg_overlay = 0;                            // overlay option
-int arg_overlay_keep = 0;                       // place overlay diff directory in ~/.firejail
+int arg_overlay_keep = 0;                       // place overlay diff in a known directory
-int arg_zsh = 0;                                // use zsh as default shell
+int arg_overlay_reuse = 0;                      // allow the reuse of overlays
-int arg_csh = 0;                                // use csh as default shell
 int arg_seccomp = 0;                            // enable default seccomp filter
@@ -77,6 +78,7 @@ int arg_rlimit_nproc = 0;			// rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
 int arg_nogroups = 0;                           // disable supplementary groups
+int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
 int arg_netfilter;                              // enable netfilter
 int arg_netfilter6;                             // enable netfilter6
@@ -91,11 +93,25 @@ int arg_private_tmp = 0;			// private tmp directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
 int arg_nosound = 0;                            // disable sound
+int arg_no3d;                                   // disable 3d hardware acceleration
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
 int arg_nice = 0;                               // nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
+int arg_writable_etc = 0;                       // writable etc
+int arg_writable_var = 0;                       // writable var
+int arg_appimage = 0;                           // appimage
+int arg_audit = 0;                              // audit
+char *arg_audit_prog = NULL;                    // audit
+int arg_apparmor = 0;                           // apparmor
+int arg_allow_debuggers = 0;                    // allow debuggers
+int arg_x11_block = 0;                          // block X11
+int arg_x11_xorg = 0;                           // use X11 security extention
+int arg_allusers = 0;                           // all user home directories visible
+int login_shell = 0;
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -126,7 +142,8 @@ static void myexit(int rv) {
        // delete sandbox files in shared memory
        EUID_ROOT();
        clear_run_files(sandbox_pid);
-        
+        appimage_clear();
+        flush_stdin();
        exit(rv); 
 }
@@ -141,20 +158,37 @@ static void my_handler(int s){
        myexit(1);
 }
-// return 1 if error, 0 if a valid pid was found
+static pid_t extract_pid(const char *name) {
-static inline int read_pid(char *str, pid_t *pid) {
+        EUID_ASSERT();
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+        
+        pid_t pid;
+        EUID_ROOT();
+        if (name2pid(name, &pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        EUID_USER();
+        return pid;
+}
+static pid_t read_pid(const char *str) {
        char *endptr;
        errno = 0;
        long int pidtmp = strtol(str, &endptr, 10);
        if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN))
                || (errno != 0 && pidtmp == 0)) {
-                return 1;
+                return extract_pid(str);
        }
-        if (endptr == str) {
+        // endptr points to '\0' char in str if the entire string is valid
-                return 1;
+        if (endptr == NULL || endptr[0]!='\0') {
+                return extract_pid(str);
        }
-        *pid = (pid_t)pidtmp;
+        return (pid_t)pidtmp;
-        return 0;
 }
 // init configuration
@@ -228,12 +262,14 @@ void check_user_namespace(void) {
            stat("/proc/self/gid_map", &s3) == 0)
                arg_noroot = 1;
        else {
-                fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n");
+                if (!arg_quiet || arg_debug)
+                        fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n");
                arg_noroot = 0;
        }
 }
 #endif
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
        EUID_ASSERT();
@@ -248,32 +284,36 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strcmp(argv[i], "--version") == 0) {
                printf("firejail version %s\n", VERSION);
-#ifndef HAVE_NETWORK
+                printf("\n");
-                printf("Networking support is disabled.\n");
+                print_compiletime_support();
-#endif
+                printf("\n");
-#ifdef HAVE_NETWORK_RESTRICTED
+                exit(0);
-                printf("Networking support is allowed only to root user.\n");
+        }
-#endif
+#ifdef HAVE_OVERLAYFS
-#ifndef HAVE_USERNS
+        else if (strcmp(argv[i], "--overlay-clean") == 0) {
-                printf("User namespace support is disabled.\n");
+                if (checkcfg(CFG_OVERLAYFS)) {
-#endif
+                        char *path;
-#ifndef HAVE_SECCOMP
+                        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
-                printf("Seccomp-bpf support is disabled.\n");
+                                errExit("asprintf");
-#endif
+                        EUID_ROOT();
-#ifndef HAVE_BIND
+                        if (setreuid(0, 0) < 0)
-                printf("Bind support is disabled.\n");
+                                errExit("setreuid");
-#endif
+                        if (setregid(0, 0) < 0)
-#ifndef HAVE_CHROOT
+                                errExit("setregid");
-                printf("Chroot support is disabled.\n");
+                        errno = 0;
-#endif
+                        int rv = remove_directory(path);
-#ifndef HAVE_X11
+                        if (rv) {
-                printf("X11 support is disabled.\n");
+                                fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
-#endif
+                                exit(1);
-#ifndef HAVE_FILE_TRANSFER
+                        }
-                printf("File transfer support is disabled.\n");
+                }
-#endif
+                else {
+                        fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
+                        exit(1);
+                }
                exit(0);
        }
+#endif
 #ifdef HAVE_X11
        else if (strcmp(argv[i], "--x11") == 0) {
                if (checkcfg(CFG_X11)) {
@@ -361,11 +401,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        }       
                        
                        // extract pid or sandbox name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 12);
-                        if (read_pid(argv[i] + 12, &pid) == 0)
+                        bandwidth_pid(pid, cmd, dev, down, up);
-                                bandwidth_pid(pid, cmd, dev, down, up);
-                        else
-                                bandwidth_name(argv[i] + 12, cmd, dev, down, up);
                }
                else {
                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
@@ -380,8 +417,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifdef HAVE_SECCOMP
        else if (strcmp(argv[i], "--debug-syscalls") == 0) {
                if (checkcfg(CFG_SECCOMP)) {
-                        syscall_print();
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls");
-                        exit(0);
+                        exit(rv);
                }
                else {
                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -390,7 +427,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strcmp(argv[i], "--debug-errnos") == 0) {
                if (checkcfg(CFG_SECCOMP)) {
-                        errno_print();
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos");
+                        exit(rv);
                }
                else {
                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -401,11 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 16);
-                        if (read_pid(argv[i] + 16, &pid) == 0)          
+                        seccomp_print_filter(pid);
-                                seccomp_print_filter(pid);
-                        else
-                                seccomp_print_filter_name(argv[i] + 16);
                }
                else {
                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -414,17 +449,14 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                exit(0);
        }
        else if (strcmp(argv[i], "--debug-protocols") == 0) {
-                protocol_list();
+                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols");
-                exit(0);
+                exit(rv);
        }
        else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 17);             
-                        if (read_pid(argv[i] + 17, &pid) == 0)          
+                        protocol_print_filter(pid);
-                                protocol_print_filter(pid);
-                        else
-                                protocol_print_filter_name(argv[i] + 17);
                }
                else {
                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -435,38 +467,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #endif
        else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 12);
-                if (read_pid(argv[i] + 12, &pid) == 0)          
+                cpu_print_filter(pid);
-                        cpu_print_filter(pid);
-                else
-                        cpu_print_filter_name(argv[i] + 12);
                exit(0);
        }
        else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 13);
-                if (read_pid(argv[i] + 13, &pid) == 0)          
+                caps_print_filter(pid);
-                        caps_print_filter(pid);
-                else
-                        caps_print_filter_name(argv[i] + 13);
                exit(0);
        }
        else if (strncmp(argv[i], "--fs.print=", 11) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 11);
-                if (read_pid(argv[i] + 11, &pid) == 0)          
+                fs_logger_print_log(pid);
-                        fs_logger_print_log(pid);
-                else
-                        fs_logger_print_log_name(argv[i] + 11);
                exit(0);
        }
        else if (strncmp(argv[i], "--dns.print=", 12) == 0) {
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 12);
-                if (read_pid(argv[i] + 12, &pid) == 0)          
+                net_dns_print(pid);
-                        net_dns_print(pid);
-                else
-                        net_dns_print_name(argv[i] + 12);
                exit(0);
        }
        else if (strcmp(argv[i], "--debug-caps") == 0) {
@@ -474,27 +494,44 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                exit(0);
        }
        else if (strcmp(argv[i], "--list") == 0) {
-                list();
+                if (pid_hidepid())
+                        sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+                else
+                        sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                exit(0);
        }
        else if (strcmp(argv[i], "--tree") == 0) {
-                tree();
+                if (pid_hidepid())
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+                else
+                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                exit(0);
        }
        else if (strcmp(argv[i], "--top") == 0) {
-                top();
+                if (pid_hidepid())
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                2, PATH_FIREMON, "--top");
+                else
+                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                2, PATH_FIREMON, "--top");
                exit(0);
        }
 #ifdef HAVE_NETWORK     
        else if (strcmp(argv[i], "--netstats") == 0) {
                if (checkcfg(CFG_NETWORK)) {
-                        netstats();
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
+                                sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                        2, PATH_FIREMON, "--netstats");
+                        else
+                                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                        2, PATH_FIREMON, "--netstats");
+                        exit(0);
                }
                else {
                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
                        exit(1);
                }
-                exit(0);
        }
 #endif  
 #ifdef HAVE_FILE_TRANSFER
@@ -515,11 +552,40 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                         
                        // get file
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 6);
-                        if (read_pid(argv[i] + 6, &pid) == 0)           
+                        sandboxfs(SANDBOX_FS_GET, pid, path, NULL);
-                                sandboxfs(SANDBOX_FS_GET, pid, path);
+                        exit(0);
-                        else
+                }
-                                sandboxfs_name(SANDBOX_FS_GET, argv[i] + 6, path);
+                else {
+                        fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n");
+                        exit(1);
+                }
+        }
+        else if (strncmp(argv[i], "--put=", 6) == 0) {
+                if (checkcfg(CFG_FILE_TRANSFER)) {
+                        logargs(argc, argv);
+                        
+                        // verify path
+                        if ((i + 3) != argc) {
+                                fprintf(stderr, "Error: invalid --put option, 2 paths expected\n");
+                                exit(1);
+                        }
+                        char *path1 = argv[i + 1];
+                         invalid_filename(path1);
+                         if (strstr(path1, "..")) {
+                                fprintf(stderr, "Error: invalid file name %s\n", path1);
+                                exit(1);
+                         }
+                        char *path2 = argv[i + 2];
+                         invalid_filename(path2);
+                         if (strstr(path2, "..")) {
+                                fprintf(stderr, "Error: invalid file name %s\n", path2);
+                                exit(1);
+                         }
+                         
+                        // get file
+                        pid_t pid = read_pid(argv[i] + 6);
+                        sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);
                        exit(0);
                }
                else {
@@ -544,11 +610,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
                         
                        // list directory contents
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 5);
-                        if (read_pid(argv[i] + 5, &pid) == 0)           
+                        sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
-                                sandboxfs(SANDBOX_FS_LS, pid, path);
-                        else
-                                sandboxfs_name(SANDBOX_FS_LS, argv[i] + 5, path);
                        exit(0);
                }
                else {
@@ -559,14 +622,49 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #endif
        else if (strncmp(argv[i], "--join=", 7) == 0) {
                logargs(argc, argv);
-                
+                if (arg_shell_none) {
+                        if (argc <= (i+1)) {
+                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                exit(1);
+                        }
+                        cfg.original_program_index = i + 1;
+                }
+                if (!cfg.shell && !arg_shell_none)
+                        cfg.shell = guess_shell();
                // join sandbox by pid or by name
+                pid_t pid = read_pid(argv[i] + 7);
+                join(pid, argc, argv, i + 1);
+                exit(0);
+        }
+        else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
+                // NOTE: this is first part of option handler,
+                //               sandbox name is set in other part
+                logargs(argc, argv);
+                if (arg_shell_none) {
+                        if (argc <= (i+1)) {
+                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                exit(1);
+                        }
+                        cfg.original_program_index = i + 1;
+                }
+#if 0 // todo: redo it
+                // try to join by name only
                pid_t pid;
-                if (read_pid(argv[i] + 7, &pid) == 0)           
+                if (!name2pid(argv[i] + 16, &pid)) {
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
                        join(pid, argc, argv, i + 1);
-                else
+                        exit(0);
-                        join_name(argv[i] + 7, argc, argv, i + 1);
+                }
-                exit(0);
+#endif          
+                // if there no such sandbox continue argument processing
        }
 #ifdef HAVE_NETWORK     
        else if (strncmp(argv[i], "--join-network=", 15) == 0) {
@@ -578,12 +676,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                exit(1);
                        }
                        
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
                        // join sandbox by pid or by name
-                        pid_t pid;
+                        pid_t pid = read_pid(argv[i] + 15);
-                        if (read_pid(argv[i] + 15, &pid) == 0)          
+                        join(pid, argc, argv, i + 1);
-                                join(pid, argc, argv, i + 1);
-                        else
-                                join_name(argv[i] + 15, argc, argv, i + 1);
                }
                else {
                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
@@ -601,23 +699,20 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        exit(1);
                }
                
+                if (!cfg.shell && !arg_shell_none)
+                        cfg.shell = guess_shell();
                // join sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 18);
-                if (read_pid(argv[i] + 18, &pid) == 0)          
+                join(pid, argc, argv, i + 1);
-                        join(pid, argc, argv, i + 1);
-                else
-                        join_name(argv[i] + 18, argc, argv, i + 1);
                exit(0);
        }
        else if (strncmp(argv[i], "--shutdown=", 11) == 0) {
                logargs(argc, argv);
                
                // shutdown sandbox by pid or by name
-                pid_t pid;
+                pid_t pid = read_pid(argv[i] + 11);
-                if (read_pid(argv[i] + 11, &pid) == 0)
+                shut(pid);
-                        shut(pid);
-                else
-                        shut_name(argv[i] + 11);
                exit(0);
        }
@@ -635,14 +730,10 @@ static void set_name_file(pid_t pid) {
                exit(1);
        }
        fprintf(fp, "%s\n", cfg.name);
-        fclose(fp);
-        
        // mode and ownership
-        if (chown(fname, 0, 0) == -1)
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
-                errExit("chown");
+        fclose(fp);
-        if (chmod(fname, 0644) == -1)
-                errExit("chmod");
-        
 }
 static void delete_name_file(pid_t pid) {
@@ -651,6 +742,7 @@ static void delete_name_file(pid_t pid) {
                errExit("asprintf");
        int rv = unlink(fname);
        (void) rv;
+        free(fname);
 }
 static void set_x11_file(pid_t pid, int display) {
@@ -665,14 +757,10 @@ static void set_x11_file(pid_t pid, int display) {
                exit(1);
        }
        fprintf(fp, "%d\n", display);
-        fclose(fp);
-        
        // mode and ownership
-        if (chown(fname, 0, 0) == -1)
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
-                errExit("chown");
+        fclose(fp);
-        if (chmod(fname, 0644) == -1)
-                errExit("chmod");
-        
 }
 static void delete_x11_file(pid_t pid) {
@@ -681,6 +769,62 @@ static void delete_x11_file(pid_t pid) {
                errExit("asprintf");
        int rv = unlink(fname);
        (void) rv;
+        free(fname);
+}
+static void detect_quiet(int argc, char **argv) {
+        int i;
+        
+        // detect --quiet
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--quiet") == 0) {
+                        arg_quiet = 1;
+                        break;
+                }
+                
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+}
+static void detect_allow_debuggers(int argc, char **argv) {
+        int i;
+        
+        // detect --allow-debuggers
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--allow-debuggers") == 0) {
+                        arg_allow_debuggers = 1;
+                        break;
+                }
+                
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+}
+char *guess_shell(void) {
+        char *shell = NULL;
+        // shells in order of preference
+        char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
+        int i = 0;
+        while (shells[i] != NULL) {
+                struct stat s;
+                // access call checks as real UID/GID, not as effective UID/GID
+                if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) {
+                        shell = shells[i];
+                        break;
+                }
+                i++;
+        }
+        return shell;
 }
 //*******************************************
@@ -694,81 +838,106 @@ int main(int argc, char **argv) {
        int option_force = 0;
        int custom_profile = 0; // custom profile loaded
        char *custom_profile_dir = NULL; // custom profile directory
-        int arg_noprofile = 0; // use generic.profile if none other found/specified
+        int arg_noprofile = 0; // use default.profile if none other found/specified
-#ifdef HAVE_SECCOMP
-        int highest_errno = errno_highest_nr();
+        // build /run/firejail directory structure
-#endif
+        preproc_build_firejail_dir();
+        
+        detect_quiet(argc, argv);
+        detect_allow_debuggers(argc, argv);
        // drop permissions by default and rise them when required
        EUID_INIT();
        EUID_USER();
        // check argv[0] symlink wrapper if this is not a login shell
        if (*argv[0] != '-')
                run_symlink(argc, argv);
        // check if we already have a sandbox running
+        // If LXC is detected, start firejail sandbox
+        // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
+        //      - if --force flag is set, start firejail sandbox
+        //      -- if --force flag is not set, start the application in a /bin/bash shell 
+        if (check_namespace_virt() == 0) {
+                EUID_ROOT();
+                int rv = check_kernel_procs();
+                EUID_USER();
+                if (rv == 0) {
+                        // if --force option is passed to the program, disregard the existing sandbox
+                        int found = 0;
+                        for (i = 1; i < argc; i++) {
+                                if (strcmp(argv[i], "--force") == 0 ||
+                                    strcmp(argv[i], "--list") == 0 ||   
+                                    strcmp(argv[i], "--netstats") == 0 ||       
+                                    strcmp(argv[i], "--tree") == 0 ||   
+                                    strcmp(argv[i], "--top") == 0 ||
+                                    strncmp(argv[i], "--ls=", 5) == 0 ||
+                                    strncmp(argv[i], "--get=", 6) == 0 ||
+                                    strcmp(argv[i], "--debug-caps") == 0 ||
+                                    strcmp(argv[i], "--debug-errnos") == 0 ||
+                                    strcmp(argv[i], "--debug-syscalls") == 0 ||
+                                    strcmp(argv[i], "--debug-protocols") == 0 ||
+                                    strcmp(argv[i], "--help") == 0 ||
+                                    strcmp(argv[i], "--version") == 0 ||
+                                    strcmp(argv[i], "--overlay-clean") == 0 ||
+                                    strncmp(argv[i], "--dns.print=", 12) == 0 ||
+                                    strncmp(argv[i], "--bandwidth=", 12) == 0 ||
+                                    strncmp(argv[i], "--caps.print=", 13) == 0 ||
+                                    strncmp(argv[i], "--cpu.print=", 12) == 0 ||
+        //********************************************************************************
+        // todo: fix the following problems
+                                    strncmp(argv[i], "--join=", 7) == 0 ||
+        //[netblue@debian Downloads]$ firejail --join=896
+        //Switching to pid 897, the first child process inside the sandbox
+        //Error: seccomp file not found
+        //********************************************************************************
+        
+                                    strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
+                                    strncmp(argv[i], "--join-network=", 15) == 0 ||
+                                    strncmp(argv[i], "--fs.print=", 11) == 0 ||
+                                    strncmp(argv[i], "--protocol.print=", 17) == 0 ||
+                                    strncmp(argv[i], "--seccomp.print", 15) == 0 ||
+                                    strncmp(argv[i], "--shutdown=", 11) == 0) {
+                                        found = 1;
+                                        break;
+                                }
+        
+                                // detect end of firejail params
+                                if (strcmp(argv[i], "--") == 0)
+                                        break;
+                                if (strncmp(argv[i], "--", 2) != 0)
+                                        break;
+                        }
+                        
+                        if (found == 0) {
+                                // start the program directly without sandboxing
+                                run_no_sandbox(argc, argv);
+                                // it will never get here!
+                                assert(0);
+                        }
+                        else
+                                option_force = 1;
+                }
+        }
+        
+        // check root/suid
        EUID_ROOT();
-        int rv = check_kernel_procs();
+        if (geteuid()) {
-        EUID_USER();
+                // detect --version
-        if (rv == 0) {
-                // if --force option is passed to the program, disregard the existing sandbox
-                int found = 0;
                for (i = 1; i < argc; i++) {
-                        if (strcmp(argv[i], "--force") == 0 ||
+                        if (strcmp(argv[i], "--version") == 0) {
-                            strcmp(argv[i], "--list") == 0 ||   
+                                printf("firejail version %s\n", VERSION);
-                            strcmp(argv[i], "--netstats") == 0 ||       
+                                exit(0);
-                            strcmp(argv[i], "--tree") == 0 ||   
-                            strcmp(argv[i], "--top") == 0 ||
-                            strncmp(argv[i], "--ls=", 5) == 0 ||
-                            strncmp(argv[i], "--get=", 6) == 0 ||
-                            strcmp(argv[i], "--debug-caps") == 0 ||
-                            strcmp(argv[i], "--debug-errnos") == 0 ||
-                            strcmp(argv[i], "--debug-syscalls") == 0 ||
-                            strcmp(argv[i], "--debug-protocols") == 0 ||
-                            strcmp(argv[i], "--help") == 0 ||
-                            strcmp(argv[i], "--version") == 0 ||
-                            strncmp(argv[i], "--dns.print=", 12) == 0 ||
-                            strncmp(argv[i], "--bandwidth=", 12) == 0 ||
-                            strncmp(argv[i], "--caps.print=", 13) == 0 ||
-                            strncmp(argv[i], "--cpu.print=", 12) == 0 ||
-//********************************************************************************
-// todo: fix the following problems
-                            strncmp(argv[i], "--join=", 7) == 0 ||
-//[netblue@debian Downloads]$ firejail --join=896
-//Switching to pid 897, the first child process inside the sandbox
-//Error: seccomp file not found
-//********************************************************************************
-                            strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
-                            strncmp(argv[i], "--join-network=", 15) == 0 ||
-                            strncmp(argv[i], "--fs.print=", 11) == 0 ||
-                            strncmp(argv[i], "--protocol.print=", 17) == 0 ||
-                            strncmp(argv[i], "--seccomp.print", 15) == 0 ||
-                            strncmp(argv[i], "--shutdown=", 11) == 0) {
-                                found = 1;
-                                break;
                        }
+                        
+                        // detect end of firejail params
                        if (strcmp(argv[i], "--") == 0)
                                break;
                        if (strncmp(argv[i], "--", 2) != 0)
                                break;
                }
-                
-                if (found == 0) {
-                        // start the program directly without sandboxing
-                        run_no_sandbox(argc, argv);
-                        // it will never get here!
-                        assert(0);
-                }
-                else
-                        option_force = 1;
-        }
-        // check root/suid
-        EUID_ROOT();
-        if (geteuid()) {
-                fprintf(stderr, "Error: the sandbox is not setuid root\n");
                exit(1);
        }
        EUID_USER();
@@ -776,10 +945,8 @@ int main(int argc, char **argv) {
        // initialize globals
        init_cfg(argc, argv);
        // check firejail directories
        EUID_ROOT();
-        fs_build_firejail_dir();
        bandwidth_del_run_file(sandbox_pid);
        network_del_run_file(sandbox_pid);
        delete_name_file(sandbox_pid);
@@ -798,15 +965,68 @@ int main(int argc, char **argv) {
                        if (strcmp(comm, "sshd") == 0) {
                                arg_quiet = 1;
                                parent_sshd = 1;
+#ifdef DEBUG_RESTRICTED_SHELL
+                                {EUID_ROOT();
+                                FILE *fp = fopen("/firelog", "w");
+                                if (fp) {
+                                        int i;
+                                        fprintf(fp, "argc %d: ", argc);
+                                        for (i = 0; i < argc; i++)
+                                                fprintf(fp, "#%s# ", argv[i]);
+                                        fprintf(fp, "\n");
+                                        fclose(fp);
+                                }
+                                EUID_USER();}
+#endif
+                                // run sftp and scp directly without any sandboxing
+                                // regular login has argv[0] == "-firejail"
+                                if (*argv[0] != '-') {
+                                        if (strcmp(argv[1], "-c") == 0 && argc > 2) {
+                                                if (strcmp(argv[2], "/usr/lib/openssh/sftp-server") == 0 ||
+                                                    strncmp(argv[2], "scp ", 4) == 0) {
+#ifdef DEBUG_RESTRICTED_SHELL
+                                                        {EUID_ROOT();
+                                                        FILE *fp = fopen("/firelog", "a");
+                                                        if (fp) {
+                                                                fprintf(fp, "run without a sandbox\n");
+                                                                fclose(fp);
+                                                        }
+                                                        EUID_USER();}
+#endif
+                                                    
+                                                        drop_privs(1);
+                                                        int rv = system(argv[2]);
+                                                        exit(rv);
+                                                }
+                                        }
+                                }
                        }
                        free(comm);
                }
        }
        
-        // is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
        if (*argv[0] == '-' || parent_sshd) {
+                if (argc == 1)
+                        login_shell = 1;
                fullargc = restricted_shell(cfg.username);
                if (fullargc) {
+                        
+#ifdef DEBUG_RESTRICTED_SHELL
+                        {EUID_ROOT();
+                        FILE *fp = fopen("/firelog", "a");
+                        if (fp) {
+                                fprintf(fp, "fullargc %d: ",  fullargc);
+                                int i;
+                                for (i = 0; i < fullargc; i++)
+                                        fprintf(fp, "#%s# ", fullargv[i]);
+                                fprintf(fp, "\n");
+                                fclose(fp);
+                        }
+                        EUID_USER();}
+#endif
+                        
                        int j;
                        for (i = 1, j = fullargc; i < argc && j < MAX_ARGS; i++, j++, fullargc++)
                                fullargv[j] = argv[i];
@@ -814,12 +1034,37 @@ int main(int argc, char **argv) {
                        // replace argc/argv with fullargc/fullargv
                        argv = fullargv;
                        argc = j;
+#ifdef DEBUG_RESTRICTED_SHELL
+                        {EUID_ROOT();
+                        FILE *fp = fopen("/firelog", "a");
+                        if (fp) {
+                                fprintf(fp, "argc %d: ", argc);
+                                int i;
+                                for (i = 0; i < argc; i++)
+                                        fprintf(fp, "#%s# ", argv[i]);
+                                fprintf(fp, "\n");
+                                fclose(fp);
+                        }
+                        EUID_USER();}
+#endif
                }
        }
        else {
                // check --output option and execute it;
                check_output(argc, argv); // the function will not return if --output option was found
-                check_user(argc, argv); // the function will not return if --user option was found
+        }
+        
+        
+        // check for force-nonewprivs in /etc/firejail/firejail.config file
+        if (checkcfg(CFG_FORCE_NONEWPRIVS))
+                arg_nonewprivs = 1;
+        
+        if (arg_allow_debuggers) {
+                char *cmd = strdup("noblacklist ${PATH}/strace");
+                if (!cmd)
+                        errExit("strdup");
+                profile_add(cmd);
        }
        
        // parse arguments
@@ -845,14 +1090,30 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--force") == 0)
                        ;
+                else if (strcmp(argv[i], "--allow-debuggers") == 0) {
+                        // already handled
+                }
                //*************************************
                // filtering
                //*************************************
+#ifdef HAVE_APPARMOR
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+#endif  
 #ifdef HAVE_SECCOMP
                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
-                                protocol_store(argv[i] + 11);
+                                if (cfg.protocol) {
+                                        if (!arg_quiet)
+                                                fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
+                                }
+                                else {
+                                        // store list
+                                        cfg.protocol = strdup(argv[i] + 11);
+                                        if (!cfg.protocol)
+                                                errExit("strdup");
+                                }
                        }
                        else {
                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -879,9 +1140,7 @@ int main(int argc, char **argv) {
                                        exit(1);
                                }
                                arg_seccomp = 1;
-                                cfg.seccomp_list = strdup(argv[i] + 10);
+                                cfg.seccomp_list = seccomp_check_list(argv[i] + 10);
-                                if (!cfg.seccomp_list)
-                                        errExit("strdup");
                        }
                        else {
                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -895,9 +1154,7 @@ int main(int argc, char **argv) {
                                        exit(1);
                                }
                                arg_seccomp = 1;
-                                cfg.seccomp_list_drop = strdup(argv[i] + 15);
+                                cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15);
-                                if (!cfg.seccomp_list_drop)
-                                        errExit("strdup");
                        }
                        else {
                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -911,43 +1168,7 @@ int main(int argc, char **argv) {
                                        exit(1);
                                }
                                arg_seccomp = 1;
-                                cfg.seccomp_list_keep = strdup(argv[i] + 15);
+                                cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15);
-                                if (!cfg.seccomp_list_keep)
-                                        errExit("strdup");
-                        }
-                        else {
-                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
-                                exit(1);
-                        }
-                }
-                else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
-                        if (checkcfg(CFG_SECCOMP)) {
-                                if (arg_seccomp && !cfg.seccomp_list_errno) {
-                                        fprintf(stderr, "Error: seccomp already enabled\n");
-                                        exit(1);
-                                }
-                                char *eq = strchr(argv[i], '=');
-                                char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
-                                int nr = errno_find_name(errnoname);
-                                if (nr == -1) {
-                                        fprintf(stderr, "Error: unknown errno %s\n", errnoname);
-                                        free(errnoname);
-                                        exit(1);
-                                }
-        
-                                if (!cfg.seccomp_list_errno)
-                                        cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
-        
-                                if (cfg.seccomp_list_errno[nr]) {
-                                        fprintf(stderr, "Error: errno %s already configured\n", errnoname);
-                                        free(errnoname);
-                                        exit(1);
-                                }
-                                arg_seccomp = 1;
-                                cfg.seccomp_list_errno[nr] = strdup(eq+1);
-                                if (!cfg.seccomp_list_errno[nr])
-                                        errExit("strdup");
-                                free(errnoname);
                        }
                        else {
                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -1021,6 +1242,8 @@ int main(int argc, char **argv) {
                        read_cpu_list(argv[i] + 6);
                else if (strncmp(argv[i], "--nice=", 7) == 0) {
                        cfg.nice = atoi(argv[i] + 7);
+                        if (getuid() != 0 &&cfg.nice < 0)
+                                cfg.nice = 0;
                        arg_nice = 1;
                }
                else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
@@ -1039,6 +1262,8 @@ int main(int argc, char **argv) {
                //*************************************
                // filesystem
                //*************************************
+                else if (strcmp(argv[i], "--allusers") == 0)
+                        arg_allusers = 1;
 #ifdef HAVE_BIND                
                else if (strncmp(argv[i], "--bind=", 7) == 0) {
                        if (checkcfg(CFG_BIND)) {
@@ -1079,98 +1304,155 @@ int main(int argc, char **argv) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+#ifdef HAVE_WHITELIST
                else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
+                        if (checkcfg(CFG_WHITELIST)) {
+                                char *line;
+                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                        errExit("asprintf");
+                                
+                                profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                profile_add(line);
+                        }
+                        else {
+                                fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
+#endif          
+                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
                        char *line;
-                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
                                errExit("asprintf");
                        
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
-                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
+                else if (strncmp(argv[i], "--noexec=", 9) == 0) {
                        char *line;
-                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
+                        if (asprintf(&line, "noexec %s", argv[i] + 9) == -1)
                                errExit("asprintf");
                        
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
-                else if (strcmp(argv[i], "--overlay") == 0) {
+                else if (strncmp(argv[i], "--read-write=", 13) == 0) {
-                        if (cfg.chrootdir) {
+                        char *line;
-                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                        if (asprintf(&line, "read-write %s", argv[i] + 13) == -1)
-                                exit(1);
-                        }
-                        struct stat s;
-                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
-                                exit(1);        
-                        }
-                        arg_overlay = 1;
-                        arg_overlay_keep = 1;
-                        
-                        // create ~/.firejail directory
-                        char *dirname;
-                        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                                errExit("asprintf");
-                        if (stat(dirname, &s) == -1) {
+                        
-                                /* coverity[toctou] */
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                                if (mkdir(dirname, 0700))
+                        profile_add(line);
-                                        errExit("mkdir");
+                }
-                                if (chown(dirname, getuid(), getgid()) < 0)
+#ifdef HAVE_OVERLAYFS
-                                        errExit("chown");
+                else if (strcmp(argv[i], "--overlay") == 0) {
-                                if (chmod(dirname, 0700) < 0)
+                        if (checkcfg(CFG_OVERLAYFS)) {
-                                        errExit("chmod");
+                                if (cfg.chrootdir) {
+                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                        exit(1);
+                                }
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                        exit(1);        
+                                }
+                                arg_overlay = 1;
+                                arg_overlay_keep = 1;
+                                
+                                char *subdirname;
+                                if (asprintf(&subdirname, "%d", getpid()) == -1)
+                                        errExit("asprintf");
+                                cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+        
+                                free(subdirname);
                        }
-                        else if (is_link(dirname)) {
+                        else {
-                                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                                fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
                                exit(1);
                        }
-                        
+                }
-                        free(dirname);
+                else if (strncmp(argv[i], "--overlay-named=", 16) == 0) {
-                        
+                        if (checkcfg(CFG_OVERLAYFS)) {
-                        // check overlay directory
+                                if (cfg.chrootdir) {
-                        if (asprintf(&dirname, "%s/.firejail/%d", cfg.homedir, getpid()) == -1)
+                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
-                                errExit("asprintf");
+                                        exit(1);
-                        if (stat(dirname, &s) == 0) {
+                                }
-                                fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                        exit(1);
+                                }
+                                arg_overlay = 1;
+                                arg_overlay_keep = 1;
+                                arg_overlay_reuse = 1;
+                                
+                                char *subdirname = argv[i] + 16;
+                                if (subdirname == '\0') {
+                                        fprintf(stderr, "Error: invalid overlay option\n");
+                                        exit(1);
+                                }
+                                
+                                // check name
+                                invalid_filename(subdirname);
+                                if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
+                                        fprintf(stderr, "Error: invalid overlay name\n");
+                                        exit(1);
+                                }
+                                cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+                        }
+                        else {
+                                fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
                                exit(1);
                        }
-                        cfg.overlay_dir = dirname;
                }
                else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
-                        if (cfg.chrootdir) {
+                        if (checkcfg(CFG_OVERLAYFS)) {
-                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                if (cfg.chrootdir) {
-                                exit(1);
+                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                        exit(1);
+                                }
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                        exit(1);        
+                                }
+                                arg_overlay = 1;
                        }
-                        struct stat s;
+                        else {
-                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
-                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);
-                                exit(1);        
                        }
-                        arg_overlay = 1;
                }
+#endif
                else if (strncmp(argv[i], "--profile=", 10) == 0) {
                        if (arg_noprofile) {
                                fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
                                exit(1);
                        }
-                        invalid_filename(argv[i] + 10);
+                        
+                        char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+                        if (!ppath)
+                                errExit("strdup");
+                        invalid_filename(ppath);
                        
                        // multiple profile files are allowed!
-                        char *ptr = argv[i] + 10;
+                        if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
-                        if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) {
                                fprintf(stderr, "Error: invalid profile file\n");
                                exit(1);
                        }
                        
                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(argv[i] + 10, R_OK)) {
+                        if (access(ppath, R_OK)) {
                                fprintf(stderr, "Error: cannot access profile file\n");
                                return 1;
                        }
-                        profile_read(argv[i] + 10);
+                        profile_read(ppath);
                        custom_profile = 1;
+                        free(ppath);
                }
                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
                        if (arg_noprofile) {
@@ -1255,6 +1537,14 @@ int main(int argc, char **argv) {
                                        return 1;
                                }
                                
+                                // don't allow "--chroot=/"
+                                char *rpath = realpath(cfg.chrootdir, NULL);
+                                if (rpath == NULL || strcmp(rpath, "/") == 0) {
+                                        fprintf(stderr, "Error: invalid chroot directory\n");
+                                        exit(1);
+                                }
+                                free(rpath);
+                                
                                // check chroot directory structure
                                if (fs_check_chroot_dir(cfg.chrootdir)) {
                                        fprintf(stderr, "Error: invalid chroot\n");
@@ -1265,12 +1555,27 @@ int main(int argc, char **argv) {
                                fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n");
                                exit(1);
                        }
                }
 #endif
-                else if (strcmp(argv[i], "--private") == 0)
+                else if (strcmp(argv[i], "--writable-etc") == 0) {
+                        if (cfg.etc_private_keep) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        arg_writable_etc = 1;
+                }
+                else if (strcmp(argv[i], "--writable-var") == 0) {
+                        arg_writable_var = 1;
+                }
+                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
+                }
                else if (strncmp(argv[i], "--private=", 10) == 0) {
+                        if (cfg.home_private_keep) {
+                                fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n");
+                                exit(1);
+                        }
                        // extract private home dirname
                        cfg.home_private = argv[i] + 10;
                        if (*cfg.home_private == '\0') {
@@ -1278,12 +1583,42 @@ int main(int argc, char **argv) {
                                exit(1);
                        }
                        fs_check_private_dir();
+                        // downgrade to --private if the directory is the user home directory
+                        if (strcmp(cfg.home_private, cfg.homedir) == 0) {
+                                free(cfg.home_private);
+                                cfg.home_private = NULL;
+                        }
                        arg_private = 1;
                }
+#ifdef HAVE_PRIVATE_HOME
+                else if (strncmp(argv[i], "--private-home=", 15) == 0) {
+                        if (checkcfg(CFG_PRIVATE_HOME)) {
+                                if (cfg.home_private) {
+                                        fprintf(stderr, "Error: a private home directory was already defined with --private option.\n");
+                                        exit(1);
+                                }
+                                
+                                // extract private home dirname
+                                cfg.home_private_keep = argv[i] + 15;
+                                fs_check_home_list();
+                                arg_private = 1;
+                        }
+                        else {
+                                fprintf(stderr, "Error: --private-home feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
+#endif          
                else if (strcmp(argv[i], "--private-dev") == 0) {
                        arg_private_dev = 1;
                }
                else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        
                        // extract private etc list
                        cfg.etc_private_keep = argv[i] + 14;
                        if (*cfg.etc_private_keep == '\0') {
@@ -1291,12 +1626,7 @@ int main(int argc, char **argv) {
                                exit(1);
                        }
                        fs_check_etc_list();
-                        if (*cfg.etc_private_keep != '\0')
+                        arg_private_etc = 1;
-                                arg_private_etc = 1;
-                        else {
-                                arg_private_etc = 0;
-                                fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-                        }
                }
                else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                        // extract private bin list
@@ -1341,11 +1671,18 @@ int main(int argc, char **argv) {
                        }
                }
 #endif
+                else if (strcmp(argv[i], "--nonewprivs") == 0) {
+                        arg_nonewprivs = 1;
+                }
                else if (strncmp(argv[i], "--env=", 6) == 0)
-                        env_store(argv[i] + 6);
+                        env_store(argv[i] + 6, SETENV);
-                else if (strncmp(argv[i], "--nosound", 9) == 0) {
+                else if (strncmp(argv[i], "--rmenv=", 8) == 0)
+                        env_store(argv[i] + 8, RMENV);
+                else if (strcmp(argv[i], "--nosound") == 0) {
                        arg_nosound = 1;
-                        arg_private_dev = 1;
+                }
+                else if (strcmp(argv[i], "--no3d") == 0) {
+                        arg_no3d = 1;
                }
                                
                //*************************************
@@ -1401,7 +1738,8 @@ int main(int argc, char **argv) {
                                        errExit("strdup");
                                
                                if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) {
-                                        fprintf(stderr, "Warning:  interface %s is not configured\n", intf->dev);
+                                        if (!arg_quiet || arg_debug)
+                                                fprintf(stderr, "Warning:  interface %s is not configured\n", intf->dev);
                                }
                                intf->configured = 1;
                        }
@@ -1464,6 +1802,27 @@ int main(int argc, char **argv) {
                        }
                }
+                else if (strncmp(argv[i], "--veth-name=", 12) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        exit(1);
+                                }
+                                br->veth_name = strdup(argv[i] + 12);
+                                if (br->veth_name == NULL)
+                                        errExit("strdup");
+                                if (*br->veth_name == '\0') {
+                                        fprintf(stderr, "Error: no veth-name configured\n");
+                                        exit(1);
+                                }
+                        }
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
                else if (strcmp(argv[i], "--scan") == 0) {
                        if (checkcfg(CFG_NETWORK)) {
                                arg_scan = 1;
@@ -1522,17 +1881,17 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
                                if (mac_not_zero(br->macsandbox)) {
                                        fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                // read the address
                                if (atomac(argv[i] + 6, br->macsandbox)) {
                                        fprintf(stderr, "Error: invalid MAC address\n");
-                                        return 1;
+                                        exit(1);
                                }
                        }
                        else {
@@ -1546,12 +1905,12 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
                                        fprintf(stderr, "Error: invalid mtu value\n");
-                                        return 1;
+                                        exit(1);
                                }
                        }
                        else {
@@ -1565,11 +1924,11 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
                                if (br->arg_ip_none || br->ipsandbox) {
                                        fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                // configure this IP address for the last bridge defined
@@ -1578,7 +1937,7 @@ int main(int argc, char **argv) {
                                else {
                                        if (atoip(argv[i] + 5, &br->ipsandbox)) {
                                                fprintf(stderr, "Error: invalid IP address\n");
-                                                return 1;
+                                                exit(1);
                                        }
                                }
                        }
@@ -1593,11 +1952,11 @@ int main(int argc, char **argv) {
                                Bridge *br = last_bridge_configured();
                                if (br == NULL) {
                                        fprintf(stderr, "Error: no network device configured\n");
-                                        return 1;
+                                        exit(1);
                                }
                                if (br->arg_ip_none || br->ip6sandbox) {
                                        fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                        return 1;
+                                        exit(1);
                                }
        
                                // configure this IP address for the last bridge defined
@@ -1605,7 +1964,7 @@ int main(int argc, char **argv) {
                                br->ip6sandbox = argv[i] + 6;
 //                              if (atoip(argv[i] + 5, &br->ipsandbox)) {
 //                                      fprintf(stderr, "Error: invalid IP address\n");
-//                                      return 1;
+//                                      exit(1);
 //                              }
                        }
                        else {
@@ -1619,7 +1978,7 @@ int main(int argc, char **argv) {
                        if (checkcfg(CFG_NETWORK)) {
                                if (atoip(argv[i] + 12, &cfg.defaultgw)) {
                                        fprintf(stderr, "Error: invalid IP address\n");
-                                        return 1;
+                                        exit(1);
                                }
                        }
                        else {
@@ -1649,6 +2008,18 @@ int main(int argc, char **argv) {
 #ifdef HAVE_NETWORK
                else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                        }
@@ -1659,6 +2030,18 @@ int main(int argc, char **argv) {
                }
                else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                                arg_netfilter_file = argv[i] + 12;
@@ -1685,32 +2068,49 @@ int main(int argc, char **argv) {
                //*************************************
                // command
                //*************************************
+                else if (strcmp(argv[i], "--audit") == 0) {
+                        if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+                                errExit("asprintf");
+                        arg_audit = 1;
+                }
+                else if (strncmp(argv[i], "--audit=", 8) == 0) {
+                        if (strlen(argv[i] + 8) == 0) {
+                                fprintf(stderr, "Error: invalid audit program\n");
+                                exit(1);
+                        }
+                        arg_audit_prog = strdup(argv[i] + 8);
+                        if (!arg_audit_prog)
+                                errExit("strdup");
+                        arg_audit = 1;
+                }
+                else if (strcmp(argv[i], "--appimage") == 0)
+                        arg_appimage = 1;
                else if (strcmp(argv[i], "--csh") == 0) {
                        if (arg_shell_none) {
                        
                                fprintf(stderr, "Error: --shell=none was already specified.\n");
                                return 1;
                        }
-                        if (arg_zsh || cfg.shell ) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: only one default user shell can be specified\n");
                                return 1;
                        }
-                        arg_csh = 1;
+                        cfg.shell = "/bin/csh";
                }
                else if (strcmp(argv[i], "--zsh") == 0) {
                        if (arg_shell_none) {
                                fprintf(stderr, "Error: --shell=none was already specified.\n");
                                return 1;
                        }
-                        if (arg_csh || cfg.shell ) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: only one default user shell can be specified\n");
                                return 1;
                        }
-                        arg_zsh = 1;
+                        cfg.shell = "/bin/zsh";
                }
                else if (strcmp(argv[i], "--shell=none") == 0) {
                        arg_shell_none = 1;
-                        if (arg_csh || arg_zsh || cfg.shell) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: a shell was already specified\n");
                                return 1;
                        }
@@ -1722,7 +2122,7 @@ int main(int argc, char **argv) {
                        }
                        invalid_filename(argv[i] + 8);
                        
-                        if (arg_csh || arg_zsh || cfg.shell) {
+                        if (cfg.shell) {
                                fprintf(stderr, "Error: only one user shell can be specified\n");
                                return 1;
                        }
@@ -1732,9 +2132,18 @@ int main(int argc, char **argv) {
                                fprintf(stderr, "Error: invalid shell\n");
                                exit(1);
                        }
-                        
                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(cfg.shell, R_OK)) {
+                        if(cfg.chrootdir) {
+                                char *shellpath;
+                                if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
+                                        errExit("asprintf");
+                                if (access(shellpath, R_OK)) {
+                                        fprintf(stderr, "Error: cannot access shell file in chroot\n");
+                                        exit(1);
+                                }
+                                free(shellpath);
+                        } else if (access(cfg.shell, R_OK)) {
                                fprintf(stderr, "Error: cannot access shell file\n");
                                exit(1);
                        }
@@ -1746,6 +2155,32 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+                
+                // unlike all other x11 features, this is available always
+                else if (strcmp(argv[i], "--x11=none") == 0) {
+                        arg_x11_block = 1;
+                }
+#ifdef HAVE_X11
+                else if (strcmp(argv[i], "--x11=xorg") == 0) {
+                        if (checkcfg(CFG_X11))
+                                arg_x11_xorg = 1;
+                        else {
+                                fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
+#endif
+                else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
+                        // NOTE: this is second part of option handler,
+                        //               atempt to find and join sandbox is done in other one
+                        // set sandbox name and start normally
+                        cfg.name = argv[i] + 16;
+                        if (strlen(cfg.name) == 0) {
+                                fprintf(stderr, "Error: please provide a name for sandbox\n");
+                                return 1;
+                        }
+                }
                else if (strcmp(argv[i], "--") == 0) {
                        // double dash - positional params to follow
                        arg_doubledash = 1;
@@ -1766,15 +2201,33 @@ int main(int argc, char **argv) {
                        }
                        
                        // we have a program name coming
-                        extract_command_name(i, argv);
+                        if (arg_appimage) {
+                                cfg.command_name = strdup(argv[i]);
+                                if (!cfg.command_name)
+                                        errExit("strdup");
+                        }
+                        else
+                                extract_command_name(i, argv);
                        prog_index = i;
                        break;
                }
        }
+        
+        // prog_index could still be -1 if no program was specified
+        if (prog_index == -1 && arg_shell_none) {
+                fprintf(stderr, "shell=none configured, but no program specified\n");
+                exit(1);
+        }
        // check trace configuration
-        if (arg_trace && arg_tracelog)
+        if (arg_trace && arg_tracelog) {
-                fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n");
+                if (!arg_quiet || arg_debug)
+                        fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n");
+        }
+        
+        // disable x11 abstract socket
+        if (getenv("FIREJAIL_X11"))
+                mask_x11_abstract_socket = 1;
        
        // check user namespace (--noroot) options
        if (arg_noroot) {
@@ -1798,66 +2251,41 @@ int main(int argc, char **argv) {
                free(msg);
        }
-        // build the sandbox command
+        // guess shell if unspecified
-        if (prog_index == -1 && arg_zsh) {
+        if (!arg_shell_none && !cfg.shell) {
-                cfg.command_line = "/usr/bin/zsh";
+                cfg.shell = guess_shell();
-                cfg.window_title = "/usr/bin/zsh";
+                if (!cfg.shell) {
-                cfg.command_name = "zsh";
+                        fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
-        }
+                        exit(1);
-        else if (prog_index == -1 && arg_csh) {
+                }
-                cfg.command_line = "/bin/csh";
+                if (arg_debug)
-                cfg.window_title = "/bin/csh";
+                        printf("Autoselecting %s as shell\n", cfg.shell);
-                cfg.command_name = "csh";
        }
-        else if (prog_index == -1 && cfg.shell) {
+        // build the sandbox command
+        if (prog_index == -1 && cfg.shell) {
                cfg.command_line = cfg.shell;
                cfg.window_title = cfg.shell;
                cfg.command_name = cfg.shell;
        }
-        else if (prog_index == -1) {
+        else if (arg_appimage) {
-                cfg.command_line = "/bin/bash";
+                if (arg_debug)
-                cfg.window_title = "/bin/bash";
+                        printf("Configuring appimage environment\n");
-                cfg.command_name = "bash";
+                appimage_set(cfg.command_name);
+                cfg.window_title = "appimage";
        }
        else {
-                // calculate the length of the command
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
-                int i;
-                int len = 0;
-                int argcnt = argc - prog_index;
-                for (i = 0; i < argcnt; i++)
-                        len += strlen(argv[i + prog_index]) + 3; // + ' ' + 2 '"'
-                // build the string
-                cfg.command_line = malloc(len + 1); // + '\0'
-                if (!cfg.command_line)
-                        errExit("malloc");
-                cfg.window_title = malloc(len + 1); // + '\0'
-                if (!cfg.window_title)
-                        errExit("malloc");
-                char *ptr1 = cfg.command_line;
-                char *ptr2 = cfg.window_title;
-                for (i = 0; i < argcnt; i++) {
-                        // detect bash commands
-                        if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) {
-                                sprintf(ptr1, "%s ", argv[i + prog_index]);
-                        }
-                        else if (arg_command){
-                                sprintf(ptr1, "%s ", argv[i + prog_index]);
-                        }
-                        else {
-                                sprintf(ptr1, "\"%s\" ", argv[i + prog_index]);
-                        }
-                        sprintf(ptr2, "%s ", argv[i + prog_index]);
-                        ptr1 += strlen(ptr1);
-                        ptr2 += strlen(ptr2);
-                }
        }
+/*      else {
+                fprintf(stderr, "Error: command must be specified when --shell=none used.\n");
+                exit(1);
+        }*/
        
        assert(cfg.command_name);
        if (arg_debug)
                printf("Command name #%s#\n", cfg.command_name);
+                
                                
        // load the profile
        if (!arg_noprofile) {
@@ -1881,14 +2309,16 @@ int main(int argc, char **argv) {
                }
        }
-        // use generic.profile as the default
+        // use default.profile as the default
        if (!custom_profile && !arg_noprofile) {
-                if (cfg.chrootdir)
+                if (cfg.chrootdir) {
-                        fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
+                        if (!arg_quiet || arg_debug)
-                else if (arg_overlay)
+                                fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
-                        fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
+                }
-//              else if (cfg.home_private_keep)
+                else if (arg_overlay) {
-//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
+                        if (!arg_quiet || arg_debug)
+                                fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
+                }
                else {
                        // try to load a default profile
                        char *profile_name = DEFAULT_USER_PROFILE;
@@ -1911,12 +2341,20 @@ int main(int argc, char **argv) {
                                else
                                        custom_profile = profile_find(profile_name, SYSCONFDIR);
                        }
+                        if (!custom_profile) {
+                                fprintf(stderr, "Error: no default.profile installed\n");
+                                exit(1);
+                        }
                        
                        if (custom_profile && !arg_quiet)
                                printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
                }
        }
+        // block X11 sockets
+        if (arg_x11_block)
+                x11_block();
        // check network configuration options - it will exit if anything went wrong
        net_check_cfg();
        
@@ -1947,11 +2385,13 @@ int main(int argc, char **argv) {
                errExit("pipe");
        if (arg_noroot && arg_overlay) {
-                fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
+                if (!arg_quiet || arg_debug)
+                        fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
                arg_noroot = 0;
        }
        else if (arg_noroot && cfg.chrootdir) {
-                fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n");
+                if (!arg_quiet || arg_debug)
+                        fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n");
                arg_noroot = 0;
        }
@@ -2012,7 +2452,10 @@ int main(int argc, char **argv) {
                        network_main(child);
                        if (arg_debug)
                                printf("Host network configured\n");                    
-                        exit(0);                        
+#ifdef HAVE_GCOV
+                        __gcov_flush();
+#endif
+                        _exit(0);                       
                }
                // wait for the child to finish
@@ -2061,16 +2504,30 @@ int main(int argc, char **argv) {
                ptr += strlen(ptr);
                
                //  add tty group
-                gid_t ttygid = get_tty_gid();
+                gid_t g = get_group_id("tty");
-                if (ttygid) {
+                if (g) {
-                        sprintf(ptr, "%d %d 1\n", ttygid, ttygid);
+                        sprintf(ptr, "%d %d 1\n", g, g);
                        ptr += strlen(ptr);
                }
                
                //  add audio group
-                gid_t audiogid = get_audio_gid();
+                g = get_group_id("audio");
-                if (ttygid) {
+                if (g) {
-                        sprintf(ptr, "%d %d 1\n", audiogid, audiogid);
+                        sprintf(ptr, "%d %d 1\n", g, g);
+                        ptr += strlen(ptr);
+                }
+                
+                //  add video group
+                g = get_group_id("video");
+                if (g) {
+                        sprintf(ptr, "%d %d 1\n", g, g);
+                        ptr += strlen(ptr);
+                }
+                
+                //  add games group
+                g = get_group_id("games");
+                if (g) {
+                        sprintf(ptr, "%d %d 1\n", g, g);
                }
                
                EUID_ROOT();
@@ -2084,8 +2541,10 @@ int main(int argc, char **argv) {
        close(parent_to_child_fds[1]);
 
        EUID_ROOT();
-        if (lockfd != -1)
+        if (lockfd != -1) {
                flock(lockfd, LOCK_UN);
+                close(lockfd);
+        }
        // create name file under /run/firejail
        
@@ -2101,13 +2560,6 @@ int main(int argc, char **argv) {
        waitpid(child, &status, 0);
        // free globals
-#ifdef HAVE_SECCOMP
-        if (cfg.seccomp_list_errno) {
-                for (i = 0; i < highest_errno; i++)
-                        free(cfg.seccomp_list_errno[i]);
-                free(cfg.seccomp_list_errno);
-        }
-#endif
        if (cfg.profile) {
                ProfileEntry *prf = cfg.profile;
                while (prf != NULL) {
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 71abfb53d..1df4b7a0f 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -66,6 +66,8 @@ void netfilter(const char *fname) {
        // custom filter
        int allocated = 0;
+        if (netfilter_default)
+                fname = netfilter_default;
        if (fname) {
                // buffer the filter
                struct stat s;
@@ -141,9 +143,10 @@ void netfilter(const char *fname) {
                dup2(fd,STDIN_FILENO);
                // wipe out environment variables
-                environ = NULL;
+                clearenv();     
                execl(iptables_restore, iptables_restore, NULL);
-                // it will never get here!!!
+                perror("execl");
+                _exit(1);
        }
        // wait for the child to finish
        waitpid(child, NULL, 0);
@@ -160,8 +163,10 @@ void netfilter(const char *fname) {
                        if (setregid(0, 0))
                                errExit("setregid");
                        environ = NULL;
+                        assert(getenv("LD_PRELOAD") == NULL);   
                        execl(iptables, iptables, "-vL", NULL);
-                        // it will never get here!!!
+                        perror("execl");
+                        _exit(1);
                }
                // wait for the child to finish
                waitpid(child, NULL, 0);
@@ -252,9 +257,10 @@ void netfilter6(const char *fname) {
                dup2(fd,STDIN_FILENO);
                // wipe out environment variables
-                environ = NULL;
+                clearenv();     
                execl(ip6tables_restore, ip6tables_restore, NULL);
-                // it will never get here!!!
+                perror("execl");
+                _exit(1);
        }
        // wait for the child to finish
        waitpid(child, NULL, 0);
@@ -265,9 +271,10 @@ void netfilter6(const char *fname) {
                if (child < 0)
                        errExit("fork");
                if (child == 0) {
-                        environ = NULL;
+                        clearenv();     
                        execl(ip6tables, ip6tables, "-vL", NULL);
-                        // it will never get here!!!
+                        perror("execl");
+                        _exit(1);
                }
                // wait for the child to finish
                waitpid(child, NULL, 0);
diff --git a/src/firejail/network.c b/src/firejail/network.c
index aac48e521..6d09d770f 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -28,70 +28,6 @@
 #include <net/route.h>
 #include <linux/if_bridge.h>
-// scan interfaces in current namespace and print IP address/mask for each interface
-void net_ifprint(void) {
-        uint32_t ip;
-        uint32_t mask;
-        struct ifaddrs *ifaddr, *ifa;
-        if (getifaddrs(&ifaddr) == -1)
-                errExit("getifaddrs");
-        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
-                "Interface", "MAC", "IP", "Mask", "Status");
-        // walk through the linked list
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-                if (ifa->ifa_addr->sa_family == AF_INET) {
-                        struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
-                        mask = ntohl(si->sin_addr.s_addr);
-                        si = (struct sockaddr_in *) ifa->ifa_addr;
-                        ip = ntohl(si->sin_addr.s_addr);
-                        // interface status
-                        char *status;
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                status = "UP";
-                        else
-                                status = "DOWN";
-                        // ip address and mask
-                        char ipstr[30];
-                        sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip));
-                        char maskstr[30];
-                        sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask));
-                        
-                        // mac address
-                        unsigned char mac[6];
-                        net_get_mac(ifa->ifa_name, mac);
-                        char macstr[30];
-                        if (strcmp(ifa->ifa_name, "lo") == 0)
-                                macstr[0] = '\0';
-                        else
-                                sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac));
-                        // print                                
-                        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
-                                ifa->ifa_name, macstr, ipstr, maskstr, status);
-                        // network scanning
-                        if (!arg_scan)                          // scanning disabled
-                                continue;
-                        if (strcmp(ifa->ifa_name, "lo") == 0)   // no loopbabck scanning
-                                continue;
-                        if (mask2bits(mask) < 16)               // not scanning large networks
-                                continue;
-                        if (!ip)                                        // if not configured
-                                continue;
-                        // only if the interface is up and running
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                arp_scan(ifa->ifa_name, ip, mask);
-                }
-        }
-        freeifaddrs(ifaddr);
-}
 int net_get_mtu(const char *ifname) {
        int mtu = 0;
@@ -190,95 +126,11 @@ void net_if_up(const char *ifname) {
                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
                exit(1);
        }
-        
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, 
-        int sock = socket(AF_INET,SOCK_DGRAM,0);
+                PATH_FNET, "ifup", ifname);
-        if (sock < 0)
+}       
-                errExit("socket");
-        // get the existing interface flags
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        // read the existing flags
-        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        ifr.ifr_flags |= IFF_UP;
-        // set the new flags
-        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        // checking
-        // read the existing flags
-        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        // wait not more than 500ms for the interface to come up
-        int cnt = 0;
-        while (cnt < 50) {
-                usleep(10000);                    // sleep 10ms
-                // read the existing flags
-                if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                        close(sock);
-                        errExit("ioctl");
-                }
-                if (ifr.ifr_flags & IFF_RUNNING)
-                        break;
-                cnt++;
-        }
-        close(sock);
-}
-// bring interface up
-void net_if_down(const char *ifname) {
-        if (strlen(ifname) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
-                exit(1);
-        }
-        
-        int sock = socket(AF_INET,SOCK_DGRAM,0);
-        if (sock < 0)
-                errExit("socket");
-        // get the existing interface flags
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        // read the existing flags
-        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        ifr.ifr_flags &= ~IFF_UP;
-        // set the new flags
-        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        close(sock);
-}
-struct ifreq6 {
-        struct in6_addr ifr6_addr;
-        uint32_t ifr6_prefixlen;
-        unsigned int ifr6_ifindex;
-};
 // configure interface ipv6 address
 // ex: firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64
 void net_if_ip6(const char *ifname, const char *addr6) {
@@ -287,107 +139,11 @@ void net_if_ip6(const char *ifname, const char *addr6) {
                exit(1);
        }
        
-        // extract prefix
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, 
-        unsigned long prefix;
+                PATH_FNET, "config", "ipv6", ifname, addr6);
-        char *ptr;
-        if ((ptr = strchr(addr6, '/'))) {
-                prefix = atol(ptr + 1);
-                if (prefix > 128) {
-                        fprintf(stderr, "Error: invalid prefix for IPv6 address %s\n", addr6);
-                        exit(1);
-                }
-                *ptr = '\0';    // mark the end of the address
-        }
-        else
-                prefix = 128;
-        // extract address
-        struct sockaddr_in6 sin6;
-        memset(&sin6, 0, sizeof(sin6));
-        sin6.sin6_family = AF_INET6;
-        int rv = inet_pton(AF_INET6, addr6, sin6.sin6_addr.s6_addr);
-        if (rv <= 0) {
-                fprintf(stderr, "Error: invalid IPv6 address %s\n", addr6);
-                exit(1);
-        }
-        // open socket
-        int sock = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
-        if (sock < 0) {
-                fprintf(stderr, "Error: IPv6 is not supported on this system\n");
-                exit(1);
-        }
-        // find interface index
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) {
-                perror("ioctl SIOGIFINDEX");
-                exit(1);
-        }
-        // configure address
-        struct ifreq6 ifr6;
-        memset(&ifr6, 0, sizeof(ifr6));
-        ifr6.ifr6_prefixlen = prefix;
-        ifr6.ifr6_ifindex = ifr.ifr_ifindex;
-        memcpy((char *) &ifr6.ifr6_addr, (char *) &sin6.sin6_addr, sizeof(struct in6_addr));
-        if (ioctl(sock, SIOCSIFADDR, &ifr6) < 0) {
-                perror("ioctl SIOCSIFADDR");
-                exit(1);
-        }
-        
-        close(sock);
-}
-// configure interface ipv4 address
-void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
-        if (strlen(ifname) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
-                exit(1);
-        }
-        if (arg_debug)
-                printf("configure interface %s\n", ifname);
-        int sock = socket(AF_INET,SOCK_DGRAM,0);
-        if (sock < 0)
-                errExit("socket");
-        struct ifreq ifr;
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
-        ifr.ifr_addr.sa_family = AF_INET;
-        ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
-        if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) {
-                close(sock);
-                errExit("ioctl");
-        }
-        if (ip != 0) {
-                ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr =  htonl(mask);
-                if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) {
-                        close(sock);
-                        errExit("ioctl");
-                }
-        }
-        
-        // configure mtu
-        if (mtu > 0) {
-                ifr.ifr_mtu = mtu;
-                if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) {
-                        close(sock);
-                        errExit("ioctl");
-                }
-        }
-        close(sock);
-        usleep(10000);                            // sleep 10ms
 }
 // add an IP route, return -1 if error, 0 if the route was added
 int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
        int sock;
@@ -425,52 +181,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
 }
-// add a veth device to a bridge
-void net_bridge_add_interface(const char *bridge, const char *dev) {
-        if (strlen(bridge) > IFNAMSIZ) {
-                fprintf(stderr, "Error: invalid network device name %s\n", bridge);
-                exit(1);
-        }
-        // somehow adding the interface to the bridge resets MTU on bridge device!!!
-        // workaround: restore MTU on the bridge device
-        // todo: put a real fix in
-        int mtu1 = net_get_mtu(bridge);
-        struct ifreq ifr;
-        int err;
-        int ifindex = if_nametoindex(dev);
-        if (ifindex <= 0)
-                errExit("if_nametoindex");
-        int sock;
-        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
-                errExit("socket");
-        memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
-#ifdef SIOCBRADDIF
-        ifr.ifr_ifindex = ifindex;
-        err = ioctl(sock, SIOCBRADDIF, &ifr);
-        if (err < 0)
-#endif
-        {
-                unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 };
-                ifr.ifr_data = (char *) args;
-                err = ioctl(sock, SIOCDEVPRIVATE, &ifr);
-        }
-        (void) err;
-        close(sock);
-        int mtu2 = net_get_mtu(bridge);
-        if (mtu1 != mtu2) {
-                if (arg_debug)
-                        printf("Restoring MTU for %s\n", bridge);
-                net_set_mtu(bridge, mtu1);
-        }
-}
 #define BUFSIZE 1024
 uint32_t network_get_defaultgw(void) {
@@ -504,20 +214,15 @@ uint32_t network_get_defaultgw(void) {
 }
 int net_config_mac(const char *ifname, const unsigned char mac[6]) {
-        struct ifreq ifr;
+        char *macstr;
-        int sock;
+        if (asprintf(&macstr, "%02x:%02x:%02x:%02x:%02x:%02x",
+                mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]) == -1)
-        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("asprintf");
-                errExit("socket");
-        memset(&ifr, 0, sizeof(ifr));
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, 
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+                PATH_FNET, "config", "mac", ifname, macstr);
-        ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
-        memcpy(ifr.ifr_hwaddr.sa_data, mac, 6);
        
-        if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1)
+        free(macstr);
-                errExit("ioctl");
-        close(sock);
        return 0;
 }
@@ -540,3 +245,27 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
        close(sock);
        return 0;
 }
+void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) {
+        assert(dev);
+        
+        char *ipstr;
+        if (asprintf(&ipstr, "%llu", (long long unsigned) ip) == -1)
+                errExit("asprintf");
+        char *maskstr;
+        if (asprintf(&maskstr, "%llu", (long long unsigned) mask) == -1)
+                errExit("asprintf");
+        char *mtustr;
+        if (asprintf(&mtustr, "%d", mtu) == -1)
+                errExit("asprintf");
+        
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, 
+                PATH_FNET, "config", "interface", dev, ipstr, maskstr, mtustr);
+        free(ipstr);
+        free(maskstr);
+        free(mtustr);
+}
diff --git a/src/firejail/network.txt b/src/firejail/network.txt
index 673d5b941..f6df0f485 100644
--- a/src/firejail/network.txt
+++ b/src/firejail/network.txt
@@ -13,7 +13,7 @@ net_configure_bridge(br, device) {
 }
 net_configure_sandbox_ip(br) {
-        if br->ip_snadbox
+        if br->ip_sandbox
                check br->ipsandbox inside the bridge network
                arp_check(br->ipsandbox)        // send an arp req to check if anybody else is using this address
        else
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index e6d5cd5d7..9fbc09d2b 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -23,6 +23,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <net/if.h>
+#include <stdarg.h>
 // configure bridge structure
 // - extract ip address and mask from the bridge interface
@@ -56,9 +57,12 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
                }
        }
+        // allow unconfigured interfaces
        if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) {
-                fprintf(stderr, "Error: interface %s is not configured\n", br->dev);
+                fprintf(stderr, "Warning: the network interface %s is not configured\n", br->dev);
-                exit(1);
+                br->configured = 1;
+                br->arg_ip_none = 1;
+                return;
        }
        if (arg_debug) {
                if (br->macvlan == 0)
@@ -117,15 +121,18 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
        // create a veth pair
        char *dev;
-        if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
+        if (br->veth_name == NULL) {
+                if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
+                        errExit("asprintf");
+        }
+        else
+                dev = br->veth_name;
+                
+        char *cstr;
+        if (asprintf(&cstr, "%d", child) == -1)
                errExit("asprintf");
-        net_create_veth(dev, ifname, child);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+        free(cstr);
-        // add interface to the bridge
-        net_bridge_add_interface(br->dev, dev);
-        // bring up the interface
-        net_if_up(dev);
        char *msg;
        if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
@@ -224,23 +231,6 @@ void net_check_cfg(void) {
        }
 }
-void net_dns_print_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        net_dns_print(pid);
-}
 #define MAXBUF 4096
 void net_dns_print(pid_t pid) {
        EUID_ASSERT();
@@ -282,47 +272,53 @@ void net_dns_print(pid_t pid) {
 }
 void network_main(pid_t child) {
+        char *cstr;
+        if (asprintf(&cstr, "%d", child) == -1)
+                errExit("asprintf");
        // create veth pair or macvlan device
        if (cfg.bridge0.configured) {
                if (cfg.bridge0.macvlan == 0) {
                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
                }
                else
-                        net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
        }
        
        if (cfg.bridge1.configured) {
                if (cfg.bridge1.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
                else
-                        net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
        }
        
        if (cfg.bridge2.configured) {
                if (cfg.bridge2.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
                else
-                        net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
        }
        
        if (cfg.bridge3.configured) {
                if (cfg.bridge3.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
                else
-                        net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
        }
        // move interfaces in sandbox
        if (cfg.interface0.configured) {
-                net_move_interface(cfg.interface0.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
        }
        if (cfg.interface1.configured) {
-                net_move_interface(cfg.interface1.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
        }
        if (cfg.interface2.configured) {
-                net_move_interface(cfg.interface2.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
        }
        if (cfg.interface3.configured) {
-                net_move_interface(cfg.interface3.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
        }
+        free(cstr);
 }
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index a9242f035..aae490c34 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -23,6 +23,65 @@
 #include <unistd.h>
 #include <grp.h>
+#define MAX_BUF 4096
+int is_container(const char *str) {
+        assert(str);
+        if (strcmp(str, "lxc") == 0 ||
+             strcmp(str, "docker") == 0 ||
+             strcmp(str, "lxc-libvirt") == 0 ||
+             strcmp(str, "systemd-nspawn") == 0 ||
+             strcmp(str, "rkt") == 0)
+                return 1;
+        return 0;
+}
+// returns 1 if we are running under LXC
+int check_namespace_virt(void) {
+        EUID_ASSERT();
+        
+        // check container environment variable
+        char *str = getenv("container");
+        if (str && is_container(str))
+                return 1;
+        
+        // check PID 1 container environment variable
+        EUID_ROOT();
+        FILE *fp = fopen("/proc/1/environ", "r");
+        if (fp) {
+                int c = 0;
+                while (c != EOF) {
+                        // read one line
+                        char buf[MAX_BUF];
+                        int i = 0;
+                        while ((c = fgetc(fp)) != EOF) {
+                                if (c == 0)
+                                        break;
+                                buf[i] = (char) c;
+                                if (++i == (MAX_BUF - 1))
+                                        break;
+                        }
+                        buf[i] = '\0';
+                        
+                        // check env var name
+                        if (strncmp(buf, "container=", 10) == 0) {
+                                // found it
+                                if (is_container(buf + 10)) {
+                                        fclose(fp);
+                                        EUID_USER();
+                                        return 1;
+                                }
+                        }
+//                      printf("i %d c %d, buf #%s#\n", i, c, buf);
+                }
+                
+                fclose(fp);
+        }
+                
+        EUID_USER();
+        return 0;
+}
 // check process space for kernel processes
 // return 1 if found, 0 if not found
 int check_kernel_procs(void) {
@@ -103,44 +162,130 @@ int check_kernel_procs(void) {
 void run_no_sandbox(int argc, char **argv) {
        EUID_ASSERT();
-        // build command
+        // process limited subset of options
-        char *command = NULL;
+        int i;
-        int allocated = 0;
+        for (i = 0; i < argc; i++) {
-        if (argc == 1)
+                if (strcmp(argv[i], "--csh") == 0) {
-                command = "/bin/bash";
+                        if (arg_shell_none) {
-        else {
+                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                // calculate length
+                                exit(1);
-                int len = 0;
+                        }
-                int i;
+                        if (cfg.shell) {
-                for (i = 1; i < argc; i++) {
+                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                        if (*argv[i] == '-')
+                                exit(1);
-                                continue;
+                        }
+                        cfg.shell = "/bin/csh";
+                }
+                else if (strcmp(argv[i], "--zsh") == 0) {
+                        if (arg_shell_none) {
+                                fprintf(stderr, "Error: --shell=none was already specified.\n");
+                                exit(1);
+                        }
+                        if (cfg.shell) {
+                                fprintf(stderr, "Error: only one default user shell can be specified\n");
+                                exit(1);
+                        }
+                        cfg.shell = "/bin/zsh";
+                }
+                else if (strcmp(argv[i], "--shell=none") == 0) {
+                        arg_shell_none = 1;
+                        if (cfg.shell) {
+                                fprintf(stderr, "Error: a shell was already specified\n");
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--shell=", 8) == 0) {
+                        if (arg_shell_none) {
+                                fprintf(stderr, "Error: --shell=none was already specified.\n");
+                                exit(1);
+                        }
+                        invalid_filename(argv[i] + 8);
+                        if (cfg.shell) {
+                                fprintf(stderr, "Error: only one user shell can be specified\n");
+                                exit(1);
+                        }
+                        cfg.shell = argv[i] + 8;
+                        if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
+                                fprintf(stderr, "Error: invalid shell\n");
+                                exit(1);
+                        }
+                        // access call checks as real UID/GID, not as effective UID/GID
+                        if(cfg.chrootdir) {
+                                char *shellpath;
+                                if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
+                                        errExit("asprintf");
+                                if (access(shellpath, R_OK)) {
+                                        fprintf(stderr, "Error: cannot access shell file in chroot\n");
+                                        exit(1);
+                                }
+                                free(shellpath);
+                        } else if (access(cfg.shell, R_OK)) {
+                                fprintf(stderr, "Error: cannot access shell file\n");
+                                exit(1);
+                        }
+                }
+        }
+        // use $SHELL to get shell used in sandbox
+        if (!arg_shell_none && !cfg.shell) {
+                char *shell =  getenv("SHELL");
+                if (access(shell, R_OK) == 0)
+                        cfg.shell = shell;
+        }
+        // guess shell otherwise
+        if (!arg_shell_none && !cfg.shell) {
+                cfg.shell = guess_shell();
+                if (arg_debug)
+                        printf("Autoselecting %s as shell\n", cfg.shell);
+        }
+        if (!arg_shell_none && !cfg.shell) {
+                fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
+                exit(1);
+        }
+        int prog_index = 0;
+        // find first non option arg:
+        //      - first argument not starting wiht --,
+        //      - whatever follows after -c (example: firejail -c ls)
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-c") == 0) {
+                        prog_index = i + 1;
+                        if (prog_index == argc) {
+                                fprintf(stderr, "Error: option -c requires an argument\n");
+                                exit(1);
+                        }
                        break;
                }
-                int start_index = i;
+                // check first argument not starting with --
-                for (i = start_index; i < argc; i++)
+                if (strncmp(argv[i],"--",2) != 0) {
-                        len += strlen(argv[i]) + 1;
+                        prog_index = i;
-                
+                        break;
-                // allocate
-                command = malloc(len + 1);
-                if (!command)
-                        errExit("malloc");
-                memset(command, 0, len + 1);
-                allocated = 1;
-                
-                // copy
-                for (i = start_index; i < argc; i++) {
-                        strcat(command, argv[i]);
-                        strcat(command, " ");
                }
        }
-        
-        // start the program in /bin/sh
+        if (!arg_shell_none) {
-        fprintf(stderr, "Warning: an existing sandbox was detected. "
+                if (prog_index == 0) {
-                "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
+                        cfg.command_line = cfg.shell;
-        int rv = system(command);
+                        cfg.window_title = cfg.shell;
-        (void) rv;
+                } else {
-        if (allocated)
+                        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
-                free(command);
+                }
-        exit(1);
+        }
+        cfg.original_argv = argv;
+        cfg.original_program_index = prog_index;
+        char *command;
+        if (prog_index == 0)
+                command = cfg.shell;
+        else
+                command = argv[prog_index];
+        if (!arg_quiet)
+                fprintf(stderr, "Warning: an existing sandbox was detected. "
+                        "%s will run without any additional sandboxing features\n", command);
+        start_application();
 }
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 269ac25ea..91fe7f164 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -27,7 +27,6 @@ void check_output(int argc, char **argv) {
        
        int i;
        char *outfile = NULL;
-//      drop_privs(0);
        int found = 0;
        for (i = 1; i < argc; i++) {
@@ -91,6 +90,7 @@ void check_output(int argc, char **argv) {
        sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
        // run command
+        drop_privs(0);
        char *a[4];
        a[0] = "/bin/bash";
        a[1] = "-c";
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
new file mode 100644
index 000000000..ea4e6743f
--- /dev/null
+++ b/src/firejail/preproc.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
+static int tmpfs_mounted = 0;
+// build /run/firejail directory
+void preproc_build_firejail_dir(void) {
+        struct stat s;
+        // CentOS 6 doesn't have /run directory
+        if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
+        }
+        if (stat(RUN_FIREJAIL_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
+        }
+                
+        if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
+        }
+        
+        if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
+        }
+        
+        if (stat(RUN_MNT_DIR, &s)) {
+                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+        }
+        create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
+        create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
+}
+// build /run/firejail/mnt directory
+void preproc_mount_mnt_dir(void) {
+        // mount tmpfs on top of /run/firejail/mnt
+        if (!tmpfs_mounted) {
+                if (arg_debug)
+                        printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
+                if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        errExit("mounting /run/firejail/mnt");
+                tmpfs_mounted = 1;
+                fs_logger2("tmpfs", RUN_MNT_DIR);
+                
+                // create all seccomp files
+                // as root, create RUN_SECCOMP_I386 file
+                create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
+                if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
+                        errExit("set_perms");
+                // as root, create RUN_SECCOMP_AMD64 file
+                create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
+                if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
+                        errExit("set_perms");
+                // as root, create RUN_SECCOMP file
+                create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
+                if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
+                        errExit("set_perms");
+                // as root, create RUN_SECCOMP_PROTOCOL file
+                create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
+                if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
+                        errExit("set_perms");
+        }
+}
+// grab a copy of cp command
+void preproc_build_cp_command(void) {
+        struct stat s;
+        preproc_mount_mnt_dir();
+        if (stat(RUN_CP_COMMAND, &s)) {
+                char* fname = realpath("/bin/cp", NULL);
+                if (fname == NULL || stat(fname, &s) || is_link(fname)) {
+                        fprintf(stderr, "Error: invalid /bin/cp\n");
+                        exit(1);
+                }
+                int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot access /bin/cp\n");
+                        exit(1);
+                }
+                ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
+                        
+                free(fname);
+        }
+}
+// delete the temporary cp command
+void preproc_delete_cp_command(void) {
+        unlink(RUN_CP_COMMAND);
+}
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 6ded0ca2f..0fd45d1ef 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -105,7 +105,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // mkdir 
        if (strncmp(ptr, "mkdir ", 6) == 0) {
                fs_mkdir(ptr + 6);
-                return 0;
+                return 1;       // process mkdir again while applying blacklists
+        }
+        // mkfile 
+        if (strncmp(ptr, "mkfile ", 7) == 0) {
+                fs_mkfile(ptr + 7);
+                return 1;       // process mkfile again while applying blacklists
        }
        // sandbox name
        else if (strncmp(ptr, "name ", 5) == 0) {
@@ -131,6 +136,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        else if (strcmp(ptr, "nonewprivs") == 0) {
+                arg_nonewprivs = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "seccomp") == 0) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP))
@@ -160,6 +169,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_private = 1;
                return 0;
        }
+        if (strncmp(ptr, "private-home ", 13) == 0) {
+#ifdef HAVE_PRIVATE_HOME
+                if (checkcfg(CFG_PRIVATE_HOME)) {
+                        cfg.home_private_keep = ptr + 13;
+                        fs_check_home_list();
+                        arg_private = 1;
+                }
+                else
+                        fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        else if (strcmp(ptr, "allusers") == 0) {
+                arg_allusers = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "private-dev") == 0) {
                arg_private_dev = 1;
                return 0;
@@ -174,7 +199,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        else if (strcmp(ptr, "nosound") == 0) {
                arg_nosound = 1;
-                arg_private_dev = 1;
+                return 0;
+        }
+        else if (strcmp(ptr, "no3d") == 0) {
+                arg_no3d = 1;
                return 0;
        }
        else if (strcmp(ptr, "netfilter") == 0) {
@@ -274,6 +302,29 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+        else if (strncmp(ptr, "veth-name ", 10) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        br->veth_name = strdup(ptr + 10);
+                        if (br->veth_name == NULL)
+                                errExit("strdup");
+                        if (*br->veth_name == '\0') {
+                                fprintf(stderr, "Error: no veth-name configured\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
        else if (strncmp(ptr, "iprange ", 8) == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK)) {
@@ -319,11 +370,145 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
-        
+        else if (strncmp(ptr, "mac ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (mac_not_zero(br->macsandbox)) {
+                                fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
+                                exit(1);
+                        }
+                        // read the address
+                        if (atomac(ptr + 4, br->macsandbox)) {
+                                fprintf(stderr, "Error: invalid MAC address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "mtu ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
+                                fprintf(stderr, "Error: invalid mtu value\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "ip ", 3) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ipsandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+                        // configure this IP address for the last bridge defined
+                        if (strcmp(ptr + 3, "none") == 0)
+                                br->arg_ip_none = 1;
+                        else {
+                                if (atoip(ptr + 3, &br->ipsandbox)) {
+                                        fprintf(stderr, "Error: invalid IP address\n");
+                                        exit(1);
+                                }
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "ip6 ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ip6sandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+                        // configure this IP address for the last bridge defined
+                        // todo: verify ipv6 syntax
+                        br->ip6sandbox = ptr + 4;
+//                      if (atoip(argv[i] + 5, &br->ipsandbox)) {
+//                              fprintf(stderr, "Error: invalid IP address\n");
+//                              exit(1);
+//                      }
+                        
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "defaultgw ", 10) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        if (atoip(ptr + 10, &cfg.defaultgw)) {
+                                fprintf(stderr, "Error: invalid IP address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "apparmor") == 0) {
+#ifdef HAVE_APPARMOR            
+                arg_apparmor = 1;
+#endif
+                return 0;
+        }
        if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
-                if (checkcfg(CFG_SECCOMP))
+                if (checkcfg(CFG_SECCOMP)) {
-                        protocol_store(ptr + 9);
+                        if (cfg.protocol) {
+                                if (!arg_quiet)
+                                        fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
+                                return 0;
+                        }
+                        
+                        // store list
+                        cfg.protocol = strdup(ptr + 9);
+                        if (!cfg.protocol)
+                                errExit("strdup");
+                }
                else
                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
 #endif
@@ -331,7 +516,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        
        if (strncmp(ptr, "env ", 4) == 0) {
-                env_store(ptr + 4);
+                env_store(ptr + 4, SETENV);
+                return 0;
+        }
+        if (strncmp(ptr, "rmenv ", 6) == 0) {
+                env_store(ptr + 6, RMENV);
                return 0;
        }
        
@@ -340,9 +529,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP)) {
                        arg_seccomp = 1;
-                        cfg.seccomp_list = strdup(ptr + 8);
+                        cfg.seccomp_list = seccomp_check_list(ptr + 8);
-                        if (!cfg.seccomp_list)
-                                errExit("strdup");
                }
                else
                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
@@ -356,9 +543,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP)) {
                        arg_seccomp = 1;
-                        cfg.seccomp_list_drop = strdup(ptr + 13);
+                        cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
-                        if (!cfg.seccomp_list_drop)
-                                errExit("strdup");
                }
                else
                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
@@ -371,9 +556,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP)) {
                        arg_seccomp = 1;
-                        cfg.seccomp_list_keep= strdup(ptr + 13);
+                        cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
-                        if (!cfg.seccomp_list_keep)
-                                errExit("strdup");
                }
                else
                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
@@ -387,7 +570,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_caps_list = strdup(ptr + 10);
                if (!arg_caps_list)
                        errExit("strdup");
-                // verify seccomp list and exit if problems
+                // verify caps list and exit if problems
                if (caps_check_list(arg_caps_list, NULL))
                        exit(1);
                return 0;
@@ -399,7 +582,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_caps_list = strdup(ptr + 10);
                if (!arg_caps_list)
                        errExit("strdup");
-                // verify seccomp list and exit if problems
+                // verify caps list and exit if problems
                if (caps_check_list(arg_caps_list, NULL))
                        exit(1);
                return 0;
@@ -441,6 +624,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // nice value
        if (strncmp(ptr, "nice ", 4) == 0) {
                cfg.nice = atoi(ptr + 5);
+                if (getuid() != 0 &&cfg.nice < 0)
+                        cfg.nice = 0;
                arg_nice = 1;
                return 0;
        }
@@ -451,6 +636,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+        // writable-etc
+        if (strcmp(ptr, "writable-etc") == 0) {
+                if (cfg.etc_private_keep) {
+                        fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
+                arg_writable_etc = 1;
+                return 0;
+        }
+        
+        // writable-var
+        if (strcmp(ptr, "writable-var") == 0) {
+                arg_writable_var = 1;
+                return 0;
+        }
+        
        // private directory
        if (strncmp(ptr, "private ", 8) == 0) {
                cfg.home_private = ptr + 8;
@@ -459,16 +660,85 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "x11 none") == 0) {
+                arg_x11_block = 1;
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xephyr") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0) {
+                                mask_x11_abstract_socket = 1;
+                                return 0;
+                        }
+                        else {
+                                // start x11
+                                x11_start_xephyr(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xorg") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11))
+                        arg_x11_xorg = 1;
+                else {
+                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                        return 0;
+                }
+#endif
+                return 0;
+        }
+        if (strcmp(ptr, "x11 xpra") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0) {
+                                mask_x11_abstract_socket = 1;
+                                return 0;
+                        }
+                        else {
+                                // start x11
+                                x11_start_xpra(cfg.original_argc, cfg.original_argv);
+                                exit(0);
+                        }
+                }
+#endif
+                return 0;
+        }
+        
+        if (strcmp(ptr, "x11") == 0) {
+#ifdef HAVE_X11
+                if (checkcfg(CFG_X11)) {
+                        char *x11env = getenv("FIREJAIL_X11");
+                        if (x11env && strcmp(x11env, "yes") == 0) {
+                                mask_x11_abstract_socket = 1;
+                                return 0;
+                        }
+                        else {
+                                // start x11
+                                x11_start(cfg.original_argc, cfg.original_argv);
+                                exit(0);                
+                        }
+                }
+#endif          
+                return 0;
+        }
+        
        // private /etc list of files and directories
        if (strncmp(ptr, "private-etc ", 12) == 0) {
+                if (arg_writable_etc) {
+                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
                cfg.etc_private_keep = ptr + 12;
                fs_check_etc_list();
-                if (*cfg.etc_private_keep != '\0')
+                arg_private_etc = 1;
-                        arg_private_etc = 1;
-                else {
-                        arg_private_etc = 0;
-                        fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-                }
                
                return 0;
        }
@@ -569,6 +839,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;               
        }
+        if (strncmp(ptr, "join-or-start ", 14) == 0) {
+                // try to join by name only
+                pid_t pid;
+                if (!name2pid(ptr + 14, &pid)) {
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
+                        // find first non-option arg
+                        int i;
+                        for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
+                        join(pid, cfg.original_argc,cfg.original_argv, i + 1);
+                        exit(0);
+                }
+                // set sandbox name and start normally
+                cfg.name = ptr + 14;
+                if (strlen(cfg.name) == 0) {
+                        fprintf(stderr, "Error: invalid sandbox name\n");
+                        exit(1);
+                }
+                return 0;
+        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
@@ -577,11 +871,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        else if (strncmp(ptr, "noblacklist ", 12) == 0)
                ptr += 12;
        else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                arg_whitelist = 1;
+#ifdef HAVE_WHITELIST           
-                ptr += 10;
+                if (checkcfg(CFG_WHITELIST)) {
+                        arg_whitelist = 1;
+                        ptr += 10;
+                }
+                else
+                        return 0;
+#else           
+                return 0;
+#endif
        }
        else if (strncmp(ptr, "read-only ", 10) == 0)
                ptr += 10;
+        else if (strncmp(ptr, "read-write ", 11) == 0)
+                ptr += 11;
+        else if (strncmp(ptr, "noexec ", 7) == 0)
+                ptr += 7;
        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
                if (getuid() != 0) {
                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
@@ -651,6 +957,16 @@ void profile_read(const char *fname) {
                exit(1);
        }
+        // allow debuggers
+        if (arg_allow_debuggers) {
+                char *tmp = strrchr(fname, '/');
+                if (tmp && *(tmp + 1) != '\0') {
+                        tmp++;
+                        if (strcmp(tmp, "disable-devel.inc") == 0)
+                                return;
+                }
+        }
        // open profile file:
        FILE *fp = fopen(fname, "r");
        if (fp == NULL) {
@@ -658,8 +974,7 @@ void profile_read(const char *fname) {
                exit(1);
        }
-        if (!arg_quiet)
+        int msg_printed = 0;
-                fprintf(stderr, "Reading profile %s\n", fname);
        // read the file line by line
        char buf[MAX_READ + 1];
@@ -677,6 +992,17 @@ void profile_read(const char *fname) {
                        continue;
                }
                
+                // process quiet
+                if (strcmp(ptr, "quiet") == 0) {
+                        arg_quiet = 1;
+                        continue;
+                }
+                if (!msg_printed) {
+                        if (!arg_quiet)
+                                fprintf(stderr, "Reading profile %s\n", fname);
+                        msg_printed = 1;
+                }
                // process include
                if (strncmp(ptr, "include ", 8) == 0) {
                        include_level++;
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 7e5ab7dfb..2a09ed010 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,269 +18,18 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-/*
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL,
-                ONLY(SYS_socket),
-                EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else
-                WHITELIST(AF_INET),
-                WHITELIST(AF_INET6),
-                WHITELIST(AF_PACKET),
-                RETURN_ERRNO(ENOTSUP)
-        };
-        struct sock_fprog prog = {
-                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
-                .filter = filter,
-        };
-        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                perror("prctl(NO_NEW_PRIVS)");
-                return 1;
-        }
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-                perror("prctl");
-                return 1;
-        }
-*/
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
-#include "seccomp.h"
+#include "../include/seccomp.h"
-#include <sys/types.h>
-#include <sys/socket.h>
-static char *protocol[] = {
-        "unix",
-        "inet",
-        "inet6",
-        "netlink",
-        "packet",
-        NULL
-};
-static struct sock_filter protocol_filter_command[] = {
-        WHITELIST(AF_UNIX),
-        WHITELIST(AF_INET),
-        WHITELIST(AF_INET6),
-        WHITELIST(AF_NETLINK),
-        WHITELIST(AF_PACKET)
-};
-// Note: protocol[] and protocol_filter_command are synchronized
-// command length
-struct sock_filter whitelist[] = {
-        WHITELIST(AF_UNIX)
-};
-unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter);
-static int is_protocol(const char *p) {
-        int i = 0;
-        while (protocol[i] != NULL) {
-                if (strcmp(protocol[i], p) == 0)
-                        return 1;
-                i++;
-        }
-        return 0;
-}       
-static struct sock_filter *find_protocol_domain(const char *p) {
-        int i = 0;
-        while (protocol[i] != NULL) {
-                if (strcmp(protocol[i], p) == 0)
-                        return &protocol_filter_command[i * whitelist_len];
-                i++;
-        }
-        return NULL;
-}       
-// --debug-protocols
-void protocol_list(void) {
-        EUID_ASSERT();
-        
-#ifndef SYS_socket
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#endif
-        int i = 0;
-        while (protocol[i] != NULL) {
-                printf("%s, ", protocol[i]);
-                i++;
-        }
-        printf("\n");
-}
-// check protocol list and store it in cfg structure
-void protocol_store(const char *prlist) {
-        EUID_ASSERT();
-        assert(prlist);
-        
-        if (cfg.protocol && !arg_quiet) {
-                fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist);
-                return;
-        }
-        
-        // temporary list
-        char *tmplist = strdup(prlist);
-        if (!tmplist)
-                errExit("strdup");
-        
-        // check list
-        char *token = strtok(tmplist, ",");
-        if (!token)
-                goto errout;
-                
-        while (token) {
-                if (!is_protocol(token))
-                        goto errout;
-                token = strtok(NULL, ",");
-        }       
-        free(tmplist);
-        
-        // store list
-        cfg.protocol = strdup(prlist);
-        if (!cfg.protocol)
-                errExit("strdup");
-        return;
-                
-errout:
-        fprintf(stderr, "Error: invalid protocol list\n");
-        exit(1);
-}       
-// install protocol filter
-void protocol_filter(void) {
-        assert(cfg.protocol);
-        if (arg_debug)
-                printf("Set protocol filter: %s\n", cfg.protocol);
-#ifndef SYS_socket
-        (void) find_protocol_domain;
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#else
-        // build the filter
-        struct sock_filter filter[32];  // big enough
-        memset(&filter[0], 0, sizeof(filter));
-        uint8_t *ptr = (uint8_t *) &filter[0];
-        
-        // header
-        struct sock_filter filter_start[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL,
-                ONLY(SYS_socket),
-                EXAMINE_ARGUMENT(0)
-        };
-        memcpy(ptr, &filter_start[0], sizeof(filter_start));
-        ptr += sizeof(filter_start);
-#if 0
-printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
-#endif
-        // parse list and add commands
-        char *tmplist = strdup(cfg.protocol);
-        if (!tmplist)
-                errExit("strdup");
-        char *token = strtok(tmplist, ",");
-        if (!token)
-                errExit("strtok");
-                
-        while (token) {
-                struct sock_filter *domain = find_protocol_domain(token);
-                assert(domain);
-                memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
-                ptr += whitelist_len * sizeof(struct sock_filter);
-                token = strtok(NULL, ",");
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
-        }       
-        free(tmplist);
-        // add end of filter
-        struct sock_filter filter_end[] = {
-                RETURN_ERRNO(ENOTSUP)
-        };
-        memcpy(ptr, &filter_end[0], sizeof(filter_end));
-        ptr += sizeof(filter_end);
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif  
-        // install filter
-        unsigned short entries = (unsigned short) ((uintptr_t) ptr - (uintptr_t) (filter)) / (unsigned) sizeof(struct sock_filter);
-        struct sock_fprog prog = {
-                .len = entries,
-                .filter = filter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-                return;
-        }
-#endif // SYS_socket    
-}
 void protocol_filter_save(void) {
        // save protocol filter configuration in PROTOCOL_CFG
-        fs_build_mnt_dir();
        FILE *fp = fopen(RUN_PROTOCOL_CFG, "w");
        if (!fp)
                errExit("fopen");
        fprintf(fp, "%s\n", cfg.protocol);
+        SET_PERMS_STREAM(fp, 0, 0, 0600);
        fclose(fp);
-        if (chmod(RUN_PROTOCOL_CFG, 0600) < 0)
-                errExit("chmod");
-        if (chown(RUN_PROTOCOL_CFG, 0, 0) < 0)
-                errExit("chown");
 }
 void protocol_filter_load(const char *fname) {
@@ -310,29 +59,6 @@ void protocol_filter_load(const char *fname) {
 // --protocol.print
-void protocol_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        
-        (void) name;
-#ifdef SYS_socket
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        protocol_print_filter(pid);
-#else
-        fprintf(stderr, "Warning: --protocol not supported on this platform\n");
-        return;
-#endif
-}
-// --protocol.print
 void protocol_print_filter(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 1eb5e59e1..6ec590eaa 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -53,16 +53,32 @@ doexit:
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
+        if (arg_debug)
+                printf("disable pulseaudio\n");
        // blacklist user config directory
        disable_file(cfg.homedir, ".config/pulse");
+        // blacklist pulseaudio socket in XDG_RUNTIME_DIR
+        char *name = getenv("XDG_RUNTIME_DIR");
+        if (name)
+                disable_file(name, "pulse/native");
+        // try the default location anyway
+        char *path;
+        if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+                errExit("asprintf");
+        disable_file(path, "pulse/native");
+        free(path);
+                
        // blacklist any pulse* file in /tmp directory
        DIR *dir;
        if (!(dir = opendir("/tmp"))) {
                // sleep 2 seconds and try again
                sleep(2);
                if (!(dir = opendir("/tmp"))) {
-                        fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets are not disabled\n");
                        return;
                }
        }
@@ -76,10 +92,6 @@ void pulseaudio_disable(void) {
        closedir(dir);
-        // blacklist XDG_RUNTIME_DIR
-        char *name = getenv("XDG_RUNTIME_DIR");
-        if (name)
-                disable_file(name, "pulse/native");
 }
@@ -92,33 +104,23 @@ void pulseaudio_init(void) {
                return;
         
        // create the new user pulseaudio directory
-         fs_build_mnt_dir();
        int rv = mkdir(RUN_PULSE_DIR, 0700);
        (void) rv; // in --chroot mode the directory can already be there
-        if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0)
+        if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
-                errExit("chown");
+                errExit("set_perms");
-        if (chmod(RUN_PULSE_DIR, 0700) < 0)
-                errExit("chmod");
        // create the new client.conf file
        char *pulsecfg = NULL;
        if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                errExit("asprintf");
-        if (is_link("/etc/pulse/client.conf")) {
+        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))
-                fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
-                exit(1);
-        }
-        if (copy_file("/etc/pulse/client.conf", pulsecfg))
                errExit("copy_file");
        FILE *fp = fopen(pulsecfg, "a+");
        if (!fp)
                errExit("fopen");
        fprintf(fp, "%s", "\nenable-shm = no\n");
+        SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
        fclose(fp);
-        if (chmod(pulsecfg, 0644) == -1)
-                errExit("chmod");
-        if (chown(pulsecfg, getuid(), getgid()) == -1)
-                errExit("chown");
        // create ~/.config/pulse directory if not present
        char *dir1;
@@ -127,10 +129,8 @@ void pulseaudio_init(void) {
        if (stat(dir1, &s) == -1) {
                int rv = mkdir(dir1, 0755);
                if (rv == 0) {
-                        rv = chown(dir1, getuid(), getgid());
+                        if (set_perms(dir1, getuid(), getgid(), 0755))
-                        (void) rv;
+                                {;} // do nothing
-                        rv = chmod(dir1, 0755);
-                        (void) rv;
                }
        }
        free(dir1);
@@ -139,10 +139,8 @@ void pulseaudio_init(void) {
        if (stat(dir1, &s) == -1) {
                int rv = mkdir(dir1, 0700);
                if (rv == 0) {
-                        rv = chown(dir1, getuid(), getgid());
+                        if (set_perms(dir1, getuid(), getgid(), 0700))
-                        (void) rv;
+                                {;} // do nothing
-                        rv = chmod(dir1, 0700);
-                        (void) rv;
                }
        }
        free(dir1);
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 5a41c441b..393851148 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -26,6 +26,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <errno.h>
+#include "../../uids.h"
 #define MAXBUF 1024
@@ -72,7 +73,6 @@ static void sanitize_home(void) {
                return;
        }
        
-        fs_build_mnt_dir();
        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
                errExit("mkdir");
@@ -95,10 +95,8 @@ static void sanitize_home(void) {
        fs_logger2("mkdir", cfg.homedir);
        
        // set mode and ownership
-        if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
+        if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
-                errExit("chown");
+                errExit("set_perms");
-        if (chmod(cfg.homedir, s.st_mode) == -1)
-                errExit("chmod");
        // mount user home directory
        if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -118,7 +116,7 @@ static void sanitize_passwd(void) {
        if (stat("/etc/passwd", &s) == -1)
                return;
        if (arg_debug)
-                printf("Sanitizing /etc/passwd\n");
+                printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN);
        if (is_link("/etc/passwd")) {
                fprintf(stderr, "Error: invalid /etc/passwd\n");
                exit(1);
@@ -126,7 +124,6 @@ static void sanitize_passwd(void) {
        FILE *fpin = NULL;
        FILE *fpout = NULL;
-        fs_build_mnt_dir();
        // open files
        /* coverity[toctou] */
@@ -170,7 +167,7 @@ static void sanitize_passwd(void) {
                int rv = sscanf(ptr, "%d:", &uid);
                if (rv == 0 || uid < 0)
                        goto errout;
-                if (uid < 1000) { // todo extract UID_MIN from /etc/login.def
+                if (uid < UID_MIN) {
                        fprintf(fpout, "%s", buf);
                        continue;
                }
@@ -186,12 +183,9 @@ static void sanitize_passwd(void) {
                fprintf(fpout, "%s", buf);
        }
        fclose(fpin);
+        SET_PERMS_STREAM(fpout, 0, 0, 0644);
        fclose(fpout);
-        if (chown(RUN_PASSWD_FILE, 0, 0) == -1)
-                errExit("chown");
-        if (chmod(RUN_PASSWD_FILE, 0644) == -1)
-                errExit("chmod");
-                
        // mount-bind tne new password file
        if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
@@ -255,7 +249,7 @@ static void sanitize_group(void) {
        if (stat("/etc/group", &s) == -1)
                return;
        if (arg_debug)
-                printf("Sanitizing /etc/group\n");
+                printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN);
        if (is_link("/etc/group")) {
                fprintf(stderr, "Error: invalid /etc/group\n");
                exit(1);
@@ -263,7 +257,6 @@ static void sanitize_group(void) {
        FILE *fpin = NULL;
        FILE *fpout = NULL;
-        fs_build_mnt_dir();
        // open files
        /* coverity[toctou] */
@@ -306,7 +299,7 @@ static void sanitize_group(void) {
                int rv = sscanf(ptr, "%d:", &gid);
                if (rv == 0 || gid < 0)
                        goto errout;
-                if (gid < 1000) { // todo extract GID_MIN from /etc/login.def
+                if (gid < GID_MIN) {
                        if (copy_line(fpout, buf, ptr))
                                goto errout;
                        continue;
@@ -318,12 +311,9 @@ static void sanitize_group(void) {
                        goto errout;
        }
        fclose(fpin);
+        SET_PERMS_STREAM(fpout, 0, 0, 0644);
        fclose(fpout);
-        if (chown(RUN_GROUP_FILE, 0, 0) == -1)
-                errExit("chown");
-        if (chmod(RUN_GROUP_FILE, 0644) == -1)
-                errExit("chmod");
-                
        // mount-bind tne new group file
        if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
@@ -340,6 +330,9 @@ errout:
 }
 void restrict_users(void) {
+        if (arg_allusers)
+                return;
+                
        // only in user mode
        if (getuid()) {
                if (strncmp(cfg.homedir, "/home/", 6) == 0) {
@@ -347,7 +340,7 @@ void restrict_users(void) {
                        sanitize_home();
                }
                else {
-                        // user has the home diercotry outside /home
+                        // user has the home directory outside /home
                        // mount tmpfs on top of /home in order to hide it
                        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                                errExit("mount tmpfs");
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index ee6e94957..979bb1eed 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -18,6 +18,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <fnmatch.h>
 #define MAX_READ 4096   // maximum line length
 char *restricted_user = NULL;
@@ -40,7 +41,7 @@ int restricted_shell(const char *user) {
        char buf[MAX_READ];
        while (fgets(buf, MAX_READ, fp)) {
                lineno++;
-                
                // remove empty spaces at the beginning of the line
                char *ptr = buf;
                while (*ptr == ' ' || *ptr == '\t') { 
@@ -48,21 +49,26 @@ int restricted_shell(const char *user) {
                }
                if (*ptr == '\n' || *ptr == '#')
                        continue;
+                //
+                // parse line
+                //
                
-                // parse line   
+                // extract users
                char *usr = ptr;
                char *args = strchr(usr, ':');
                if (args == NULL) {
                        fprintf(stderr, "Error: users.conf line %d\n", lineno);
                        exit(1);
                }
+                
                *args = '\0';
                args++;
                ptr = strchr(args, '\n');
                if (ptr)
                        *ptr = '\0';
                
-                // if nothing follows, continue
+                // extract firejail command line arguments
                char *ptr2 = args;
                int found = 0;
                while (*ptr2 != '\0') {
@@ -70,29 +76,42 @@ int restricted_shell(const char *user) {
                                found = 1;
                                break;
                        }
+                        ptr2++;
                }
+                // if nothing follows, continue
                if (!found)
                        continue;
                
-                // process user
+                // user name globbing
-                if (strcmp(user, usr) == 0) {
+                if (fnmatch(usr, user, 0) == 0) {
-                        restricted_user = strdup(user);
+                        // process program arguments
-                        // extract program arguments
                        fullargv[0] = "firejail";
                        int i;
                        ptr = args;
                        for (i = 1; i < MAX_ARGS; i++) {
-                                fullargv[i] = ptr;
+                                // skip blanks
-                                while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
+                                while (*ptr == ' ' || *ptr == '\t')
                                        ptr++;
+                                fullargv[i] = ptr;
+#ifdef DEBUG_RESTRICTED_SHELL
+                                {EUID_ROOT();
+                                FILE *fp = fopen("/firelog", "a");
+                                if (fp) {
+                                        fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]);
+                                        fclose(fp);
+                                }
+                                EUID_USER();}
+#endif                          
+                                
                                if (*ptr != '\0') {
+                                        // go to the end of the word
+                                        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
+                                                ptr++;
                                        *ptr ='\0';
                                        fullargv[i] = strdup(fullargv[i]);
-                                        if (fullargv[i] == NULL) {
+                                        if (fullargv[i] == NULL)
-                                                fprintf(stderr, "Error: cannot allocate memory\n");
+                                                errExit("strdup");
-                                                exit(1);
-                                        }
                                        ptr++;
                                        while (*ptr == ' ' || *ptr == '\t')
                                                ptr++;
@@ -108,7 +127,7 @@ int restricted_shell(const char *user) {
                }
        }
        fclose(fp);
-                         
        return 0;   
 }
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index d57816e12..8aa2fe53f 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -91,14 +91,22 @@ void run_symlink(int argc, char **argv) {
        printf("Redirecting symlink to %s\n", program);
+        // drop privileges
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
        // run command
        char *a[3 + argc];
        a[0] = firejail;
        a[1] = program;
        int i;
-        for (i = 0; i < (argc - 1); i++)
+        for (i = 0; i < (argc - 1); i++) {
                a[i + 2] = argv[i + 1];
+        }
        a[i + 2] = NULL;
+        assert(getenv("LD_PRELOAD") == NULL);   
        execvp(a[0], a); 
        perror("execvp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3f3564295..109daf552 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -28,12 +28,23 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <sched.h>
 #ifndef CLONE_NEWUSER
 #define CLONE_NEWUSER   0x10000000
 #endif
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
        if (!arg_quiet) {
@@ -70,8 +81,11 @@ static void sandbox_handler(int sig){
                
        }
        // broadcast a SIGKILL
        kill(-1, SIGKILL);
+        flush_stdin();
        exit(sig);
 }
@@ -94,9 +108,8 @@ void save_nogroups(void) {
        FILE *fp = fopen(RUN_GROUPS_CFG, "w");
        if (fp) {
                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
                fclose(fp);
-                if (chown(RUN_GROUPS_CFG, 0, 0) < 0)
-                        errExit("chown");
        }
        else {
                fprintf(stderr, "Error: cannot save nogroups state\n");
@@ -109,7 +122,7 @@ static void sandbox_if_up(Bridge *br) {
        assert(br);
        if (!br->configured)
                return;
-                
        char *dev = br->devsandbox;
        net_if_up(dev);
@@ -124,8 +137,7 @@ static void sandbox_if_up(Bridge *br) {
                assert(br->ipsandbox);
                if (arg_debug)
                        printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(br->ipsandbox), dev);
-                net_if_ip(dev, br->ipsandbox, br->mask, br->mtu);
+                net_config_interface(dev, br->ipsandbox, br->mask, br->mtu);
-                net_if_up(dev);
        }
        else if (br->arg_ip_none == 0 && br->macvlan == 1) {
                // reassign the macvlan address
@@ -147,8 +159,7 @@ static void sandbox_if_up(Bridge *br) {
                        
                if (arg_debug)
                        printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(br->ipsandbox), dev);
-                net_if_ip(dev, br->ipsandbox, br->mask, br->mtu);
+                net_config_interface(dev, br->ipsandbox, br->mask, br->mtu);
-                net_if_up(dev);
        }
        
        if (br->ip6sandbox)
@@ -198,6 +209,12 @@ static int monitor_application(pid_t app_pid) {
                if (arg_debug)
                        printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
+                // if /proc is not remounted, we cannot check /proc directory,
+                // for now we just get out of here
+                // todo: find another way of checking child processes!
+                if (!checkcfg(CFG_REMOUNT_PROC_SYS))
+                        break;
                DIR *dir;
                if (!(dir = opendir("/proc"))) {
                        // sleep 2 seconds and try again
@@ -237,40 +254,46 @@ static int monitor_application(pid_t app_pid) {
        // return the latest exit status.
        return status;
+}
-#if 0
+void start_audit(void) {
-// todo: find a way to shut down interfaces before closing the namespace
+        char *audit_prog;
-// the problem is we don't have enough privileges to shutdown interfaces in this moment
+        if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
-        // shut down bridge/macvlan interfaces
+                errExit("asprintf");
-        if (any_bridge_configured()) {
+        assert(getenv("LD_PRELOAD") == NULL);   
-                
+        execl(audit_prog, audit_prog, NULL);
-                if (cfg.bridge0.configured) {
+        perror("execl");
-                        printf("Shutting down %s\n", cfg.bridge0.devsandbox);
+        exit(1);
-                        net_if_down( cfg.bridge0.devsandbox);
-                }
-                if (cfg.bridge1.configured) {
-                        printf("Shutting down %s\n", cfg.bridge1.devsandbox);
-                        net_if_down( cfg.bridge1.devsandbox);
-                }
-                if (cfg.bridge2.configured) {
-                        printf("Shutting down %s\n", cfg.bridge2.devsandbox);
-                        net_if_down( cfg.bridge2.devsandbox);
-                }
-                if (cfg.bridge3.configured) {
-                        printf("Shutting down %s\n", cfg.bridge3.devsandbox);
-                        net_if_down( cfg.bridge3.devsandbox);
-                }
-                usleep(20000);  // 20 ms sleep
-        }       
-#endif  
 }
+void start_application(void) {
+//if (setsid() == -1)
+//errExit("setsid");
-static void start_application(void) {
+        // set environment
+        env_defaults();
+        env_apply();
+        if (arg_debug) {
+                printf("starting application\n");
+                printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
+        }
+        
+        //****************************************
+        // audit
+        //****************************************
+        if (arg_audit) {
+                assert(arg_audit_prog);
+                struct stat s;
+                if (stat(arg_audit_prog, &s) != 0) {
+                        fprintf(stderr, "Error: cannot find the audit program\n");
+                        exit(1);
+                }
+                execl(arg_audit_prog, arg_audit_prog, NULL);
+        }
        //****************************************
        // start the program without using a shell
        //****************************************
-        if (arg_shell_none) {
+        else if (arg_shell_none) {
                if (arg_debug) {
                        int i;
                        for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -289,35 +312,33 @@ static void start_application(void) {
                        printf("Child process initialized\n");
                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+                exit(1);
        }
        //****************************************
        // start the program using a shell
        //****************************************
        else {
-                // choose the shell requested by the user, or use bash as default
+                assert(cfg.shell);
-                char *sh;
+                assert(cfg.command_line);
-                if (cfg.shell)
-                        sh = cfg.shell;
-                else if (arg_zsh)
-                        sh = "/usr/bin/zsh";
-                else if (arg_csh)
-                        sh = "/bin/csh";
-                else
-                        sh = "/bin/bash";
-                        
                char *arg[5];
                int index = 0;
-                arg[index++] = sh;
+                arg[index++] = cfg.shell;
-                arg[index++] = "-c";
+                if (login_shell) {
-                assert(cfg.command_line);
+                        arg[index++] = "-l";
-                if (arg_debug)
+                        if (arg_debug)
-                        printf("Starting %s\n", cfg.command_line);
+                                printf("Starting %s login shell\n", cfg.shell);
-                if (arg_doubledash) 
+                } else {
-                        arg[index++] = "--";
+                        arg[index++] = "-c";
-                arg[index++] = cfg.command_line;
+                        if (arg_debug)
+                                printf("Running %s command through %s\n", cfg.command_line, cfg.shell);
+                        if (arg_doubledash)
+                                arg[index++] = "--";
+                        arg[index++] = cfg.command_line;
+                }
                arg[index] = NULL;
                assert(index < 5);
-                
                if (arg_debug) {
                        char *msg;
                        if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1)
@@ -325,7 +346,7 @@ static void start_application(void) {
                        logmsg(msg);
                        free(msg);
                }
-                
                if (arg_debug) {
                        int i;
                        for (i = 0; i < 5; i++) {
@@ -334,17 +355,40 @@ static void start_application(void) {
                                printf("execvp argument %d: %s\n", i, arg[i]);
                        }
                }
-                
                if (!arg_command && !arg_quiet)
                        printf("Child process initialized\n");
-                execvp(sh, arg);
+                execvp(arg[0], arg);
        }
-        
        perror("execvp");
        exit(1); // it should never get here!!!
 }
+static void enforce_filters(void) {
+        // force default seccomp inside the chroot, no keep or drop list
+        // the list build on top of the default drop list is kept intact
+        arg_seccomp = 1;
+        if (cfg.seccomp_list_drop) {
+                free(cfg.seccomp_list_drop);
+                cfg.seccomp_list_drop = NULL;
+        }
+        if (cfg.seccomp_list_keep) {
+                free(cfg.seccomp_list_keep);
+                cfg.seccomp_list_keep = NULL;
+        }
+        
+        // disable all capabilities
+        if (arg_caps_default_filter || arg_caps_list)
+                fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
+        arg_caps_drop_all = 1;
+        
+        // drop all supplementary groups; /etc/group file inside chroot
+        // is controlled by a regular usr
+        arg_nogroups = 1;
+        if (!arg_quiet)
+                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
+}
 int sandbox(void* sandbox_arg) {
        // Get rid of unused parameter warning
@@ -364,6 +408,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_debug && child_pid == 1)
                printf("PID namespace installed\n");
        //****************************
        // set hostname
        //****************************
@@ -379,7 +424,8 @@ int sandbox(void* sandbox_arg) {
        if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) {
                chk_chroot();
        }
-        
+        // ... and mount a tmpfs on top of /run/firejail/mnt directory
+        preproc_mount_mnt_dir();
        
        //****************************
        // log sandbox data
@@ -396,7 +442,7 @@ int sandbox(void* sandbox_arg) {
        fs_logger("install mount namespace");
        
        //****************************
-        // netfilter etc.
+        // netfilter
        //****************************
        if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter
                netfilter(arg_netfilter_file);
@@ -405,6 +451,101 @@ int sandbox(void* sandbox_arg) {
                netfilter6(arg_netfilter6_file);
        }
+        //****************************
+        // networking
+        //****************************
+        int gw_cfg_failed = 0; // default gw configuration flag
+        if (arg_nonetwork) {
+                net_if_up("lo");
+                if (arg_debug)
+                        printf("Network namespace enabled, only loopback interface available\n");
+        }
+        else if (any_bridge_configured() || any_interface_configured()) {
+                // configure lo and eth0...eth3
+                net_if_up("lo");
+                
+                if (mac_not_zero(cfg.bridge0.macsandbox))
+                        net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox);
+                sandbox_if_up(&cfg.bridge0);
+                
+                if (mac_not_zero(cfg.bridge1.macsandbox))
+                        net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox);
+                sandbox_if_up(&cfg.bridge1);
+                
+                if (mac_not_zero(cfg.bridge2.macsandbox))
+                        net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox);
+                sandbox_if_up(&cfg.bridge2);
+                
+                if (mac_not_zero(cfg.bridge3.macsandbox))
+                        net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox);
+                sandbox_if_up(&cfg.bridge3);
+                
+                // moving an interface in a namespace using --interface will reset the interface configuration;
+                // we need to put the configuration back
+                if (cfg.interface0.configured && cfg.interface0.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev);
+                        net_config_interface(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu);
+                }                       
+                if (cfg.interface1.configured && cfg.interface1.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev);
+                        net_config_interface(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu);
+                }                       
+                if (cfg.interface2.configured && cfg.interface2.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev);
+                        net_config_interface(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu);
+                }                       
+                if (cfg.interface3.configured && cfg.interface3.ip) {
+                        if (arg_debug)
+                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev);
+                        net_config_interface(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu);
+                }                       
+                        
+                // add a default route
+                if (cfg.defaultgw) {
+                        // set the default route
+                        if (net_add_route(0, 0, cfg.defaultgw)) {
+                                fprintf(stderr, "Warning: cannot configure default route\n");
+                                gw_cfg_failed = 1;
+                        }
+                }
+                if (arg_debug)
+                        printf("Network namespace enabled\n");
+        }
+        
+        // print network configuration
+        if (!arg_quiet) {
+                if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) {
+                        printf("\n");
+                        if (any_bridge_configured() || any_interface_configured()) {
+//                              net_ifprint();
+                                if (arg_scan)
+                                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, PATH_FNET, "printif", "scan");
+                                else
+                                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET, "printif", "scan");
+                                
+                        }
+                        if (cfg.defaultgw != 0) {
+                                if (gw_cfg_failed)
+                                        printf("Default gateway configuration failed\n");
+                                else
+                                        printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
+                        }
+                        if (cfg.dns1 != 0)
+                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
+                        if (cfg.dns2 != 0)
+                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
+                        if (cfg.dns3 != 0)
+                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
+                        printf("\n");
+                }
+        }
        // load IBUS env variables
        if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) {
                // do nothing - there are problems with ibus version 1.5.11
@@ -412,11 +553,29 @@ int sandbox(void* sandbox_arg) {
        else
                env_ibus_load();
        
-        // grab a copy of cp command
+        //****************************
-        fs_build_cp_command();
+        // fs pre-processing:
-        
+        //  - copy some commands under /run
+        //  - build seccomp filters
+        //  - create an empty /etc/ld.so.preload
+        //****************************
+        preproc_build_cp_command();
+#ifdef HAVE_SECCOMP
+        if (cfg.protocol) {
+                if (arg_debug)
+                        printf("Build protocol filter: %s\n", cfg.protocol);
+                // build the seccomp filter as a regular user
+                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+                        PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL);
+                if (rv)
+                        exit(rv);
+        }
+#endif  
        // trace pre-install
-        if (arg_trace || arg_tracelog)
+        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                fs_trace_preload();
        //****************************
@@ -425,39 +584,23 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
        int enforce_seccomp = 0;
 #endif
+        if (arg_appimage) {
+                enforce_filters();
+#ifdef HAVE_SECCOMP
+                enforce_seccomp = 1;
+#endif          
+        }
 #ifdef HAVE_CHROOT              
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
-                // redo cp command
-                fs_build_cp_command();
                
                // force caps and seccomp if not started as root
                if (getuid() != 0) {
-                        // force default seccomp inside the chroot, no keep or drop list
+                        enforce_filters();
-                        // the list build on top of the default drop list is kept intact
-                        arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
                        enforce_seccomp = 1;
 #endif
-                        if (cfg.seccomp_list_drop) {
-                                free(cfg.seccomp_list_drop);
-                                cfg.seccomp_list_drop = NULL;
-                        }
-                        if (cfg.seccomp_list_keep) {
-                                free(cfg.seccomp_list_keep);
-                                cfg.seccomp_list_keep = NULL;
-                        }
-                        
-                        // disable all capabilities
-                        if (arg_caps_default_filter || arg_caps_list)
-                                fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");
-                        arg_caps_drop_all = 1;
-                        
-                        // drop all supplementary groups; /etc/group file inside chroot
-                        // is controlled by a regular usr
-                        arg_nogroups = 1;
-                        if (!arg_quiet)
-                                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
                }
                else
                        arg_seccomp = 1;
@@ -465,17 +608,28 @@ int sandbox(void* sandbox_arg) {
                //****************************
                // trace pre-install, this time inside chroot
                //****************************
-                if (arg_trace || arg_tracelog)
+                if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                        fs_trace_preload();
        }
        else 
 #endif          
-        if (arg_overlay)        
+#ifdef HAVE_OVERLAYFS
+        if (arg_overlay)        {
                fs_overlayfs();
+                // force caps and seccomp if not started as root
+                if (getuid() != 0) {
+                        enforce_filters();
+#ifdef HAVE_SECCOMP
+                        enforce_seccomp = 1;
+#endif
+                }
+                else
+                        arg_seccomp = 1;
+        }
        else
+#endif
                fs_basic_fs();
        
        //****************************
        // set hostname in /etc/hostname
        //****************************
@@ -487,145 +641,135 @@ int sandbox(void* sandbox_arg) {
        // private mode
        //****************************
        if (arg_private) {
-                if (cfg.home_private)   // --private=
+                if (cfg.home_private) { // --private=
-                        fs_private_homedir();
+                        if (cfg.chrootdir)
+                                fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n");
+                        else if (arg_overlay)
+                                fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n");
+                        else
+                                fs_private_homedir();
+                }
+                else if (cfg.home_private_keep) { // --private-home=
+                        if (cfg.chrootdir)
+                                fprintf(stderr, "Warning: private-home= feature is disabled in chroot\n");
+                        else if (arg_overlay)
+                                fprintf(stderr, "Warning: private-home= feature is disabled in overlay\n");
+                        else
+                                fs_private_home_list();
+                }
                else // --private
                        fs_private();
        }
-        
-        if (arg_private_dev)
+        if (arg_private_dev) {
-                fs_private_dev();
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n");
+                else
+                        fs_private_dev();
+        }
+                
        if (arg_private_etc) {
-                fs_private_etc_list();
+                if (cfg.chrootdir)
-                // create /etc/ld.so.preload file again
+                        fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
-                if (arg_trace || arg_tracelog)
+                else if (arg_overlay)
-                        fs_trace_preload();
+                        fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
+                else {
+                        fs_private_etc_list();
+                        // create /etc/ld.so.preload file again
+                        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+                                fs_trace_preload();
+                }
+        }
+        
+        if (arg_private_bin) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
+                else {
+                        // for --x11=xorg we need to add xauth command
+                        if (arg_x11_xorg) {
+                                EUID_USER();
+                                char *tmp;
+                                if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
+                                        errExit("asprintf");
+                                cfg.bin_private_keep = tmp;
+                                fs_check_bin_list();
+                                EUID_ROOT();
+                        }
+                        fs_private_bin_list();
+                }
+        }
+        
+        if (arg_private_tmp) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
+                else {
+                        // private-tmp is implemented as a whitelist
+                        EUID_USER();
+                        profile_add("whitelist /tmp/.X11-unix");
+                        EUID_ROOT();
+                }
        }
-        if (arg_private_bin)
+        
-                fs_private_bin_list();
+        //****************************
-        if (arg_private_tmp)
+        // update /proc, /sys, /dev, /boot directorymy
-                fs_private_tmp();
+        //****************************
+        if (checkcfg(CFG_REMOUNT_PROC_SYS))
+                fs_proc_sys_dev_boot();
        
        //****************************
        // apply the profile file
        //****************************
-        if (cfg.profile) {
+        // apply all whitelist commands ... 
-                // apply all whitelist commands ... 
+        if (cfg.chrootdir)
+                fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
+        else if (arg_overlay)
+                fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
+        else
                fs_whitelist();
-                
+        
-                // ... followed by blacklist commands
+        // ... followed by blacklist commands
-                fs_blacklist();
+        fs_blacklist(); // mkdir and mkfile are processed all over again
-        }
        
        //****************************
        // install trace
        //****************************
-        if (arg_trace || arg_tracelog)
+        if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                fs_trace();
                
        //****************************
-        // update /proc, /dev, /boot directorymy
+        // nosound/no3d and fix for pulseaudio 7.0
-        //****************************
-        fs_proc_sys_dev_boot();
-        
-        //****************************
-        // --nosound and fix for pulseaudio 7.0
        //****************************
-        if (arg_nosound)
+        if (arg_nosound) {
+                // disable pulseaudio
                pulseaudio_disable();
+                // disable /dev/snd
+                fs_dev_disable_sound();
+        }
        else
                pulseaudio_init();
        
+        if (arg_no3d)
+                fs_dev_disable_3d();
+        
        //****************************
-        // networking
+        // set dns
        //****************************
-        if (arg_nonetwork) {
-                net_if_up("lo");
-                if (arg_debug)
-                        printf("Network namespace enabled, only loopback interface available\n");
-        }
-        else if (any_bridge_configured() || any_interface_configured()) {
-                // configure lo and eth0...eth3
-                net_if_up("lo");
-                
-                if (mac_not_zero(cfg.bridge0.macsandbox))
-                        net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox);
-                sandbox_if_up(&cfg.bridge0);
-                
-                if (mac_not_zero(cfg.bridge1.macsandbox))
-                        net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox);
-                sandbox_if_up(&cfg.bridge1);
-                
-                if (mac_not_zero(cfg.bridge2.macsandbox))
-                        net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox);
-                sandbox_if_up(&cfg.bridge2);
-                
-                if (mac_not_zero(cfg.bridge3.macsandbox))
-                        net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox);
-                sandbox_if_up(&cfg.bridge3);
-                
-                // add a default route
-                if (cfg.defaultgw) {
-                        // set the default route
-                        if (net_add_route(0, 0, cfg.defaultgw))
-                                fprintf(stderr, "Warning: cannot configure default route\n");
-                }
-                
-                // enable interfaces
-                if (cfg.interface0.configured && cfg.interface0.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev);
-                        net_if_ip(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu);
-                        net_if_up(cfg.interface0.dev);
-                }                       
-                if (cfg.interface1.configured && cfg.interface1.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev);
-                        net_if_ip(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu);
-                        net_if_up(cfg.interface1.dev);
-                }                       
-                if (cfg.interface2.configured && cfg.interface2.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev);
-                        net_if_ip(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu);
-                        net_if_up(cfg.interface2.dev);
-                }                       
-                if (cfg.interface3.configured && cfg.interface3.ip) {
-                        if (arg_debug)
-                                printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev);
-                        net_if_ip(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu);
-                        net_if_up(cfg.interface3.dev);
-                }                       
-                        
-                if (arg_debug)
-                        printf("Network namespace enabled\n");
-        }
-        
-        // if any dns server is configured, it is time to set it now
        fs_resolvconf();
+        
+        //****************************
+        // fs post-processing
+        //****************************
+        preproc_delete_cp_command();
        fs_logger_print();
        fs_logger_change_owner();
-        // print network configuration
-        if (!arg_quiet) {
-                if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) {
-                        printf("\n");
-                        if (any_bridge_configured() || any_interface_configured())
-                                net_ifprint();
-                        if (cfg.defaultgw != 0)
-                                printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
-                        if (cfg.dns1 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
-                        if (cfg.dns2 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
-                        if (cfg.dns3 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
-                        printf("\n");
-                }
-        }
-        
-        fs_delete_cp_command();
        //****************************
        // set application environment
        //****************************
@@ -649,12 +793,6 @@ int sandbox(void* sandbox_arg) {
                }
        }
        
-        // set environment
-        env_defaults();
-        
-        // set user-supplied environment variables
-        env_apply();
        // set nice
        if (arg_nice) {
                errno = 0;
@@ -668,6 +806,8 @@ int sandbox(void* sandbox_arg) {
        
        // clean /tmp/.X11-unix sockets
        fs_x11();
+        if (arg_x11_xorg)
+                x11_xorg();
        
        //****************************
        // set security filters
@@ -679,35 +819,35 @@ int sandbox(void* sandbox_arg) {
        // set rlimits
        set_rlimits();
-        // set seccomp
+        // set cpu affinity
+        if (cfg.cpus) {
+                save_cpu(); // save cpu affinity mask to CPU_CFG file
+                set_cpu_affinity();
+        }
+        
+        // save cgroup in CGROUP_CFG file
+        if (cfg.cgroup)
+                save_cgroup();
+        // set seccomp //todo: push it down after drop_privs and/or configuring noroot
 #ifdef HAVE_SECCOMP
        // install protocol filter
        if (cfg.protocol) {
-                protocol_filter();      // install filter       
+                if (arg_debug)
-                protocol_filter_save(); // save filter in PROTOCOL_CFG
+                        printf("Install protocol filter: %s\n", cfg.protocol);
+                seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter       
+                protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
        }
        // if a keep list is available, disregard the drop list
        if (arg_seccomp == 1) {
                if (cfg.seccomp_list_keep)
                        seccomp_filter_keep();
-                else if (cfg.seccomp_list_errno)
-                        seccomp_filter_errno(); 
                else
                        seccomp_filter_drop(enforce_seccomp);
        }
 #endif
-        // set cpu affinity
-        if (cfg.cpus) {
-                save_cpu(); // save cpu affinity mask to CPU_CFG file
-                set_cpu_affinity();
-        }
-        
-        // save cgroup in CGROUP_CFG file
-        if (cfg.cgroup)
-                save_cgroup();
        //****************************************
        // drop privileges or create a new user namespace
        //****************************************
@@ -715,7 +855,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_noroot) {
                int rv = unshare(CLONE_NEWUSER);
                if (rv == -1) {
-                        fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it...\n");
+                        fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
                        drop_privs(arg_nogroups);
                        arg_noroot = 0;
                }
@@ -739,6 +879,18 @@ int sandbox(void* sandbox_arg) {
                        printf("noroot user namespace installed\n");
                set_caps();
        }
+        
+        //****************************************
+        // Set NO_NEW_PRIVS if desired
+        //****************************************
+        if (arg_nonewprivs) {
+                int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+                if(no_new_privs != 0)
+                        fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                else if (arg_debug)
+                        printf("NO_NEW_PRIVS set\n");
+        }
        //****************************************
        // fork the application and monitor it
@@ -746,13 +898,27 @@ int sandbox(void* sandbox_arg) {
        pid_t app_pid = fork();
        if (app_pid == -1)
                errExit("fork");
-                
        if (app_pid == 0) {
+#ifdef HAVE_APPARMOR
+                if (arg_apparmor) {
+                        errno = 0;
+                        if (aa_change_onexec("firejail-default")) {
+                                fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
+                                fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
+                                fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
+                                exit(1);
+                        }
+                        else if (arg_debug)
+                                printf("AppArmor enabled\n");
+                }
+#endif          
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                start_application();    // start app
        }
        int status = monitor_application(app_pid);      // monitor application
+        flush_stdin();
        if (WIFEXITED(status)) {
                // if we had a proper exit, return that exit status
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
new file mode 100644
index 000000000..430ffb86e
--- /dev/null
+++ b/src/firejail/sbox.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <net/if.h>
+#include <stdarg.h>
+ #include <sys/wait.h>
+#include "../include/seccomp.h"
+static struct sock_filter filter[] = {
+        VALIDATE_ARCHITECTURE,
+        EXAMINE_SYSCALL,
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+        // handle X32 ABI
+        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+        RETURN_ERRNO(EPERM),
+#endif
+        // syscall list
+#ifdef SYS_mount                
+        BLACKLIST(SYS_mount),  // mount/unmount filesystems
+#endif
+#ifdef SYS_umount2              
+        BLACKLIST(SYS_umount2),
+#endif
+#ifdef SYS_ptrace               
+        BLACKLIST(SYS_ptrace), // trace processes
+#endif
+#ifdef SYS_kexec_file_load              
+        BLACKLIST(SYS_kexec_file_load),
+#endif
+#ifdef SYS_kexec_load           
+        BLACKLIST(SYS_kexec_load), // loading a different kernel
+#endif
+#ifdef SYS_name_to_handle_at            
+        BLACKLIST(SYS_name_to_handle_at),
+#endif
+#ifdef SYS_open_by_handle_at            
+        BLACKLIST(SYS_open_by_handle_at), // open by handle
+#endif
+#ifdef SYS_init_module          
+        BLACKLIST(SYS_init_module), // kernel module handling
+#endif
+#ifdef SYS_finit_module // introduced in 2013
+        BLACKLIST(SYS_finit_module),
+#endif
+#ifdef SYS_create_module
+        BLACKLIST(SYS_create_module),
+#endif
+#ifdef SYS_delete_module                
+        BLACKLIST(SYS_delete_module),
+#endif
+#ifdef SYS_iopl         
+        BLACKLIST(SYS_iopl), // io permissions
+#endif
+#ifdef  SYS_ioperm      
+        BLACKLIST(SYS_ioperm),
+#endif
+#ifdef SYS_iopl         
+        BLACKLIST(SYS_iopl), // io permissions
+#endif
+#ifdef  SYS_ioprio_set  
+        BLACKLIST(SYS_ioprio_set),
+#endif
+#ifdef SYS_ni_syscall // new io permissions call on arm devices
+        BLACKLIST(SYS_ni_syscall),
+#endif
+#ifdef SYS_swapon               
+        BLACKLIST(SYS_swapon), // swap on/off
+#endif
+#ifdef SYS_swapoff              
+        BLACKLIST(SYS_swapoff),
+#endif
+#ifdef SYS_syslog               
+        BLACKLIST(SYS_syslog), // kernel printk control
+#endif
+        RETURN_ALLOW
+};
+static struct sock_fprog prog = {
+        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+        .filter = filter,
+};
+typedef struct sbox_config {
+        char *name;
+        char *path;
+        unsigned filters;
+} SboxConfig;
+int sbox_run(unsigned filter, int num, ...) {
+        EUID_ROOT();
+        
+        int i;
+        va_list valist;
+        va_start(valist, num);
+        // build argument list
+        char *arg[num + 1];
+        for (i = 0; i < num; i++)
+                arg[i] = va_arg(valist, char*);
+        arg[i] = NULL;
+        va_end(valist);
+        
+        if (arg_debug) {
+                printf("sbox run: ");
+                for (i = 0; i <= num; i++)
+                        printf("%s ", arg[i]);
+                printf("\n");
+        }
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // clean the new process
+                clearenv();
+                int max = 20; // getdtablesize() is overkill for a firejail process
+                for (i = 3; i < max; i++)
+                        close(i); // close open files
+                if ((filter & SBOX_ALLOW_STDIN) == 0) {
+                        int fd = open("/dev/null",O_RDWR, 0);
+                        if (fd != -1) {
+                                dup2 (fd, STDIN_FILENO);
+                                if (fd > 2)
+                                        close (fd);
+                        }
+                        else // the user could run the sandbox without /dev/null
+                                close(STDIN_FILENO);
+                }
+                umask(027);     
+                // apply filters
+                if (filter & SBOX_CAPS_NONE) {
+                        caps_drop_all();
+                }
+                else if (filter & SBOX_CAPS_NETWORK) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN;
+                        set |=  ((uint64_t) 1) << CAP_NET_RAW;
+                        caps_set(set);
+#endif
+                }       
+                if (filter & SBOX_SECCOMP) {
+                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                                perror("prctl(NO_NEW_PRIVS)");
+                        }
+                        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                                perror("prctl(PR_SET_SECCOMP)");
+                        }
+                }
+                if (filter & SBOX_ROOT) {
+                        // elevate privileges in order to get grsecurity working
+                        if (setreuid(0, 0))
+                                errExit("setreuid");
+                        if (setregid(0, 0))
+                                errExit("setregid");
+                }
+                else if (filter & SBOX_USER)
+                        drop_privs(1);
+                clearenv();
+                if (arg[0])     // get rid of scan-build warning
+                        execvp(arg[0], arg);
+                else
+                        assert(0);
+                perror("execl");
+                _exit(1);
+        }
+        int status;
+        if (waitpid(child, &status, 0) == -1 ) {
+                errExit("waitpid");
+        }
+        if (WIFEXITED(status) && status != 0) {
+                fprintf(stderr, "Error: failed to run %s\n", arg[0]);
+                exit(1);
+        }
+        
+        return status;
+}
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7108b5a05..4a2221e98 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -20,798 +20,216 @@
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
-#include "seccomp.h"
+#include "../include/seccomp.h"
-#define SECSIZE 128 // initial filter size
-static struct sock_filter *sfilter = NULL;
-static int sfilter_alloc_size = 0;
-static int sfilter_index = 0;
-// debug filter
-void filter_debug(void) {
-        // start filter
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL
-        };
-        // print sizes
+char *seccomp_check_list(const char *str) {
-        printf("SECCOMP Filter:\n");
+        assert(str);
-        if (sfilter == NULL) {
+        if (strlen(str) == 0) {
-                printf("SECCOMP filter not allocated\n");
+                fprintf(stderr, "Error: empty syscall lists are not allowed\n");
-                return;
+                exit(1);
        }
-        if (sfilter_index < 4)
-                return;
        
-        // test the start of the filter
+        int len = strlen(str) + 1;
-        if (memcmp(sfilter, filter, sizeof(filter)) == 0) {
+        char *rv = malloc(len);
-                printf("  VALIDATE_ARCHITECTURE\n");
+        if (!rv)
-                printf("  EXAMINE_SYSCAL\n");
+                errExit("malloc");
-        }
+        memset(rv, 0, len);
        
-        // loop trough blacklists
+        const char *ptr1 = str;
-        int i = 4;
+        char *ptr2 = rv;
-        while (i < sfilter_index) {
+        while (*ptr1 != '\0') {
-                // minimal parsing!
+                if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':')
-                unsigned char *ptr = (unsigned char *) &sfilter[i];
+                        *ptr2++ = *ptr1++;
-                int *nr = (int *) (ptr + 4);
-                if (*ptr        == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
-                        printf("  WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
-                        i += 2;
-                }
-                else if (*ptr   == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
-                        printf("  BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
-                        i += 2;
-                }
-                else if (*ptr   == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
-                        int err = *(ptr + 13) << 8 | *(ptr + 12);
-                        printf("  ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
-                        i += 2;
-                }
-                else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
-                        printf("  KILL_PROCESS\n");
-                        i++;
-                }
-                else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
-                        printf("  RETURN_ALLOW\n");
-                        i++;
-                }
                else {
-                        printf("  UNKNOWN ENTRY!!!\n");
+                        fprintf(stderr, "Error: invalid syscall list\n");
-                        i++;
+                        exit(1);
                }
        }
+                                                
+        return rv;
 }
-// initialize filter
-static void filter_init(void) {
-        if (sfilter) {
-                assert(0);
-                return;
-        }
-//      if (arg_debug)
-//              printf("Initialize seccomp filter\n");  
-        // allocate a filter of SECSIZE
-        sfilter = malloc(sizeof(struct sock_filter) * SECSIZE);
-        if (!sfilter)
-                errExit("malloc");
-        memset(sfilter, 0, sizeof(struct sock_filter) * SECSIZE);
-        sfilter_alloc_size = SECSIZE;
-        
-        // copy the start entries
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL
-        };
-        sfilter_index = sizeof(filter) / sizeof(struct sock_filter);    
-        memcpy(sfilter, filter, sizeof(filter));
-}
-static void filter_realloc(void) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-        if (arg_debug)
-                printf("Allocating more seccomp filter entries\n");
-        
-        // allocate the new memory
-        struct sock_filter *old = sfilter;
-        sfilter = malloc(sizeof(struct sock_filter) * (sfilter_alloc_size + SECSIZE));
-        if (!sfilter)
-                errExit("malloc");
-        memset(sfilter, 0, sizeof(struct sock_filter) *  (sfilter_alloc_size + SECSIZE));
-        
-        // copy old filter
-        memcpy(sfilter, old, sizeof(struct sock_filter) *  sfilter_alloc_size);
-        sfilter_alloc_size += SECSIZE;
-}
-static void filter_add_whitelist(int syscall, int arg) {
-        (void) arg;
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
-        
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        
-        struct sock_filter filter[] = {
-                WHITELIST(syscall)
-        };
-#if 0
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-static void filter_add_blacklist(int syscall, int arg) {
-        (void) arg;
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
-        
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        
-        struct sock_filter filter[] = {
-                BLACKLIST(syscall)
-        };
-#if 0
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-static void filter_add_errno(int syscall, int arg) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Errno syscall %d %d %s\n", syscall, arg, syscall_find_nr(syscall));
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        struct sock_filter filter[] = {
-                BLACKLIST_ERRNO(syscall, arg)
-        };
-#if 0
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);
-}
-static void filter_end_blacklist(void) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-//      if (arg_debug)
-//              printf("Ending syscall filter\n");
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        
-        struct sock_filter filter[] = {
-                RETURN_ALLOW
-        };
-#if 0   
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-static void filter_end_whitelist(void) {
-        assert(sfilter);
-        assert(sfilter_alloc_size);
-        assert(sfilter_index);
-        if (arg_debug)
-                printf("Ending syscall filter\n");
-        if ((sfilter_index + 2) > sfilter_alloc_size)
-                filter_realloc();
-        
-        struct sock_filter filter[] = {
-                KILL_PROCESS
-        };
-#if 0   
-{
-        int i;
-        unsigned char *ptr = (unsigned char *) &filter[0];
-        for (i = 0; i < sizeof(filter); i++, ptr++)
-                printf("%x, ", (*ptr) & 0xff);
-        printf("\n");
-}
-#endif
-        memcpy(&sfilter[sfilter_index], filter, sizeof(filter));
-        sfilter_index += sizeof(filter) / sizeof(struct sock_filter);   
-}
-// save seccomp filter in  /run/firejail/mnt/seccomp
-static void write_seccomp_file(void) {
-        fs_build_mnt_dir();
-        assert(sfilter);
-        int fd = open(RUN_SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
+int seccomp_load(const char *fname) {
-        if (fd == -1)
+        assert(fname);
-                errExit("open");
-        if (arg_debug)
-                printf("Save seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter)));
-        errno = 0;
-        ssize_t sz = write(fd, sfilter, sfilter_index * sizeof(struct sock_filter));
-        if (sz != (ssize_t)(sfilter_index * sizeof(struct sock_filter))) {
-                fprintf(stderr, "Error: cannot save seccomp filter\n");
-                exit(1);
-        }
-        close(fd);
-        if (chown(RUN_SECCOMP_CFG, 0, 0) < 0)
-                errExit("chown");
-}
-// read seccomp filter from /run/firejail/mnt/seccomp
-static void read_seccomp_file(const char *fname) {
-        assert(sfilter == NULL && sfilter_index == 0);
        // check file
        struct stat s;
        if (stat(fname, &s) == -1) {
-                fprintf(stderr, "Warning: seccomp file not found\n");
+                fprintf(stderr, "Error: cannot read protocol filter file\n");
-                return;
-        }
-        ssize_t sz = s.st_size;
-        if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) {
-                fprintf(stderr, "Error: invalid seccomp file\n");
                exit(1);
        }
-        sfilter = malloc(sz);
+        int size = s.st_size;
-        if (!sfilter)
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
-                errExit("malloc");
+//printf("size %d, entries %d\n", s.st_size, entries);
-                
-        // read file
+        // read filter
-        /* coverity[toctou] */
+        struct sock_filter filter[entries];
-        int fd = open(fname,O_RDONLY);
+        memset(&filter[0], 0, sizeof(filter));
-        if (fd == -1)
+        int src = open(fname, O_RDONLY);
-                errExit("open");
+        int rd = 0;
-        errno = 0;              
+        while (rd < size) {
-        ssize_t size = read(fd, sfilter, sz);
+                int rv = read(src, (unsigned char *) filter + rd, size - rd);
-        if (size != sz) {
+                if (rv == -1) {
-                fprintf(stderr, "Error: invalid seccomp file\n");
+                        fprintf(stderr, "Error: cannot read %s file\n", fname);
-                exit(1);
+                        exit(1);
+                }
+                rd += rv;
        }
-        sfilter_index = sz / sizeof(struct sock_filter);
+        close(src);
-        if (arg_debug)
+        // install filter
-                printf("Read seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter)));
+        struct sock_fprog prog = {
+                .len = entries,
+                .filter = filter,
+        };
-        close(fd);
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                return 1;
+        }
        
-        if (arg_debug)
+        return 0;
-                filter_debug();
 }
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
-        // hardcoded syscall values
+        if (arg_debug)
-        struct sock_filter filter[] = {
+                printf("Build secondary 32-bit filter\n");
-                VALIDATE_ARCHITECTURE_32,
-                EXAMINE_SYSCALL,
-                BLACKLIST(21), // mount
-                BLACKLIST(52), // umount2
-                BLACKLIST(26), // ptrace
-                BLACKLIST(283), // kexec_load
-                BLACKLIST(342), // open_by_handle_at
-                BLACKLIST(128), // init_module
-                BLACKLIST(350), // finit_module
-                BLACKLIST(129), // delete_module
-                BLACKLIST(110), // iopl
-                BLACKLIST(101), // ioperm
-                BLACKLIST(87), // swapon
-                BLACKLIST(115), // swapoff
-                BLACKLIST(103), // syslog
-                BLACKLIST(347), // process_vm_readv
-                BLACKLIST(348), // process_vm_writev
-                BLACKLIST(135), // sysfs
-                BLACKLIST(149), // _sysctl
-                BLACKLIST(124), // adjtimex
-                BLACKLIST(343), // clock_adjtime
-                BLACKLIST(253), // lookup_dcookie
-                BLACKLIST(336), // perf_event_open
-                BLACKLIST(338), // fanotify_init
-                BLACKLIST(349), // kcmp
-                BLACKLIST(286), // add_key
-                BLACKLIST(287), // request_key
-                BLACKLIST(288), // keyctl
-                BLACKLIST(86), // uselib
-                BLACKLIST(51), // acct
-                BLACKLIST(123), // modify_ldt
-                BLACKLIST(217), // pivot_root
-                BLACKLIST(245), // io_setup
-                BLACKLIST(246), // io_destroy
-                BLACKLIST(247), // io_getevents
-                BLACKLIST(248), // io_submit
-                BLACKLIST(249), // io_cancel
-                BLACKLIST(257), // remap_file_pages
-                BLACKLIST(274), // mbind
-                BLACKLIST(275), // get_mempolicy
-                BLACKLIST(276), // set_mempolicy
-                BLACKLIST(294), // migrate_pages
-                BLACKLIST(317), // move_pages
-                BLACKLIST(316), // vmsplice
-                BLACKLIST(61),  // chroot
-                BLACKLIST(88), // reboot
-                BLACKLIST(169), // nfsservctl
-                BLACKLIST(130), // get_kernel_syms
-                RETURN_ALLOW
-        };
-        struct sock_fprog prog = {
+        // build the seccomp filter as a regular user
-                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                .filter = filter,
+                PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
-        };
+        if (rv)
+                exit(rv);
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        if (seccomp_load(RUN_SECCOMP_I386) == 0) {
-                ;
+                if (arg_debug)
-        }
+                        printf("Dual i386/amd64 seccomp filter configured\n");
-        else if (arg_debug) {
-                printf("Dual i386/amd64 seccomp filter configured\n");
        }
 }
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
-        // hardcoded syscall values
+        if (arg_debug)
-        struct sock_filter filter[] = {
+                printf("Build secondary 64-bit filter\n");
-                VALIDATE_ARCHITECTURE_64,
-                EXAMINE_SYSCALL,
-                BLACKLIST(165), // mount
-                BLACKLIST(166), // umount2
-                BLACKLIST(101), // ptrace
-                BLACKLIST(246), // kexec_load
-                BLACKLIST(304), // open_by_handle_at
-                BLACKLIST(175), // init_module
-                BLACKLIST(313), // finit_module
-                BLACKLIST(176), // delete_module
-                BLACKLIST(172), // iopl
-                BLACKLIST(173), // ioperm
-                BLACKLIST(167), // swapon
-                BLACKLIST(168), // swapoff
-                BLACKLIST(103), // syslog
-                BLACKLIST(310), // process_vm_readv
-                BLACKLIST(311), // process_vm_writev
-                BLACKLIST(139), // sysfs
-                BLACKLIST(156), // _sysctl
-                BLACKLIST(159), // adjtimex
-                BLACKLIST(305), // clock_adjtime
-                BLACKLIST(212), // lookup_dcookie
-                BLACKLIST(298), // perf_event_open
-                BLACKLIST(300), // fanotify_init
-                BLACKLIST(312), // kcmp
-                BLACKLIST(248), // add_key
-                BLACKLIST(249), // request_key
-                BLACKLIST(250), // keyctl
-                BLACKLIST(134), // uselib
-                BLACKLIST(163), // acct
-                BLACKLIST(154), // modify_ldt
-                BLACKLIST(155), // pivot_root
-                BLACKLIST(206), // io_setup
-                BLACKLIST(207), // io_destroy
-                BLACKLIST(208), // io_getevents
-                BLACKLIST(209), // io_submit
-                BLACKLIST(210), // io_cancel
-                BLACKLIST(216), // remap_file_pages
-                BLACKLIST(237), // mbind
-                BLACKLIST(239), // get_mempolicy
-                BLACKLIST(238), // set_mempolicy
-                BLACKLIST(256), // migrate_pages
-                BLACKLIST(279), // move_pages
-                BLACKLIST(278), // vmsplice
-                BLACKLIST(161), // chroot
-                BLACKLIST(184), // tuxcall
-                BLACKLIST(169), // reboot
-                BLACKLIST(180), // nfsservctl
-                BLACKLIST(177), // get_kernel_syms
-                RETURN_ALLOW
-        };
-        struct sock_fprog prog = {
+        // build the seccomp filter as a regular user
-                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                .filter = filter,
+                PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
-        };
+        if (rv)
+                exit(rv);
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
-                ;
+                if (arg_debug)
-        }
+                        printf("Dual i386/amd64 seccomp filter configured\n");
-        else if (arg_debug) {
-                printf("Dual i386/amd64 seccomp filter configured\n");
        }
 }
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
-        filter_init();
-        
        // default seccomp
-        if (cfg.seccomp_list_drop == NULL) {
+        if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) {
 #if defined(__x86_64__)
                seccomp_filter_32();
 #endif
 #if defined(__i386__)
                seccomp_filter_64();
 #endif
+                if (arg_debug)
+                        printf("Build default seccomp filter\n");
+                // build the seccomp filter as a regular user
+                int rv;
+                if (arg_allow_debuggers)
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+                                PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers");
+                else
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+                                PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
+                if (rv)
+                        exit(rv);
+        }
-#ifdef SYS_mount                
+        // default seccomp filter with additional drop list
-                filter_add_blacklist(SYS_mount, 0);
+        else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
-#endif
+#if defined(__x86_64__)
-#ifdef SYS_umount2              
+                seccomp_filter_32();
-                filter_add_blacklist(SYS_umount2, 0);
-#endif
-#ifdef SYS_ptrace               
-                filter_add_blacklist(SYS_ptrace, 0);
-#endif
-#ifdef SYS_kexec_load           
-                filter_add_blacklist(SYS_kexec_load, 0);
-#endif
-#ifdef SYS_kexec_file_load              
-                filter_add_blacklist(SYS_kexec_file_load, 0);
-#endif
-#ifdef SYS_open_by_handle_at            
-                filter_add_blacklist(SYS_open_by_handle_at, 0);
-#endif
-#ifdef SYS_init_module          
-                filter_add_blacklist(SYS_init_module, 0);
-#endif
-#ifdef SYS_finit_module // introduced in 2013
-                filter_add_blacklist(SYS_finit_module, 0);
-#endif
-#ifdef SYS_delete_module                
-                filter_add_blacklist(SYS_delete_module, 0);
-#endif
-#ifdef SYS_iopl         
-                filter_add_blacklist(SYS_iopl, 0);
-#endif
-#ifdef  SYS_ioperm      
-                filter_add_blacklist(SYS_ioperm, 0);
-#endif
-#ifdef SYS_ni_syscall // new io permissions call on arm devices
-                filter_add_blacklist(SYS_ni_syscall, 0);
-#endif
-#ifdef SYS_swapon               
-                filter_add_blacklist(SYS_swapon, 0);
-#endif
-#ifdef SYS_swapoff              
-                filter_add_blacklist(SYS_swapoff, 0);
-#endif
-#ifdef SYS_syslog               
-                filter_add_blacklist(SYS_syslog, 0);
-#endif
-#ifdef SYS_process_vm_readv             
-                filter_add_blacklist(SYS_process_vm_readv, 0);
 #endif
-#ifdef SYS_process_vm_writev            
+#if defined(__i386__)
-                filter_add_blacklist(SYS_process_vm_writev, 0);
+                seccomp_filter_64();
 #endif
+                if (arg_debug)
-// mknod removed in 0.9.29 - it brakes Zotero extension
+                        printf("Build default+drop seccomp filter\n");
-//#ifdef SYS_mknod              
-//              filter_add_blacklist(SYS_mknod, 0);
-//#endif
                
-                // new syscalls in 0.9,23               
+                // build the seccomp filter as a regular user
-#ifdef SYS_sysfs                
+                int rv;
-                filter_add_blacklist(SYS_sysfs, 0);
+                if (arg_allow_debuggers)
-#endif
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-#ifdef SYS__sysctl      
+                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
-                filter_add_blacklist(SYS__sysctl, 0);
+                else
-#endif
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-#ifdef SYS_adjtimex             
+                                PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
-                filter_add_blacklist(SYS_adjtimex, 0);
+                if (rv)
-#endif
+                        exit(rv);
-#ifdef  SYS_clock_adjtime       
-                filter_add_blacklist(SYS_clock_adjtime, 0);
-#endif
-#ifdef SYS_lookup_dcookie               
-                filter_add_blacklist(SYS_lookup_dcookie, 0);
-#endif
-#ifdef  SYS_perf_event_open     
-                filter_add_blacklist(SYS_perf_event_open, 0);
-#endif
-#ifdef  SYS_fanotify_init       
-                filter_add_blacklist(SYS_fanotify_init, 0);
-#endif
-#ifdef SYS_kcmp
-                filter_add_blacklist(SYS_kcmp, 0);
-#endif
-// 0.9.32
-#ifdef SYS_add_key
-                filter_add_blacklist(SYS_add_key, 0);
-#endif
-#ifdef SYS_request_key
-                filter_add_blacklist(SYS_request_key, 0);
-#endif
-#ifdef SYS_keyctl
-                filter_add_blacklist(SYS_keyctl, 0);
-#endif
-#ifdef SYS_uselib
-                filter_add_blacklist(SYS_uselib, 0);
-#endif
-#ifdef SYS_acct
-                filter_add_blacklist(SYS_acct, 0);
-#endif
-#ifdef SYS_modify_ldt
-                filter_add_blacklist(SYS_modify_ldt, 0);
-#endif
-        //#ifdef SYS_unshare
-        //              filter_add_blacklist(SYS_unshare, 0);
-        //#endif
-#ifdef SYS_pivot_root
-                filter_add_blacklist(SYS_pivot_root, 0);
-#endif
-        //#ifdef SYS_quotactl
-        //              filter_add_blacklist(SYS_quotactl, 0);
-        //#endif
-#ifdef SYS_io_setup
-                filter_add_blacklist(SYS_io_setup, 0);
-#endif
-#ifdef SYS_io_destroy
-                filter_add_blacklist(SYS_io_destroy, 0);
-#endif
-#ifdef SYS_io_getevents
-                filter_add_blacklist(SYS_io_getevents, 0);
-#endif
-#ifdef SYS_io_submit
-                filter_add_blacklist(SYS_io_submit, 0);
-#endif
-#ifdef SYS_io_cancel
-                filter_add_blacklist(SYS_io_cancel, 0);
-#endif
-#ifdef SYS_remap_file_pages
-                filter_add_blacklist(SYS_remap_file_pages, 0);
-#endif
-#ifdef SYS_mbind
-                filter_add_blacklist(SYS_mbind, 0);
-#endif
-#ifdef SYS_get_mempolicy
-                filter_add_blacklist(SYS_get_mempolicy, 0);
-#endif
-#ifdef SYS_set_mempolicy
-                filter_add_blacklist(SYS_set_mempolicy, 0);
-#endif
-#ifdef SYS_migrate_pages
-                filter_add_blacklist(SYS_migrate_pages, 0);
-#endif
-#ifdef SYS_move_pages
-                filter_add_blacklist(SYS_move_pages, 0);
-#endif
-#ifdef SYS_vmsplice
-                filter_add_blacklist(SYS_vmsplice, 0);
-#endif
-#ifdef SYS_chroot
-                filter_add_blacklist(SYS_chroot, 0);
-#endif
-        //#ifdef SYS_set_robust_list
-        //              filter_add_blacklist(SYS_set_robust_list, 0);
-        //#endif
-        //#ifdef SYS_get_robust_list
-        //              filter_add_blacklist(SYS_get_robust_list, 0);
-        //#endif
- // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
- //     SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
-// 0.9.39
-#ifdef SYS_tuxcall
-                filter_add_blacklist(SYS_tuxcall, 0);
-#endif
-#ifdef SYS_reboot
-                filter_add_blacklist(SYS_reboot, 0);
-#endif
-#ifdef SYS_nfsservctl
-                filter_add_blacklist(SYS_nfsservctl, 0);
-#endif
-#ifdef SYS_get_kernel_syms
-                filter_add_blacklist(SYS_get_kernel_syms, 0);
-#endif
-        }
-        // default seccomp filter with additional drop list
-        if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
-                if (syscall_check_list(cfg.seccomp_list, filter_add_blacklist, 0)) {
-                        fprintf(stderr, "Error: cannot load seccomp filter\n");
-                        exit(1);
-                }
-        }
-        // drop list
-        else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
-                if (syscall_check_list(cfg.seccomp_list_drop, filter_add_blacklist, 0)) {
-                        fprintf(stderr, "Error: cannot load seccomp filter\n");
-                        exit(1);
-                }
        }
        
-        
+        // drop list without defaults - secondary filters are not installed
-        filter_end_blacklist();
+        else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
-        if (arg_debug)
+                if (arg_debug)
-                filter_debug();
+                        printf("Build drop seccomp filter\n");
-        // save seccomp filter in  /tmp/firejail/mnt/seccomp
+                // build the seccomp filter as a regular user
-        // in order to use it in --join operations
+                int rv;
-        write_seccomp_file();
+                if (arg_allow_debuggers)
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+                                PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop,  "allow-debuggers");
-        struct sock_fprog prog = {
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                if (enforce_seccomp) {
-                        fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
-                        exit(1);
-                }
                else
-                        fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+                                PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop);
-                return 1;
+                if (rv)
+                        exit(rv);
        }
-        
+        else {
-        return 0;
+                assert(0);
-}
-// keep filter for seccomp option
-int seccomp_filter_keep(void) {
-        filter_init();
-        // these 4 syscalls are used by firejail after the seccomp filter is initialized
-        filter_add_whitelist(SYS_setuid, 0);
-        filter_add_whitelist(SYS_setgid, 0);
-        filter_add_whitelist(SYS_setgroups, 0);
-        filter_add_whitelist(SYS_dup, 0);
-        
-        // apply keep list
-        if (cfg.seccomp_list_keep) {
-                if (syscall_check_list(cfg.seccomp_list_keep, filter_add_whitelist, 0)) {
-                        fprintf(stderr, "Error: cannot load seccomp filter\n");
-                        exit(1);
-                }
        }
        
-        filter_end_whitelist();
+        // load the filter
-        if (arg_debug)
+        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
-                filter_debug();
+                if (arg_debug)
+                        printf("seccomp filter configured\n");
-        // save seccomp filter in  /tmp/firejail/mnt/seccomp
-        // in order to use it in --join operations
-        write_seccomp_file();
-        struct sock_fprog prog = {
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-                return 1;
        }
-        else if (arg_debug) {
+        else if (enforce_seccomp) {
-                printf("seccomp enabled\n");
+                fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+                exit(1);
        }
        
-        return 0;
-}
-// errno filter for seccomp option
-int seccomp_filter_errno(void) {
-        int i;
-        int higest_errno = errno_highest_nr();
-        filter_init();
-        // apply errno list
-        for (i = 0; i < higest_errno; i++) {
-                if (cfg.seccomp_list_errno[i]) {
-                        if (syscall_check_list(cfg.seccomp_list_errno[i], filter_add_errno, i)) {
-                                fprintf(stderr, "Error: cannot load seccomp filter\n");
-                                exit(1);
-                        }
-                }
-        }
-        filter_end_blacklist();
        if (arg_debug)
-                filter_debug();
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+                        PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
-        // save seccomp filter in  /tmp/firejail/mnt/seccomp
-        // in order to use it in --join operations
-        write_seccomp_file();
-        struct sock_fprog prog = {
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-                return 1;
-        }
-        else if (arg_debug) {
-                printf("seccomp enabled\n");
-        }
-        return 0;
+        return seccomp_load(RUN_SECCOMP_CFG);
 }
+// keep filter for seccomp option
+int seccomp_filter_keep(void) {
-void seccomp_set(void) {
+        if (arg_debug)
-        // read seccomp filter from  /tmp/firejail/mnt/seccomp
+                printf("Build drop seccomp filter\n");
-        read_seccomp_file(RUN_SECCOMP_CFG);
-        
-        // apply filter
-        struct sock_fprog prog = {
-                .len = sfilter_index,
-                .filter = sfilter,
-        };
        
-        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        // build the seccomp filter as a regular user
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                return;
+                PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep);
-        }
+        if (rv)
-        else if (arg_debug) {
+                exit(rv);
-                printf("seccomp enabled\n");
+        if (arg_debug)
-        }
+                printf("seccomp filter configured\n");
-}
-void seccomp_print_filter_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        seccomp_print_filter(pid);
+                
+        return seccomp_load(RUN_SECCOMP_CFG);
 }
 void seccomp_print_filter(pid_t pid) {
@@ -853,10 +271,11 @@ void seccomp_print_filter(pid_t pid) {
                exit(1);
        }
-        // read and print the filter
+        // read and print the filter - run this as root, the user doesn't have access
-        read_seccomp_file(fname);
+        int rv = sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3,
-        drop_privs(1);
+                PATH_FSECCOMP, "print", fname);
-        filter_debug();
+        if (rv)
+                exit(rv);
        free(fname);
        exit(0);
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 8d8035bfb..c23e87321 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -23,22 +23,6 @@
 #include <fcntl.h>
 #include <sys/prctl.h>
-void shut_name(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
-        
-        pid_t pid;
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
-        }
-        shut(pid);
-}
 void shut(pid_t pid) {
        EUID_ASSERT();
        
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 539785f21..c8bed06e3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -23,330 +23,190 @@ void usage(void) {
        printf("firejail - version %s\n\n", VERSION);
        printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n");
        printf("restricting the running environment of untrusted applications using Linux\n");
-        printf("namespaces. It includes a sandbox profile for Mozilla Firefox.\n\n");
+        printf("namespaces.\n");
        printf("\n");
-        printf("Usage: firejail [options] [program and arguments]\n\n");
+        printf("Usage: firejail [options] [program and arguments]\n");
        printf("\n");
-        printf("Without any options, the sandbox consists of a filesystem chroot build from the\n");
+        printf("Options:\n");
-        printf("current system directories  mounted  read-only,  and  new PID and IPC\n");
+        printf("    -- - signal the end of options and disables further option processing.\n");
-        printf("namespaces. If no program is specified as an argument, /bin/bash is started by\n");
+        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-        printf("default in the sandbox.\n\n");
+        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
-        printf("\n");
+        printf("    --apparmor - enable AppArmor confinement.\n");
-        printf("Options:\n\n");
+        printf("    --appimage - sandbox an AppImage application.\n");
-        printf("    -- - signal the end of options and disables further option processing.\n\n");
+        printf("    --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --bandwidth=name|pid - set  bandwidth  limits  for  the sandbox identified\n");
+        printf("    --bandwidth=name|pid - set  bandwidth  limits\n");
-        printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
 #endif
 #ifdef HAVE_BIND                
-        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
+        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
-        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n");
+        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
-        printf("    --blacklist=dirname_or_filename - blacklist directory or file.\n\n");
+        printf("    --blacklist=filename - blacklist directory or file.\n");
-        printf("    -c - execute command and exit.\n\n");
+        printf("    -c - execute command and exit.\n");
-        printf("    --caps - enable default Linux capabilities filter.\n\n");
+        printf("    --caps - enable default Linux capabilities filter.\n");
-        printf("    --caps.drop=all - drop all capabilities.\n\n");
+        printf("    --caps.drop=all - drop all capabilities.\n");
-        printf("    --caps.drop=capability,capability - blacklist capabilities filter.\n\n");
+        printf("    --caps.drop=capability,capability - blacklist capabilities filter.\n");
-        printf("    --caps.keep=capability,capability - whitelist capabilities filter.\n\n");
+        printf("    --caps.keep=capability,capability - whitelist capabilities filter.\n");
-        printf("    --caps.print=name|pid - print the caps filter for the sandbox identified\n");
+        printf("    --caps.print=name|pid - print the caps filter.\n");
-        printf("\tby name or PID.\n\n");
        printf("    --cgroup=tasks-file - place the sandbox in the specified control group.\n");
-        printf("\ttasks-file is the full path of cgroup tasks file.\n\n");
 #ifdef HAVE_CHROOT              
-        printf("    --chroot=dirname - chroot into directory.\n\n");
+        printf("    --chroot=dirname - chroot into directory.\n");
+#endif
+        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n");
+        printf("    --cpu.print=name|pid - print the cpus in use.\n");
+        printf("    --csh - use /bin/csh as default shell.\n");
+        printf("    --debug - print sandbox debug messages.\n");
+        printf("    --debug-blacklists - debug blacklisting.\n");
+        printf("    --debug-caps - print all recognized capabilities.\n");
+        printf("    --debug-check-filename - debug filename checking.\n");
+        printf("    --debug-errnos - print all recognized error numbers.\n");
+        printf("    --debug-protocols - print all recognized protocols.\n");
+        printf("    --debug-syscalls - print all recognized system calls.\n");
+#ifdef HAVE_WHITELIST   
+        printf("    --debug-whitelists - debug whitelisting.\n");
 #endif
-        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
-        printf("    --cpu.print=name|pid - print the cup in use by the sandbox identified\n");
-        printf("\tby name or PID.\n\n");
-        printf("    --csh - use /bin/csh as default shell.\n\n");
-        
-        printf("    --debug - print sandbox debug messages.\n\n");
-        printf("    --debug-blacklists - debug blacklisting.\n\n");
-        printf("    --debug-caps - print all recognized capabilities in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-check-filename - debug filename checking.\n\n");
-        printf("    --debug-errnos - print all recognized error numbers in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-protocols - print all recognized protocols in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-syscalls - print all recognized system calls in the current Firejail\n");
-        printf("\tsoftware build.\n\n");
-        printf("    --debug-whitelists - debug whitelisting.\n\n");
 #ifdef HAVE_NETWORK     
-        printf("    --defaultgw=address - use this address as default gateway in the new network\n");
+        printf("    --defaultgw=address - configure default gateway.\n");
-        printf("\tnamespace.\n\n");
 #endif
-        printf("    --dns=address - set a DNS server for the sandbox. Up to three DNS servers\n");
+        printf("    --dns=address - set DNS server.\n");
-        printf("\tcan be defined.\n\n");
+        printf("    --dns.print=name|pid - print DNS configuration.\n");
-        printf("    --dns.print=name|pid - print DNS configuration for the sandbox identified\n");
-        printf("\tby name or PID.\n\n");
        
-        printf("    --env=name=value - set environment variable in the new sandbox.\n\n");
+        printf("    --env=name=value - set environment variable.\n");
-        printf("    --fs.print=name|pid - print the filesystem log for the sandbox identified\n");
+        printf("    --fs.print=name|pid - print the filesystem log.\n");
-        printf("\tby name or PID.\n\n");
+        printf("    --get=name|pid filename - get a file from sandbox container.\n");
-        printf("    --get=name|pid filename - get a file from sandbox container.\n\n");
+        printf("    --help, -? - this help screen.\n");
-        printf("    --help, -? - this help screen.\n\n");
+        printf("    --hostname=name - set sandbox hostname.\n");
-        printf("    --hostname=name - set sandbox hostname.\n\n");
+        printf("    --ignore=command - ignore command in profile files.\n");
-        printf("    --ignore=command - ignore command in profile files.\n\n");
 #ifdef HAVE_NETWORK     
-        printf("    --interface=name - move interface in a new network namespace. Up to four\n");
+        printf("    --interface=name - move interface in sandbox.\n");
-        printf("\t--interface options can be specified.\n\n");
+        printf("    --ip=address - set interface IP address.\n");
-        printf("    --ip=address - set interface IP address.\n\n");
+        printf("    --ip=none - no IP address and no default gateway are configured.\n");
-        printf("    --ip=none - no IP address and no default gateway address are configured\n");
+        printf("    --ip6=address - set interface IPv6 address.\n");
-        printf("\tin the new network namespace. Use this option in case you intend to\n");
+        printf("    --iprange=address,address - configure an IP address in this range.\n");
-        printf("\tstart an external DHCP client in the sandbox.\n\n");
-        printf("    --ip6=address - set interface IPv6 address.\n\n");
-        printf("    --iprange=address,address - configure an IP address in this range.\n\n");
 #endif
-        printf("    --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n");
+        printf("    --ipc-namespace - enable a new IPC namespace.\n");
-        printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n");
+        printf("    --join=name|pid - join the sandbox.\n");
-        printf("\tis started as root.\n\n");
+        printf("    --join-filesystem=name|pid - join the mount namespace.\n");
-        printf("    --join=name|pid - join the sandbox identified by name or PID.\n\n");
-        printf("    --join-filesystem=name|pid - join the mount namespace of the sandbox\n");
-        printf("\tidentified by name or PID.\n\n");
 #ifdef HAVE_NETWORK     
-        printf("    --join-network=name|pid - join the network namespace of the sandbox\n");
+        printf("    --join-network=name|pid - join the network namespace.\n");
-        printf("\tidentified by name or PID.\n\n");
 #endif
-        printf("    --list - list all sandboxes.\n\n");
+        printf("    --list - list all sandboxes.\n");
-        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n\n");
+        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
+        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
-        printf("    --mtu=number - set interface MTU.\n\n");
+        printf("    --mtu=number - set interface MTU.\n");
 #endif
-        printf("    --name=name - set sandbox name.\n\n");
+        printf("    --name=name - set sandbox name.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --net=bridgename - enable network namespaces and connect to this bridge\n");
+        printf("    --net=bridgename - enable network namespaces and connect to this bridge.\n");
-        printf("\tdevice. Up to four --net devices can be defined.\n\n");
        printf("    --net=ethernet_interface - enable network namespaces and connect to this\n");
-        printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n");
+        printf("\tEthernet interface.\n");
-        printf("\t--net devices can be defined.\n\n");
+        printf("    --net=none - enable a new, unconnected network namespace.\n");
-        
+        printf("    --netfilter[=filename] - enable the default client network filter.\n");
-        printf("    --net=none - enable a new, unconnected network namespace.\n\n");
+        printf("    --netfilter6=filename - enable the IPv6 network filter.\n");
+        printf("    --netstats - monitor network statistics.\n");
-        printf("    --netfilter - enable the default client network filter in the new\n");
-        printf("\tnetwork namespace.\n\n");
-        printf("    --netfilter=filename - enable the network filter specified by\n");
-        printf("\tfilename in the new network namespace. The filter file format\n");
-        printf("\tis the format of iptables-save and iptable-restore commands.\n\n");
-        printf("    --netfilter6=filename - enable the IPv6 network filter specified by\n");
-        printf("\tfilename in the new network namespace. The filter file format\n");
-        printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
-        printf("    --netstats - monitor network statistics for sandboxes creating a new\n");
-        printf("\tnetwork namespace.\n\n");
 #endif
-        printf("    --nice=value - set nice value\n\n");
+        printf("    --nice=value - set nice value.\n");
-        printf("    --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
+        printf("    --no3d - disable 3D hardware acceleration.\n");
-        printf("\tfile.\n\n");
+        printf("    --noblacklist=filename - disable blacklist for file or directory .\n");
-        printf("    --nogroups - disable supplementary groups. Without this option,\n");
+        printf("    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
-        printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
+        printf("    --nogroups - disable supplementary groups.\n");
-        printf("\t For root, groups are always disabled.\n\n");
+        printf("    --noprofile - do not use a security profile.\n");
-        printf("    --noprofile - do not use a profile.  Profile priority is use the one\n");
-        printf("\tspecified on the command line, next try to find one that\n");
-        printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
-        printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
-        printf("\troot.\n\n");
 #ifdef HAVE_USERNS                      
-        printf("    --noroot - install a user namespace with a single user - the current\n");
+        printf("    --noroot - install a user namespace with only the current user.\n");
-        printf("\tuser. root user does not exist in the new namespace. This option\n");
-        printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
-        printf("    --nosound - disable sound system.\n\n");
+        printf("    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
-                
+        printf("    --output=logfile - stdout logging and log rotation.\n");
-        printf("    --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
-        printf("\tto logfile, and keep the size of the file under 500KB using log\n");
-        printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
-        printf("\trotation.\n\n");
-        
        printf("    --overlay - mount a filesystem overlay on top of the current filesystem.\n");
-        printf("\tThe upper filesystem layer is persistent, and stored in\n");
+        printf("    --overlay-named=name - mount a filesystem overlay on top of the current\n");
-        printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n");
+        printf("\tfilesystem, and store it in name directory.\n");
-        printf("\tLinux kernel for this option to work). \n\n");   
+        printf("    --overlay-tmpfs - mount a temporary filesystem overlay on top of the current\n");
+        printf("\tfilesystem.\n");   
-        printf("    --overlay-tmpfs - mount a filesystem overlay on top of the current\n");
+        printf("    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n");
-        printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n");
+        printf("    --private - temporary home directory.\n");
-        printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n");
+        printf("    --private=directory - use directory as user home.\n");
-        printf("\tsupport is required in Linux kernel for this option to work).\n\n");   
+        printf("    --private-home=file,directory - build a new user home in a temporary\n");
+        printf("\tfilesystem, and copy the files and directories in the list in\n");
-        printf("    --private - mount new /root and /home/user directories in temporary\n");
+        printf("\tthe new home.\n");
-        printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
-        printf("\tclosed.\n\n");
-        printf("    --private=directory - use directory as user home.\n\n");
        printf("    --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
-        printf("\tand copy the programs in the list.\n\n");
+        printf("\tand copy the programs in the list.\n");
        printf("    --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
-        printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n");
+        printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n");
        printf("    --private-etc=file,directory - build a new /etc in a temporary\n");
        printf("\tfilesystem, and copy the files and directories in the list.\n");
-        printf("\tAll modifications are discarded when the sandbox is closed.\n\n");
+        printf("    --private-tmp - mount a tmpfs on top of /tmp directory.\n");
-        
+        printf("    --profile=filename - use a custom profile.\n");
-        printf("    --private-tmp - mount a tmpfs on top of /tmp directory\n\n");
+        printf("    --profile-path=directory - use this directory to look for profile files.\n");
-        
-        printf("    --profile=filename - use a custom profile.\n\n");
-        printf("    --profile-path=directory - use this directory to look for profile files.\n\n");
-        
        printf("    --protocol=protocol,protocol,protocol - enable protocol filter.\n");
-        printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
+        printf("    --protocol.print=name|pid - print the protocol filter.\n");
-        printf("    --protocol.print=name|pid - print the protocol filter for the sandbox\n");
+        printf("    --put=name|pid src-filename dest-filename - put a file in sandbox container.\n");
-        printf("\tidentified by name or PID.\n\n");
+        printf("    --quiet - turn off Firejail's output.\n");
-        
+        printf("    --read-only=filename - set directory or file read-only..\n");
-        printf("    --quiet - turn off Firejail's output.\n\n");
+        printf("    --read-write=filename - set directory or file read-write..\n");
-        printf("    --read-only=dirname_or_filename - set directory or file read-only..\n\n");
        printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
-        printf("\tby a process.\n\n");
+        printf("\tby a process.\n");
        printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
-        printf("\topened by a process.\n\n");
+        printf("\topened by a process.\n");
        printf("    --rlimit-nproc=number - set the maximum number of processes that can be\n");
-        printf("\tcreated for the real user ID of the calling process.\n\n");
+        printf("\tcreated for the real user ID of the calling process.\n");
        printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
-        printf("\tfor a process.\n\n");
+        printf("\tfor a process.\n");
+        printf("    --rmenv=name - remove environment variable in the new sandbox.\n");
 #ifdef HAVE_NETWORK     
        printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
-        printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
-        printf("\trunning on the current host.\n\n");
 #endif  
 #ifdef HAVE_SECCOMP
-        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n\n");
+        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n");
-        
        printf("    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
-        printf("\tdefault syscall list and the syscalls specified by the command.\n\n");
+        printf("\tdefault syscall list and the syscalls specified by the command.\n");
-        
        printf("    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\tblacklist the syscalls specified by the command.\n\n");
+        printf("\tblacklist the syscalls specified by the command.\n");
-        
        printf("    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\twhitelist the syscalls specified by the command.\n\n");
+        printf("\twhitelist the syscalls specified by the command.\n");
-        
        printf("    --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\treturn errno for the syscalls specified by the command.\n\n");
+        printf("\treturn errno for the syscalls specified by the command.\n");
-        
        printf("    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
-        printf("\tidentified by name or PID.\n\n");
+        printf("\tidentified by name or PID.\n");
 #endif
+        printf("    --shell=none - run the program directly without a user shell.\n");
-        printf("    --shell=none - run the program directly without a user shell.\n\n");
+        printf("    --shell=program - set default user shell.\n");
-        printf("    --shell=program - set default user shell.\n\n");
+        printf("    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n");
-        printf("    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n");
        printf("    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
-        printf("\tThis option is available only when running the sandbox as root.\n\n");
+        printf("    --top - monitor the most CPU-intensive sandboxes.\n");
-        printf("    --top - monitor the most CPU-intensive sandboxes.\n\n");
+        printf("    --trace - trace open, access and connect system calls.\n");
-        printf("    --trace - trace open, access and connect system calls.\n\n");
        printf("    --tracelog - add a syslog message for every access to files or\n");
-        printf("\tdirectoires blacklisted by the security profile.\n\n");
+        printf("\tdirectoires blacklisted by the security profile.\n");
-        printf("    --tree - print a tree of all sandboxed processes.\n\n");
+        printf("    --tree - print a tree of all sandboxed processes.\n");
-        printf("    --user=new_user - switch the user before starting the sandbox.\n\n");
+        printf("    --version - print program version and exit.\n");
-        printf("    --version - print program version and exit.\n\n");
-        printf("    --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
-        printf("    --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
-        printf("\tthen it checks if Xephyr is installed.\n\n");
-        printf("    --x11=xpra - enable Xpra X11 server.\n\n");
-        printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n");
-        printf("    --zsh - use /usr/bin/zsh as default shell.\n\n");
-        printf("\n");
-        printf("\n");
 #ifdef HAVE_NETWORK     
-        printf("Traffic Shaping\n\n");
+        printf("    --veth-name=name - use this name for the interface connected to the bridge.\n"); 
-        
+#endif  
-        printf("Network bandwidth is an expensive resource shared among  all  sandboxes\n");
+#ifdef HAVE_WHITELIST   
-        printf("running  on a system.  Traffic shaping allows the user to increase network\n");
+        printf("    --whitelist=filename - whitelist directory or file.\n");
-        printf("performance by controlling the amount of data that flows into and out of the\n");
+#endif  
-        printf("sandboxes. Firejail  implements  a simple rate-limiting shaper based on Linux\n");
+        printf("    --writable-etc - /etc directory is mounted read-write.\n");
-        printf("command tc. The shaper works at sandbox level, and can be used  only  for\n");
+        printf("    --writable-var - /var directory is mounted read-write.\n");
-        printf("sandboxes configured with new network namespaces.\n\n");
+        printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
+        printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
-        printf("Set rate-limits:\n");
+        printf("\tattempt to use X11 security extension.\n");
-        printf("    firejail  --bandwidth={name|pid} set network-name down-speed up-speed\n\n");
+        printf("    --x11=none - disable access to X11 sockets.\n");
-        printf("Clear rate-limits:\n");
+        printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n");
-        printf("    firejail --bandwidth={name|pid} clear network-name\n\n");
+        printf("    --x11=xorg - enable X11 security extension.\n");
-        printf("Status:\n");
+        printf("    --x11=xpra - enable Xpra X11 server.\n");
-        printf("    firejail --bandwidth={name|pid} status\n\n");
+        printf("    --zsh - use /usr/bin/zsh as default shell.\n");
-        printf("where:\n");
-            printf("    name - sandbox name\n");
-            printf("    pid - sandbox pid\n");
-            printf("    network-name - network name as used by --net option\n");
-            printf("    down-speed - download speed in KB/s (decimal kilobyte per second)\n");
-            printf("    up-speed - upload speed in KB/s (decimal kilobyte per second)\n");
-        printf("\n");
-        printf("Example:\n");
-            printf("    $ firejail --name=mybrowser --net=eth0 firefox &\n");
-            printf("    $ firejail --bandwidth=mybrowser set eth0 80 20\n");
-            printf("    $ firejail --bandwidth=mybrowser status\n");
-            printf("    $ firejail --bandwidth=mybrowser clear eth0\n");
-        printf("\n");
-        printf("\n");
-#endif
-        printf("Monitoring\n\n");
-        printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
-        printf("follows:\n\n");
-        printf("    PID:USER:Command\n\n");
-        printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
-        printf("for each process entry is as follows:\n\n");
-        printf("    PID:USER:Command\n\n");
-        printf("Option --top is similar to the UNIX top command, however it applies only to\n");
-        printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
-        printf("order:\n\n");
-        printf("    Command - command used to start the sandbox.\n");
-        printf("    CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
-        printf("\tlast screen update\n");
-        printf("    PID - Unique process ID for the task controlling the sandbox.\n");
-        printf("    Prcs - number of processes running in sandbox, including the controlling\n");
-        printf("\tprocess.\n");
-        printf("    RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
-        printf("\tIt is a sum of the RES values for all processes running in the\n");
-        printf("\tsandbox.\n");
-        printf("    SHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
-        printf("\tprocesses. It is a sum of the SHR values for all processes running\n");
-        printf("\tin the sandbox, including the controlling process.\n");
-        printf("    Uptime - sandbox running time in hours:minutes:seconds format.\n");
-        printf("    User - The owner of the sandbox.\n");
-        printf("\n");
-        printf("\n");
-        printf("Profile files\n\n");
-        printf("Several command line configuration options can be passed to the program using\n");
-        printf("profile files. Default Firejail profile files are stored in /etc/firejail\n");
-        printf("directory, user profile files are stored in ~/.config/firejail directory. See\n");
-        printf("man 5 firejail-profile for more information.\n\n");
-        printf("\n");
-        printf("Restricted shell\n\n");
-        printf("To  configure a restricted shell, replace /bin/bash with /usr/bin/firejail in\n");
-        printf("/etc/password file for each user that needs to  be  restricted.\n");
-        printf("Alternatively, you can specify /usr/bin/firejail  in adduser command:\n\n");
-        printf("   adduser --shell /usr/bin/firejail username\n\n");
-        printf("Arguments to be passed to firejail executable upon login are  declared  in\n");
-        printf("/etc/firejail/login.users file.\n\n");
        printf("\n");
-        printf("Examples:\n\n");
+        printf("Examples:\n");
-        printf("    $ firejail\n");
-        printf("\tstart a regular /bin/bash session in sandbox\n");
        printf("    $ firejail firefox\n");
        printf("\tstart Mozilla Firefox\n");
        printf("    $ firejail --debug firefox\n");
        printf("\tdebug Firefox sandbox\n");
-        printf("    $ firejail --private firefox\n");
+        printf("    $ firejail --private --sna=8.8.8.8 firefox\n");
-        printf("\tstart Firefox with a new, empty home directory\n");
+        printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
-        printf("    $ firejail --net=br0 ip=10.10.20.10\n");
+        printf("\tserver setting.\n");
-        printf("\tstart a /bin/bash session in a new network namespace; the session is\n");
+        printf("    $ firejail --net=eth0 firefox\n");
-        printf("\tconnected to the main network using br0 bridge device, an IP address\n");
+        printf("\tstart Firefox in a new network namespace\n");
-        printf("\tof 10.10.20.10 is assigned to the sandbox\n");
+        printf("    $ firejail --x11=xorg firefox\n");
-        printf("    $ firejail --net=br0 --net=br1 --net=br2\n");
+        printf("\tstart Firefox and sandbox X11\n");
-        printf("\tstart a /bin/bash session in a new network namespace and connect it\n");
-        printf("\tto br0, br1, and br2 host bridge devices\n");
        printf("    $ firejail --list\n");
        printf("\tlist all running sandboxes\n");
        printf("\n");
diff --git a/src/firejail/user.c b/src/firejail/user.c
deleted file mode 100644
index a2f34392c..000000000
--- a/src/firejail/user.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#include "firejail.h"
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <grp.h>
-#include <pwd.h>
-void check_user(int argc, char **argv) {
-        EUID_ASSERT();
-        int i;
-        char *user = NULL;
-        int found = 0;
-        for (i = 1; i < argc; i++) {
-                // check options
-                if (strcmp(argv[i], "--") == 0)
-                        break;
-                if (strncmp(argv[i], "--", 2) != 0)
-                        break;
-                
-                // check user option            
-                if (strncmp(argv[i], "--user=", 7) == 0) {
-                        found = 1;
-                        user = argv[i] + 7;
-                        break;
-                }
-        }
-        if (!found)
-                return;
-        // check root
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to use --user command line option\n");
-                exit(1);
-        }
-        
-        // switch user
-        struct passwd *pw = getpwnam(user);
-        if (!pw) {
-                fprintf(stderr, "Error: cannot find user %s\n", user);
-                exit(1);
-        }
-        printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid);
-        int rv = initgroups(user, pw->pw_gid);
-        if (rv == -1) {
-                perror("initgroups");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-        rv = setgid(pw->pw_gid);
-        if (rv == -1) {
-                perror("setgid");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-        rv = setuid(pw->pw_uid);
-        if (rv == -1) {
-                perror("setuid");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-        // build the new command line
-        int len = 0;
-        for (i = 0; i < argc; i++) {
-                len += strlen(argv[i]) + 1; // + ' '
-        }
-        
-        char *cmd = malloc(len + 1); // + '\0'
-        if (!cmd)
-                errExit("malloc");
-        
-        char *ptr = cmd;
-        int first = 1;
-        for (i = 0; i < argc; i++) {
-                if (strncmp(argv[i], "--user=", 7) == 0 && first) {
-                        first = 0;
-                        continue;
-                }
-                
-                ptr += sprintf(ptr, "%s ", argv[i]);
-        }
-        // run command
-        char *a[4];
-        a[0] = "/bin/bash";
-        a[1] = "-c";
-        a[2] = cmd;
-        a[3] = NULL;
-        execvp(a[0], a); 
-        perror("execvp");
-        exit(1);
-}
diff --git a/src/firejail/util.c b/src/firejail/util.c
index da73bbfd5..d928c6b42 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -17,18 +17,23 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#define _XOPEN_SOURCE 500
 #include "firejail.h"
+#include <ftw.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <syslog.h>
 #include <errno.h>
 #include <dirent.h>
 #include <grp.h>
+#include <sys/ioctl.h>
+#include <termios.h>
 #define MAX_GROUPS 1024
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
+        EUID_ROOT();
        gid_t gid = getgid();
        // configure supplementary groups
@@ -77,7 +82,7 @@ void drop_privs(int nogroups) {
 int mkpath_as_root(const char* path) {
        assert(path && *path);
-        
        // work on a copy of the path
        char *file_path = strdup(path);
        if (!file_path)
@@ -95,24 +100,21 @@ int mkpath_as_root(const char* path) {
                        }
                }
                else {
-                        if (chmod(file_path, 0755) == -1)
+                        if (set_perms(file_path, 0, 0, 0755))
-                                errExit("chmod");
+                                errExit("set_perms");
-                        if (chown(file_path, 0, 0) == -1)
-                                errExit("chown");
                        done = 1;
-                }                       
+                }
                *p='/';
        }
        if (done)
                fs_logger2("mkpath", path);
-                
        free(file_path);
        return 0;
 }
 void logsignal(int s) {
        if (!arg_debug)
                return;
@@ -167,8 +169,8 @@ void logerr(const char *msg) {
 }
-// return -1 if error, 0 if no error
+// return -1 if error, 0 if no error; if destname already exists, return error
-int copy_file(const char *srcname, const char *destname) {
+int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
        assert(srcname);
        assert(destname);
@@ -205,17 +207,23 @@ int copy_file(const char *srcname, const char *destname) {
                }
        }
+        if (fchown(dst, uid, gid) == -1)
+                errExit("fchown");
+        if (fchmod(dst, mode) == -1)
+                errExit("fchmod");
        close(src);
        close(dst);
        return 0;
 }
 // return 1 if the file is a directory
 int is_dir(const char *fname) {
        assert(fname);
        if (*fname == '\0')
                return 0;
-        
        // if fname doesn't end in '/', add one
        int rv;
        struct stat s;
@@ -226,20 +234,21 @@ int is_dir(const char *fname) {
                if (asprintf(&tmp, "%s/", fname) == -1) {
                        fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
                        errExit("asprintf");
-                }               
+                }
                rv = stat(tmp, &s);
                free(tmp);
        }
-        
        if (rv == -1)
                return 0;
-                
        if (S_ISDIR(s.st_mode))
                return 1;
        return 0;
 }
 // return 1 if the file is a link
 int is_link(const char *fname) {
        assert(fname);
@@ -324,7 +333,7 @@ char *split_comma(char *str) {
 int not_unsigned(const char *str) {
        EUID_ASSERT();
-        
        int rv = 0;
        const char *ptr = str;
        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') {
@@ -346,7 +355,7 @@ int find_child(pid_t parent, pid_t *child) {
        *child = 0;                               // use it to flag a found child
        DIR *dir;
-        EUID_ROOT(); // grsecurity fix
+        EUID_ROOT();                              // grsecurity fix
        if (!(dir = opendir("/proc"))) {
                // sleep 2 seconds and try again
                sleep(2);
@@ -403,13 +412,11 @@ int find_child(pid_t parent, pid_t *child) {
 }
 void extract_command_name(int index, char **argv) {
        EUID_ASSERT();
        assert(argv);
        assert(argv[index]);
        // configure command index
        cfg.original_program_index = index;
@@ -418,13 +425,13 @@ void extract_command_name(int index, char **argv) {
                errExit("strdup");
        // if we have a symbolic link, use the real path to extract the name
-        if (is_link(argv[index])) {
+//      if (is_link(argv[index])) {
-                char*newname = realpath(argv[index], NULL);
+//              char*newname = realpath(argv[index], NULL);
-                if (newname) {
+//              if (newname) {
-                        free(str);
+//                      free(str);
-                        str = newname;
+//                      str = newname;
-                }
+//              }
-        }
+//      }
        // configure command name
        cfg.command_name = str;
@@ -446,7 +453,6 @@ void extract_command_name(int index, char **argv) {
                        exit(1);
                }
                char *tmp = strdup(ptr);
                if (!tmp)
                        errExit("strdup");
@@ -532,6 +538,7 @@ void notify_other(int fd) {
        fclose(stream);
 }
 // This function takes a pathname supplied by the user and expands '~' and
 // '${HOME}' at the start, to refer to a path relative to the user's home
 // directory (supplied).
@@ -540,7 +547,7 @@ void notify_other(int fd) {
 char *expand_home(const char *path, const char* homedir) {
        assert(path);
        assert(homedir);
-        
        // Replace home macro
        char *new_name = NULL;
        if (strncmp(path, "${HOME}", 7) == 0) {
@@ -548,15 +555,16 @@ char *expand_home(const char *path, const char* homedir) {
                        errExit("asprintf");
                return new_name;
        }
-        else if (strncmp(path, "~/", 2) == 0) {
+        else if (*path == '~') {
                if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1)
                        errExit("asprintf");
                return new_name;
        }
-        
        return strdup(path);
 }
 // Equivalent to the GNU version of basename, which is incompatible with
 // the POSIX basename. A few lines of code saves any portability pain.
 // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
@@ -567,17 +575,18 @@ const char *gnu_basename(const char *path) {
        return last_slash+1;
 }
 uid_t pid_get_uid(pid_t pid) {
        EUID_ASSERT();
        uid_t rv = 0;
-        
        // open status file
        char *file;
        if (asprintf(&file, "/proc/%u/status", pid) == -1) {
                perror("asprintf");
                exit(1);
        }
-        EUID_ROOT();    // grsecurity fix
+        EUID_ROOT();                              // grsecurity fix
        FILE *fp = fopen(file, "r");
        if (!fp) {
                free(file);
@@ -596,16 +605,16 @@ uid_t pid_get_uid(pid_t pid) {
                        }
                        if (*ptr == '\0')
                                break;
-                                
                        rv = atoi(ptr);
-                        break; // break regardless!
+                        break;                    // break regardless!
                }
        }
        fclose(fp);
        free(file);
-        EUID_USER();    // grsecurity fix
+        EUID_USER();                              // grsecurity fix
-        
        if (rv == 0) {
                fprintf(stderr, "Error: cannot read /proc file\n");
                exit(1);
@@ -613,14 +622,15 @@ uid_t pid_get_uid(pid_t pid) {
        return rv;
 }
 void invalid_filename(const char *fname) {
        EUID_ASSERT();
        assert(fname);
        const char *ptr = fname;
-        
        if (arg_debug_check_filename)
                printf("Checking filename %s\n", fname);
-        
        if (strncmp(ptr, "${HOME}", 7) == 0)
                ptr = fname + 7;
        else if (strncmp(ptr, "${PATH}", 7) == 0)
@@ -636,22 +646,125 @@ void invalid_filename(const char *fname) {
        }
 }
-uid_t get_tty_gid(void) {
+uid_t get_group_id(const char *group) {
        // find tty group id
-        gid_t ttygid = 0;
+        gid_t gid = 0;
-        struct group *g = getgrnam("tty");
+        struct group *g = getgrnam(group);
        if (g)
-                ttygid = g->gr_gid;
+                gid = g->gr_gid;
-        return ttygid;
+        return gid;
 }
-uid_t get_audio_gid(void) {
-        // find tty group id
-        gid_t audiogid = 0;
-        struct group *g = getgrnam("audio");
-        if (g)
-                audiogid = g->gr_gid;
-        return audiogid;
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+        (void) sb;
+        (void) typeflag;
+        (void) ftwbuf;
+        
+        int rv = remove(fpath);
+        if (rv)
+                perror(fpath);
+        return rv;
+}
+int remove_directory(const char *path) {
+        // FTW_PHYS - do not follow symbolic links
+        return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
+}
+void flush_stdin(void) {
+        if (isatty(STDIN_FILENO)) {
+                int cnt = 0;
+                ioctl(STDIN_FILENO, FIONREAD, &cnt);
+                if (cnt) {
+                        if (!arg_quiet)
+                                printf("Warning: removing %d bytes from stdin\n", cnt);
+                        ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+                }
+        }
+}
+void create_empty_dir_as_root(const char *dir, mode_t mode) {
+        assert(dir);
+        struct stat s;
+        
+        if (stat(dir, &s)) {
+                if (arg_debug)
+                        printf("Creating empty %s directory\n", dir);
+                if (mkdir(dir, mode) == -1)
+                        errExit("mkdir");
+                if (set_perms(dir, 0, 0, mode))
+                        errExit("set_perms");
+                ASSERT_PERMS(dir, 0, 0, mode);
+        }
+}
+void create_empty_file_as_root(const char *fname, mode_t mode) {
+        assert(fname);
+        struct stat s;
+        if (stat(fname, &s)) {
+                if (arg_debug)
+                        printf("Creating empty %s file\n", fname);
+                FILE *fp = fopen(fname, "w");
+                if (!fp)
+                        errExit("fopen");
+                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR);
+                fclose(fp);
+                if (chmod(fname, mode) == -1)
+                        errExit("chmod");
+        }
+}
+// return 1 if error
+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+        assert(fname);
+        if (chmod(fname, mode) == -1)
+                return 1;
+        if (chown(fname, uid, gid) == -1)
+                return 1;
+        return 0;
+}
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
+        assert(fname);
+        mode &= 07777;
+#if 0   
+        printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode);
+        if (S_ISLNK(mode))
+                printf("l");
+        else if (S_ISDIR(mode))
+                printf("d");
+        else if (S_ISCHR(mode))
+                printf("c");
+        else if (S_ISBLK(mode))
+                printf("b");
+        else if (S_ISSOCK(mode))
+                printf("s");
+        else
+                printf("-");
+        printf( (mode & S_IRUSR) ? "r" : "-");
+        printf( (mode & S_IWUSR) ? "w" : "-");
+        printf( (mode & S_IXUSR) ? "x" : "-");
+        printf( (mode & S_IRGRP) ? "r" : "-");
+        printf( (mode & S_IWGRP) ? "w" : "-");
+        printf( (mode & S_IXGRP) ? "x" : "-");
+        printf( (mode & S_IROTH) ? "r" : "-");
+        printf( (mode & S_IWOTH) ? "w" : "-");
+        printf( (mode & S_IXOTH) ? "x" : "-");
+        printf("\n");
+#endif  
+        if (mkdir(fname, mode) == -1 ||
+            chmod(fname, mode) == -1 ||
+            chown(fname, uid, gid)) {
+                fprintf(stderr, "Error: failed to create %s directory\n", fname);
+                errExit("mkdir/chmod");
+        }
+        ASSERT_PERMS(fname, uid, gid, mode);
 }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index ef1095a49..9da6d3e30 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -20,11 +20,14 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <unistd.h>
 #include <signal.h>
 #include <stdlib.h>
 #include <dirent.h>
 #include <sys/mount.h>
+#include <sys/wait.h>
+int mask_x11_abstract_socket = 0;
 #ifdef HAVE_X11
 // return 1 if xpra is installed on the system
@@ -49,6 +52,31 @@ static int x11_check_xephyr(void) {
        return 1;
 }
+// check for X11 abstract sockets
+static int x11_abstract_sockets_present(void) {
+        char *path;
+        EUID_ROOT(); // grsecurity fix
+        FILE *fp = fopen("/proc/net/unix", "r");
+        EUID_USER();
+        if (!fp)
+                errExit("fopen");
+        while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) {
+                if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) {
+                        free(path);
+                        fclose(fp);
+                        return 1;
+                }
+        }
+        free(path);
+        fclose(fp);
+        return 0;
+}
 static int random_display_number(void) {
        int i;
        int found = 1;
@@ -109,10 +137,8 @@ void fs_x11(void) {
        int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777);
        if (rv == -1)
                errExit("mkdir");
-        if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0)
+        if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777))
-                errExit("chown");
+                errExit("set_perms");
-        if (chmod(RUN_WHITELIST_X11_DIR, 1777) < 0)
-                errExit("chmod");
        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
@@ -130,13 +156,9 @@ void fs_x11(void) {
                fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
                exit(1);
        }
-        fclose(fp);
        // set file properties
-        if (chown(x11file, s.st_uid, s.st_gid) < 0)
+        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
-                errExit("chown");
+        fclose(fp);
-        if (chmod(x11file, s.st_mode) < 0)
-                errExit("chmod");
        // mount
        char *wx11file;
@@ -164,15 +186,17 @@ void x11_start_xephyr(int argc, char **argv) {
        EUID_ASSERT();
        int i;
        struct stat s;
-        pid_t client = 0;
+        pid_t jail = 0;
        pid_t server = 0;
        
+        setenv("FIREJAIL_X11", "yes", 1);
        // unfortunately, xephyr does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
+        drop_privs(0);
        // check xephyr
        if (x11_check_xephyr() == 0) {
@@ -183,23 +207,78 @@ void x11_start_xephyr(int argc, char **argv) {
        }
        
        int display = random_display_number();
+        char *display_str;
-        // start xephyr
+        if (asprintf(&display_str, ":%d", display) == -1)
-        char *cmd1;
-        if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" -noreset -screen %s :%d", xephyr_screen, display) == -1)
                errExit("asprintf");
-        
-        int len = 50; // DISPLAY...
+        assert(xephyr_screen);
-        for (i = 0; i < argc; i++) {
+        char *server_argv[256] = { "Xephyr", "-ac", "-br", "-noreset", "-screen", xephyr_screen }; // rest initialyzed to NULL
-                len += strlen(argv[i]) + 1; // + ' '
+        unsigned pos = 0;
+        while (server_argv[pos] != NULL) pos++;
+        if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) {
+                server_argv[pos++] = "-title";
+                server_argv[pos++] = "firejail x11 sandbox";
+        }
+        assert(xephyr_extra_params); // should be "" if empty
+        // parse xephyr_extra_params
+        // very basic quoting support
+        char *temp = strdup(xephyr_extra_params);
+        if (*xephyr_extra_params != '\0') {
+                if (!temp)
+                        errExit("strdup");
+                bool dquote = false;
+                bool squote = false;
+                for (i = 0; i < (int) strlen(xephyr_extra_params); i++) {
+                        if (temp[i] == '\"') {
+                                dquote = !dquote;
+                                if (dquote) temp[i] = '\0'; // replace closing quote by \0
+                        }
+                        if (temp[i] == '\'') {
+                                squote = !squote;
+                                if (squote) temp[i] = '\0'; // replace closing quote by \0
+                        }
+                        if (!dquote && !squote && temp[i] == ' ') temp[i] = '\0';
+                        if (dquote && squote) {
+                                fprintf(stderr, "Error: mixed quoting found while parsing xephyr_extra_params\n");
+                                exit(1);
+                        }
+                }
+                if (dquote) {
+                        fprintf(stderr, "Error: unclosed quote found while parsing xephyr_extra_params\n");
+                        exit(1);
+                }
+                for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {
+                        if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) {
+                                fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");
+                                exit(1);
+                        }
+                        if (temp[i] == '\0' && (temp[i+1] == '\"' || temp[i+1] == '\'')) server_argv[pos++] = temp + i + 2;
+                        else if (temp[i] == '\0' && temp[i+1] != '\0') server_argv[pos++] = temp + i + 1;
+                }
        }
        
-        char *cmd2 = malloc(len + 1); // + '\0'
+        server_argv[pos++] = display_str;
-        if (!cmd2)
+        server_argv[pos++] = NULL;
-                errExit("malloc");
+        assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); // no overrun
+        assert(server_argv[pos-1] == NULL); // last element is null
        
-        sprintf(cmd2, "DISPLAY=:%d ", display);
+        if (arg_debug) {
-        char *ptr = cmd2 + strlen(cmd2);
+                size_t i = 0;
+                printf("xephyr server:");
+                while (server_argv[i]!=NULL) {
+                        printf(" \"%s\"", server_argv[i]);
+                        i++;
+                }
+                putchar('\n');
+        }
+        // remove --x11 arg
+        char *jail_argv[argc+2];
+        int j = 0;
        for (i = 0; i < argc; i++) {
                if (strcmp(argv[i], "--x11") == 0)
                        continue;
@@ -207,32 +286,40 @@ void x11_start_xephyr(int argc, char **argv) {
                        continue;
                if (strcmp(argv[i], "--x11=xephyr") == 0)
                        continue;
-                ptr += sprintf(ptr, "%s ", argv[i]);
+                jail_argv[j] = argv[i];
+                j++;
+        }
+        jail_argv[j] = NULL;
+        assert(j < argc+2); // no overrun
+        if (arg_debug) {
+                size_t i = 0;
+                printf("xephyr client:");
+                while (jail_argv[i]!=NULL) {
+                        printf(" \"%s\"", jail_argv[i]);
+                        i++;
+                }
+                putchar('\n');
        }
-        if (arg_debug)
-                printf("xephyr server: %s\n", cmd1);    
-        if (arg_debug)
-                printf("xephyr client: %s\n", cmd2);    
        
-        signal(SIGHUP,SIG_IGN); // fix sleep(1) below
        server = fork();
        if (server < 0)
                errExit("fork");
        if (server == 0) {
                if (arg_debug)
                        printf("Starting xephyr...\n");
-        
-                char *a[4];
+                // running without privileges - see drop_privs call above
-                a[0] = "/bin/bash";
+                assert(getenv("LD_PRELOAD") == NULL);   
-                a[1] = "-c";
+                execvp(server_argv[0], server_argv);
-                a[2] = cmd1;
-                a[3] = NULL;
-        
-                execvp(a[0], a); 
                perror("execvp");
-                exit(1);
+                _exit(1);
        }
+        if (arg_debug)
+                printf("xephyr server pid %d\n", server);
        // check X11 socket
        char *fname;
        if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
@@ -250,7 +337,6 @@ void x11_start_xephyr(int argc, char **argv) {
                exit(1);
        }
        free(fname);
-        sleep(1);
        
        if (arg_debug) {
                printf("X11 sockets: "); fflush(0);
@@ -258,26 +344,40 @@ void x11_start_xephyr(int argc, char **argv) {
                (void) rv;
        }
+        setenv("DISPLAY", display_str, 1);
        // run attach command
-        client = fork();
+        jail = fork();
-        if (client < 0)
+        if (jail < 0)
                errExit("fork");
-        if (client == 0) {
+        if (jail == 0) {
-                printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
+                if (!arg_quiet)
-                char *a[4];
+                        printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
-                a[0] = "/bin/bash";
-                a[1] = "-c";
+                // running without privileges - see drop_privs call above
-                a[2] = cmd2;
+                assert(getenv("LD_PRELOAD") == NULL);   
-                a[3] = NULL;
+                execvp(jail_argv[0], jail_argv);
-        
-                execvp(a[0], a); 
                perror("execvp");
-                exit(1);
+                _exit(1);
        }
-        sleep(1);
-        
+        // cleanup
-        if (!arg_quiet)
+        free(display_str);
-                printf("Xephyr server pid %d, client pid %d\n", server, client);
+        free(temp);
+        // wait for either server or jail termination
+        pid_t pid = wait(NULL);
+        // see which process terminated and kill other
+        if (pid == server) {
+                kill(jail, SIGTERM);
+        } else if (pid == jail) {
+                kill(server, SIGTERM);
+        }
+        // without this closing Xephyr window may mess your terminal:
+        // "monitoring" process will release terminal before
+        // jail process ends and releases terminal
+        wait(NULL); // fulneral
        exit(0);
 }
@@ -289,12 +389,14 @@ void x11_start_xpra(int argc, char **argv) {
        pid_t client = 0;
        pid_t server = 0;
        
+        setenv("FIREJAIL_X11", "yes", 1);
        // unfortunately, xpra does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
+        drop_privs(0);
        // check xpra
        if (x11_check_xpra() == 0) {
@@ -304,56 +406,39 @@ void x11_start_xpra(int argc, char **argv) {
        }
        
        int display = random_display_number();
+        char *display_str;
+        if (asprintf(&display_str, ":%d", display) == -1)
+                errExit("asprintf");
        // build the start command
-        int len = 50; // xpra start...
+        char *server_argv[] = { "xpra", "start", display_str, "--no-daemon",  NULL };
-        for (i = 0; i < argc; i++) {
-                len += strlen(argv[i]) + 1; // + ' '
+        int fd_null = -1;
-        }
+        if (arg_quiet) {
-        
+                fd_null = open("/dev/null", O_RDWR);
-        char *cmd1 = malloc(len + 1); // + '\0'
+                if (fd_null == -1)
-        if (!cmd1)
+                        errExit("open");
-                errExit("malloc");
-        
-        sprintf(cmd1, "xpra start :%d --exit-with-children --start-child=\"", display);
-        char *ptr = cmd1 + strlen(cmd1);
-        for (i = 0; i < argc; i++) {
-                if (strcmp(argv[i], "--x11") == 0)
-                        continue;
-                if (strcmp(argv[i], "--x11=xpra") == 0)
-                        continue;
-                if (strcmp(argv[i], "--x11=xephyr") == 0)
-                        continue;
-                ptr += sprintf(ptr, "%s ", argv[i]);
        }
-        sprintf(ptr, "\"");
-        if (arg_debug)
-                printf("xpra server: %s\n", cmd1);      
-        
-        // build the attach command
-        char *cmd2;
-        if (asprintf(&cmd2, "xpra --title=\"firejail x11 sandbox\" attach :%d", display) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("xpra client: %s\n", cmd2);
-        signal(SIGHUP,SIG_IGN); // fix sleep(1) below
+        // start
        server = fork();
        if (server < 0)
                errExit("fork");
        if (server == 0) {
                if (arg_debug)
                        printf("Starting xpra...\n");
+                if (arg_quiet && fd_null != -1) {
+                        dup2(fd_null,0);
+                        dup2(fd_null,1);
+                        dup2(fd_null,2);
+                }
        
-                char *a[4];
+                // running without privileges - see drop_privs call above
-                a[0] = "/bin/bash";
+                assert(getenv("LD_PRELOAD") == NULL);   
-                a[1] = "-c";
+                execvp(server_argv[0], server_argv);
-                a[2] = cmd1;
-                a[3] = NULL;
-        
-                execvp(a[0], a); 
                perror("execvp");
-                exit(1);
+                _exit(1);
        }
        // check X11 socket
@@ -366,14 +451,13 @@ void x11_start_xpra(int argc, char **argv) {
                sleep(1);
                if (stat(fname, &s) == 0)
                        break;
-        };
+        }
        
        if (n == 10) {
                fprintf(stderr, "Error: failed to start xpra\n");
                exit(1);
        }
        free(fname);
-        sleep(1);
        
        if (arg_debug) {
                printf("X11 sockets: "); fflush(0);
@@ -381,28 +465,118 @@ void x11_start_xpra(int argc, char **argv) {
                (void) rv;
        }
+        // build attach command
+        char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL };
        // run attach command
        client = fork();
        if (client < 0)
                errExit("fork");
        if (client == 0) {
-                printf("\n*** Attaching to xpra display %d ***\n\n", display);
+                if (arg_quiet && fd_null != -1) {
-                char *a[4];
+                        dup2(fd_null,0);
-                a[0] = "/bin/bash";
+                        dup2(fd_null,1);
-                a[1] = "-c";
+                        dup2(fd_null,2);
-                a[2] = cmd2;
+                }
-                a[3] = NULL;
-        
+                if (!arg_quiet)
-                execvp(a[0], a); 
+                        printf("\n*** Attaching to xpra display %d ***\n\n", display);
+                // running without privileges - see drop_privs call above
+                assert(getenv("LD_PRELOAD") == NULL);   
+                execvp(attach_argv[0], attach_argv);
+                perror("execvp");
+                _exit(1);
+        }
+        setenv("DISPLAY", display_str, 1);
+        // build jail command
+        char *firejail_argv[argc+2];
+        int pos = 0;
+        for (i = 0; i < argc; i++) {
+                if (strcmp(argv[i], "--x11") == 0)
+                        continue;
+                if (strcmp(argv[i], "--x11=xpra") == 0)
+                        continue;
+                if (strcmp(argv[i], "--x11=xephyr") == 0)
+                        continue;
+                firejail_argv[pos] = argv[i];
+                pos++;
+        }
+        firejail_argv[pos] = NULL;
+        assert(pos < (argc+2));
+        assert(!firejail_argv[pos]);
+        // start jail
+        pid_t jail = fork();
+        if (jail < 0)
+                errExit("fork");
+        if (jail == 0) {
+                // running without privileges - see drop_privs call above
+                assert(getenv("LD_PRELOAD") == NULL);   
+                if (firejail_argv[0]) // shut up llvm scan-build
+                        execvp(firejail_argv[0], firejail_argv);
                perror("execvp");
                exit(1);
        }
-        sleep(1);
-        
-        if (!arg_quiet)
-                printf("Xpra server pid %d, client pid %d\n", server, client);
-        exit(0);
+        if (!arg_quiet)
+                printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail);
+        sleep(1); // let jail start
+        // wait for jail or server to end
+        while (1) {
+                pid_t pid = wait(NULL);
+                if (pid == jail) {
+                        char *stop_argv[] = { "xpra", "stop", display_str, NULL };
+                        pid_t stop = fork();
+                        if (stop < 0)
+                                errExit("fork");
+                        if (stop == 0) {
+                                if (arg_quiet && fd_null != -1) {
+                                        dup2(fd_null,0);
+                                        dup2(fd_null,1);
+                                        dup2(fd_null,2);
+                                }
+                                // running without privileges - see drop_privs call above
+                                assert(getenv("LD_PRELOAD") == NULL);   
+                                execvp(stop_argv[0], stop_argv);
+                                perror("execvp");
+                                _exit(1);
+                        }
+                        // wait for xpra server to stop, 10 seconds limit
+                        while (++n < 10) {
+                                sleep(1);
+                                pid = waitpid(server, NULL, WNOHANG);
+                                if (pid == server)
+                                        break;
+                        }
+                        if (arg_debug) {
+                                if (n == 10)
+                                        printf("failed to stop xpra server gratefully\n");
+                                else
+                                        printf("xpra server successfully stopped in %d secs\n", n);
+                        }
+                        
+                        // kill xpra server and xpra client
+                        kill(client, SIGTERM);
+                        kill(server, SIGTERM);
+                        exit(0);
+                }
+                else if (pid == server) {
+                        // kill firejail process
+                        kill(jail, SIGTERM);
+                        // kill xpra client (should die with server, but...)
+                        kill(client, SIGTERM);
+                        exit(0);
+                }
+        }
 }
 void x11_start(int argc, char **argv) {
@@ -410,7 +584,7 @@ void x11_start(int argc, char **argv) {
        // unfortunately, xpra does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
@@ -428,3 +602,128 @@ void x11_start(int argc, char **argv) {
 }
 #endif
+void x11_block(void) {
+#ifdef HAVE_X11
+        mask_x11_abstract_socket = 1;
+        // check abstract socket presence and network namespace options
+        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+                && x11_abstract_sockets_present()) {
+                fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
+                                                "Additional setup required. To block abstract X11 socket you can either:\n"
+                                                " * use network namespace in firejail (--net=none, --net=...)\n"
+                                                " * add \"-nolisten local\" to xserver options\n"
+                                                "   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
+                exit(1);
+        }
+        // blacklist sockets
+        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
+        profile_add(strdup("blacklist /tmp/.X11-unix"));
+        // blacklist .Xauthority
+        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
+        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+        char *xauthority = getenv("XAUTHORITY");
+        if (xauthority) {
+                char *line;
+                if (asprintf(&line, "blacklist %s", xauthority) == -1)
+                        errExit("asprintf");
+                profile_check_line(line, 0, NULL);
+                profile_add(line);
+        }
+        // clear environment
+        env_store("DISPLAY", RMENV);
+        env_store("XAUTHORITY", RMENV);
+#endif
+}
+void x11_xorg(void) {
+#ifdef HAVE_X11
+        // destination - create an empty ~/.Xauthotrity file if it doesn't exist already, and use it as a mount point
+        char *dest;
+        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(dest, &s) == -1) {
+                // create an .Xauthority file
+                FILE *fp = fopen(dest, "w");
+                if (!fp)
+                        errExit("fopen");
+                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+                fclose(fp);
+        }
+        // check xauth utility is present in the system
+        if (stat("/usr/bin/xauth", &s) == -1) {
+                fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n");
+                exit(1);
+        }
+        // create a temporary .Xauthority file
+        char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
+        int fd = mkstemp(tmpfname);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot create .Xauthority file\n");
+                exit(1);
+        }
+        close(fd);
+        if (chown(tmpfname, getuid(), getgid()) == -1)
+                errExit("chown");
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // generate the new .Xauthority file using xauth utility
+                if (arg_debug)
+                        printf("Generating a new .Xauthority file\n");
+                drop_privs(1);
+                char *display = getenv("DISPLAY");
+                if (!display)
+                        display = ":0.0";
+                
+                clearenv();
+                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
+                
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+        // check the file was created and set mode and ownership
+        if (stat(tmpfname, &s) == -1) {
+                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+                exit(1);
+        }
+        if (set_perms(tmpfname, getuid(), getgid(), 0600))
+                errExit("set_perms");
+        
+        // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
+        // automatically when the sandbox is closed
+        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
+                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
+                exit(1);
+        }
+        if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600))
+                errExit("set_perms");
+        unlink(tmpfname);
+        
+        // mount
+        if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) {
+                fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
+                exit(1);
+        }
+        if (set_perms(dest, getuid(), getgid(), 0600))
+                errExit("set_perms");
+        free(dest);
+#endif  
+}
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index 21888d354..efc48b212 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -4,21 +4,26 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 firemon: $(OBJS) ../lib/common.o ../lib/pid.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o firemon
+clean:; rm -f *.o firemon *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index 7cb8ff4c3..014f6a904 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -72,17 +72,15 @@ static void print_arp(const char *fname) {
 }
-void arp(pid_t pid) {
+void arp(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1) {
                                char *fname;
@@ -90,10 +88,10 @@ void arp(pid_t pid) {
                                        errExit("asprintf");
                                print_arp(fname);
                                free(fname);
-                                printf("\n");
                        }
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index 5cd9b5d0d..81877ab87 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -48,17 +48,15 @@ static void print_caps(int pid) {
        free(file);
 }
                        
-void caps(pid_t pid) {
+void caps(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);  // include all processes
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_caps(child);
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 0b93390ae..e20e1d449 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -44,21 +44,20 @@ static void print_cgroup(int pid) {
        free(file);
 }
                        
-void cgroup(pid_t pid) {
+void cgroup(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_cgroup(child);
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 06658f58c..47c935686 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -48,21 +48,20 @@ static void print_cpu(int pid) {
        free(file);
 }
                        
-void cpu(pid_t pid) {
+void cpu(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_cpu(child);
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 3140c5f70..b63e37444 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -25,7 +25,6 @@
 #include <grp.h>
 #include <sys/stat.h>
 
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
@@ -35,6 +34,9 @@ static int arg_caps = 0;
 static int arg_cpu = 0;
 static int arg_cgroup = 0;
 static int arg_x11 = 0;
+static int arg_top = 0;
+static int arg_list = 0;
+static int arg_netstats = 0;
 int arg_nowrap = 0;
 static struct termios tlocal;   // startup terminal setting
@@ -62,17 +64,6 @@ int find_child(int id) {
        return -1;
 }
-// drop privileges
-void firemon_drop_privs(void) {
-        // drop privileges
-        if (setgroups(0, NULL) < 0)
-                errExit("setgroups");
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
-}
 // sleep and wait for a key to be pressed
 void firemon_sleep(int st) {
        if (terminal_set == 0) {
@@ -129,53 +120,44 @@ int main(int argc, char **argv) {
                }
                
                // options without a pid argument
-                else if (strcmp(argv[i], "--top") == 0) {
+                else if (strcmp(argv[i], "--top") == 0)
-                        top(); // never to return
+                        arg_top = 1;
-                }
+                else if (strcmp(argv[i], "--list") == 0)
-                else if (strcmp(argv[i], "--list") == 0) {
+                        arg_list = 1;
-                        list();
+                else if (strcmp(argv[i], "--tree") == 0)
-                        return 0;
+                        arg_tree = 1;
-                }
                else if (strcmp(argv[i], "--netstats") == 0) {
                        struct stat s;
                        if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
                                fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n");
                                exit(1);
                        }       
+                        arg_netstats = 1;
-                        netstats();
-                        return 0;
                }
                // cumulative options with or without a pid argument
-                else if (strcmp(argv[i], "--x11") == 0) {
+                else if (strcmp(argv[i], "--x11") == 0)
                        arg_x11 = 1;
-                }
+                else if (strcmp(argv[i], "--cgroup") == 0)
-                else if (strcmp(argv[i], "--cgroup") == 0) {
                        arg_cgroup = 1;
-                }
+                else if (strcmp(argv[i], "--cpu") == 0)
-                else if (strcmp(argv[i], "--cpu") == 0) {
                        arg_cpu = 1;
-                }
+                else if (strcmp(argv[i], "--seccomp") == 0)
-                else if (strcmp(argv[i], "--seccomp") == 0) {
                        arg_seccomp = 1;
-                }
+                else if (strcmp(argv[i], "--caps") == 0)
-                else if (strcmp(argv[i], "--caps") == 0) {
                        arg_caps = 1;
-                }
-                else if (strcmp(argv[i], "--tree") == 0) {
-                        arg_tree = 1;
-                }
                else if (strcmp(argv[i], "--interface") == 0) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: you need to be root to run this command\n");
+                                exit(1);
+                        }
                        arg_interface = 1;
                }
-                else if (strcmp(argv[i], "--route") == 0) {
+                else if (strcmp(argv[i], "--route") == 0)
                        arg_route = 1;
-                }
+                else if (strcmp(argv[i], "--arp") == 0)
-                else if (strcmp(argv[i], "--arp") == 0) {
                        arg_arp = 1;
-                }
                else if (strncmp(argv[i], "--name=", 7) == 0) {
                        char *name = argv[i] + 7;
@@ -212,27 +194,66 @@ int main(int argc, char **argv) {
                }
        }
-        if (arg_tree)
+        // allow only root user if /proc is mounted hidepid
+        if (pid_hidepid() && getuid() != 0) {
+                fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n");
+                exit(1);
+        }
+        
+        if (arg_top) {
+                top(); 
+                return 0;
+        }
+        if (arg_list) {
+                list();
+                return 0;
+        }
+        if (arg_netstats) {
+                netstats();
+                return 0;               
+        }
+        
+        // cumulative options
+        int print_procs = 1;
+        if (arg_tree) {
                tree((pid_t) pid);
-        if (arg_interface)
+                print_procs = 0;
-                interface((pid_t) pid);
+        }
-        if (arg_route)
+        if (arg_cpu) {
-                route((pid_t) pid);
+                cpu((pid_t) pid, print_procs);
-        if (arg_arp)
+                print_procs = 0;
-                arp((pid_t) pid);
+        }
-        if (arg_seccomp)
+        if (arg_seccomp) {
-                seccomp((pid_t) pid);
+                seccomp((pid_t) pid, print_procs);
-        if (arg_caps)
+                print_procs = 0;
-                caps((pid_t) pid);
+        }
-        if (arg_cpu)
+        if (arg_caps) {
-                cpu((pid_t) pid);
+                caps((pid_t) pid, print_procs);
-        if (arg_cgroup)
+                print_procs = 0;
-                cgroup((pid_t) pid);
+        }
-        if (arg_x11)
+        if (arg_cgroup) {
-                x11((pid_t) pid);
+                cgroup((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_x11) {
+                x11((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_interface) {
+                interface((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_route) {
+                route((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
+        if (arg_arp) {
+                arp((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
        
-        if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp && !arg_x11)
+        if (print_procs)
-                procevent((pid_t) pid); // never to return
+                procevent((pid_t) pid);
                
        return 0;
 }
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 522ece077..c78023888 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -38,7 +38,6 @@ static inline void firemon_clrscr(void) {
 // firemon.c
 extern int arg_nowrap;
 int find_child(int id);
-void firemon_drop_privs(void);
 void firemon_sleep(int st);
@@ -55,25 +54,25 @@ void top(void);
 void list(void);
 // interface.c
-void interface(pid_t pid);
+void interface(pid_t pid, int print_procs);
 // arp.c
-void arp(pid_t pid);
+void arp(pid_t pid, int print_procs);
 // route.c
-void route(pid_t pid);
+void route(pid_t pid, int print_procs);
 // caps.c
-void caps(pid_t pid);
+void caps(pid_t pid, int print_procs);
 // seccomp.c
-void seccomp(pid_t pid);
+void seccomp(pid_t pid, int print_procs);
 // cpu.c
-void cpu(pid_t pid);
+void cpu(pid_t pid, int print_procs);
 // cgroup.c
-void cgroup(pid_t pid);
+void cgroup(pid_t pid, int print_procs);
 // tree.c
 void tree(pid_t pid);
@@ -82,6 +81,6 @@ void tree(pid_t pid);
 void netstats(void);
 // x11.c
-void x11(pid_t pid);
+void x11(pid_t pid, int print_procs);
 #endif
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index 5a89e1491..def9cd5ac 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -145,32 +145,31 @@ static void print_sandbox(pid_t pid) {
                if (rv)
                        return;
                net_ifprint();
-                printf("\n");
+#ifdef HAVE_GCOV
-                exit(0);
+                __gcov_flush();
+#endif
+                _exit(0);
        }
        
        // wait for the child to finish
        waitpid(child, NULL, 0);
 }
-void interface(pid_t pid) {
+void interface(pid_t pid, int print_procs) {
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to run this command\n");
-                exit(1);
-        }
-        
        pid_read(pid); // a pid of 0 will include all processes
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1) {
                                print_sandbox(child);
                        }
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/list.c b/src/firemon/list.c
index 901627c2a..acff13a28 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 void list(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(0);    // include all processes
        
        // print processes
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 89e4202bd..3c020d630 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -26,6 +26,10 @@
 #define MAXBUF 4096
+// ip -s link: device stats
+// ss -s: socket stats
 static char *get_header(void) {
        char *rv;
        if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
@@ -166,9 +170,6 @@ static void print_proc(int index, int itv, int col) {
 }
 void netstats(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(0);    // include all processes
        
        printf("Displaying network statistics only for sandboxes using a new network namespace.\n");
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index e2dd5aaa2..1940f4a34 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -28,6 +28,8 @@
 #include <arpa/inet.h>
 #include <time.h>
 #include <fcntl.h>
+#include <sys/uio.h>
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
@@ -89,7 +91,8 @@ static int pid_is_firejail(pid_t pid) {
        
                // list of firejail arguments that don't trigger sandbox creation
                // the initial -- is not included 
-                char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
+                char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols "
+                        "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get overlay-clean ";
                
                int i;
                char *start;
@@ -189,6 +192,10 @@ static int procevent_monitor(const int sock, pid_t mypid) {
        tv.tv_usec = 0;
        while (1) {
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
 #define BUFFSIZE 4096 
                char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
                
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 398965671..fb58b169d 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -181,17 +181,15 @@ static void print_route(const char *fname) {
 }
-void route(pid_t pid) {
+void route(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1) {
                                char *fname;
@@ -204,10 +202,10 @@ void route(pid_t pid) {
                                        errExit("asprintf");
                                print_route(fname);
                                free(fname);
-                                printf("\n");
                        }
                }
        }
+        printf("\n");
 }
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index 71771c72d..abc698bb8 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -48,17 +48,15 @@ static void print_seccomp(int pid) {
        free(file);
 }
                        
-void seccomp(pid_t pid) {
+void seccomp(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);  // include all processes
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        int child = find_child(i);
                        if (child != -1)
                                print_seccomp(child);
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a6da6f64e..b804761dd 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -232,9 +232,6 @@ void head_print(int col, int row) {
 }
 void top(void) {
-        if (getuid() == 0)
-                firemon_drop_privs();
        while (1) {
                // clear linked list
                head_clear();
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index b05eb92f9..6d8b37ecb 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -20,10 +20,7 @@
 #include "firemon.h"
 void tree(pid_t pid) {
-        if (getuid() == 0)
+        pid_read(pid);
-                firemon_drop_privs();
-        
-        pid_read(pid);  // include all processes
        
        // print processes
        int i;
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index e30c2d78b..b0efb090a 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -22,17 +22,15 @@
 #include <sys/stat.h>
 #include <unistd.h>
                        
-void x11(pid_t pid) {
+void x11(pid_t pid, int print_procs) {
-        if (getuid() == 0)
-                firemon_drop_privs();
-        
        pid_read(pid);
        
        // print processes
        int i;
        for (i = 0; i < max_pids; i++) {
                if (pids[i].level == 1) {
-                        pid_print_list(i, 0);
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, 0);
                        
                        char *x11file;
                        // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
@@ -49,12 +47,13 @@ void x11(pid_t pid) {
                                int display;
                                int rv = fscanf(fp, "%d", &display);
                                if (rv == 1)
-                                        printf("   DISPLAY :%d\n", display);
+                                        printf("  DISPLAY :%d\n", display);
                                fclose(fp);
                        }
                        free(x11file);
                }
        }
+        printf("\n");
 }
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
new file mode 100644
index 000000000..32f08882a
--- /dev/null
+++ b/src/fnet/Makefile.in
@@ -0,0 +1,45 @@
+all: fnet
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+fnet: $(OBJS) ../lib/libnetlink.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -f *.o fnet *.gcov *.gcda *.gcno
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fnet/arp.c b/src/fnet/arp.c
new file mode 100644
index 000000000..96684fdf9
--- /dev/null
+++ b/src/fnet/arp.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnet.h"
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <linux/if_ether.h>                       //TCP/IP Protocol Suite for Linux
+#include <net/if.h>
+#include <netinet/in.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+#include <linux/tcp.h>
+#include <linux/if_packet.h>
+typedef struct arp_hdr_t {
+        uint16_t htype;
+        uint16_t ptype;
+        uint8_t hlen;
+        uint8_t plen;
+        uint16_t opcode;
+        uint8_t sender_mac[6];
+        uint8_t sender_ip[4];
+        uint8_t target_mac[6];
+        uint8_t target_ip[4];
+} ArpHdr;
+// scan interface (--scan option)
+void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
+        assert(dev);
+        assert(ifip);
+//      printf("Scanning interface %s (%d.%d.%d.%d/%d)\n",
+//              dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask));
+                        
+        if (strlen(dev) > IFNAMSIZ) {
+                fprintf(stderr, "Error: invalid network device name %s\n", dev);
+                exit(1);
+        }
+        
+        // find interface mac address
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+                errExit("socket");
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof (ifr));
+        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+        if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
+                errExit("ioctl");
+        close(sock);
+        uint8_t mac[6];
+        memcpy (mac, ifr.ifr_hwaddr.sa_data, 6);
+        // open layer2 socket
+        if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
+                errExit("socket");
+        
+        // try all possible ip addresses in ascending order
+        uint32_t range = ~ifmask + 1; // the number of potential addresses
+        // this software is not supported for /31 networks
+        if (range < 4) {
+                fprintf(stderr, "Warning: this option is not supported for /31 networks\n");
+                close(sock);
+                return;
+        }
+        uint32_t dest = (ifip & ifmask) + 1;
+        uint32_t last = dest + range - 1;
+        uint32_t src = htonl(ifip);
+        // wait not more than one second for an answer
+        int header_printed = 0;
+        uint32_t last_ip = 0;
+        struct timeval ts;
+        ts.tv_sec = 2; // 2 seconds receive timeout
+        ts.tv_usec = 0;
+        
+        while (1) {
+                fd_set rfds;
+                FD_ZERO(&rfds);
+                FD_SET(sock, &rfds);
+                fd_set wfds;
+                FD_ZERO(&wfds);
+                FD_SET(sock, &wfds);
+                int maxfd = sock;
+                uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
+                memset(frame, 0, ETH_FRAME_LEN);        
+                int nready;
+                if (dest < last)
+                        nready = select(maxfd + 1,  &rfds, &wfds, (fd_set *) 0, NULL);
+                else            
+                        nready = select(maxfd + 1,  &rfds,  (fd_set *) 0, (fd_set *) 0, &ts);
+                
+                if (nready < 0)
+                        errExit("select");
+                        
+                if (nready == 0) { // timeout
+                        break;
+                }
+                
+                if (FD_ISSET(sock, &wfds) && dest < last) {
+                        // configure layer2 socket address information
+                        struct sockaddr_ll addr;
+                        memset(&addr, 0, sizeof(addr));
+                        if ((addr.sll_ifindex = if_nametoindex(dev)) == 0)
+                                errExit("if_nametoindex");
+                        addr.sll_family = AF_PACKET;
+                        memcpy (addr.sll_addr, mac, 6);
+                        addr.sll_halen = htons(6);
+                
+                        // build the arp packet header
+                        ArpHdr hdr;
+                        memset(&hdr, 0, sizeof(hdr));
+                        hdr.htype = htons(1);
+                        hdr.ptype = htons(ETH_P_IP);
+                        hdr.hlen = 6;
+                        hdr.plen = 4;
+                        hdr.opcode = htons(1); //ARPOP_REQUEST
+                        memcpy(hdr.sender_mac, mac, 6);
+                        memcpy(hdr.sender_ip, (uint8_t *)&src, 4);
+                        uint32_t dst = htonl(dest);
+                        memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
+                
+                        // build ethernet frame
+                        uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
+                        memset(frame, 0, sizeof(frame));
+                        frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
+                        memcpy(frame + 6, mac, 6);
+                        frame[12] = ETH_P_ARP / 256;
+                        frame[13] = ETH_P_ARP % 256;
+                        memcpy (frame + 14, &hdr, sizeof(hdr));
+                
+                        // send packet
+                        int len;
+                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+                                errExit("send");
+//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));                
+                        fflush(0);
+                        dest++;
+                }
+                
+                if (FD_ISSET(sock, &rfds)) {
+                        // read the incoming packet
+                        int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL);
+                        if (len < 0) {
+                                perror("recvfrom");
+                        }
+                        // parse the incoming packet
+                        if ((unsigned int) len < 14 + sizeof(ArpHdr))
+                                continue;
+                        // look only at ARP packets
+                        if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256))
+                                continue;
+                        ArpHdr hdr;
+                        memcpy(&hdr, frame + 14, sizeof(ArpHdr));
+                        if (hdr.opcode == htons(2)) {
+                                // check my mac and my address
+                                if (memcmp(mac, hdr.target_mac, 6) != 0)
+                                        continue;
+                                uint32_t ip;
+                                memcpy(&ip, hdr.target_ip, 4);
+                                if (ip != src)
+                                        continue;
+                                memcpy(&ip, hdr.sender_ip, 4);
+                                ip = ntohl(ip);
+                                
+                                if (ip == last_ip) // filter duplicates
+                                        continue;
+                                last_ip = ip;
+                                        
+                                // printing
+                                if (header_printed == 0) {
+                                        printf("   Network scan:\n");
+                                        header_printed = 1;
+                                }
+                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
+                                        PRINT_MAC(hdr.sender_mac), PRINT_IP(ip));                                                                       
+                        }
+                }
+        }
+        
+        close(sock);
+}
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
new file mode 100644
index 000000000..0c5e5baef
--- /dev/null
+++ b/src/fnet/fnet.h
@@ -0,0 +1,49 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNET_H
+#define FNET_H
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "../include/common.h"
+// veth.c
+int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
+int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_move_interface(const char *dev, unsigned pid);
+// interface.c
+void net_bridge_add_interface(const char *bridge, const char *dev);
+void net_if_up(const char *ifname);
+int net_get_mtu(const char *ifname);
+void net_set_mtu(const char *ifname, int mtu);
+void net_ifprint(int scan);
+int net_get_mac(const char *ifname, unsigned char mac[6]);
+void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
+int net_if_mac(const char *ifname, const unsigned char mac[6]);
+void net_if_ip6(const char *ifname, const char *addr6);
+// arp.c
+void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask);
+#endif
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
new file mode 100644
index 000000000..3958efddd
--- /dev/null
+++ b/src/fnet/interface.c
@@ -0,0 +1,370 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnet.h"
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netdb.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <linux/if_bridge.h>
+static void check_if_name(const char *ifname) {
+        if (strlen(ifname) > IFNAMSIZ) {
+                fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
+                exit(1);
+        }
+}
+// add a veth device to a bridge
+void net_bridge_add_interface(const char *bridge, const char *dev) {
+        check_if_name(bridge);
+        check_if_name(dev);
+        
+        // somehow adding the interface to the bridge resets MTU on bridge device!!!
+        // workaround: restore MTU on the bridge device
+        // todo: put a real fix in
+        int mtu1 = net_get_mtu(bridge);
+        struct ifreq ifr;
+        int err;
+        int ifindex = if_nametoindex(dev);
+        if (ifindex <= 0)
+                errExit("if_nametoindex");
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+#ifdef SIOCBRADDIF
+        ifr.ifr_ifindex = ifindex;
+        err = ioctl(sock, SIOCBRADDIF, &ifr);
+        if (err < 0)
+#endif
+        {
+                unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 };
+                ifr.ifr_data = (char *) args;
+                err = ioctl(sock, SIOCDEVPRIVATE, &ifr);
+        }
+        (void) err;
+        close(sock);
+        int mtu2 = net_get_mtu(bridge);
+        if (mtu1 != mtu2)
+                net_set_mtu(bridge, mtu1);
+}
+// bring interface up
+void net_if_up(const char *ifname) {
+        check_if_name(ifname);
+        
+        int sock = socket(AF_INET,SOCK_DGRAM,0);
+        if (sock < 0)
+                errExit("socket");
+        // get the existing interface flags
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+        // read the existing flags
+        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
+                errExit("ioctl");
+        ifr.ifr_flags |= IFF_UP;
+        // set the new flags
+        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0)
+                errExit("ioctl");
+        // checking
+        // read the existing flags
+        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
+                errExit("ioctl");
+        // wait not more than 500ms for the interface to come up
+        int cnt = 0;
+        while (cnt < 50) {
+                usleep(10000);                    // sleep 10ms
+                // read the existing flags
+                if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
+                        errExit("ioctl");
+                if (ifr.ifr_flags & IFF_RUNNING)
+                        break;
+                cnt++;
+        }
+        close(sock);
+}
+int net_get_mtu(const char *ifname) {
+        check_if_name(ifname);
+        int mtu = 0;
+        int s;
+        struct ifreq ifr;
+        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        ifr.ifr_addr.sa_family = AF_INET;
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
+                mtu = ifr.ifr_mtu;
+        close(s);
+        
+        
+        return mtu;
+}
+void net_set_mtu(const char *ifname, int mtu) {
+        check_if_name(ifname);
+        int s;
+        struct ifreq ifr;
+        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        ifr.ifr_addr.sa_family = AF_INET;
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_mtu = mtu;
+        if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
+                fprintf(stderr, "Warning fnet: cannot set mtu for interface %s\n", ifname);
+        close(s);
+}
+// scan interfaces in current namespace and print IP address/mask for each interface
+void net_ifprint(int scan) {
+        uint32_t ip;
+        uint32_t mask;
+        struct ifaddrs *ifaddr, *ifa;
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
+                "Interface", "MAC", "IP", "Mask", "Status");
+        // walk through the linked list
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (ifa->ifa_addr == NULL)
+                        continue;
+                if (ifa->ifa_addr->sa_family == AF_INET) {
+                        struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
+                        mask = ntohl(si->sin_addr.s_addr);
+                        si = (struct sockaddr_in *) ifa->ifa_addr;
+                        ip = ntohl(si->sin_addr.s_addr);
+                        // interface status
+                        char *status;
+                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
+                                status = "UP";
+                        else
+                                status = "DOWN";
+                        // ip address and mask
+                        char ipstr[30];
+                        sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip));
+                        char maskstr[30];
+                        sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask));
+                        
+                        // mac address
+                        unsigned char mac[6];
+                        net_get_mac(ifa->ifa_name, mac);
+                        char macstr[30];
+                        if (strcmp(ifa->ifa_name, "lo") == 0)
+                                macstr[0] = '\0';
+                        else
+                                sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac));
+                        // print                                
+                        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
+                                ifa->ifa_name, macstr, ipstr, maskstr, status);
+                        // network scanning
+                        if (!scan)                              // scanning disabled
+                                continue;
+                        if (strcmp(ifa->ifa_name, "lo") == 0)   // no loopbabck scanning
+                                continue;
+                        if (mask2bits(mask) < 16)               // not scanning large networks
+                                continue;
+                        if (!ip)                                        // if not configured
+                                continue;
+                        // only if the interface is up and running
+                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
+                                arp_scan(ifa->ifa_name, ip, mask);
+                }
+        }
+        freeifaddrs(ifaddr);
+}
+int net_get_mac(const char *ifname, unsigned char mac[6]) {
+        check_if_name(ifname);
+        struct ifreq ifr;
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
+        
+        if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)
+                errExit("ioctl");
+        memcpy(mac, ifr.ifr_hwaddr.sa_data, 6);
+        close(sock);
+        return 0;
+}
+// configure interface ipv4 address
+void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
+        check_if_name(ifname);
+        int sock = socket(AF_INET,SOCK_DGRAM,0);
+        if (sock < 0)
+                errExit("socket");
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+        ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
+        if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) 
+                errExit("ioctl");
+        if (ip != 0) {
+                ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr =  htonl(mask);
+                if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0)
+                        errExit("ioctl");
+        }
+        
+        // configure mtu
+        if (mtu > 0) {
+                ifr.ifr_mtu = mtu;
+                if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0)
+                        errExit("ioctl");
+        }
+        close(sock);
+        usleep(10000);                            // sleep 10ms
+        return;
+}
+int net_if_mac(const char *ifname, const unsigned char mac[6]) {
+        check_if_name(ifname);
+        struct ifreq ifr;
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("socket");
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
+        memcpy(ifr.ifr_hwaddr.sa_data, mac, 6);
+        
+        if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1)
+                errExit("ioctl");
+        close(sock);
+        return 0;
+}
+// configure interface ipv6 address
+// ex: firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64
+struct ifreq6 {
+        struct in6_addr ifr6_addr;
+        uint32_t ifr6_prefixlen;
+        unsigned int ifr6_ifindex;
+};
+void net_if_ip6(const char *ifname, const char *addr6) {
+        check_if_name(ifname);
+        if (strchr(addr6, ':') == NULL) {
+                fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6);
+                exit(1);
+        }
+        
+        // extract prefix
+        unsigned long prefix;
+        char *ptr;
+        if ((ptr = strchr(addr6, '/'))) {
+                prefix = atol(ptr + 1);
+                if (prefix > 128) {
+                        fprintf(stderr, "Error fnet: invalid prefix for IPv6 address %s\n", addr6);
+                        exit(1);
+                }
+                *ptr = '\0';    // mark the end of the address
+        }
+        else
+                prefix = 128;
+        // extract address
+        struct sockaddr_in6 sin6;
+        memset(&sin6, 0, sizeof(sin6));
+        sin6.sin6_family = AF_INET6;
+        int rv = inet_pton(AF_INET6, addr6, sin6.sin6_addr.s6_addr);
+        if (rv <= 0) {
+                fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6);
+                exit(1);
+        }
+        // open socket
+        int sock = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
+        if (sock < 0) {
+                fprintf(stderr, "Error fnet: IPv6 is not supported on this system\n");
+                exit(1);
+        }
+        // find interface index
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+        if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) {
+                perror("ioctl SIOGIFINDEX");
+                exit(1);
+        }
+        // configure address
+        struct ifreq6 ifr6;
+        memset(&ifr6, 0, sizeof(ifr6));
+        ifr6.ifr6_prefixlen = prefix;
+        ifr6.ifr6_ifindex = ifr.ifr_ifindex;
+        memcpy((char *) &ifr6.ifr6_addr, (char *) &sin6.sin6_addr, sizeof(struct in6_addr));
+        if (ioctl(sock, SIOCSIFADDR, &ifr6) < 0) {
+                perror("ioctl SIOCSIFADDR");
+                exit(1);
+        }
+        
+        close(sock);
+}
diff --git a/src/fnet/main.c b/src/fnet/main.c
new file mode 100644
index 000000000..4ae9eb6e3
--- /dev/null
+++ b/src/fnet/main.c
@@ -0,0 +1,103 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnet.h"
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfnet create veth dev1 dev2 bridge child\n");
+        printf("\tfnet create macvlan dev parent child\n");
+        printf("\tfnet moveif dev proc\n");
+        printf("\tfnet printif\n");
+        printf("\tfnet printif scan\n");
+        printf("\tfnet config interface dev ip mask mtu\n");
+        printf("\tfnet config mac addr\n");
+        printf("\tfnet config ipv6 dev ipn");
+        printf("\tfmet ifup dev\n");
+}
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}       
+#endif
+        if (argc < 2)
+                return 1;
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+        else if (argc == 3 && strcmp(argv[1], "ifup") == 0) {
+                net_if_up(argv[2]);
+        }
+        else if (argc == 2 && strcmp(argv[1], "printif") == 0) {
+                net_ifprint(0);
+        }
+        else if (argc == 3 && strcmp(argv[1], "printif") == 0 && strcmp(argv[2], "scan") == 0) {
+                net_ifprint(1);
+        }
+        else if (argc == 7 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "veth") == 0) {
+                // create veth pair and move one end in the the namespace
+                net_create_veth(argv[3], argv[4], atoi(argv[6]));
+                // connect the ohter veth end to the bridge ...
+                net_bridge_add_interface(argv[5], argv[3]);
+                // ... and bring it  up
+                net_if_up(argv[3]);
+        }
+        else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
+                net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+        }
+        else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {
+                char *dev = argv[3];
+                uint32_t ip = (uint32_t)  atoll(argv[4]);
+                uint32_t mask = (uint32_t)  atoll(argv[5]);
+                int mtu = atoi(argv[6]);
+                // configure interface
+                net_if_ip(dev, ip, mask, mtu);
+                // ... and bring it  up
+                net_if_up(dev);
+        }
+        else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "mac") == 0) {
+                unsigned char mac[6];
+                if (atomac(argv[4], mac)) {
+                        fprintf(stderr, "Error fnet: invalid mac address %s\n", argv[4]);
+                }
+                net_if_mac(argv[3], mac);
+        }
+        else if (argc == 4 && strcmp(argv[1], "moveif") == 0) {
+                net_move_interface(argv[2], atoi(argv[3]));
+        }
+        else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "ipv6") == 0) {
+                net_if_ip6(argv[3], argv[4]);
+        }
+        else {
+                fprintf(stderr, "Error fnet: invalid arguments\n");
+                return 1;
+        }
+        return 0;
+}
diff --git a/src/firejail/veth.c b/src/fnet/veth.c
index df3c1d1f9..546fafcec 100644
--- a/src/firejail/veth.c
+++ b/src/fnet/veth.c
@@ -45,7 +45,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "firejail.h"
+#include "fnet.h"
 #include "../include/libnetlink.h"
 #include <linux/veth.h>
 #include <net/if.h>
@@ -63,8 +63,6 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
        int len;
        struct iplink_req req;
-        if (arg_debug)
-                printf("create veth %s/%s/%u\n", dev, nsdev, pid);
        assert(dev);
        assert(nsdev);
        assert(pid);
@@ -113,6 +111,8 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
                exit(2);
+        rtnl_close(&rth);
+        
        return 0;
 }
@@ -120,8 +120,6 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
 int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        int len;
        struct iplink_req req;
-        if (arg_debug)
-                printf("create macvlan %s, parent %s\n", dev, parent);
        assert(dev);
        assert(parent);
@@ -177,6 +175,8 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
                exit(2);
+        rtnl_close(&rth);
+        
        return 0;
 }
@@ -184,8 +184,6 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
 // when the interface is moved, netlink does not preserve interface configuration
 int net_move_interface(const char *dev, unsigned pid) {
        struct iplink_req req;
-        if (arg_debug)
-                printf("move device %s inside the namespace\n", dev);
        assert(dev);
        if (rtnl_open(&rth, 0) < 0) {
@@ -215,6 +213,8 @@ int net_move_interface(const char *dev, unsigned pid) {
        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
                exit(2);
+        rtnl_close(&rth);
+        
        return 0;
 }
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
new file mode 100644
index 000000000..04c46f128
--- /dev/null
+++ b/src/fseccomp/Makefile.in
@@ -0,0 +1,45 @@
+all: fseccomp
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+fseccomp: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno
+distclean: clean
+        rm -fr Makefile
diff --git a/src/firejail/errno.c b/src/fseccomp/errno.c
index c493dfa09..dbee916d4 100644
--- a/src/firejail/errno.c
+++ b/src/fseccomp/errno.c
@@ -17,9 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include "fseccomp.h"
-#ifdef HAVE_SECCOMP
-#include "firejail.h"
 #include <errno.h>
 //#include <attr/xattr.h>
@@ -171,20 +170,7 @@ static ErrnoEntry errnolist[] = {
 #endif  
 };
-int errno_highest_nr(void) {
-        int i, max = 0;
-        int elems = sizeof(errnolist) / sizeof(errnolist[0]);
-        for (i = 0; i < elems; i++) {
-                if (errnolist[i].nr > max)
-                        max = errnolist[i].nr;
-        }
-        return max;
-}
 int errno_find_name(const char *name) {
-        EUID_ASSERT();
-        
        int i;
        int elems = sizeof(errnolist) / sizeof(errnolist[0]);
        for (i = 0; i < elems; i++) {
@@ -206,9 +192,9 @@ char *errno_find_nr(int nr) {
        return "unknown";
 }
 void errno_print(void) {
-        EUID_ASSERT();
-        
        int i;
        int elems = sizeof(errnolist) / sizeof(errnolist[0]);
        for (i = 0; i < elems; i++) {
@@ -216,5 +202,3 @@ void errno_print(void) {
        }
        printf("\n");
 }
-#endif // HAVE_SECCOMP
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
new file mode 100644
index 000000000..504f1c23f
--- /dev/null
+++ b/src/fseccomp/fseccomp.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FSECCOMP_H
+#define FSECCOMP_H
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "../include/common.h"
+// syscall.c
+void syscall_print(void);
+int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg);
+int syscall_find_name(const char *name);
+char *syscall_find_nr(int nr);
+// errno.c
+void errno_print(void);
+int errno_find_name(const char *name);
+char *errno_find_nr(int nr);
+// protocol.c
+void protocol_print(void);
+void protocol_build_filter(const char *prlist, const char *fname);
+// seccomp_secondary.c
+void seccomp_secondary_64(const char *fname);
+void seccomp_secondary_32(const char *fname);
+// seccomp_file.c
+void filter_init(int fd);
+void filter_add_whitelist(int fd, int syscall, int arg);
+void filter_add_blacklist(int fd, int syscall, int arg);
+void filter_add_errno(int fd, int syscall, int arg);
+void filter_end_blacklist(int fd);
+void filter_end_whitelist(int fd);
+// seccomp.c
+// default list
+void seccomp_default(const char *fname, int allow_debuggers);
+// drop list
+void seccomp_drop(const char *fname, char *list, int allow_debuggers);
+// default+drop list
+void seccomp_default_drop(const char *fname, char *list, int allow_debuggers);
+// whitelisted filter
+void seccomp_keep(const char *fname, char *list);
+// seccomp_print
+void filter_print(const char *fname);
+#endif
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
new file mode 100644
index 000000000..39e72fdf9
--- /dev/null
+++ b/src/fseccomp/main.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfseccomp debug-syscalls\n");
+        printf("\tfseccomp debug-errnos\n");
+        printf("\tfseccomp debug-protocols\n");
+        printf("\tfseccomp protocol build list file\n");
+        printf("\tfseccomp secondary 64 file\n");
+        printf("\tfseccomp secondary 32 file\n");
+        printf("\tfseccomp default file\n");
+        printf("\tfseccomp default file allow-debuggers\n");
+        printf("\tfseccomp drop file list\n");
+        printf("\tfseccomp drop file list allow-debuggers\n");
+        printf("\tfseccomp default drop file list\n");
+        printf("\tfseccomp default drop file list allow-debuggers\n");
+        printf("\tfseccomp keep file list\n");
+        printf("\tfseccomp print file\n");
+}
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}       
+#endif
+        if (argc < 2)
+                return 1;
+                
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+        else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
+                syscall_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0)
+                errno_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0)
+                protocol_print();
+        else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
+                protocol_build_filter(argv[3], argv[4]);
+        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
+                seccomp_secondary_64(argv[3]);
+        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) 
+                seccomp_secondary_32(argv[3]);
+        else if (argc == 3 && strcmp(argv[1], "default") == 0)
+                seccomp_default(argv[2], 0);
+        else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
+                seccomp_default(argv[2], 1);
+        else if (argc == 4 && strcmp(argv[1], "drop") == 0)
+                seccomp_drop(argv[2], argv[3], 0);
+        else if (argc == 5 && strcmp(argv[1], "drop") == 0 && strcmp(argv[4], "allow-debuggers") == 0)
+                seccomp_drop(argv[2], argv[3], 1);
+        else if (argc == 5 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0)
+                seccomp_default_drop(argv[3], argv[4], 0);
+        else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
+                seccomp_default_drop(argv[3], argv[4], 1);
+        else if (argc == 4 && strcmp(argv[1], "keep") == 0)
+                seccomp_keep(argv[2], argv[3]);
+        else if (argc == 3 && strcmp(argv[1], "print") == 0)
+                filter_print(argv[2]);
+        else {
+                fprintf(stderr, "Error fseccomp: invalid arguments\n");
+                return 1;
+        }
+        return 0;
+}
+\ No newline at end of file
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
new file mode 100644
index 000000000..7bf560fe1
--- /dev/null
+++ b/src/fseccomp/protocol.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+/*
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                ONLY(SYS_socket),
+                EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else
+                WHITELIST(AF_INET),
+                WHITELIST(AF_INET6),
+                WHITELIST(AF_PACKET),
+                RETURN_ERRNO(ENOTSUP)
+        };
+        struct sock_fprog prog = {
+                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                .filter = filter,
+        };
+        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                perror("prctl(NO_NEW_PRIVS)");
+                return 1;
+        }
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                perror("prctl");
+                return 1;
+        }
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+static char *protocol[] = {
+        "unix",
+        "inet",
+        "inet6",
+        "netlink",
+        "packet",
+        NULL
+};
+static struct sock_filter protocol_filter_command[] = {
+        WHITELIST(AF_UNIX),
+        WHITELIST(AF_INET),
+        WHITELIST(AF_INET6),
+        WHITELIST(AF_NETLINK),
+        WHITELIST(AF_PACKET)
+};
+// Note: protocol[] and protocol_filter_command are synchronized
+// command length
+struct sock_filter whitelist[] = {
+        WHITELIST(AF_UNIX)
+};
+unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter);
+static struct sock_filter *find_protocol_domain(const char *p) {
+        int i = 0;
+        while (protocol[i] != NULL) {
+                if (strcmp(protocol[i], p) == 0)
+                        return &protocol_filter_command[i * whitelist_len];
+                i++;
+        }
+        return NULL;
+}       
+void protocol_print(void) {
+#ifndef SYS_socket
+        fprintf(stderr, "Warning fseccomp: firejail --protocol not supported on this platform\n");
+        return;
+#endif
+        int i = 0;
+        while (protocol[i] != NULL) {
+                printf("%s, ", protocol[i]);
+                i++;
+        }
+        printf("\n");
+}
+// install protocol filter
+void protocol_build_filter(const char *prlist, const char *fname) {
+        assert(prlist);
+        assert(fname);
+#ifndef SYS_socket
+        fprintf(stderr, "Warning fseccomp: --protocol not supported on this platform\n");
+        return;
+#else
+        // build the filter
+        struct sock_filter filter[32];  // big enough
+        memset(&filter[0], 0, sizeof(filter));
+        uint8_t *ptr = (uint8_t *) &filter[0];
+        
+        // header
+        struct sock_filter filter_start[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                ONLY(SYS_socket),
+                EXAMINE_ARGUMENT(0)
+        };
+        memcpy(ptr, &filter_start[0], sizeof(filter_start));
+        ptr += sizeof(filter_start);
+#if 0
+printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
+#endif
+        // parse list and add commands
+        char *tmplist = strdup(prlist);
+        if (!tmplist)
+                errExit("strdup");
+        char *token = strtok(tmplist, ",");
+        if (!token)
+                errExit("strtok");
+                
+        while (token) {
+                struct sock_filter *domain = find_protocol_domain(token);
+                if (domain == NULL) {
+                        fprintf(stderr, "Error fseccomp: %s is not a valid protocol\n", token);
+                        exit(1);
+                }
+                memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
+                ptr += whitelist_len * sizeof(struct sock_filter);
+                token = strtok(NULL, ",");
+#if 0
+printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+#endif
+        }       
+        free(tmplist);
+        // add end of filter
+        struct sock_filter filter_end[] = {
+                RETURN_ERRNO(ENOTSUP)
+        };
+        memcpy(ptr, &filter_end[0], sizeof(filter_end));
+        ptr += sizeof(filter_end);
+#if 0
+printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
+{
+        unsigned j;
+        unsigned char *ptr2 = (unsigned char *) &filter[0];
+        for (j = 0; j < sizeof(filter); j++, ptr2++) {
+                if ((j % (sizeof(struct sock_filter))) == 0)
+                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
+                printf("%02x, ", (*ptr2) & 0xff);
+        }
+        printf("\n");
+}
+#endif  
+        // save filter to file
+        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        
+        int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter));
+        int written = 0;
+        while (written < size) {
+                int rv = write(dst, (unsigned char *) filter + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+                        exit(1);
+                }
+                written += rv;
+        }
+        close(dst);
+#endif // SYS_socket    
+}
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
new file mode 100644
index 000000000..cc6edc8ca
--- /dev/null
+++ b/src/fseccomp/seccomp.c
@@ -0,0 +1,292 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static void add_default_list(int fd, int allow_debuggers) {
+#ifdef SYS_mount
+        filter_add_blacklist(fd, SYS_mount, 0);
+#endif
+#ifdef SYS_umount2
+        filter_add_blacklist(fd, SYS_umount2, 0);
+#endif
+        if (!allow_debuggers) {
+#ifdef SYS_ptrace
+                filter_add_blacklist(fd, SYS_ptrace, 0);
+#endif
+        }
+#ifdef SYS_kexec_load
+        filter_add_blacklist(fd, SYS_kexec_load, 0);
+#endif
+#ifdef SYS_kexec_file_load
+        filter_add_blacklist(fd, SYS_kexec_file_load, 0);
+#endif
+#ifdef SYS_open_by_handle_at
+        filter_add_blacklist(fd, SYS_open_by_handle_at, 0);
+#endif
+#ifdef SYS_name_to_handle_at
+        filter_add_blacklist(fd, SYS_name_to_handle_at, 0);
+#endif
+#ifdef SYS_init_module
+        filter_add_blacklist(fd, SYS_init_module, 0);
+#endif
+#ifdef SYS_finit_module
+        filter_add_blacklist(fd, SYS_finit_module, 0);
+#endif
+#ifdef SYS_create_module
+        filter_add_blacklist(fd, SYS_create_module, 0);
+#endif
+#ifdef SYS_delete_module
+        filter_add_blacklist(fd, SYS_delete_module, 0);
+#endif
+#ifdef SYS_iopl
+        filter_add_blacklist(fd, SYS_iopl, 0);
+#endif
+#ifdef  SYS_ioperm
+        filter_add_blacklist(fd, SYS_ioperm, 0);
+#endif
+#ifdef  SYS_ioprio_set
+        filter_add_blacklist(fd, SYS_ioprio_set, 0);
+#endif
+#ifdef SYS_ni_syscall
+        filter_add_blacklist(fd, SYS_ni_syscall, 0);
+#endif
+#ifdef SYS_swapon
+        filter_add_blacklist(fd, SYS_swapon, 0);
+#endif
+#ifdef SYS_swapoff
+        filter_add_blacklist(fd, SYS_swapoff, 0);
+#endif
+#ifdef SYS_syslog
+        filter_add_blacklist(fd, SYS_syslog, 0);
+#endif
+        if (!allow_debuggers) {
+#ifdef SYS_process_vm_readv
+                filter_add_blacklist(fd, SYS_process_vm_readv, 0);
+#endif
+        }
+#ifdef SYS_process_vm_writev
+        filter_add_blacklist(fd, SYS_process_vm_writev, 0);
+#endif
+        // mknod removed in 0.9.29 - it brakes Zotero extension
+        //#ifdef SYS_mknod
+        //              filter_add_blacklist(SYS_mknod, 0);
+        //#endif
+#ifdef SYS_sysfs
+        filter_add_blacklist(fd, SYS_sysfs, 0);
+#endif
+#ifdef SYS__sysctl
+        filter_add_blacklist(fd, SYS__sysctl, 0);
+#endif
+#ifdef SYS_adjtimex
+        filter_add_blacklist(fd, SYS_adjtimex, 0);
+#endif
+#ifdef  SYS_clock_adjtime
+        filter_add_blacklist(fd, SYS_clock_adjtime, 0);
+#endif
+#ifdef SYS_lookup_dcookie
+        filter_add_blacklist(fd, SYS_lookup_dcookie, 0);
+#endif
+#ifdef  SYS_perf_event_open
+        filter_add_blacklist(fd, SYS_perf_event_open, 0);
+#endif
+#ifdef  SYS_fanotify_init
+        filter_add_blacklist(fd, SYS_fanotify_init, 0);
+#endif
+#ifdef SYS_kcmp
+        filter_add_blacklist(fd, SYS_kcmp, 0);
+#endif
+#ifdef SYS_add_key
+        filter_add_blacklist(fd, SYS_add_key, 0);
+#endif
+#ifdef SYS_request_key
+        filter_add_blacklist(fd, SYS_request_key, 0);
+#endif
+#ifdef SYS_keyctl
+        filter_add_blacklist(fd, SYS_keyctl, 0);
+#endif
+#ifdef SYS_uselib
+        filter_add_blacklist(fd, SYS_uselib, 0);
+#endif
+#ifdef SYS_acct
+        filter_add_blacklist(fd, SYS_acct, 0);
+#endif
+#ifdef SYS_modify_ldt
+        filter_add_blacklist(fd, SYS_modify_ldt, 0);
+#endif
+#ifdef SYS_pivot_root
+        filter_add_blacklist(fd, SYS_pivot_root, 0);
+#endif
+#ifdef SYS_io_setup
+        filter_add_blacklist(fd, SYS_io_setup, 0);
+#endif
+#ifdef SYS_io_destroy
+        filter_add_blacklist(fd, SYS_io_destroy, 0);
+#endif
+#ifdef SYS_io_getevents
+        filter_add_blacklist(fd, SYS_io_getevents, 0);
+#endif
+#ifdef SYS_io_submit
+        filter_add_blacklist(fd, SYS_io_submit, 0);
+#endif
+#ifdef SYS_io_cancel
+        filter_add_blacklist(fd, SYS_io_cancel, 0);
+#endif
+#ifdef SYS_remap_file_pages
+        filter_add_blacklist(fd, SYS_remap_file_pages, 0);
+#endif
+#ifdef SYS_mbind
+        filter_add_blacklist(fd, SYS_mbind, 0);
+#endif
+#ifdef SYS_get_mempolicy
+        filter_add_blacklist(fd, SYS_get_mempolicy, 0);
+#endif
+#ifdef SYS_set_mempolicy
+        filter_add_blacklist(fd, SYS_set_mempolicy, 0);
+#endif
+#ifdef SYS_migrate_pages
+        filter_add_blacklist(fd, SYS_migrate_pages, 0);
+#endif
+#ifdef SYS_move_pages
+        filter_add_blacklist(fd, SYS_move_pages, 0);
+#endif
+#ifdef SYS_vmsplice
+        filter_add_blacklist(fd, SYS_vmsplice, 0);
+#endif
+#ifdef SYS_chroot
+        filter_add_blacklist(fd, SYS_chroot, 0);
+#endif
+#ifdef SYS_tuxcall
+        filter_add_blacklist(fd, SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+        filter_add_blacklist(fd, SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+        filter_add_blacklist(fd, SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+        filter_add_blacklist(fd, SYS_get_kernel_syms, 0);
+#endif
+}
+// default list
+void seccomp_default(const char *fname, int allow_debuggers) {
+        assert(fname);
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        add_default_list(fd, allow_debuggers);
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+// drop list
+void seccomp_drop(const char *fname, char *list, int allow_debuggers) {
+        assert(fname);
+        (void) allow_debuggers; // todo: to implemnet it
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+// default+drop
+void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
+        assert(fname);
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        add_default_list(fd, allow_debuggers);
+        if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        filter_end_blacklist(fd);
+        
+        // close file
+        close(fd);
+}
+void seccomp_keep(const char *fname, char *list) {
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        // build filter
+        filter_init(fd);
+        // these 4 syscalls are used by firejail after the seccomp filter is initialized
+        filter_add_whitelist(fd, SYS_setuid, 0);
+        filter_add_whitelist(fd, SYS_setgid, 0);
+        filter_add_whitelist(fd, SYS_setgroups, 0);
+        filter_add_whitelist(fd, SYS_dup, 0);
+        filter_add_whitelist(fd, SYS_prctl, 0);
+        
+        if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
+                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+                exit(1);
+        }
+        
+        filter_end_whitelist(fd);
+        
+        // close file
+        close(fd);
+}
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
new file mode 100644
index 000000000..10ef9dd31
--- /dev/null
+++ b/src/fseccomp/seccomp_file.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static void write_to_file(int fd, void *data, int size) {
+        assert(data);
+        assert(size);
+        
+        int written = 0;
+        while (written < size) {
+                int rv = write(fd, (unsigned char *) data + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write seccomp file\n");
+                        exit(1);
+                }
+                written += rv;
+        }
+}
+void filter_init(int fd) {
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                // handle X32 ABI
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+                RETURN_ERRNO(EPERM)
+        };
+#else
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL
+        };
+#endif
+#if 0
+{
+        int i;
+        unsigned char *ptr = (unsigned char *) &filter[0];
+        for (i = 0; i < sizeof(filter); i++, ptr++)
+                printf("%x, ", (*ptr) & 0xff);
+        printf("\n");
+}
+#endif
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_whitelist(int fd, int syscall, int arg) {
+        (void) arg;
+        
+        struct sock_filter filter[] = {
+                WHITELIST(syscall)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_blacklist(int fd, int syscall, int arg) {
+        (void) arg;
+        
+        struct sock_filter filter[] = {
+                BLACKLIST(syscall)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_add_errno(int fd, int syscall, int arg) {
+        struct sock_filter filter[] = {
+                BLACKLIST_ERRNO(syscall, arg)
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_end_blacklist(int fd) {
+        struct sock_filter filter[] = {
+                RETURN_ALLOW
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
+void filter_end_whitelist(int fd) {
+        struct sock_filter filter[] = {
+                KILL_PROCESS
+        };
+        write_to_file(fd, filter, sizeof(filter));
+}
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
new file mode 100644
index 000000000..7dc983b12
--- /dev/null
+++ b/src/fseccomp/seccomp_print.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static struct sock_filter *filter = NULL;
+static int filter_cnt = 0;
+static void load_seccomp(const char *fname) {
+        assert(fname);
+        // check file
+        struct stat s;
+        if (stat(fname, &s) == -1) {
+                fprintf(stderr, "Error fseccomp: cannot read protocol filter file\n");
+                exit(1);
+        }
+        int size = s.st_size;
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
+        filter_cnt = entries;
+//printf("size %d, entries %d\n", s.st_size, entries);
+        filter = malloc(sizeof(struct sock_filter) * entries);
+        if (!filter)
+                errExit("malloc");
+                
+        // read filter
+        memset(filter, 0, sizeof(struct sock_filter) * entries);
+        int src = open(fname, O_RDONLY);
+        int rd = 0;
+        while (rd < size) {
+                int rv = read(src, (unsigned char *) filter + rd, size - rd);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname);
+                        exit(1);
+                }
+                rd += rv;
+        }
+        close(src);
+}
+// debug filter
+void filter_print(const char *fname) {
+        assert(fname);
+        load_seccomp(fname);
+        
+        // start filter
+        struct sock_filter start[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL
+        };
+        // print sizes
+        printf("SECCOMP Filter:\n");
+        // test the start of the filter
+        if (memcmp(&start[0], filter, sizeof(start)) == 0) {
+                printf("  VALIDATE_ARCHITECTURE\n");
+                printf("  EXAMINE_SYSCAL\n");
+        }
+        else {
+                printf("Invalid seccomp filter %s\n", fname);
+                return;
+        }
+        
+        // loop trough blacklists
+        int i = 4;
+        while (i < filter_cnt) {
+                // minimal parsing!
+                unsigned char *ptr = (unsigned char *) &filter[i];
+                int *nr = (int *) (ptr + 4);
+                if (*ptr        == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
+                        printf("  WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
+                        printf("  BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
+                        int err = *(ptr + 13) << 8 | *(ptr + 12);
+                        printf("  ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
+                        i += 2;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
+                        printf("  KILL_PROCESS\n");
+                        i++;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
+                        printf("  RETURN_ALLOW\n");
+                        i++;
+                }
+                else {
+                        printf("  UNKNOWN ENTRY!!!\n");
+                        i++;
+                }
+        }
+}
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
new file mode 100644
index 000000000..a856e5aef
--- /dev/null
+++ b/src/fseccomp/seccomp_secondary.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+void seccomp_secondary_64(const char *fname) {
+        // hardcoded syscall values
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE_64,
+                EXAMINE_SYSCALL,
+                BLACKLIST(165), // mount
+                BLACKLIST(166), // umount2
+// todo: implement --allow-debuggers            
+                BLACKLIST(101), // ptrace
+                BLACKLIST(246), // kexec_load
+                BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(303), // name_to_handle_at
+                BLACKLIST(174), // create_module
+                BLACKLIST(175), // init_module
+                BLACKLIST(313), // finit_module
+                BLACKLIST(176), // delete_module
+                BLACKLIST(172), // iopl
+                BLACKLIST(173), // ioperm
+                BLACKLIST(251), // ioprio_set
+                BLACKLIST(167), // swapon
+                BLACKLIST(168), // swapoff
+                BLACKLIST(103), // syslog
+                BLACKLIST(310), // process_vm_readv
+                BLACKLIST(311), // process_vm_writev
+                BLACKLIST(139), // sysfs
+                BLACKLIST(156), // _sysctl
+                BLACKLIST(159), // adjtimex
+                BLACKLIST(305), // clock_adjtime
+                BLACKLIST(212), // lookup_dcookie
+                BLACKLIST(298), // perf_event_open
+                BLACKLIST(300), // fanotify_init
+                BLACKLIST(312), // kcmp
+                BLACKLIST(248), // add_key
+                BLACKLIST(249), // request_key
+                BLACKLIST(250), // keyctl
+                BLACKLIST(134), // uselib
+                BLACKLIST(163), // acct
+                BLACKLIST(154), // modify_ldt
+                BLACKLIST(155), // pivot_root
+                BLACKLIST(206), // io_setup
+                BLACKLIST(207), // io_destroy
+                BLACKLIST(208), // io_getevents
+                BLACKLIST(209), // io_submit
+                BLACKLIST(210), // io_cancel
+                BLACKLIST(216), // remap_file_pages
+                BLACKLIST(237), // mbind
+                BLACKLIST(239), // get_mempolicy
+                BLACKLIST(238), // set_mempolicy
+                BLACKLIST(256), // migrate_pages
+                BLACKLIST(279), // move_pages
+                BLACKLIST(278), // vmsplice
+                BLACKLIST(161), // chroot
+                BLACKLIST(184), // tuxcall
+                BLACKLIST(169), // reboot
+                BLACKLIST(180), // nfsservctl
+                BLACKLIST(177), // get_kernel_syms
+                
+                RETURN_ALLOW
+        };
+        // save filter to file
+        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        
+        int size = (int) sizeof(filter);
+        int written = 0;
+        while (written < size) {
+                int rv = write(dst, (unsigned char *) filter + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+                        exit(1);
+                }
+                written += rv;
+        }
+        close(dst);
+}
+// i386 filter installed on amd64 architectures
+void seccomp_secondary_32(const char *fname) {
+        // hardcoded syscall values
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE_32,
+                EXAMINE_SYSCALL,
+                BLACKLIST(21), // mount
+                BLACKLIST(52), // umount2
+// todo: implement --allow-debuggers            
+                BLACKLIST(26), // ptrace
+                BLACKLIST(283), // kexec_load
+                BLACKLIST(341), // name_to_handle_at
+                BLACKLIST(342), // open_by_handle_at
+                BLACKLIST(127), // create_module
+                BLACKLIST(128), // init_module
+                BLACKLIST(350), // finit_module
+                BLACKLIST(129), // delete_module
+                BLACKLIST(110), // iopl
+                BLACKLIST(101), // ioperm
+                BLACKLIST(289), // ioprio_set
+                BLACKLIST(87), // swapon
+                BLACKLIST(115), // swapoff
+                BLACKLIST(103), // syslog
+                BLACKLIST(347), // process_vm_readv
+                BLACKLIST(348), // process_vm_writev
+                BLACKLIST(135), // sysfs
+                BLACKLIST(149), // _sysctl
+                BLACKLIST(124), // adjtimex
+                BLACKLIST(343), // clock_adjtime
+                BLACKLIST(253), // lookup_dcookie
+                BLACKLIST(336), // perf_event_open
+                BLACKLIST(338), // fanotify_init
+                BLACKLIST(349), // kcmp
+                BLACKLIST(286), // add_key
+                BLACKLIST(287), // request_key
+                BLACKLIST(288), // keyctl
+                BLACKLIST(86), // uselib
+                BLACKLIST(51), // acct
+                BLACKLIST(123), // modify_ldt
+                BLACKLIST(217), // pivot_root
+                BLACKLIST(245), // io_setup
+                BLACKLIST(246), // io_destroy
+                BLACKLIST(247), // io_getevents
+                BLACKLIST(248), // io_submit
+                BLACKLIST(249), // io_cancel
+                BLACKLIST(257), // remap_file_pages
+                BLACKLIST(274), // mbind
+                BLACKLIST(275), // get_mempolicy
+                BLACKLIST(276), // set_mempolicy
+                BLACKLIST(294), // migrate_pages
+                BLACKLIST(317), // move_pages
+                BLACKLIST(316), // vmsplice
+                BLACKLIST(61),  // chroot
+                BLACKLIST(88), // reboot
+                BLACKLIST(169), // nfsservctl
+                BLACKLIST(130), // get_kernel_syms
+                
+                RETURN_ALLOW
+        };
+        // save filter to file
+        int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        
+        int size = (int) sizeof(filter);
+        int written = 0;
+        while (written < size) {
+                int rv = write(dst, (unsigned char *) filter + written, size - written);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname);
+                        exit(1);
+                }
+                written += rv;
+        }
+        close(dst);
+}
diff --git a/src/firejail/syscall.c b/src/fseccomp/syscall.c
index 985cc8bb8..7c2c4cbb2 100644
--- a/src/firejail/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -17,9 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include "fseccomp.h"
-#ifdef HAVE_SECCOMP
-#include "firejail.h"
 #include <sys/syscall.h>
 typedef struct {
@@ -31,13 +29,25 @@ static SyscallEntry syslist[] = {
 //
 // code generated using tools/extract-syscall
 //
-#include "syscall.h"
+#include "../include/syscall.h"
 //
 // end of generated code
 //
 }; // end of syslist
-const char *syscall_find_nr(int nr) {
+// return -1 if error, or syscall number
+int syscall_find_name(const char *name) {
+        int i;
+        int elems = sizeof(syslist) / sizeof(syslist[0]);
+        for (i = 0; i < elems; i++) {
+                if (strcmp(name, syslist[i].name) == 0)
+                        return syslist[i].nr;
+        }
+        
+        return -1;
+}
+char *syscall_find_nr(int nr) {
        int i;
        int elems = sizeof(syslist) / sizeof(syslist[0]);
        for (i = 0; i < elems; i++) {
@@ -48,24 +58,61 @@ const char *syscall_find_nr(int nr) {
        return "unknown";
 }
-// return -1 if error, or syscall number
+void syscall_print(void) {
-static int syscall_find_name(const char *name) {
        int i;
        int elems = sizeof(syslist) / sizeof(syslist[0]);
        for (i = 0; i < elems; i++) {
-                if (strcmp(name, syslist[i].name) == 0)
+                printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
-                        return syslist[i].nr;
        }
+        printf("\n");
+}
+// allowed input:
+// - syscall
+// - syscall(error)
+static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) {
+        assert(name);
+        if (strlen(name) == 0)
+                goto error;
+        *error_nr = -1;
        
-        return -1;
+        // syntax check
+        char *str = strdup(name);
+        if (!str)
+                errExit("strdup");
+        char *syscall_name = str;
+        char *error_name = strchr(str, ':');
+        if (error_name) {
+                *error_name = '\0';
+                error_name++;
+        }
+        if (strlen(syscall_name) == 0) {
+                free(str);
+                goto error;
+        }
+        *syscall_nr = syscall_find_name(syscall_name);
+        if (error_name) {
+                *error_nr = errno_find_name(error_name);
+                if (*error_nr == -1)
+                        *syscall_nr = -1;
+        }
+        free(str);
+        return;
+        
+error:
+        fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
+        exit(1);
 }
 // return 1 if error, 0 if OK
-int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg) {
+int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) {
        // don't allow empty lists
        if (slist == NULL || *slist == '\0') {
-                fprintf(stderr, "Error: empty syscall lists are not allowed\n");
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                return -1;
+                exit(1);
        }
        // work on a copy of the string
@@ -73,44 +120,27 @@ int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg)
        if (!str)
                errExit("strdup");
-        char *ptr = str;
+        char *ptr =strtok(str, ",");
-        char *start = str;
+        if (ptr == NULL) {
-        while (*ptr != '\0') {
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                if (islower(*ptr) || isdigit(*ptr) || *ptr == '_')
+                exit(1);
-                        ;
-                else if (*ptr == ',') {
-                        *ptr = '\0';
-                        int nr = syscall_find_name(start);
-                        if (nr == -1)
-                                fprintf(stderr, "Warning: syscall %s not found\n", start);
-                        else if (callback != NULL)
-                                callback(nr, arg);
-                                
-                        start = ptr + 1;
-                }
-                ptr++;
        }
-        if (*start != '\0') {
-                int nr = syscall_find_name(start);
+        while (ptr) {
-                if (nr == -1)
+                int syscall_nr;
-                        fprintf(stderr, "Warning: syscall %s not found\n", start);
+                int error_nr;
-                else if (callback != NULL)
+                syscall_process_name(ptr, &syscall_nr, &error_nr);
-                        callback(nr, arg);
+                if (syscall_nr == -1)
+                        fprintf(stderr, "Warning fseccomp: syscall %s not found\n", ptr);
+                else if (callback != NULL) {
+                        if (error_nr != -1)
+                                filter_add_errno(fd, syscall_nr, error_nr);
+                        else
+                                callback(fd, syscall_nr, arg);
+                }
+                ptr = strtok(NULL, ",");
        }
        
        free(str);
        return 0;
 }
-void syscall_print(void) {
-        EUID_ASSERT();
-        
-        int i;
-        int elems = sizeof(syslist) / sizeof(syslist[0]);
-        for (i = 0; i < elems; i++) {
-                printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
-        }
-        printf("\n");
-}
-#endif // HAVE_SECCOMP
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index be159225f..ad508cadd 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -4,21 +4,23 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 ftee: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS)
-clean:; rm -f *.o ftee
+clean:; rm -f *.o ftee *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 8daea8487..e6aa5f567 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -193,6 +193,10 @@ int main(int argc, char **argv) {
                usage();
                exit(1);
        }
+        if (strcmp(argv[1], "--help") == 0) {
+                usage();
+                return 0;
+        }
        char *fname = argv[1];
diff --git a/src/include/common.h b/src/include/common.h
index cd4b9c874..108820290 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -32,7 +32,7 @@
 #include <ctype.h>
 #include <assert.h>
-#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
@@ -113,4 +113,6 @@ int join_namespace(pid_t pid, char *type);
 int name2pid(const char *name, pid_t *pid);
 char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
+int pid_hidepid(void);
 #endif
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index f07cf2868..752df5fff 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -31,25 +31,32 @@
 }
 extern uid_t firejail_uid;
+extern uid_t firejail_gid;
 static inline void EUID_ROOT(void) {
        if (seteuid(0) == -1)
-                fprintf(stderr, "Error: cannot switch euid to root\n");
+                fprintf(stderr, "Warning: cannot switch euid to root\n");
+        if (setegid(0) == -1)
+                fprintf(stderr, "Warning: cannot switch egid to root\n");
 }
 static inline void EUID_USER(void) {
        if (seteuid(firejail_uid) == -1)
-                fprintf(stderr, "Error: cannot switch euid to user\n");
+                errExit("seteuid");
+        if (setegid(firejail_gid) == -1)
+                errExit("setegid");
 }
 static inline void EUID_PRINT(void) {
        printf("debug: uid %d, euid %d\n", getuid(), geteuid());
+        printf("debug: gid %d, egid %d\n", getgid(), getegid());
 }
 static inline void EUID_INIT(void) {
        firejail_uid = getuid();
+        firejail_gid = getgid();
 }
 #endif
diff --git a/src/firejail/seccomp.h b/src/include/seccomp.h
index 7d646dd9e..7d646dd9e 100644
--- a/src/firejail/seccomp.h
+++ b/src/include/seccomp.h
diff --git a/src/firejail/syscall.h b/src/include/syscall.h
index 5b2cb4915..9a29779c9 100644
--- a/src/firejail/syscall.h
+++ b/src/include/syscall.h
@@ -20,7 +20,6 @@
 // content extracted from /bits/syscall.h file form glibc 2.22
 // using ../tools/extract_syscall tool
 #if !defined __x86_64__
 #ifdef SYS__llseek
 #ifdef __NR__llseek
@@ -37,6 +36,11 @@
        {"_sysctl", __NR__sysctl},
 #endif
 #endif
+#ifdef SYS_accept4
+#ifdef __NR_accept4
+        {"accept4", __NR_accept4},
+#endif
+#endif
 #ifdef SYS_access
 #ifdef __NR_access
        {"access", __NR_access},
@@ -72,6 +76,11 @@
        {"bdflush", __NR_bdflush},
 #endif
 #endif
+#ifdef SYS_bind
+#ifdef __NR_bind
+        {"bind", __NR_bind},
+#endif
+#endif
 #ifdef SYS_bpf
 #ifdef __NR_bpf
        {"bpf", __NR_bpf},
@@ -157,6 +166,16 @@
        {"close", __NR_close},
 #endif
 #endif
+#ifdef SYS_connect
+#ifdef __NR_connect
+        {"connect", __NR_connect},
+#endif
+#endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
        {"creat", __NR_creat},
@@ -492,6 +511,11 @@
        {"getitimer", __NR_getitimer},
 #endif
 #endif
+#ifdef SYS_getpeername
+#ifdef __NR_getpeername
+        {"getpeername", __NR_getpeername},
+#endif
+#endif
 #ifdef SYS_getpgid
 #ifdef __NR_getpgid
        {"getpgid", __NR_getpgid},
@@ -562,6 +586,16 @@
        {"getsid", __NR_getsid},
 #endif
 #endif
+#ifdef SYS_getsockname
+#ifdef __NR_getsockname
+        {"getsockname", __NR_getsockname},
+#endif
+#endif
+#ifdef SYS_getsockopt
+#ifdef __NR_getsockopt
+        {"getsockopt", __NR_getsockopt},
+#endif
+#endif
 #ifdef SYS_gettid
 #ifdef __NR_gettid
        {"gettid", __NR_gettid},
@@ -722,6 +756,11 @@
        {"linkat", __NR_linkat},
 #endif
 #endif
+#ifdef SYS_listen
+#ifdef __NR_listen
+        {"listen", __NR_listen},
+#endif
+#endif
 #ifdef SYS_listxattr
 #ifdef __NR_listxattr
        {"listxattr", __NR_listxattr},
@@ -777,6 +816,11 @@
        {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
        {"memfd_create", __NR_memfd_create},
@@ -817,6 +861,11 @@
        {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
        {"mlockall", __NR_mlockall},
@@ -1122,11 +1171,21 @@
        {"reboot", __NR_reboot},
 #endif
 #endif
+#ifdef SYS_recvfrom
+#ifdef __NR_recvfrom
+        {"recvfrom", __NR_recvfrom},
+#endif
+#endif
 #ifdef SYS_recvmmsg
 #ifdef __NR_recvmmsg
        {"recvmmsg", __NR_recvmmsg},
 #endif
 #endif
+#ifdef SYS_recvmsg
+#ifdef __NR_recvmsg
+        {"recvmsg", __NR_recvmsg},
+#endif
+#endif
 #ifdef SYS_remap_file_pages
 #ifdef __NR_remap_file_pages
        {"remap_file_pages", __NR_remap_file_pages},
@@ -1292,6 +1351,16 @@
        {"sendmmsg", __NR_sendmmsg},
 #endif
 #endif
+#ifdef SYS_sendmsg
+#ifdef __NR_sendmsg
+        {"sendmsg", __NR_sendmsg},
+#endif
+#endif
+#ifdef SYS_sendto
+#ifdef __NR_sendto
+        {"sendto", __NR_sendto},
+#endif
+#endif
 #ifdef SYS_set_mempolicy
 #ifdef __NR_set_mempolicy
        {"set_mempolicy", __NR_set_mempolicy},
@@ -1432,6 +1501,11 @@
        {"setsid", __NR_setsid},
 #endif
 #endif
+#ifdef SYS_setsockopt
+#ifdef __NR_setsockopt
+        {"setsockopt", __NR_setsockopt},
+#endif
+#endif
 #ifdef SYS_settimeofday
 #ifdef __NR_settimeofday
        {"settimeofday", __NR_settimeofday},
@@ -1457,6 +1531,11 @@
        {"sgetmask", __NR_sgetmask},
 #endif
 #endif
+#ifdef SYS_shutdown
+#ifdef __NR_shutdown
+        {"shutdown", __NR_shutdown},
+#endif
+#endif
 #ifdef SYS_sigaction
 #ifdef __NR_sigaction
        {"sigaction", __NR_sigaction},
@@ -1502,11 +1581,21 @@
        {"sigsuspend", __NR_sigsuspend},
 #endif
 #endif
+#ifdef SYS_socket
+#ifdef __NR_socket
+        {"socket", __NR_socket},
+#endif
+#endif
 #ifdef SYS_socketcall
 #ifdef __NR_socketcall
        {"socketcall", __NR_socketcall},
 #endif
 #endif
+#ifdef SYS_socketpair
+#ifdef __NR_socketpair
+        {"socketpair", __NR_socketpair},
+#endif
+#endif
 #ifdef SYS_splice
 #ifdef __NR_splice
        {"splice", __NR_splice},
@@ -1722,6 +1811,11 @@
        {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
        {"ustat", __NR_ustat},
@@ -1934,6 +2028,11 @@
        {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
        {"creat", __NR_creat},
@@ -2484,6 +2583,11 @@
        {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
        {"memfd_create", __NR_memfd_create},
@@ -2524,6 +2628,11 @@
        {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
        {"mlockall", __NR_mlockall},
@@ -3354,6 +3463,11 @@
        {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
        {"ustat", __NR_ustat},
@@ -3546,6 +3660,11 @@
        {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
        {"creat", __NR_creat},
@@ -4071,6 +4190,11 @@
        {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
        {"memfd_create", __NR_memfd_create},
@@ -4111,6 +4235,11 @@
        {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
        {"mlockall", __NR_mlockall},
@@ -4921,6 +5050,11 @@
        {"unshare", __NR_unshare},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
        {"ustat", __NR_ustat},
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 71f96bab1..5549aca11 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -2,12 +2,14 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now 
 all: $(OBJS)
@@ -15,7 +17,7 @@ all: $(OBJS)
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-clean:; rm -f $(OBJS)
+clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/lib/common.c b/src/lib/common.c
index 8ea926df1..2f2340963 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -199,3 +199,88 @@ char *pid_proc_cmdline(const pid_t pid) {
        }
        return rv;
 }
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
+        // if comm is not firejail return 0
+        char *comm = pid_proc_comm(pid);
+        if (strcmp(comm, "firejail") != 0) {
+                free(comm);
+                return 0;
+        }
+        free(comm);
+        // open /proc/pid/cmdline file
+        char *fname;
+        int fd;
+        if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+                return 0;
+        if ((fd = open(fname, O_RDONLY)) < 0) {
+                free(fname);
+                return 0;
+        }
+        free(fname);
+        // read file
+        unsigned char buffer[BUFLEN];
+        ssize_t len;
+        if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+                close(fd);
+                return 0;
+        }
+        buffer[len] = '\0';
+        close(fd);
+        // skip the first argument
+        int i;
+        for (i = 0; buffer[i] != '\0'; i++);
+        // parse remaining command line options
+        while (1) {
+                // extract argument
+                i++;
+                if (i >= len)
+                        break;
+                char *arg = (char *)buffer + i;
+                // detect the last command line option
+                if (strcmp(arg, "--") == 0)
+                        break;
+                if (strncmp(arg, "--", 2) != 0)
+                        break;
+                
+                if (strcmp(arg, "--x11=xorg") == 0)
+                        return 0;
+                
+                // check x11 xpra or xephyr
+                if (strncmp(arg, "--x11", 5) == 0)
+                        return 1;
+                i += strlen(arg);
+        }
+        return 0;
+}
+// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
+#define BUFLEN 4096
+int pid_hidepid(void) {
+        FILE *fp = fopen("/proc/mounts", "r");
+        if (!fp)
+                return 1;
+                
+        char buf[BUFLEN];
+        while (fgets(buf, BUFLEN, fp)) {
+                if (strstr(buf, "proc /proc proc")) {
+                        fclose(fp);
+                        // check hidepid
+                        if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+                                return 1;
+                        return 0;
+                }
+        }
+        
+        fclose(fp);
+        return 0;
+}
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 07457eefe..836cf417d 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -723,7 +723,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data)
        int len = RTA_LENGTH(4);
        struct rtattr *subrta;
-        if (RTA_ALIGN(rta->rta_len) + len > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) {
                fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen);
                return -1;
        }
@@ -741,7 +741,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type,
        struct rtattr *subrta;
        int len = RTA_LENGTH(alen);
-        if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) {
                fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen);
                return -1;
        }
diff --git a/src/lib/pid.c b/src/lib/pid.c
index d1ade389e..ed583c51d 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -29,7 +29,6 @@
 //Process pids[max_pids];
 Process *pids = NULL;
 int max_pids=32769;
-#define PIDS_BUFLEN 4096
 // get the memory associated with this pid
 void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
@@ -340,18 +339,12 @@ void pid_read(pid_t mon_pid) {
                                        exit(1);
                                }
-                                if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {
+                                if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
-                                        pids[pid].level = 1;
+                                        if (pid_proc_cmdline_x11_xpra_xephyr(pid))
-                                }
+                                                pids[pid].level = -1;
-                                else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
+                                        else
-                                        pids[pid].level = 1;
+                                                pids[pid].level = 1;
                                }
-//                              else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
-//                              else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
                                else
                                        pids[pid].level = -1;
                        }
diff --git a/src/libconnect/Makefile.in b/src/libconnect/Makefile.in
new file mode 100644
index 000000000..5b7a8d0f1
--- /dev/null
+++ b/src/libconnect/Makefile.in
@@ -0,0 +1,25 @@
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 
+all: libconnect.so
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+libconnect.so: $(OBJS)
+        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+clean:; rm -f $(OBJS) libconnect.so
+distclean: clean
+        rm -fr Makefile
diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c
new file mode 100644
index 000000000..18c4d81f5
--- /dev/null
+++ b/src/libconnect/libconnect.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <errno.h>
+//#define DEBUG
+//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
+static int check_sockaddr(const struct sockaddr *addr) {
+        if (addr->sa_family == AF_UNIX) {
+                struct sockaddr_un *a = (struct sockaddr_un *) addr;
+                if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) {
+//                      printf("@%s\n", a->sun_path + 1);
+                        errno = ENOENT;
+                        return -1;
+                }
+        }
+        
+        return 0;
+}
+//
+// syscalls
+//
+// connect
+typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+static orig_connect_t orig_connect = NULL;
+int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+        if (!orig_connect)
+                orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
+                        
+        if (check_sockaddr(addr) == -1)
+                return -1;
+                
+        return orig_connect(sockfd, addr, addrlen);
+}
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index a3d1571f7..dde3df2ea 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -423,11 +423,36 @@ int stat(const char *pathname, struct stat *buf) {
 typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf);
 static orig_stat64_t orig_stat64 = NULL;
 int stat64(const char *pathname, struct stat64 *buf) {
-        if (!orig_stat)
+        if (!orig_stat64)
                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
                        
        int rv = orig_stat64(pathname, buf);
-        printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv);
+        printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv);
+        return rv;
+}
+#endif /* __GLIBC__ */
+// lstat
+typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf);
+static orig_lstat_t orig_lstat = NULL;
+int lstat(const char *pathname, struct stat *buf) {
+        if (!orig_lstat)
+                orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
+        int rv = orig_lstat(pathname, buf);
+        printf("%u:%s:lstat %s:%d\n", pid(), name(), pathname, rv);
+        return rv;
+}
+#ifdef __GLIBC__
+typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf);
+static orig_lstat64_t orig_lstat64 = NULL;
+int lstat64(const char *pathname, struct stat64 *buf) {
+        if (!orig_lstat64)
+                orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
+        int rv = orig_lstat64(pathname, buf);
+        printf("%u:%s:lstat64 %s:%d\n", pid(), name(), pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index c3fd40a67..ff884c7d7 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -31,6 +31,7 @@
 #include <sys/stat.h>
 #include <syslog.h>
 #include <dirent.h>
+#include <limits.h>
 //#define DEBUG
@@ -91,9 +92,9 @@ static void storage_add(const char *str) {
        storage[h] = ptr;
 }
-char* cwd = NULL; // global variable for keeping current working directory
+// global variable to keep current working directory
-typedef int (*orig_chdir_t)(const char *pathname);
+static char* cwd = NULL;
-static orig_chdir_t orig_chdir = NULL;
 static char *storage_find(const char *str) {
 #ifdef DEBUG
        printf("storage find %s\n", str);
@@ -107,17 +108,23 @@ static char *storage_find(const char *str) {
        const char *tofind = str;
        int allocated = 0;
-        if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0]!='/') {
+        if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0] != '/') {
-                if (!orig_chdir)
+                if (cwd != NULL && str[0] != '/') {
-                        orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir");
+                        char *fullpath=malloc(PATH_MAX);
-                if (!orig_chdir(cwd)) {
+                        if (!fullpath) {
-#ifdef DEBUG
+                                fprintf(stderr, "Error: cannot allocate memory\n");
-                        printf("chdir failed\n");
+                                return NULL;
-#endif
+                        }
-                        return NULL;
+                        if (snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str)<3) {
+                                fprintf(stderr, "Error: snprintf failed\n");
+                                free(fullpath);
+                                return NULL;
+                        }
+                        tofind = realpath(fullpath, NULL);
+                        free(fullpath);
+                } else {
+                        tofind = realpath(str, NULL);
                }
-                tofind = realpath(str, NULL);
                if (!tofind) {
 #ifdef DEBUG
                        printf("realpath failed\n");
@@ -556,7 +563,7 @@ int stat64(const char *pathname, struct stat64 *buf) {
 #ifdef DEBUG
        printf("%s %s\n", __FUNCTION__, pathname);
 #endif
-        if (!orig_stat)
+        if (!orig_stat64)
                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
        if (!blacklist_loaded)
                load_blacklist();
@@ -592,7 +599,7 @@ int lstat64(const char *pathname, struct stat64 *buf) {
 #ifdef DEBUG
        printf("%s %s\n", __FUNCTION__, pathname);
 #endif
-        if (!orig_lstat)
+        if (!orig_lstat64)
                orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
        if (!blacklist_loaded)
                load_blacklist();
@@ -641,9 +648,8 @@ DIR *opendir(const char *pathname) {
 }
 // chdir
-// definition of orig_chdir placed before storage_find function
+typedef int (*orig_chdir_t)(const char *pathname);
-//typedef int (*orig_chdir_t)(const char *pathname);
+static orig_chdir_t orig_chdir = NULL;
-//static orig_chdir_t orig_chdir = NULL;
 int chdir(const char *pathname) {
 #ifdef DEBUG
        printf("%s %s\n", __FUNCTION__, pathname);
@@ -662,3 +668,32 @@ int chdir(const char *pathname) {
        int rv = orig_chdir(pathname);
        return rv;
 }
+// fchdir
+typedef int (*orig_fchdir_t)(int fd);
+static orig_fchdir_t orig_fchdir = NULL;
+int fchdir(int fd) {
+#ifdef DEBUG
+        printf("%s %d\n", __FUNCTION__, fd);
+#endif
+        if (!orig_fchdir)
+                orig_fchdir = (orig_fchdir_t)dlsym(RTLD_NEXT, "fchdir");
+        free(cwd);
+        char *pathname=malloc(PATH_MAX);
+        if (pathname) {
+                if (snprintf(pathname,PATH_MAX,"/proc/self/fd/%d", fd)>0) {
+                        cwd = realpath(pathname, NULL);
+                } else {
+                        cwd = NULL;
+                        fprintf(stderr, "Error: snprintf failed\n");
+                }
+                free(pathname);
+        } else {
+                fprintf(stderr, "Error: cannot allocate memory\n");
+                cwd = NULL;
+        }
+        int rv = orig_fchdir(fd);
+        return rv;
+}
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index decc1af73..b9d336c4c 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -10,19 +10,25 @@ sandbox applications automatically, just by clicking on a regular desktop
 menus and icons.
 The symbolic links are placed in /usr/local/bin. For more information, see
-DESKTOP INTEGRATION section in man 1 firejail.
+\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH OPTIONS
 .TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 .TP
+\fB\-\-debug
+Print debug messages.
+.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
 \fB\-\-list
 List all firejail symbolic links
 .TP
+\fB\-\-fix
+Fix .desktop files. Some .desktop files use full path to executable. Firecfg will check .desktop files in /usr/share/applications/, replace full path by name if it is in PATH, and write result to $HOME/.local/share/applications/.
+.TP
 \fB\-\-version
 Print program version and exit.
@@ -48,13 +54,22 @@ $ firecfg --list
 .br
 [...]
 .br
-$ sudo firecfg --clear
+$ sudo firecfg --clean
 .br
 /usr/local/bin/firefox removed
 .br
 /usr/local/bin/vlc removed
 .br
 [...]
+.br
+$ firecfg --fix
+.br
+/home/user/.local/share/applications/chromium.desktop created
+.br
+/home/user/.local/share/applications/vlc.desktop created
+.br
+[...]
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
@@ -65,6 +80,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
deleted file mode 100644
index fcf4109ee..000000000
--- a/src/man/firejail-config.txt
+++ /dev/null
@@ -1,81 +0,0 @@
-.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page"
-.SH NAME
-firejail.config \- Firejail run time configuration file
-.SH DESCRIPTION
-/etc/firejail/firejail.config is the system-wide configuration file for Firejail.
-It allows the system administrator to enable or disable a number of
-features and Linux kernel security technologies used by Firejail sandbox.
-The file contains keyword-argument pairs, one per line.
-Use 'yes' or 'no' as configuration values.
-Note that some of these features can also be enabled or disabled at compile
-time. Most features are enabled by default both at compile time and
-at run time.
-.TP
-\fBbind
-Enable or disable bind support, default enabled.
-.TP
-\fBchroot
-Enable or disable chroot support, default enabled.
-.TP
-\fBfile-transfer
-Enable or disable file transfer support, default enabled.
-.TP
-\fBnetwork
-Enable or disable networking features, default enabled.
-.TP
-\fBrestricted-network
-Enable or disable restricted network support, default disabled. If enabled,
-networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
-only to root user. Regular users are only allowed --net=none.
-.TP
-\fBsecomp
-Enable or disable seccomp support, default enabled.
-.TP
-\fBuserns
-Enable or disable user namespace support, default enabled.
-.TP
-\fBx11
-Enable or disable X11 sandboxing support, default enabled.
-.TP
-\fBxephyr-screen
-Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
-a full list of resolutions available on your specific setup. Examples:
-.br
-.br
-xephyr-screen 640x480
-.br
-xephyr-screen 800x600
-.br
-xephyr-screen 1024x768
-.br
-xephyr-screen 1280x1024
-.SH FILES
-/etc/firejail/firejail.config
-.SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-.PP
-Homepage: http://firejail.wordpress.com
-.SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 6cd9ce3cb..796179d0b 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -13,9 +13,13 @@ Example:
        netblue:--net=none --protocol=unix
+Wildcard patterns are accepted in the user name field:
+        user*: --private
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/password file for each user that needs to be restricted. Alternatively,
+/etc/passwd file for each user that needs to be restricted. Alternatively,
 you can specify /usr/bin/firejail  using adduser or usermod commands:
 adduser \-\-shell /usr/bin/firejail username
@@ -34,6 +38,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9045c1122..d6113218c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac
 Example: "noblacklist ${HOME}/.mozilla"
 .TP
-\fBignore command
+\fBignore
 Ignore command.
 Example: "ignore seccomp"
+.TP
+\fBquiet
+Disable Firejail's output. This should be the first uncommented command in the profile file.
+Example: "quiet"
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
 host filesystem. Each line describes a file element that is removed from
@@ -122,11 +128,16 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 .TP
-\fBread-only file_or_directory
+\fBblacklist-nolog file_or_directory
-Make directory or file read-only.
+When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
-.TP
+blacklist-nolog command disables syslog messages for this particular file or directory. Examples:
-\fBtmpfs directory
+.br
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.br
+blacklist-nolog /usr/bin
+.br
+blacklist-nolog /usr/bin/gcc*
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
@@ -135,8 +146,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \fBmkdir directory
-Create a directory in user home. Use this command for whitelisted directories you need to preserve
+Create a directory in user home before the sandbox is started.
-when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+The directory is created if it doesn't already exist.
+.br
+.br
+Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Without it, the application will create the directory, and the directory
+will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
 firefox profile:
 .br
@@ -145,14 +162,17 @@ mkdir ~/.mozilla
 .br
 whitelist ~/.mozilla
 .br
-mkdir ~/.cache
-.br
-mkdir ~/.cache/mozilla
-.br
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
 .TP
+\fBmkfile file
+Similar to mkdir, this command creates a file in user home before the sandbox is started.
+The file is created if it doesn't already exist, but it's target directory has to exist.
+.TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -161,6 +181,12 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
+\f\private-home file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
@@ -174,19 +200,43 @@ filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
-\fBwhitelist file_or_directory
+\fBread-only file_or_directory
-Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
+Make directory or file read-only.
-The modifications to file_or_directory are persistent, everything else is discarded
+.TP
-when the sandbox is closed.
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
+.TP
+\fBwhitelist file_or_directory
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
+everything else is discarded when the sandbox is closed. The top directory could be 
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.TP
+\fBwritable-etc
+Mount /etc directory read-write.
+.TP
+\fBwritable-var
+Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
 .TP
+\fBapparmor
+Enable AppArmor confinement.
+.TP
 \fBcaps
 Enable default Linux capabilities filter.
 .TP
@@ -205,10 +255,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable default seccomp filter.  The default list is as follows:
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
-mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
@@ -219,9 +266,32 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+.TP
+\fBx11
+Enable X11 sandboxing.
+.TP
+\fBx11 none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 xorg
+Enable X11 sandboxing with X11 security extension.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -255,6 +325,10 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
+\fBallusers
+All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
+.TP
 \fBname sandboxname
 Set sandbox name. Example:
 .br
@@ -284,9 +358,18 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+.TP
+\fBno3d
+Disable 3D hardware acceleration.
 .SH Networking
 Networking features available in profile files.
+.TP
+\fBdefaultgw address
+Use this address as default gateway in the new network namespace.
+.TP
 \fBdns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
@@ -295,6 +378,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Set a hostname for the sandbox.
 .TP
+\fBip address
+Assign IP addresses to the last network interface defined by a net command. A
+default gateway is assigned by default.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip 10.10.20.56
+.TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+.TP
+\fBip6 address
+Assign IPv6 addresses to the last network interface defined by a net command.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip6 2001:0db8:0:f101::1/64
+.TP
 \fBiprange address,address
 Assign  an  IP address in the provided range to the last network
 interface defined by  a  net command.  A  default  gateway  is assigned by default.
@@ -311,6 +433,16 @@ iprange 192.168.1.150,192.168.1.160
 .br
 .TP
+\fBmac address
+Assign MAC addresses to the last network interface defined by a net command.
+.TP
+\fBmtu number
+Assign a MTU value to the last network interface defined by a net command.
+.TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
@@ -345,6 +477,17 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
+.TP
+\fBveth-name name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands, 
+instead of the default one.
+.SH Other
+.TP
+\fBjoin-or-start sandboxname
+Join the sandbox identified by name or start a new one.
+Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
 Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
@@ -388,7 +531,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 23db832c1..bb9ae270c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments]
 File transfer from an existing sandbox
 .PP
 .RS
-firejail {\-\-ls | \-\-get} dir_or_filename
+firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
 .RE
 .PP
 Network traffic shaping for an existing sandbox:
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 .SH USAGE
-Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
+Without any options, the sandbox consists of a filesystem build in a new mount namespace,
-and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
-The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
+command line options. The default Firejail filesystem is based on the host filesystem with the main 
-Only /home and /tmp are writable.
+system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, 
+/libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -74,6 +75,46 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow-debuggers
+Allow tools such as strace and gdb inside the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+.TP
+\fB\-\-allusers
+All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
+.br
+.br
+Example:
+.br
+$ firejail --allusers
+.TP
+\fB\-\-apparmor
+Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-appimage
+Sandbox an AppImage (http://appimage.org/) application.
+.br
+.br
+Example:
+.br
+$ firejail --appimage krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --private krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+.TP
+\fB\-\-audit
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
+\fB\-\-audit=test-program
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -152,14 +193,7 @@ Example:
 .br
 $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\
 setuid /etc/init.d/nginx start
-.br
-.br
-A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
-should be made read-only independently. Making a parent directory read-only, will not
-make the whitelist read-only. Example:
-.br
-$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
 \fB\-\-caps.print=name|pid
 Print the caps filter for the sandbox identified by name or by PID.
@@ -194,7 +228,8 @@ Example:
 .TP
 \fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. If the sandbox is started as a
+Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. If the sandbox is started as a
 regular user, default seccomp and capabilities filters are enabled. This
 option is not available on Grsecurity systems.
 .br
@@ -465,6 +500,11 @@ in case you intend to start an external DHCP client in the sandbox.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-\ip=none
+.br
+.br
+If the corresponding interface doesn't have an IP address configured, this
+option is enabled by default.
 .TP
 \fB\-\-ip6=address
@@ -547,19 +587,19 @@ $ firejail --net=eth0 --name=browser firefox &
 .br
 # change netfilter configuration
 .br
-$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
+$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
 .br
 .br
 # verify netfilter configuration
 .br
-$ sudo firejail --join-network=browser "/sbin/iptables -vL"
+$ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 .br
 # verify  IP addresses
 .br
-$ sudo firejail --join-network=browser "ip addr"
+$ sudo firejail --join-network=browser ip addr
 .br
 Switching to pid 1932, the first child process inside the sandbox
 .br
@@ -588,6 +628,13 @@ Switching to pid 1932, the first child process inside the sandbox
       valid_lft forever preferred_lft forever
 .TP
+\fB\-\-join-or-start=name
+Join the sandbox identified by name or start a new one.
+Same as "firejail --join=name" if sandbox with specified name exists, otherwise same as "firejail --name=name ..."
+.br
+Note that in contrary to other join options there is respective profile option.
+.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
@@ -798,13 +845,23 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
+Only root may specify a negative value.
 .br
 .br
 Example:
 .br
-$ firejail --nice=-5 firefox
+$ firejail --nice=2 firefox
+.TP
+\fB\-\-no3d
+Disable 3D hardware acceleration.
+.br
+.br
+Example:
+.br
+$ firejail --no3d firefox
 .TP
 \fB\-\-noblacklist=dirname_or_filename
@@ -831,6 +888,21 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noexec=/tmp
+.br
+.br
+/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation
+on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+.TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
 sandbox. For root user supplementary groups are always disabled.
@@ -865,7 +937,7 @@ Example:
 .br
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -908,6 +980,14 @@ ping: icmp open socket: Operation not permitted
 $
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege. This option
+is enabled by default if seccomp filter is activated.
+.TP
 \fB\-\-nosound
 Disable sound system.
 .br
@@ -946,13 +1026,15 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
-The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .br
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 .br
@@ -961,14 +1043,34 @@ Example:
 $ firejail \-\-overlay firefox
 .TP
+\fB\-\-overlay-named=name
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
+sessions.
+.br
+.br
+OverlayFS support is required in Linux kernel for this option to work.
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay-named=jail1 firefox
+.TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
+and are discarded when the sandbox is closed.
 .br
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 .br
@@ -977,6 +1079,17 @@ Example:
 $ firejail \-\-overlay-tmpfs firefox
 .TP
+\fB\-\-overlay-clean
+Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path
+outside $HOME/.firejail will not be deleted.
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay-clean
+.TP
 \fB\-\-private
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -998,9 +1111,24 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 .TP
+\fB\-\-private-home=file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-private-home=.mozilla firefox
+.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
+If no listed file is found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
+All modifications are discarded when the sandbox is closed. 
 .br
 .br
@@ -1018,7 +1146,7 @@ bash  cat  ls  sed
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available.
 .br
 .br
@@ -1032,14 +1160,15 @@ Child process initialized
 .br
 $ ls /dev
 .br
-dri  full  log  null  ptmx  pts  random  shm  tty  urandom  zero
+dri  full  log  null  ptmx  pts  random  shm  snd  tty  urandom  zero
 .br
 $
 .TP
 \fB\-\-private-etc=file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
+If no listed file is found, /etc directory will be empty.
+All modifications are discarded when the sandbox is closed. 
 .br
 .br
@@ -1051,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
 .br
@@ -1120,6 +1249,9 @@ $ firejail \-\-protocol.print=3272
 .br
 unix,inet,inet6,netlink
 .TP
+\fB\-\-put=name|pid src-filename dest-filename
+Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details.
+.TP
 \fB\-\-quiet
 Turn off Firejail's output.
 .TP
@@ -1131,6 +1263,31 @@ Set directory or file read-only.
 Example:
 .br
 $ firejail \-\-read-only=~/.mozilla firefox
+.br
+.br
+A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
+should be made read-only independently. Making a parent directory read-only, will not
+make the whitelist read-only. Example:
+.br
+.br
+$ firejail --whitelist=~/work --read-only=~ --read-only=~/work
+.TP
+\fB\-\-read-write=dirname_or_filename
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
+this operation. Example:
+.br
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
@@ -1143,6 +1300,17 @@ Set the maximum number of processes that can be created for the real user ID of
 .TP
 \fB\-\-rlimit-sigpending=number
 Set the maximum number of pending signals for a process.
+.TP
+\fB\-\-rmenv=name
+Remove environment variable in the new sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -1156,13 +1324,13 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
@@ -1425,15 +1593,7 @@ $ firejail \-\-tree
 11969:netblue:firejail \-\-net=eth0 transmission-gtk 
 .br
  11970:netblue:transmission-gtk 
-.TP
-\fB\-\-user=new-user
-Switch the user before starting the sandbox. This command should be run as root.
-.br
-.br
-Example:
-.br
-# firejail \-\-user=www-data
 .TP
 \fB\-\-version
 Print program version and exit.
@@ -1445,66 +1605,106 @@ Example:
 $ firejail \-\-version
 .br
 firejail version 0.9.27
+.TP
+\fB\-\-veth-name=name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands, 
+instead of the default one.
+.br
+.br
+Example:
+.br
+$ firejail \-\-net=br0 --veth-name=if0
 .TP
 \fB\-\-whitelist=dirname_or_filename
-Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-When whitlisting symbolic links, both the link and the real file should be in the same top directory
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-(home user, /media, /var etc.)
+everything else is discarded when the sandbox is closed. The top directory could be 
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
 .br
 .br
 Example:
 .br
-$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 .TP
-\fB\-\-x11
+\fB\-\-writable-etc
-Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
+Mount /etc directory read-write.
-The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
-applications started in the sandbox from accessing other X11 displays.
-A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
 .br
 .br
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+Example:
-This feature is not available when running as root. 
+.br
+$ sudo firejail --writable-etc
+.TP
+\fB\-\-writable-var
+Mount /var directory read-write.
 .br
 .br
 Example:
 .br
-$ firejail \-\-x11 --net=eth0 firefox
+$ sudo firejail --writable-var
 .TP
-\fB\-\-x11=xpra
+\fB\-\-x11
-Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
+Sandbox the application using Xpra, Xephyr or Xorg security extension.
-Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
-On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+clients running outside the sandbox.
-This feature is not available when running as root.
+Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+If all fails, Firejail will not attempt to use X11 security extension.
+.br
+.br
+Xpra and Xephyr modes require a network namespace to be instantiated in order to disable
+X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
+by adding "-nolisten local" on Xorg command line.
 .br
 .br
 Example:
 .br
-$ firejail \-\-x11=xpra --net=eth0 firefox
+$ firejail \-\-x11 --net=eth0 firefox
+.TP
+\fB\-\-x11=none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
 .TP
 \fB\-\-x11=xephyr
-Start a new X11 server using Xephyr and attach the sandbox to this server.
+Start Xephyr and attach the sandbox to this server.
 Xephyr is a display server implementing the X11 display server protocol.
-It runs in a window just like other X applications, but it is an X server itself in which you can run other software.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
-The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file,
+.br
-see \fBman 5 firejail-config\fR for more details.
+.br
+Xephyr runs in a window just like any other X11 application. The default window size is 800x600.
+This can be modified in /etc/firejail/firejail.config file.
 .br
 .br
 The recommended way to use this feature is to run a window manager inside the sandbox.
 A security profile for OpenBox is provided.
-On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
+.br
+.br
+Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
 This feature is not available when running as root. 
 .br
@@ -1514,6 +1714,42 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 .TP
+\fB\-\-x11=xorg
+Sandbox the application using the untrusted mode implemented by X11 security extension. 
+The extension is available in Xorg package
+and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted 
+connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
+contents of other clients, stealing input events, etc.
+The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
+Firefox and transmission-gtk seem to be working fine.
+A network namespace is not required for this option.
+.br
+.br
+Example:
+.br
+$ firejail \-\-x11=xorg firefox
+.TP
+\fB\-\-x11=xpra
+Start Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+.br
+On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+This feature is not available when running as root.
+.br
+.br
+Example:
+.br
+$ firejail \-\-x11=xpra --net=eth0 firefox
+.TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.
 .br
@@ -1576,6 +1812,44 @@ $ firejail --tree
      1221:netblue:/usr/lib/firefox/firefox
 .RE
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+.br
+$ firejail --apparmor firefox
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files from the container to the host filesystem.
@@ -1583,12 +1857,16 @@ and transfer files from the container to the host filesystem.
 .TP
 \fB\-\-get=name|pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name or PID. Full path is needed for filename.
+The container is specified by name or PID.
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List container files. The container is specified by name or PID.
-Full path is needed for dir_or_filename.
+.TP
+\fB\-\-put=name|pid src-filename dest-filename
+Put src-filename in sandbox container.
+The container is specified by name or PID.
 .TP
 Examples:
@@ -1614,7 +1892,11 @@ drwxr-xr-x netblue  netblue         4096 ..
 .br
 $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png
+.br
+.br
+$ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
+.br
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
@@ -1626,15 +1908,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 Set rate-limits:
-        firejail --bandwidth=name|pid set network download upload
+        $ firejail --bandwidth=name|pid set network download upload
 Clear rate-limits:
-        firejail --bandwidth=name|pid clear network
+        $ firejail --bandwidth=name|pid clear network
 Status:
-        firejail --bandwidth=name|pid status
+        $ firejail --bandwidth=name|pid status
 where:
 .br
@@ -1658,6 +1940,26 @@ Example:
 .br
        $ firejail \-\-bandwidth=mybrowser clear eth0
+.SH AUDIT
+Audit feature allows the user to point out gaps in security profiles. The
+implementation replaces the program to be sandboxed with a test program. By
+default, we use faudit program distributed with Firejail. A custom test program
+can also be supplied by the user. Examples:
+Running the default audit program:
+.br
+        $ firejail --audit transmission-gtk
+Running a custom audit program:
+.br
+        $ firejail --audit=~/sandbox-test transmission-gtk
+In the examples above, the sandbox configures transmission-gtk profile and
+starts the test program. The real program, transmission-gtk, will not be
+started.
+Limitations: audit feature is not implemented for --x11 commands.
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -1751,7 +2053,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -1818,7 +2120,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index ef99b0927..bd84401af 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -109,6 +109,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh
index 4af84a7a1..65b06f9fa 100755
--- a/src/tools/mkcoverit.sh
+++ b/src/tools/mkcoverit.sh
@@ -1,13 +1,13 @@
 #!/bin/bash
 # unpack firejail archive
-ARCFIREJAIL=`ls *.tar.bz2| grep firejail`
+ARCFIREJAIL=`ls *.tar.xz| grep firejail`
 if [ "$?" -eq 0 ];
 then
        echo "preparing $ARCFIREJAIL"
-        DIRFIREJAIL=`basename $ARCFIREJAIL  .tar.bz2`
+        DIRFIREJAIL=`basename $ARCFIREJAIL  .tar.xz`
        rm -fr $DIRFIREJAIL
-        tar -xjvf $ARCFIREJAIL
+        tar -xJvf $ARCFIREJAIL
        cd $DIRFIREJAIL
        ./configure --prefix=/usr
        cd ..
diff --git a/test/appimage/Leafpad-0.8.17-x86_64.AppImage b/test/appimage/Leafpad-0.8.17-x86_64.AppImage
new file mode 100644
index 000000000..865f6b44c
--- /dev/null
+++ b/test/appimage/Leafpad-0.8.17-x86_64.AppImage
Binary files differ
diff --git a/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage b/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage
new file mode 100644
index 000000000..d167431f3
--- /dev/null
+++ b/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage
Binary files differ
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
new file mode 100755
index 000000000..503da2b9b
--- /dev/null
+++ b/test/appimage/appimage-v1.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=appimage-test --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "appimage Leafpad"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
new file mode 100755
index 000000000..5cb9d0849
--- /dev/null
+++ b/test/appimage/appimage-v2.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "appimage Leafpad"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
new file mode 100755
index 000000000..6a73d0a7e
--- /dev/null
+++ b/test/appimage/appimage.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)"
+./appimage-v1.exp
+echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
+./appimage-v1.exp
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
new file mode 100755
index 000000000..b05914b52
--- /dev/null
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firefox x11 xorg"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-gtk x11 xorg"
+        ./transmission-gtk.exp
+else
+        echo "TESTING SKIP: transmission-gtk not found"
+fi
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11 xorg"
+        ./icedove.exp
+else
+        echo "TESTING SKIP: icedove not found"
+fi
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
new file mode 100755
index 000000000..66b82fe92
--- /dev/null
+++ b/test/apps-x11-xorg/firefox.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp
new file mode 100755
index 000000000..667c2259f
--- /dev/null
+++ b/test/apps-x11-xorg/icedove.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg icedove\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
new file mode 100755
index 000000000..c52cb5b3a
--- /dev/null
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "transmission-gtk"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "transmission-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "transmission-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
new file mode 100755
index 000000000..4a8671dbd
--- /dev/null
+++ b/test/apps-x11/apps-x11.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: no x11 (test/apps-x11/x11-none.exp)"
+./x11-none.exp
+which xterm
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xterm x11 xorg"
+        ./xterm-xorg.exp
+        which xpra
+        if [ "$?" -eq 0 ];
+        then
+        echo "TESTING: xterm x11 xpra"
+        ./xterm-xpra.exp
+        fi
+        
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+        echo "TESTING: xterm x11 xephyr"
+        ./xterm-xephyr.exp
+        fi
+else
+        echo "TESTING SKIP: xterm not found"
+fi
+# check xpra/xephyr
+which xpra
+if [ "$?" -eq 0 ];
+then
+        echo "xpra found"
+else
+        echo "xpra not found"
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+                echo "Xephyr found"
+        else
+                echo "TESTING SKIP: xpra and/or Xephyr not found"
+                exit
+        fi
+fi
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firefox x11"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+which chromium
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: chromium x11"
+        ./chromium.exp
+else
+        echo "TESTING SKIP: chromium not found"
+fi
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-gtk x11"
+        ./transmission-gtk.exp
+else
+        echo "TESTING SKIP: transmission-gtk not found"
+fi
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11"
+        ./icedove.exp
+else
+        echo "TESTING SKIP: icedove not found"
+fi
diff --git a/test/chromium-x11.exp b/test/apps-x11/chromium.exp
index bcac3233c..2505c0c37 100755
--- a/test/chromium-x11.exp
+++ b/test/apps-x11/chromium.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --x11 --net=br0 chromium www.gentoo.org\r"
+send -- "firejail --name=test --x11 chromium www.gentoo.org\r"
 sleep 10
 spawn $env(SHELL)
@@ -37,6 +40,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail"
 }
 expect {
diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp
new file mode 100755
index 000000000..6a50c8884
--- /dev/null
+++ b/test/apps-x11/firefox.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11 firefox -no-remote www.gentoo.org\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp
new file mode 100755
index 000000000..e306e33ce
--- /dev/null
+++ b/test/apps-x11/icedove.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11 icedove\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/transmission-gtk-x11.exp b/test/apps-x11/transmission-gtk.exp
index 4ee3de701..4083a121f 100755
--- a/test/transmission-gtk-x11.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --net=br0 --x11 transmission-gtk\r"
+send -- "firejail --name=test --x11 transmission-gtk\r"
 sleep 10
 spawn $env(SHELL)
@@ -38,6 +41,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail"
 }
 expect {
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp
new file mode 100755
index 000000000..e9908839b
--- /dev/null
+++ b/test/apps-x11/x11-none.exp
@@ -0,0 +1,48 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "use network namespace in firejail"
+}
+sleep 1
+send -- "firejail --name=test --net=none --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -al /tmp/.X11-unix\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cannot open directory"
+}
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DISPLAY is not set"
+}
+after 100
+send -- "export DISPLAY=:0.0\r"
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Xt error"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp
new file mode 100755
index 000000000..41a413890
--- /dev/null
+++ b/test/apps-x11/x11-xephyr.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xephyr xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+exit
+sleep 5
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "use network namespace in firejail"
+}
+sleep 1
+send -- "firejail --name=test --net=none --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -al /tmp/.X11-unix\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cannot open directory"
+}
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DISPLAY is not set"
+}
+after 100
+send -- "export DISPLAY=:0.0\r"
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Xt error"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp
new file mode 100755
index 000000000..5b4299478
--- /dev/null
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xephyr xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp
new file mode 100755
index 000000000..fbc88f196
--- /dev/null
+++ b/test/apps-x11/xterm-xorg.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
new file mode 100755
index 000000000..1fb5df486
--- /dev/null
+++ b/test/apps-x11/xterm-xpra.exp
@@ -0,0 +1,98 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xpra xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --x11\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "name=test xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.1\n";exit}
+        "DISPLAY"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/test-apps.sh b/test/apps/apps.sh
index 5ada20549..38307b284 100755
--- a/test/test-apps.sh
+++ b/test/apps/apps.sh
@@ -1,4 +1,10 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 which firefox
 if [ "$?" -eq 0 ];
@@ -6,7 +12,7 @@ then
        echo "TESTING: firefox"
        ./firefox.exp
 else
-        echo "TESTING: firefox not found"
+        echo "TESTING SKIP: firefox not found"
 fi
 which midori
@@ -15,7 +21,7 @@ then
        echo "TESTING: midori"
        ./midori.exp
 else
-        echo "TESTING: midori not found"
+        echo "TESTING SKIP: midori not found"
 fi
 which chromium
@@ -24,16 +30,7 @@ then
        echo "TESTING: chromium"
        ./chromium.exp
 else
-        echo "TESTING: chromium not found"
+        echo "TESTING SKIP: chromium not found"
-fi
-which google-chrome
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: google-chrome"
-        ./chromium.exp
-else
-        echo "TESTING: google-chrome not found"
 fi
 which opera
@@ -42,7 +39,7 @@ then
        echo "TESTING: opera"
        ./opera.exp
 else
-        echo "TESTING: opera not found"
+        echo "TESTING SKIP: opera not found"
 fi
 which transmission-gtk
@@ -51,7 +48,7 @@ then
        echo "TESTING: transmission-gtk"
        ./transmission-gtk.exp
 else
-        echo "TESTING: transmission-gtk not found"
+        echo "TESTING SKIP: transmission-gtk not found"
 fi
 which transmission-qt
@@ -60,7 +57,34 @@ then
        echo "TESTING: transmission-qt"
        ./transmission-qt.exp
 else
-        echo "TESTING: transmission-qt not found"
+        echo "TESTING SKIP: transmission-qt not found"
+fi
+which qbittorrent
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: qbittorrent"
+        ./qbittorrent.exp
+else
+        echo "TESTING SKIP: qbittorrent not found"
+fi
+which uget-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: uget"
+        ./uget-gtk.exp
+else
+        echo "TESTING SKIP: uget-gtk not found"
+fi
+which filezilla
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: filezilla"
+        ./filezilla.exp
+else
+        echo "TESTING SKIP: filezilla not found"
 fi
 which evince
@@ -69,7 +93,17 @@ then
        echo "TESTING: evince"
        ./evince.exp
 else
-        echo "TESTING: evince not found"
+        echo "TESTING SKIP: evince not found"
+fi
+which gthumb
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gthumb"
+        ./gthumb.exp
+else
+        echo "TESTING SKIP: gthumb not found"
 fi
 which icedove
@@ -78,7 +112,7 @@ then
        echo "TESTING: icedove"
        ./icedove.exp
 else
-        echo "TESTING: icedove not found"
+        echo "TESTING SKIP: icedove not found"
 fi
 which vlc
@@ -87,7 +121,7 @@ then
        echo "TESTING: vlc"
        ./vlc.exp
 else
-        echo "TESTING: vlc not found"
+        echo "TESTING SKIP: vlc not found"
 fi
 which fbreader
@@ -96,7 +130,7 @@ then
        echo "TESTING: fbreader"
        ./fbreader.exp
 else
-        echo "TESTING: fbreader not found"
+        echo "TESTING SKIP: fbreader not found"
 fi
 which deluge
@@ -105,7 +139,7 @@ then
        echo "TESTING: deluge"
        ./deluge.exp
 else
-        echo "TESTING: deluge not found"
+        echo "TESTING SKIP: deluge not found"
 fi
 which gnome-mplayer
@@ -114,7 +148,7 @@ then
        echo "TESTING: gnome-mplayer"
        ./gnome-mplayer.exp
 else
-        echo "TESTING: gnome-mplayer not found"
+        echo "TESTING SKIP: gnome-mplayer not found"
 fi
 which xchat
@@ -123,7 +157,7 @@ then
        echo "TESTING: xchat"
        ./xchat.exp
 else
-        echo "TESTING: xchat not found"
+        echo "TESTING SKIP: xchat not found"
 fi
 which hexchat
@@ -132,16 +166,7 @@ then
        echo "TESTING: hexchat"
        ./hexchat.exp
 else
-        echo "TESTING: hexchat not found"
+        echo "TESTING SKIP: hexchat not found"
-fi
-which weechat-curses
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: weechat"
-        ./weechat.exp
-else
-        echo "TESTING: weechat not found"
 fi
 which wine
@@ -150,6 +175,6 @@ then
        echo "TESTING: wine"
        ./wine.exp
 else
-        echo "TESTING: wine not found"
+        echo "TESTING SKIP: wine not found"
 fi
diff --git a/test/chromium.exp b/test/apps/chromium.exp
index 676f7e314..d43f70f8e 100755
--- a/test/chromium.exp
+++ b/test/apps/chromium.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "chromium"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail chromium"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/deluge.exp b/test/apps/deluge.exp
index 9f5063495..0bf1baae2 100755
--- a/test/deluge.exp
+++ b/test/apps/deluge.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "deluge"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail deluge"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/evince.exp b/test/apps/evince.exp
index 3c3ad4bdd..71f760a9c 100755
--- a/test/evince.exp
+++ b/test/apps/evince.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "evince"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail evince"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/fbreader.exp b/test/apps/fbreader.exp
index d2bee880e..99c48d87c 100755
--- a/test/fbreader.exp
+++ b/test/apps/fbreader.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "fbreader"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail fbreader"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp
new file mode 100755
index 000000000..2f7038184
--- /dev/null
+++ b/test/apps/filezilla.exp
@@ -0,0 +1,84 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail filezilla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/filezilla.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "filezilla"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail filezilla"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail filezilla"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/firefox.exp b/test/apps/firefox.exp
index 2585e4b5c..5745d9270 100755
--- a/test/firefox.exp
+++ b/test/apps/firefox.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -30,7 +33,7 @@ expect {
        timeout {puts "TESTING ERROR 3.2\n";exit}
        "no-remote"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -52,6 +55,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        " firefox" {puts "firefox detected\n";}
        " iceweasel" {puts "iceweasel detected\n";}
 }
@@ -67,7 +71,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -90,7 +94,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp
index 6965322fc..6f0e5a312 100755
--- a/test/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 5
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "gnome-mplayer"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail gnome-mplayer"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/weechat.exp b/test/apps/gthumb.exp
index 630af55ee..13132cef6 100755
--- a/test/weechat.exp
+++ b/test/apps/gthumb.exp
@@ -1,13 +1,16 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail weechat-curses\r"
+send -- "firejail gthumb\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/weechat.profile"
+        "Reading profile /etc/firejail/gthumb.profile"
 }
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
@@ -23,9 +26,9 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "weechat-curses"
+        "gthumb"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,7 +49,8 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "weechat-curses"
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail gthumb"
 }
 expect {
        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -56,11 +60,11 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "weechat-curses"
+        ":firejail gthumb"
 }
 expect {
        timeout {puts "TESTING ERROR 6.1\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/hexchat.exp b/test/apps/hexchat.exp
index 7e99c8cdf..5d0bc1093 100755
--- a/test/hexchat.exp
+++ b/test/apps/hexchat.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "hexchat"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        "hexchat"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/icedove.exp b/test/apps/icedove.exp
index 344febb93..c0fbd9fc8 100755
--- a/test/icedove.exp
+++ b/test/apps/icedove.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "icedove"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail icedove"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/midori.exp b/test/apps/midori.exp
index 470f5de77..45d70eda1 100755
--- a/test/midori.exp
+++ b/test/apps/midori.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 5
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "midori"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail midori"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/opera.exp b/test/apps/opera.exp
index 23eed5504..036fc2e21 100755
--- a/test/opera.exp
+++ b/test/apps/opera.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "opera"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail opera"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
new file mode 100755
index 000000000..8bc6d8564
--- /dev/null
+++ b/test/apps/qbittorrent.exp
@@ -0,0 +1,84 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail qbittorrent\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "qbittorrent"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\n"
diff --git a/test/transmission-gtk.exp b/test/apps/transmission-gtk.exp
index 1acfc6f94..70700d523 100755
--- a/test/transmission-gtk.exp
+++ b/test/apps/transmission-gtk.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -9,7 +12,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 5
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -21,7 +24,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "transmission-gtk"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -41,6 +44,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail transmission-gtk"
 }
 expect {
@@ -51,7 +55,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -69,7 +73,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/transmission-qt.exp b/test/apps/transmission-qt.exp
index 944fd28a2..3773b1dc2 100755
--- a/test/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 10
+sleep 3
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "transmission-qt"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail transmission-qt"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
new file mode 100755
index 000000000..22c2a0831
--- /dev/null
+++ b/test/apps/uget-gtk.exp
@@ -0,0 +1,84 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail uget-gtk\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/uget-gtk.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "uget-gtk"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/vlc.exp b/test/apps/vlc.exp
index 290c0fc2f..b94ef8e12 100755
--- a/test/vlc.exp
+++ b/test/apps/vlc.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "vlc"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        ":firejail vlc"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/wine.exp b/test/apps/wine.exp
index f5b7d12b4..a2f465acb 100755
--- a/test/wine.exp
+++ b/test/apps/wine.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/xchat.exp b/test/apps/xchat.exp
index cde89d754..f3284caf7 100755
--- a/test/xchat.exp
+++ b/test/apps/xchat.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,7 @@ expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
        "xchat"
 }
-sleep 1
+after 100
 # grsecurity exit
 send -- "file /proc/sys/kernel/grsecurity\r"
@@ -46,6 +49,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
        " xchat"
 }
 expect {
@@ -56,7 +60,7 @@ expect {
        timeout {puts "TESTING ERROR 5.1\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
@@ -74,7 +78,7 @@ expect {
        timeout {puts "TESTING ERROR 6.3\n";exit}
        "name=blablabla"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
new file mode 100755
index 000000000..db4c9b472
--- /dev/null
+++ b/test/arguments/arguments.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+[ -f argtest ] || make argtest
+echo "TESTING: 1. regular bash session"
+./bashrun.exp
+sleep 1
+echo "TESTING: 2. symbolic link to firejail"
+./symrun.exp
+rm -fr symtest
+sleep 1
+echo "TESTING: 3. --join option"
+./joinrun.exp
+sleep 1
+echo "TESTING: 4. --output option"
+./outrun.exp
+rm out
+rm out.*
diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp
new file mode 100755
index 000000000..a3c9e382d
--- /dev/null
+++ b/test/arguments/bashrun.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "./bashrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1.3\n";exit}
+        "#arg2#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.3\n";exit}
+        "#arg2&tail#"
+}
+puts "\nall done\n"
diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh
new file mode 100755
index 000000000..0797c92c2
--- /dev/null
+++ b/test/arguments/bashrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "TESTING: 1.1 - simple args"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 1.2 - args with space and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1 tail" "arg2 tail"
+echo "TESTING: 1.3 - args with space and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 1.4 - args with space and \\"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 1.5 - args with & and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1&tail" "arg2&tail"
+echo "TESTING: 1.6 - args with & and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
new file mode 100755
index 000000000..8e8570e4f
--- /dev/null
+++ b/test/arguments/joinrun.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=joinrun\r"
+sleep 2
+spawn $env(SHELL)
+send --  "./joinrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1.3\n";exit}
+        "#arg2#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.3\n";exit}
+        "#arg2&tail#"
+}
+puts "\nall done\n"
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
new file mode 100755
index 000000000..2743d823e
--- /dev/null
+++ b/test/arguments/joinrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "TESTING: 3.1 - simple args"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun /usr/lib/firejail/faudit arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 3.2 - args with space and \""
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet /usr/lib/firejail/faudit "arg1 tail" "arg2 tail"
+echo "TESTING: 3.3 - args with space and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 3.4 - args with space and \\"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet /usr/lib/firejail/faudit arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 3.5 - args with & and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1&tail" "arg2&tail"
+echo "TESTING: 3.6 - args with & and '"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp
new file mode 100755
index 000000000..d28e75661
--- /dev/null
+++ b/test/arguments/outrun.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "./outrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1.3\n";exit}
+        "#arg2#"
+}
+exit
+#***************************************************
+#  breaking down from here on - bug to fix
+#***************************************************
+expect {
+        timeout {puts "TESTING ERROR 4.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.2.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.3\n";exit}
+        "#arg2&tail#"
+}
+puts "\nall done\n"
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh
new file mode 100755
index 000000000..a21243873
--- /dev/null
+++ b/test/arguments/outrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "TESTING: 4.1 - simple args"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 4.2 - args with space and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit "arg1 tail" "arg2 tail"
+echo "TESTING: 4.3 - args with space and '"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 4.4 - args with space and \\"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out /usr/lib/firejail/faudit arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 4.5 - args with & and \""
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit "arg1&tail" "arg2&tail"
+echo "TESTING: 4.6 - args with & and '"
+firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp
new file mode 100755
index 000000000..10e7ac6c8
--- /dev/null
+++ b/test/arguments/symrun.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "./symrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1.3\n";exit}
+        "#arg2#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.3\n";exit}
+        "#arg2 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.3\n";exit}
+        "#arg2&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.3\n";exit}
+        "#arg2&tail#"
+}
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh
new file mode 100755
index 000000000..d28f024a8
--- /dev/null
+++ b/test/arguments/symrun.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+mkdir symtest
+ln -s /usr/bin/firejail symtest/argtest
+# search for argtest in current directory
+export PATH=$PATH:.
+echo "TESTING: 2.1 - simple args"
+symtest/argtest arg1 arg2
+# simple quotes, testing spaces in file names
+echo "TESTING: 2.2 - args with space and \""
+symtest/argtest "arg1 tail" "arg2 tail"
+echo "TESTING: 2.3 - args with space and '"
+symtest/argtest 'arg1 tail' 'arg2 tail'
+# escaped space in file names
+echo "TESTING: 2.4 - args with space and \\"
+symtest/argtest arg1\ tail arg2\ tail
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 2.5 - args with & and \""
+symtest/argtest "arg1&tail" "arg2&tail"
+echo "TESTING: 2.6 - args with & and '"
+symtest/argtest 'arg1&tail' 'arg2&tail'
+rm -fr symtest
diff --git a/test/auto/autotest.sh b/test/auto/autotest.sh
deleted file mode 100755
index 0fb7565af..000000000
--- a/test/auto/autotest.sh
+++ /dev/null
@@ -1,202 +0,0 @@
-#!/bin/bash
-arr[1]="TEST 1: svn and standard compilation"
-arr[2]="TEST 2: cppcheck"
-arr[3]="TEST 3: compile seccomp disabled, chroot disabled, bind disabled"
-arr[4]="TEST 4: rvtest"
-arr[5]="TEST 5: expect test as root, no malloc perturb"
-arr[6]="TEST 6: expect test as user, no malloc perturb"
-arr[7]="TEST 7: expect test as root, malloc perturb"
-arr[8]="TEST 8: expect test as user, malloc perturb"
-# remove previous reports and output file
-cleanup() {
-        rm -f out-test
-        rm -f output*
-        rm -f report*
-        rm -fr firejail-trunk
-}
-print_title() {
-        echo
-        echo
-        echo
-        echo "**************************************************"
-        echo $1
-        echo "**************************************************"
-}
-while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
-    case "$1" in
-    --clean)
-        cleanup
-        exit
-        ;;
-    --help)
-        echo "./autotest.sh [--clean|--help]"
-        exit
-        ;;
-    esac
-    shift       # Check next set of parameters.
-done
-cleanup
-# enable sudo
-sudo ls -al
-#*****************************************************************
-# TEST 1
-#*****************************************************************
-# - checkout source code
-# - check compilation
-# - install
-#*****************************************************************
-print_title "${arr[1]}"
-svn checkout svn://svn.code.sf.net/p/firejail/code-0/trunk firejail-trunk
-cd firejail-trunk
-./configure --prefix=/usr 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-sudo make install 2>&1 | tee ../output-install
-cd src/tools
-gcc -o rvtest rvtest.c
-cd ../..
-cd test
-sudo ./configure > /dev/null
-cd ../..
-grep warning output-configure output-make output-install > ./report-test1
-grep error output-configure output-make output-install >> ./report-test1
-cat report-test1 > out-test1
-#*****************************************************************
-# TEST 2
-#*****************************************************************
-# - run cppcheck
-#*****************************************************************
-print_title "${arr[2]}"
-cd firejail-trunk
-cp /home/netblue/bin/cfg/std.cfg .
-cppcheck --force . 2>&1 | tee ../output-cppcheck
-cd ..
-grep error output-cppcheck > report-test2
-cat report-test2 > out-test2
-#*****************************************************************
-# TEST 3
-#*****************************************************************
-# - disable seccomp configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[3]}"
-# seccomp
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-seccomp 2>&1 | tee ../output-configure-noseccomp
-make -j4 2>&1 | tee ../output-make-noseccomp
-cd ..
-grep warning output-configure-noseccomp output-make-noseccomp > ./report-test3
-grep error output-configure-noseccomp output-make-noseccomp >> ./report-test3
-# chroot
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-chroot 2>&1 | tee ../output-configure-nochroot
-make -j4 2>&1 | tee ../output-make-nochroot
-cd ..
-grep warning output-configure-nochroot output-make-nochroot >> ./report-test3
-grep error output-configure-nochroot output-make-nochroot >> ./report-test3
-# bind
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-bind 2>&1 | tee ../output-configure-nobind
-make -j4 2>&1 | tee ../output-make-nobind
-cd ..
-grep warning output-configure-nobind output-make-nobind >> ./report-test3
-grep error output-configure-nobind output-make-nobind >> ./report-test3
-# save result
-cat report-test3 > out-test3
-#*****************************************************************
-# TEST 4
-#*****************************************************************
-# - rvtest
-#*****************************************************************
-print_title "${arr[4]}"
-cd firejail-trunk
-cd test
-../src/tools/rvtest test.rv 2>/dev/null | tee ../../output-test4 | grep TESTING
-cd ../..
-grep TESTING output-test4 > ./report-test4
-grep ERROR report-test4 > out-test4
-#*****************************************************************
-# TEST 5
-#*****************************************************************
-# - expect test as root, no malloc perturb
-#*****************************************************************
-print_title "${arr[5]}"
-cd firejail-trunk/test
-sudo ./test-root.sh 2>&1 | tee ../../output-test5 | grep TESTING
-cd ../..
-grep TESTING output-test5 > ./report-test5
-grep ERROR report-test5 > out-test5
-#*****************************************************************
-# TEST 6
-#*****************************************************************
-# - expect test as user, no malloc perturb
-#*****************************************************************
-print_title "${arr[6]}"
-cd firejail-trunk/test
-./test.sh 2>&1 | tee ../../output-test6 | grep TESTING
-cd ../..
-grep TESTING output-test6 > ./report-test6
-grep ERROR report-test6 > out-test6
-#*****************************************************************
-# TEST 7
-#*****************************************************************
-# - expect test as root, malloc perturb
-#*****************************************************************
-print_title "${arr[7]}"
-export MALLOC_CHECK_=3
-export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-cd firejail-trunk/test
-sudo ./test-root.sh 2>&1 | tee ../../output-test7 | grep TESTING
-cd ../..
-grep TESTING output-test7 > ./report-test7
-grep ERROR report-test7 > out-test7
-#*****************************************************************
-# TEST 8
-#*****************************************************************
-# - expect test as user, malloc perturb
-#*****************************************************************
-print_title "${arr[8]}"
-cd firejail-trunk/test
-./test.sh 2>&1 | tee ../../output-test8| grep TESTING
-cd ../..
-grep TESTING output-test8 > ./report-test8
-grep ERROR report-test8 > out-test8
-#*****************************************************************
-# PRINT REPORTS
-#*****************************************************************
-echo
-echo
-echo
-echo
-echo "**********************************************************"
-echo "TEST RESULTS"
-echo "**********************************************************"
-wc -l out-test*
-rm out-test*
-echo
-exit
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index e3e9bef2b..44e67fe22 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -9,13 +9,18 @@ arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
 arr[8]="TEST 8: compile network restricted"
 arr[9]="TEST 9: compile file transfer disabled"
+arr[10]="TEST 10: compile disable whitelist"
+arr[11]="TEST 11: compile disable global config"
+arr[12]="TEST 12: compile apparmor"
+arr[13]="TEST 13: compile busybox"
+arr[14]="TEST 14: compile overlayfs disabled"
+arr[15]="TEST 15: compile apparmor enabled"
 # remove previous reports and output file
 cleanup() {
        rm -f report*
        rm -fr firejail
-        rm oc* om*
+        rm -f oc* om*
 }
 print_title() {
@@ -27,6 +32,7 @@ print_title() {
        echo "**************************************************"
 }
+DIST="$1"
 while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
    case "$1" in
    --clean)
@@ -42,36 +48,33 @@ while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
 done
 cleanup
-# enable sudo
-sudo ls -al
 #*****************************************************************
 # TEST 1
 #*****************************************************************
 # - checkout source code
-# - check compilation
-# - install
 #*****************************************************************
 print_title "${arr[1]}"
-git clone https://github.com/netblue30/firejail.git
+echo "$DIST"
+tar -xJvf ../../$DIST.tar.xz
+mv $DIST firejail
 cd firejail
 ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
-sudo make install 2>&1 | tee ../output-install
 cd ..
-grep Warning output-configure output-make output-install > ./report-test1
+grep Warning output-configure output-make > ./report-test1
-grep Error output-configure output-make output-install >> ./report-test1
+grep Error output-configure output-make >> ./report-test1
 cp output-configure oc1
 cp output-make om1
-rm output-configure output-make output-install
+rm output-configure output-make
 #*****************************************************************
 # TEST 2
 #*****************************************************************
 # - disable seccomp configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[2]}"
 # seccomp
@@ -90,7 +93,6 @@ rm output-configure output-make
 # TEST 3
 #*****************************************************************
 # - disable chroot configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[3]}"
 # seccomp
@@ -109,7 +111,6 @@ rm output-configure output-make
 # TEST 4
 #*****************************************************************
 # - disable bind configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[4]}"
 # seccomp
@@ -128,7 +129,6 @@ rm output-configure output-make
 # TEST 5
 #*****************************************************************
 # - disable user namespace configuration
-# - check compilation
 #*****************************************************************
 print_title "${arr[5]}"
 # seccomp
@@ -166,7 +166,6 @@ rm output-configure output-make
 # TEST 7
 #*****************************************************************
 # - disable X11 support
-# - check compilation
 #*****************************************************************
 print_title "${arr[7]}"
 # seccomp
@@ -186,7 +185,6 @@ rm output-configure output-make
 # TEST 8
 #*****************************************************************
 # - enable network restricted
-# - check compilation
 #*****************************************************************
 print_title "${arr[8]}"
 # seccomp
@@ -206,13 +204,12 @@ rm output-configure output-make
 # TEST 9
 #*****************************************************************
 # - disable file transfer
-# - check compilation
 #*****************************************************************
 print_title "${arr[9]}"
 # seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --enable-network=restricted  --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-file-transfer  --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test9
@@ -221,6 +218,114 @@ cp output-configure oc9
 cp output-make om9
 rm output-configure output-make
+#*****************************************************************
+# TEST 10
+#*****************************************************************
+# - disable whitelist
+#*****************************************************************
+print_title "${arr[10]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-whitelist  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test10
+grep Error output-configure output-make >> ./report-test10
+cp output-configure oc10
+cp output-make om10
+rm output-configure output-make
+#*****************************************************************
+# TEST 11
+#*****************************************************************
+# - disable global config
+#*****************************************************************
+print_title "${arr[11]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-globalcfg  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test11
+grep Error output-configure output-make >> ./report-test11
+cp output-configure oc11
+cp output-make om11
+rm output-configure output-make
+#*****************************************************************
+# TEST 12
+#*****************************************************************
+# - enable apparmor
+#*****************************************************************
+print_title "${arr[12]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-apparmor  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test12
+grep Error output-configure output-make >> ./report-test12
+cp output-configure oc12
+cp output-make om12
+rm output-configure output-make
+#*****************************************************************
+# TEST 13
+#*****************************************************************
+# - enable busybox workaround
+#*****************************************************************
+print_title "${arr[13]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test13
+grep Error output-configure output-make >> ./report-test13
+cp output-configure oc13
+cp output-make om13
+rm output-configure output-make
+#*****************************************************************
+# TEST 14
+#*****************************************************************
+# - disable overlayfs
+#*****************************************************************
+print_title "${arr[14]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test14
+grep Error output-configure output-make >> ./report-test14
+cp output-configure oc14
+cp output-make om14
+rm output-configure output-make
+#*****************************************************************
+# TEST 15
+#*****************************************************************
+# - enable apparmor
+#*****************************************************************
+print_title "${arr[15]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test15
+grep Error output-configure output-make >> ./report-test15
+cp output-configure oc15
+cp output-make om15
+rm output-configure output-make
 #*****************************************************************
 # PRINT REPORTS
@@ -245,3 +350,10 @@ echo ${arr[6]}
 echo ${arr[7]}
 echo ${arr[8]}
 echo ${arr[9]}
+echo ${arr[10]}
+echo ${arr[11]}
+echo ${arr[12]}
+echo ${arr[13]}
+echo ${arr[14]}
+echo ${arr[15]}
diff --git a/test/configure b/test/configure
index bdf36fcad..9acd021c8 100755
--- a/test/configure
+++ b/test/configure
@@ -28,7 +28,7 @@ ROOTDIR="/tmp/chroot"			# default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh "      # basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*`        # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
diff --git a/test/dns.exp b/test/dns.exp
deleted file mode 100755
index 96513f278..000000000
--- a/test/dns.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 30
-spawn $env(SHELL)
-match_max 100000
-# no chroot
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-# with chroot
-send -- "firejail --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-# net eth0
-send -- "firejail --net=eth0 --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-# net eth0 and chroot
-send -- "firejail --net=eth0 --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-send -- "rm index.html\r"
-sleep 1
-puts "\n"
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
new file mode 100755
index 000000000..8a404decb
--- /dev/null
+++ b/test/environment/allow-debuggers.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ioctl"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "exit_group"
+}
+after 100
+send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "ioctl"
+}       
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "exit_group"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/shell_csh.exp b/test/environment/csh.exp
index a2634f633..46e4bb3ca 100755
--- a/test/shell_csh.exp
+++ b/test/environment/csh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,16 +14,13 @@ expect {
 }
 sleep 1
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        ".cshrc"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
+send -- "env | grep SHELL\r"
-        "home"
-}
-send -- "env | grep SHELL;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "SHELL"
@@ -29,12 +29,8 @@ expect {
        timeout {puts "TESTING ERROR 2.1\n";exit}
        "/bin/csh"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "home"
-}
 send -- "exit\r"
-sleep 1
+after 100
 puts "\n"
diff --git a/test/shell_dash.exp b/test/environment/dash.exp
index f5a60719e..cd051ea7c 100755
--- a/test/shell_dash.exp
+++ b/test/environment/dash.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -35,7 +36,7 @@ expect {
        "home"
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "\n"
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
new file mode 100755
index 000000000..6ffb124cf
--- /dev/null
+++ b/test/environment/dns.exp
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+# no chroot
+send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "connect"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "208.67.222.222"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "53"
+}
+after 100
+send -- "rm index.html\r"
+after 100
+puts "\nall done\n"
diff --git a/test/doubledash.exp b/test/environment/doubledash.exp
index 668468980..2eaa7d9ce 100755
--- a/test/doubledash.exp
+++ b/test/environment/doubledash.exp
@@ -36,25 +36,25 @@ expect {
 sleep 3
 spawn $env(SHELL)
-send --  "firejail --list;pwd\r"
+send --  "firejail --list;ls -d /tmp\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "name=testing"
 }
 expect {
        timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
+        "/tmp"
 }
-send --  "firejail --list;pwd\r"
+send --  "firejail --list;ls -d /tmp\r"
 expect {
        timeout {puts "TESTING ERROR 8 (join)\n";exit}
        "join=testing"
 }
 expect {
        timeout {puts "TESTING ERROR 9\n";exit}
-        "home"
+        "/tmp"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/env.exp b/test/environment/env.exp
index d7aee3c64..8f72400b0 100755
--- a/test/env.exp
+++ b/test/environment/env.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -28,7 +31,7 @@ expect {
        "ENV3"
 }
 send -- "exit\r"
-sleep 1
+after 100
 #***********************************************
 send -- "firejail --profile=env.profile\r"
diff --git a/test/env.profile b/test/environment/env.profile
index ba66e6210..ba66e6210 100644
--- a/test/env.profile
+++ b/test/environment/env.profile
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
new file mode 100755
index 000000000..5c4d49331
--- /dev/null
+++ b/test/environment/environment.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: DNS (test/environment/dns.exp)"
+./dns.exp
+echo "TESTING: doubledash (test/environment/doubledash.exp"
+mkdir -- -testdir
+touch -- -testdir/ttt
+cp -- /bin/bash -testdir/.
+./doubledash.exp
+rm -fr -- -testdir
+echo "TESTING: output (test/environment/output.exp)"
+./output.exp
+echo "TESTING: extract command (extract_command.exp)"
+./extract_command.exp
+echo "TESTING: environment variables (test/environment/env.exp)"
+./env.exp
+echo "TESTING: shell none(test/environment/shell-none.exp)"
+./shell-none.exp
+which dash
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: dash (test/environment/dash.exp)"
+        ./dash.exp
+else
+        echo "TESTING SKIP: dash not found"
+fi
+which csh
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: csh (test/environment/csh.exp)"
+        ./csh.exp
+else
+        echo "TESTING SKIP: csh not found"
+fi
+which zsh
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: zsh (test/environment/zsh.exp)"
+        ./zsh.exp
+else
+        echo "TESTING SKIP: zsh not found"
+fi
+echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)"
+./firejail-in-firejail.exp
+echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)"
+./firejail-in-firejail2.exp
+which aplay
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: sound (test/environment/sound.exp)"
+        ./sound.exp
+else
+        echo "TESTING SKIP: aplay not found"
+fi
+echo "TESTING: nice (test/environment/nice.exp)"
+./nice.exp
+echo "TESTING: quiet (test/environment/quiet.exp)"
+./quiet.exp
+which strace
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
+        ./allow-debuggers.exp
+else
+        echo "TESTING SKIP: strace not found"
+fi
diff --git a/test/extract_command.exp b/test/environment/extract_command.exp
index 99c1cc134..266f66ff5 100755
--- a/test/extract_command.exp
+++ b/test/environment/extract_command.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --debug ls -al\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/generic.profile"
+        "Reading profile /etc/firejail/default.profile"
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
@@ -17,7 +17,7 @@ expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Parent is shutting down, bye"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
index 5ba18d1fa..1122b712f 100755
--- a/test/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,6 +19,6 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Warning: an existing sandbox was detected"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp
index b0fed0dae..37d1c2870 100755
--- a/test/firejail-in-firejail2.exp
+++ b/test/environment/firejail-in-firejail2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,6 +19,6 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/nice.exp b/test/environment/nice.exp
index f4afb547d..2e0e95ea1 100755
--- a/test/nice.exp
+++ b/test/environment/nice.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -14,7 +17,7 @@ sleep 1
 send -- "top -b -n 1\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "netblue"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
@@ -26,7 +29,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "netblu"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
@@ -39,7 +42,7 @@ expect {
 sleep 1
 send -- "exit\r"
-sleep 1
+after 100
 send -- "firejail --profile=nice.profile\r"
 expect {
@@ -51,7 +54,7 @@ sleep 1
 send -- "top -b -n 1\r"
 expect {
        timeout {puts "TESTING ERROR 11\n";exit}
-        "netblue"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 12\n";exit}
@@ -63,7 +66,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 14\n";exit}
-        "netblu"
+        $env(USER)
 }
 expect {
        timeout {puts "TESTING ERROR 15\n";exit}
diff --git a/test/nice.profile b/test/environment/nice.profile
index d02c8f58b..d02c8f58b 100644
--- a/test/nice.profile
+++ b/test/environment/nice.profile
diff --git a/test/output.exp b/test/environment/output.exp
index 90a9d64b6..10c325832 100755
--- a/test/output.exp
+++ b/test/environment/output.exp
@@ -59,8 +59,7 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "logfile.5"
 }
-sleep 1
+after 100
 send -- "rm -f logfile*\r"
-sleep 1
+after 100
+puts "\nall done\n"
-puts "\n"
diff --git a/test/output.sh b/test/environment/output.sh
index 2be188e3a..2be188e3a 100755
--- a/test/output.sh
+++ b/test/environment/output.sh
diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp
new file mode 100755
index 000000000..8d7c8d4c0
--- /dev/null
+++ b/test/environment/quiet.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+# check ip address
+send -- "firejail --quiet echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile" {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized" {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp
new file mode 100755
index 000000000..8f3df794f
--- /dev/null
+++ b/test/environment/shell-none.exp
@@ -0,0 +1,48 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail  --shell=none\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "shell=none configured, but no program specified"
+}
+sleep 1
+send -- "firejail  --profile=shell-none.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "shell=none configured, but no program specified"
+}
+after 100
+send -- "firejail  --shell=none ls\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "environment.sh"
+}
+after 100
+send -- "firejail  --profile=shell-none.profile ls\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "environment.sh"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/shell-none.profile b/test/environment/shell-none.profile
new file mode 100644
index 000000000..f16ebe3a0
--- /dev/null
+++ b/test/environment/shell-none.profile
@@ -0,0 +1 @@
+shell none
diff --git a/test/sound.exp b/test/environment/sound.exp
index 078f8b416..dd55add89 100755
--- a/test/sound.exp
+++ b/test/environment/sound.exp
@@ -1,4 +1,8 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -73,7 +77,7 @@ expect {
        timeout {puts "TESTING ERROR 25\n";exit}
        "Parent is shutting down"
 }
-sleep 2
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/sound.profile b/test/environment/sound.profile
index 2f83a0bbb..2f83a0bbb 100644
--- a/test/sound.profile
+++ b/test/environment/sound.profile
diff --git a/test/shell_zsh.exp b/test/environment/zsh.exp
index 1d73fd926..578951ce0 100755
--- a/test/shell_zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,15 +14,12 @@ expect {
 }
 sleep 1
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        ".zshrc"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 send -- "env | grep SHELL;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
@@ -27,14 +27,10 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "/usr/bin/zsh"
+        "/bin/zsh"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "home"
 }
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index 6f7cae888..bcb227304 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -34,7 +34,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
-        "proc /proc/sysrq-trigger proc"
+        "/proc/sysrq-trigger"
 }
 #expect {
 #       timeout {puts "TESTING ERROR 1.5\n";exit}
@@ -42,11 +42,11 @@ expect {
 #}
 expect {
        timeout {puts "TESTING ERROR 1.6\n";exit}
-        "proc /proc/irq proc"
+        "/proc/irq"
 }
 expect {
        timeout {puts "TESTING ERROR 1.7\n";exit}
-        "proc /proc/bus proc"
+        "/proc/bus"
 }
 after 100
 send -- "exit\r"
@@ -115,22 +115,22 @@ if { $chroot == "chroot" } {
                timeout {puts "TESTING ERROR 5.3\n";exit}
                "proc /proc/sys proc"
        }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.4\n";exit}
+#               timeout {puts "TESTING ERROR 5.4\n";exit}
-                "proc /proc/sysrq-trigger proc"
+#               "proc /proc/sysrq-trigger proc"
-        }
+#       }
 #       expect {
 #               timeout {puts "TESTING ERROR 5.5\n";exit}
 #               "proc /proc/sys/kernel/hotplug"
 #       }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.6\n";exit}
+#               timeout {puts "TESTING ERROR 5.6\n";exit}
-                "proc /proc/irq proc"
+#               "proc /proc/irq proc"
-        }
+#       }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.7\n";exit}
+#               timeout {puts "TESTING ERROR 5.7\n";exit}
-                "proc /proc/bus proc"
+#               "proc /proc/bus proc"
-        }
+#       }
        after 100
        send -- "exit\r"
        sleep 1
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index 493a87328..4c6d3f3dc 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -20,12 +20,6 @@ expect {
 }
 sleep 1
-send -- "ls /etc/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Permission denied"
-}
-after 100
 send -- "ls ~/.config/firejail\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
@@ -77,12 +71,6 @@ if { $overlay == "overlay" } {
                "Child process initialized" {puts "normal system\n"}
        }
        sleep 1
-        send -- "ls /etc/firejail\r"
-        expect {
-                timeout {puts "TESTING ERROR 3\n";exit}
-                "Permission denied"
-        }
-        after 100
        send -- "ls ~/.config/firejail\r"
        expect {
                timeout {puts "TESTING ERROR 3.1\n";exit}
@@ -134,12 +122,6 @@ if { $chroot == "chroot" } {
                "Child process initialized"
        }
        sleep 1
-        send -- "ls /etc/firejail\r"
-        expect {
-                timeout {puts "TESTING ERROR 5\n";exit}
-                "Permission denied"
-        }
-        after 100
        send -- "ls ~/.config/firejail\r"
        expect {
                timeout {puts "TESTING ERROR 5.1\n";exit}
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
index aed5fe836..f4b544b3d 100755
--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -22,8 +22,8 @@ sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "12" { puts "Debian\n"}
+        "13" { puts "Debian\n"}
-        "11" { puts "Centos\n"}
+        "12" { puts "Centos\n"}
 }
 after 100
@@ -45,8 +45,8 @@ if { $overlay == "overlay" } {
        send -- "ls -l /dev | wc -l\r"
        expect {
                timeout {puts "TESTING ERROR 3.1\n";exit}
-                "12" { puts "Debian\n"}
+                "13" { puts "Debian\n"}
-                "11" { puts "Centos\n"}
+                "12" { puts "Centos\n"}
        }
        
        after 100
@@ -68,7 +68,7 @@ if { $chroot == "chroot" } {
        send -- "ls -l /dev | wc -l\r"
        expect {
                timeout {puts "TESTING ERROR 5.1\n";exit}
-                "11"
+                "12"
        }
        
        after 100
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
index a00517716..389e63a1d 100755
--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -60,14 +60,19 @@ if { $chroot == "chroot" } {
        expect {
                timeout {puts "TESTING ERROR 4\n";exit}
                "chroot option is not available" {puts "grsecurity\n"; exit}
+                "private-etc feature is disabled in chroot"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5\n";exit}
+                "chroot option is not available" {puts "grsecurity\n"; exit}
                "Child process initialized"
        }
        sleep 1
        
-        send -- "ls -al /etc | wc -l\r"
+        send -- "ls /etc | grep firejail\r"
        expect {
-                timeout {puts "TESTING ERROR 5.1\n";exit}
+                timeout {puts "TESTING ERROR 6\n";exit}
-                "10"
+                "firejail"
        }
        
        after 100
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
index 94a1abf67..d941fa9b7 100755
--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -61,14 +61,18 @@ if { $chroot == "chroot" } {
        send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
        expect {
                timeout {puts "TESTING ERROR 4\n";exit}
+                "private-bin feature is disabled in chroot"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5\n";exit}
                "Child process initialized"
        }
        sleep 1
        
        send -- "ls -l /usr/bin | wc -l\r"
        expect {
-                timeout {puts "TESTING ERROR 5.1\n";exit}
+                timeout {puts "TESTING ERROR 6\n";exit}
-                "6"
+                "9"
        }
        
        after 100
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
new file mode 100755
index 000000000..7f7cf7dd1
--- /dev/null
+++ b/test/filters/caps.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "CapBnd:        0000000000000009"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
new file mode 100755
index 000000000..5c7c98b3e
--- /dev/null
+++ b/test/filters/filters.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: noroot (test/filters/noroot.exp)"
+./noroot.exp
+echo "TESTING: capabilities (test/filters/caps.exp)"
+./caps.exp
+rm -f seccomp-test-file
+if [ "$(uname -m)" = "x86_64" ]; then
+       echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
+        ./fseccomp.exp
+else
+        echo "TESTING SKIP: fseccomp test implemented only for x86_64"
+fi
+rm -f seccomp-test-file
+if [ "$(uname -m)" = "x86_64" ]; then
+        echo "TESTING: protocol (test/filters/protocol.exp)"
+        ./protocol.exp
+else
+        echo "TESTING SKIP: protocol, running only on x86_64"
+fi
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+echo "TESTING: seccomp debug  (test/filters/seccomp-debug.exp)"
+./seccomp-debug.exp
+echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
+./seccomp-errno.exp
+echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
+./seccomp-su.exp
+which strace
+if [ $? -eq 0 ]; then
+        echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)"
+        ./seccomp-ptrace.exp
+else
+        echo "TESTING SKIP: ptrace, strace not found"
+fi
+echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)"
+./seccomp-chmod-profile.exp
+# todo:  fix pwd and add seccomp-chown.exp
+echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
+./seccomp-empty.exp
+if [ "$(uname -m)" = "x86_64" ]; then
+        echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
+        ./seccomp-dualfilter.exp
+else
+        echo "TESTING SKIP: seccomp dual, not running on x86_64"
+fi
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
new file mode 100755
index 000000000..8a9a8f9dc
--- /dev/null
+++ b/test/filters/fseccomp.exp
@@ -0,0 +1,138 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-syscalls\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "1      - write"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-errnos\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "1      - EPERM"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-protocols\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "unix, inet, inet6, netlink, packet,"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp protocol build unix,inet seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "WHITELIST 41 socket"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp secondary 64 seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.3\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp default seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 7.1\n";exit}
+        "BLACKLIST 165 mount" {puts "TESTING ERROR 7.2\n";exit}
+        "BLACKLIST 166 umount2" {puts "TESTING ERROR 7.3\n";exit}
+        "BLACKLIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.4\n";exit}
+        "BLACKLIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.5\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp default drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 8.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.3\n";exit}
+        "BLACKLIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.4\n";exit}
+        "BLACKLIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.5\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp keep seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 9.1\n";exit}
+        "WHITELIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 9.2\n";exit}
+        "WHITELIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 9.3\n";exit}
+        "KILL_PROCESS"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
new file mode 100755
index 000000000..b011f2bf9
--- /dev/null
+++ b/test/filters/noroot.exp
@@ -0,0 +1,160 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "2"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Operation not permitted"
+}
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+        "Bad system call" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "5"
+}
+puts "\n"
+send -- "exit\r"
+sleep 2
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "ffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "0"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "Operation not permitted"
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "5"
+}
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "User namespace detected"
+}
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "Joining user namespace"
+}
+sleep 1
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+        "Permission denied" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "5"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/protocol.exp b/test/filters/protocol.exp
index 018f4cd9b..835f645b2 100755
--- a/test/protocol.exp
+++ b/test/filters/protocol.exp
@@ -1,16 +1,21 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --noprofile --protocol=unix ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
+        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
        "Child process initialized"
 }
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
        "socket AF_INET"
 }
 expect {
@@ -47,7 +52,7 @@ expect {
 }
 sleep 1
-send -- "firejail --noprofile --protocol=inet6,packet ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Child process initialized"
@@ -91,7 +96,7 @@ expect {
 sleep 1
 # profile testing
-send -- "firejail --profile=protocol1.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Child process initialized"
@@ -134,7 +139,7 @@ expect {
 }
 sleep 1
-send -- "firejail --profile=protocol2.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
@@ -175,10 +180,6 @@ expect {
        timeout {puts "TESTING ERROR 4.9\n";exit}
        "after socket"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/protocol1.profile b/test/filters/protocol1.profile
index 3e1ea2a29..3e1ea2a29 100644
--- a/test/protocol1.profile
+++ b/test/filters/protocol1.profile
diff --git a/test/protocol2.profile b/test/filters/protocol2.profile
index b7eb4ab91..b7eb4ab91 100644
--- a/test/protocol2.profile
+++ b/test/filters/protocol2.profile
diff --git a/test/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
index 631d67743..1bd9c9b1f 100755
--- a/test/seccomp-bad-empty.exp
+++ b/test/filters/seccomp-bad-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -33,6 +36,6 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "Error: line 1 in seccomp-bad-empty2.profile is invalid"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile
index 2d4fcde7c..2d4fcde7c 100644
--- a/test/seccomp-bad-empty.profile
+++ b/test/filters/seccomp-bad-empty.profile
diff --git a/test/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile
index c4e6c9f74..c4e6c9f74 100644
--- a/test/seccomp-bad-empty2.profile
+++ b/test/filters/seccomp-bad-empty2.profile
diff --git a/test/pid.exp b/test/filters/seccomp-chmod-profile.exp
index cdeb9d5fb..463ce05e9 100755
--- a/test/pid.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -1,49 +1,51 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail\r"
+send --  "firejail --profile=seccomp.profile --private\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 1
+sleep 2
-# test processes
+send -- "cd ~; echo done\r"
-send -- "bash\r"
-sleep 1
-send -- "ps aux; pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "/bin/bash"
+        "done"
 }
+send -- "touch testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "bash"
+        "done"
 }
+send -- "ls -l testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "ps aux"
+        "testfile"
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
-send -- "ps aux |wc -l; pwd\r"
+send -- "chmod +x testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "6" {puts "normal system\n"}
+        "Bad system call"
-        "5" {puts "grsecurity\n"}
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
index b4a213206..b17990e3a 100755
--- a/test/seccomp-chmod.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,36 +14,38 @@ expect {
 }
 sleep 2
-send -- "touch testfile;pwd\r"
+send -- "cd ~; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "/root" {puts "running as root"}
+        "done"
-        "/home"
 }
-send -- "ls -l testfile;pwd\r"
+send -- "touch testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "testfile"
+        "done"
 }
+send -- "ls -l testfile; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "/root" {puts "running as root"}
+        "testfile"
-        "/home"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
 }
-send -- "chmod +x testfile;pwd\r"
+send -- "chmod +x testfile; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "Bad system call"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
-        "/root" {puts "running as root"}
+        "done"
-        "/home"
 }
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/seccomp-chown.exp b/test/filters/seccomp-chown.exp
index 69b896700..a54d279f1 100755
--- a/test/seccomp-chown.exp
+++ b/test/filters/seccomp-chown.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -42,5 +45,5 @@ expect {
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 1034f040e..dbc0d37a9 100755
--- a/test/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
new file mode 100755
index 000000000..958dab528
--- /dev/null
+++ b/test/filters/seccomp-dualfilter.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 1
+spawn $env(SHELL)
+match_max 100000
+send -- "./syscall_test\r"
+expect {
+        timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
+        "Usage"
+}
+send -- "./syscall_test32\r"
+expect {
+        timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
+        "Usage"
+}
+set timeout 10
+send -- "firejail ./syscall_test mount\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "after mount" {puts "TESTING ERROR 3\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+send -- "firejail ./syscall_test32 mount\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "after mount" {puts "TESTING ERROR 7\n";exit}
+        "Parent is shutting down"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/seccomp-empty.exp b/test/filters/seccomp-empty.exp
index 11abf2e00..d150dac7d 100755
--- a/test/seccomp-empty.exp
+++ b/test/filters/seccomp-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -141,5 +144,6 @@ expect {
 }
 sleep 2
 send -- "exit\r"
+after 100
 puts "\n"
diff --git a/test/seccomp-empty.profile b/test/filters/seccomp-empty.profile
index 8f71f55a5..8f71f55a5 100644
--- a/test/seccomp-empty.profile
+++ b/test/filters/seccomp-empty.profile
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp
new file mode 100755
index 000000000..c3af2fbe9
--- /dev/null
+++ b/test/filters/seccomp-errno.exp
@@ -0,0 +1,54 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "touch seccomp-test-file\r"
+after 100
+send --  "firejail --seccomp=unlinkat:ENOENT rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "No such file or directory"
+}
+sleep 1
+send --  "firejail --seccomp=unlinkat:ENOENT --debug rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "unlinkat 2 ENOENT"
+}
+sleep 1
+send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "No such file or directory"
+}
+after 100
+puts "\n"
+send -- "mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 100
+puts "\n"
+send -- "exit\r"
+sleep 1
+send -- "rm seccomp-test-file\r"
+after 100
+puts "all done\n"
diff --git a/test/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
index 9a9b7430e..bb87b96ea 100755
--- a/test/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -19,5 +22,5 @@ expect {
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "all done\n"
diff --git a/test/seccomp-su.exp b/test/filters/seccomp-su.exp
index dcae6f869..3feabc20f 100755
--- a/test/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -14,21 +17,24 @@ sleep 2
 send -- "sudo su -\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "effective uid is not 0"
+        "effective uid is not 0" {puts "OK\n"}
+        "Bad system call" {puts "OK\n"}
 }
 send -- "sudo ls\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "effective uid is not 0"
+        "effective uid is not 0" {puts "OK\n"}
+        "Bad system call" {puts "OK\n"}
 }
 send -- "ping google.com\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "Operation not permitted"
+        "Operation not permitted" {puts "OK\n"}
+        "unknown host" {puts "OK\n"}
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "all done\n"
diff --git a/test/seccomp.profile b/test/filters/seccomp.profile
index cb0b15aee..cb0b15aee 100644
--- a/test/seccomp.profile
+++ b/test/filters/seccomp.profile
diff --git a/src/tools/syscall_test b/test/filters/syscall_test
index bf29c5b99..bf29c5b99 100755
--- a/src/tools/syscall_test
+++ b/test/filters/syscall_test
Binary files differ
diff --git a/src/tools/syscall_test.c b/test/filters/syscall_test.c
index b3f43c755..422af619d 100644
--- a/src/tools/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -1,3 +1,7 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2016 Firejail Authors
+// License GPL v2
 #include <stdlib.h>
 #include <stdio.h>
 #include <unistd.h>
diff --git a/src/tools/syscall_test32 b/test/filters/syscall_test32
index 8d72f58c4..8d72f58c4 100755
--- a/src/tools/syscall_test32
+++ b/test/filters/syscall_test32
Binary files differ
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
new file mode 100755
index 000000000..efbf505ee
--- /dev/null
+++ b/test/fs/fs.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+rm -fr ~/_firejail_test_*
+echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)"
+./mkdir_mkfile.exp
+rm -fr ~/_firejail_test_*
+mkdir ~/_firejail_test_dir
+touch ~/_firejail_test_dir/a
+mkdir ~/_firejail_test_dir/test1
+touch ~/_firejail_test_dir/test1/b
+echo "TESTING: read/write (test/fs/read-write.exp)"
+./read-write.exp
+rm -fr ~/_firejail_test_*
+echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
+./sys_fs.exp
+echo "TESTING: kmsg access (test/fs/kmsg.exp)"
+./kmsg.exp
+echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
+./fs_var_tmp.exp
+echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
+./fs_var_lock.exp
+echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
+./fs_dev_shm.exp
+echo "TESTING: private (test/fs/private.exp)"
+./private.exp
+echo "TESTING: private home (test/fs/private-home.exp)"
+./private-home.exp
+echo "TESTING: private home dir (test/fs/private-home-dir.exp)"
+./private-home-dir.exp
+echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)"
+./private-homedir.exp
+echo "TESTING: private-etc (test/fs/private-etc.exp)"
+./private-etc.exp
+echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
+./private-etc-empty.exp
+echo "TESTING: private-bin (test/fs/private-bin.exp)"
+./private-bin.exp
+echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
+./whitelist-empty.exp
+echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
+./private-whitelist.exp
+echo "TESTING: invalid filename (test/fs/invalid_filename.exp)"
+./invalid_filename.exp
+echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)"
+./option_blacklist.exp
+echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
+./option_blacklist_file.exp
+echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)"
+./option_blacklist_glob.exp
+echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
+./option_bind_user.exp
+echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
+./mkdir.exp
+echo "TESTING: double whitelist (test/fs/whitelist-double.exp)"
+./whitelist-double.exp
+echo "TESTING: whitelist (test/fs/whitelist.exp)"
+./whitelist.exp
+#cleanup
+rm -fr ~/fjtest-dir
+rm -fr ~/fjtest-dir-lnk
+rm -f ~/fjtest-file
+rm -f ~/fjtest-file-lnk
+rm -f /tmp/fjtest-file
+rm -fr /tmp/fjtest-dir
+rm -fr ~/_firejail_test_*
diff --git a/test/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
index b54f24eb5..8150dfa61 100755
--- a/test/fs_dev_shm.exp
+++ b/test/fs/fs_dev_shm.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -12,33 +15,33 @@ expect {
 }
 sleep 1
-send -- "echo mytest > /dev/shm/ttt;pwd\r"
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /dev/shm/ttt;pwd\r"
+send -- "rm /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 sleep 1
@@ -48,40 +51,40 @@ sleep 1
 # redo the test with --private
 send -- "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "echo mytest > /dev/shm/ttt;pwd\r"
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
+        timeout {puts "TESTING ERROR 8\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
+        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /dev/shm/ttt;pwd\r"
+send -- "rm /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
+        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
+        timeout {puts "TESTING ERROR 12\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp
new file mode 100755
index 000000000..5879dca52
--- /dev/null
+++ b/test/fs/fs_var_lock.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# testing read-write /var/lock
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "echo mytest > /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "mytest"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+send -- "rm /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
+        "done"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+# redo the test with --private
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "echo mytest > /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "mytest"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "done"
+}
+send -- "rm /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "done"
+}
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp
index 95ceeb2a4..a3bc5afe2 100755
--- a/test/fs_var_tmp.exp
+++ b/test/fs/fs_var_tmp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -12,33 +15,33 @@ expect {
 }
 sleep 1
-send -- "echo mytest > /var/tmp/ttt;pwd\r"
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /var/tmp/ttt;pwd\r"
+send -- "rm /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 sleep 1
@@ -48,40 +51,40 @@ sleep 1
 # redo the test with --private
 send -- "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "echo mytest > /var/tmp/ttt;pwd\r"
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
+        timeout {puts "TESTING ERROR 8\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
        "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
+        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "done"
 }
-send -- "rm /var/tmp/ttt;pwd\r"
+send -- "rm /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
+        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
+        "done"
 }
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
+        timeout {puts "TESTING ERROR 12\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/invalid_filename.exp b/test/fs/invalid_filename.exp
index fe8bd8c25..1acc85491 100755
--- a/test/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -1,23 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
-#invalid_filename checks:
+# Copyright (C) 2014-2016 Firejail Authors
-#
+# License GPL v2
-#--bind (two files) - profile.c - Note: The test is not implemented here, need to be root to test it
-#--blacklist - profile.c
-#--cgroup - cgroup.c
-#--chroot - main.c
-#--netfilter - netfilter.c
-#--output - output.c
-#--private - fs_home.c
-#--privte-bin (list) - fs_bin.c
-#--private-home (list) - fs_home.c
-#--private-etc (list) - fs_etc.c
-#--profile - main.c
-#--read_only - profile.c
-#--shell - main.c
-#--tmpfs - profile.c
-#--white-list
 set timeout 10
 spawn $env(SHELL)
@@ -201,7 +185,5 @@ expect {
 }
 after 100
 puts "\nall done\n"
diff --git a/test/kmsg.exp b/test/fs/kmsg.exp
index 096bdb708..abc711aee 100755
--- a/test/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,14 +19,14 @@ expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Permission denied"
 }
-sleep 1
+after 100
 send -- "cat /proc/kmsg\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Permission denied"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
new file mode 100755
index 000000000..111db06db
--- /dev/null
+++ b/test/fs/mkdir.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2016 Firejail Authors
+# License GPL v2
+set timeout 3
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 1.3\n";exit}
+        ".firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf ~/.firejail_test\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
new file mode 100644
index 000000000..61b44c9ac
--- /dev/null
+++ b/test/fs/mkdir.profile
@@ -0,0 +1,2 @@
+mkdir ~/.firejail_test/a/b/c
+mkfile ~/.firejail_test/a/b/c/d.txt
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
new file mode 100755
index 000000000..98163bf77
--- /dev/null
+++ b/test/fs/mkdir_mkfile.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# testing profile and private
+send -- "firejail --private --profile=mkdir_mkfile.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find ~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_file"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1/dir2"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1/dir2/dir3"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "_firejail_test_dir/dir1/dir2/dir3/file1"
+}
+after 100
+puts "all done\n"
diff --git a/test/fs/mkdir_mkfile.profile b/test/fs/mkdir_mkfile.profile
new file mode 100644
index 000000000..d179c62ac
--- /dev/null
+++ b/test/fs/mkdir_mkfile.profile
@@ -0,0 +1,4 @@
+mkdir ~/_firejail_test_dir
+mkfile ~/_firejail_test_file
+mkdir ~/_firejail_test_dir/dir1/dir2/dir3
+mkfile ~/_firejail_test_dir/dir1/dir2/dir3/file1
diff --git a/test/option_bind_user.exp b/test/fs/option_bind_user.exp
index 9d2d17d7f..a2912968e 100755
--- a/test/option_bind_user.exp
+++ b/test/fs/option_bind_user.exp
@@ -9,7 +9,7 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "bind option is available only if running as root"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/option_blacklist.exp b/test/fs/option_blacklist.exp
index b80d0cc60..6554d438f 100755
--- a/test/option_blacklist.exp
+++ b/test/fs/option_blacklist.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,25 +14,25 @@ expect {
 }
 sleep 1
-send -- "ls -l /var;pwd\r"
+send -- "ls -l /var;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Permission denied"
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
-send -- "cd /var;pwd\r"
+send -- "cd /var;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Permission denied"
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
index ecdfe3b82..b0164136c 100755
--- a/test/option_blacklist_file.exp
+++ b/test/fs/option_blacklist_file.exp
@@ -11,16 +11,16 @@ expect {
 }
 sleep 1
-send -- "cat /etc/passwd;pwd\r"
+send -- "cat /etc/passwd;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Permission denied"
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp
new file mode 100755
index 000000000..5a96cacc9
--- /dev/null
+++ b/test/fs/option_blacklist_glob.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --blacklist=testdir1/*\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cd testdir1\r"
+sleep 1
+send -- "cat .file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Permission denied"
+}
+send -- "ls .directory\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+puts "\n"
diff --git a/test/private-bin.exp b/test/fs/private-bin.exp
index a82d2b213..fe9468be9 100755
--- a/test/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -63,9 +66,6 @@ expect {
 }
 send -- "exit\r"
+after 100
-sleep 1
 puts "\nall done\n"
diff --git a/test/private-bin.profile b/test/fs/private-bin.profile
index 24cf5929a..24cf5929a 100644
--- a/test/private-bin.profile
+++ b/test/fs/private-bin.profile
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
new file mode 100755
index 000000000..5ddce8678
--- /dev/null
+++ b/test/fs/private-etc-empty.exp
@@ -0,0 +1,42 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private-etc=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0" {puts "Debian\n"}
+        "1" {puts "Arch\n"}
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --profile=private-etc-empty.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0" {puts "Debian\n"}
+        "1" {puts "Arch\n"}
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile
new file mode 100644
index 000000000..38aa8cd68
--- /dev/null
+++ b/test/fs/private-etc-empty.profile
@@ -0,0 +1 @@
+private-etc blablabla
diff --git a/test/private-etc.exp b/test/fs/private-etc.exp
index db1d1df3a..e692f7382 100755
--- a/test/private-etc.exp
+++ b/test/fs/private-etc.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -12,31 +15,31 @@ expect {
 }
 sleep 1
-send -- "ls -al /etc\r"
+send -- "LC_ALL=C ls -al /etc\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "group"
+        "X11"
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "passwd"
+        "group"
 }
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "resolv.conf"
+        "passwd"
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "X11"
+        "resolv.conf"
 }
-send -- "ls -al /etc\r"
+send -- "ls -al /etc; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "shadow" {puts "TESTING ERROR 8\n";exit}
-        "X11"
+        "done"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
new file mode 100755
index 000000000..5491be834
--- /dev/null
+++ b/test/fs/private-home-dir.exp
@@ -0,0 +1,70 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+if {[file exists ~/.asoundrc]} {
+        puts "found .asoundrc file\n"
+} else {
+        send -- "touch ~/.asoundrc\r"
+}
+after 100
+if {[file exists ~/.Xauthority]} {
+        puts "found .Xauthority file\n"
+} else {
+        send -- "touch ~/.Xauthority\r"
+}
+after 100
+send -- "mkdir ~/_firejail_test_dir_\r"
+sleep 1
+# testing profile and private
+send -- "firejail --private=~/_firejail_test_dir_\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send -- "ls -al ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        ".asoundrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ".bashrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        ".Xauthority"
+}
+after 100
+send -- "exit\r"
+sleep 1
+# testing profile and private
+send -- "firejail --private=/etc\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "private directory should be owned by the current user"
+}
+sleep 1
+puts "all done\n"
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp
new file mode 100755
index 000000000..de5a88dea
--- /dev/null
+++ b/test/fs/private-home.exp
@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# create some test files in user home directory
+send -- "touch ~/_firejail_test_file1\r"
+send -- "touch ~/_firejail_test_file2\r"
+send -- "mkdir ~/_firejail_test_dir1\r"
+send -- "mkdir ~/_firejail_test_dir1/_firejail_test_dir2\r"
+send -- "touch ~/_firejail_test_dir1/_firejail_test_dir2/_firejail_test_file3\r"
+after 100
+send -- "firejail --private-home=_firejail_test_file1,_firejail_test_file2,_firejail_test_dir1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "find ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "_firejail_test_file3"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "_firejail_test_file2"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "_firejail_test_file1"
+}
+after 100
+send -- "rm -f ~/_firejail_test_file*\r"
+send -- "rm -fr ~/_firejail_test_dir*\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp
new file mode 100755
index 000000000..35085948a
--- /dev/null
+++ b/test/fs/private-homedir.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private=~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "ls -l ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "total 0"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/private-whitelist.exp b/test/fs/private-whitelist.exp
index 7379241ef..4dadeacb1 100755
--- a/test/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -9,26 +12,28 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
-sleep 1
+after 100
 send -- "ls -al /tmp\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        ".X11-unix"
 }
-sleep 1
+after 100
 send -- "ls -a /tmp | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "3"
 }
-sleep 1
+after 100
 send -- "ls -a ~ | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "5"
+        "3" {puts "3\n"}
+        "4" {puts "4\n"}
+        "5" {puts "5\n"}
 }
 sleep 1
diff --git a/test/fs/private.exp b/test/fs/private.exp
new file mode 100755
index 000000000..8114ee45d
--- /dev/null
+++ b/test/fs/private.exp
@@ -0,0 +1,58 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+if {[file exists ~/.asoundrc]} {
+        puts "found .asoundrc file\n"
+} else {
+        send -- "touch ~/.asoundrc\r"
+}
+after 100
+if {[file exists ~/.Xauthority]} {
+        puts "found .Xauthority file\n"
+} else {
+        send -- "touch ~/.Xauthority\r"
+}
+after 100
+# testing profile and private
+send -- "firejail --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send -- "ls -al ~\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        ".asoundrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ".bashrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        ".Xauthority"
+}
+after 100
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp
new file mode 100755
index 000000000..57986488e
--- /dev/null
+++ b/test/fs/read-write.exp
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "echo mytest >~/_firejail_test_dir/a;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "done"
+}
+after 100
+send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "done"
+}
+after 100
+send -- "cat ~/_firejail_test_dir/a;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "mytest" {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+after 100
+send -- "cat ~/_firejail_test_dir/test1/b;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mytest"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
new file mode 100755
index 000000000..f512776d9
--- /dev/null
+++ b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fs/testdir1/.directory/file b/test/fs/testdir1/.directory/file
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fs/testdir1/.directory/file
diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fs/testdir1/.file
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp
new file mode 100755
index 000000000..fc05f9322
--- /dev/null
+++ b/test/fs/whitelist-double.exp
@@ -0,0 +1,42 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "echo 123 > /tmp/firejal-deleteme\r"
+sleep 1
+send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cat /tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+send -- "cat /tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "123"
+}
+send -- "rm /tmp/firejal-deleteme\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "0"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/whitelist-empty.exp b/test/fs/whitelist-empty.exp
index 226b019db..71bb8f914 100755
--- a/test/whitelist-empty.exp
+++ b/test/fs/whitelist-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 30
 spawn $env(SHELL)
@@ -46,5 +49,6 @@ expect {
        "0"
 }
+after 100
 puts "\nall done\n"
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
new file mode 100755
index 000000000..9a9a0f353
--- /dev/null
+++ b/test/fs/whitelist.exp
@@ -0,0 +1,226 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
+after 200
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "rm /tmp/fjtest-file\r"
+after 200
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 200
+# simple files and directories
+send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r"
+after 200
+send -- "echo 123 > ~/fjtest-file\r"
+after 200
+send -- "echo 123 > ~/fjtest-dir/fjtest-file\r"
+after 200
+send -- "echo 123 > ~/fjtest-dir/fjtest-dir/fjtest-file\r"
+after 200
+send -- "ln -s ~/fjtest-file ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2"
+}
+send -- "cat fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "123"
+}
+send -- "cat fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "123"
+}
+send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# simple files and directories
+send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "1"
+}
+send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# symlinks
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "4"
+}
+send -- "cat fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "123"
+}
+send -- "cat fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "123"
+}
+send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "123"
+}
+send -- "cat fjtest-file-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "123"
+}
+send -- "cat fjtest-dir-lnk/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "123"
+}
+send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# symlinks outside home to a file we don't own
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "invalid whitelist path"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "exiting"
+}
+sleep 1
+# symlinks outside home to a file we own
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "echo 123 > /tmp/fjtest-file\r"
+after 200
+send -- "mkdir /tmp/fjtest-dir\r"
+after 200
+send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r"
+after 200
+send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r"
+after 200
+send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r"
+after 200
+send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 40\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | grep -v total | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 41\n";exit}
+        "2"
+}
+send -- "cat fjtest-file-lnk\r"
+expect {
+        timeout {puts "TESTING ERROR 42\n";exit}
+        "123"
+}
+send -- "cat fjtest-dir-lnk/fjtest-file\r"
+expect {
+        timeout {puts "TESTING ERROR 43\n";exit}
+        "123"
+}
+send -- "exit\r"
+sleep 1
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
+after 200
+send -- "rm -fr ~/fjtest-dir-lnk\r"
+after 200
+send -- "rm ~/fjtest-file\r"
+after 200
+send -- "rm ~/fjtest-file-lnk\r"
+after 200
+send -- "rm /tmp/fjtest-file\r"
+after 200
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 200
+puts "\nall done\n"
diff --git a/test/fs_var_lock.exp b/test/fs_var_lock.exp
deleted file mode 100755
index dfcf571f4..000000000
--- a/test/fs_var_lock.exp
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-# testing read-write /var/lock
-send -- "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "echo mytest > /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "mytest"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
-}
-send -- "rm /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-# redo the test with --private
-send -- "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "echo mytest > /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
-        "mytest"
-}
-expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "home"
-}
-send -- "rm /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "home"
-}
-send -- "cat /var/lock/ttt;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
-        "home"
-}
-sleep 1
-puts "\n"
diff --git a/test/google-chrome.exp b/test/google-chrome.exp
deleted file mode 100755
index 389988e3c..000000000
--- a/test/google-chrome.exp
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail google-chrome www.gentoo.org\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/google-chrome.profile"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 10
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        ":firejail"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "google-chrome"
-}
-sleep 1
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
-        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
-        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
-        "cannot open" {puts "grsecurity not present\n"}
-}
-send -- "firejail --name=blablabla\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-sleep 2
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        ":firejail google-chrome"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Seccomp:       0"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail google-chrome"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.1\n";exit}
-        "CapBnd:"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.2\n";exit}
-        "fffffffff"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.3\n";exit}
-        "name=blablabla"
-}
-sleep 1
-puts "\n"
diff --git a/test/net_interface.exp b/test/net_interface.exp
deleted file mode 100755
index 4b55187ff..000000000
--- a/test/net_interface.exp
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "ip link add link eth0 name eth0.100 type vlan id 100\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.101 type vlan id 101\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.102 type vlan id 102\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.103 type vlan id 103\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.104 type vlan id 104\r"
-sleep 1
-puts "\n"
-send -- "/sbin/ifconfig eth0.100 10.200.0.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.101 10.200.1.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.102 10.200.2.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.103 10.200.3.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.104 10.200.4.1/24\r"
-sleep 1
-puts "\n"
-send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103 --interface=eth0.104\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "maximum 4 interfaces are allowed"
-}
-sleep 1
-send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "eth0.100"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "UP"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "eth0.101"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "UP"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "eth0.102"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "UP"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "eth0.103"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "UP"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "firejail --noprofile --interface=eth0.104\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "eth0.104"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "UP"
-}
-puts "all done\n"
diff --git a/test/4bridges_arp.exp b/test/network/4bridges_arp.exp
index 6a3e6db2a..6383aad5e 100755
--- a/test/4bridges_arp.exp
+++ b/test/network/4bridges_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,9 +29,9 @@ expect {
        timeout {puts "TESTING ERROR 0.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth1
 send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
@@ -52,9 +55,9 @@ expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth2
@@ -79,9 +82,9 @@ expect {
        timeout {puts "TESTING ERROR 2.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -107,9 +110,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -164,7 +167,8 @@ expect {
        timeout {puts "TESTING ERROR 10.2\n";exit}
        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/4bridges_ip.exp b/test/network/4bridges_ip.exp
index 8068aeebb..e762ac285 100755
--- a/test/4bridges_ip.exp
+++ b/test/network/4bridges_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,9 +29,9 @@ expect {
        timeout {puts "TESTING ERROR 0.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth1
 send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
@@ -52,9 +55,9 @@ expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check eth2
@@ -79,9 +82,9 @@ expect {
        timeout {puts "TESTING ERROR 2.4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -107,9 +110,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
@@ -168,7 +171,8 @@ expect {
        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/network/README b/test/network/README
new file mode 100644
index 000000000..4404c53b0
--- /dev/null
+++ b/test/network/README
@@ -0,0 +1,14 @@
+Warning: this test requires root access to configure a number of bridge, mac
+and vlan devices. Please take a look at configure file. By the time you are
+finished testing, you'll probably have to reboot the computer to get your
+networking subsytem back to normal.
+Limitations - to be investigated and fixed:
+        - the test is assuming an eth0 wired interface to be present
+        - using netstat and ifconfig - this needs to be moved to iproute2
+        - configure script inserts an entry in system netfilter configuration
+        - the test will probably not work on grsecurity settings
+        - macvlan interfaces don't seem to work correctly under VirtualBox
+Run the test:
+        $ ./network.sh | grep TESTING
diff --git a/test/bandwidth.exp b/test/network/bandwidth.exp
index 33b351296..8a2e46e04 100755
--- a/test/bandwidth.exp
+++ b/test/network/bandwidth.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -9,13 +12,13 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 spawn $env(SHELL)
 send -- "firejail --bandwidth=test status\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "qdisc noqueue 0: dev eth0"
+        "qdisc * 0: dev eth0"
 }
 sleep 1
@@ -51,12 +54,12 @@ expect {
 }
 sleep 1
-send -- "firejail --bandwidth=test status; pwd\r"
+send -- "firejail --bandwidth=test status; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit}
-        "home" {puts "ok\n"}
+        "done"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/network/configure b/test/network/configure
new file mode 100755
index 000000000..35d938340
--- /dev/null
+++ b/test/network/configure
@@ -0,0 +1,27 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+brctl addbr br0
+ifconfig br0 10.10.20.1/29 up
+# NAT masquerade
+iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE
+# port forwarding
+# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80
+        
+brctl addbr br1
+ifconfig br1 10.10.30.1/24 up
+brctl addbr br2
+ifconfig br2 10.10.40.1/24 up
+brctl addbr br3
+ifconfig br3 10.10.50.1/24 up
+brctl addbr br4
+ifconfig br4 10.10.60.1/24 up
+ip link add link eth0 name eth0.5 type vlan id 5
+/sbin/ifconfig eth0.5 10.10.205.10/24 up
+ip link add link eth0 name eth0.6 type vlan id 6
+/sbin/ifconfig eth0.6 10.10.206.10/24 up
+ip link add link eth0 name eth0.7 type vlan id 7
+/sbin/ifconfig eth0.7 10.10.207.10/24 up
diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp
new file mode 100755
index 000000000..71fa1660f
--- /dev/null
+++ b/test/network/firemon-arp.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+#send -- "ping -c 3 192.168.1.1\r"
+#expect {
+#       timeout {puts "TESTING ERROR 0\n";exit}
+#       "3 packets transmitted"
+#}
+#sleep 1
+send --  "firejail --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --arp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "192.168.1.1 dev eth0 lladdr" {puts "Debian testing\n";}
+        "192.168.1.1 dev enp0s3 lladdr" {puts "Centos 7 testing\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "REACHABLE"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "name=test2"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp
new file mode 100755
index 000000000..deb8594af
--- /dev/null
+++ b/test/network/firemon-interfaces.exp
@@ -0,0 +1,67 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0 --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=eth0 --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --interface\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Link status"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "lo UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "IPv4 status"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "lo UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "IPv6 status"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "lo UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "eth0-"
+}
+after 100
+puts "\n"
diff --git a/test/firemon-route.exp b/test/network/firemon-route.exp
index a48116675..19a705778 100755
--- a/test/firemon-route.exp
+++ b/test/network/firemon-route.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail\r"
+send --  "firejail --name=test1\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
@@ -12,22 +12,38 @@ expect {
 sleep 1
 spawn $env(SHELL)
-send -- "firemon --route\r"
+send --  "firejail --name=test2\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --route\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
        "0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";}
        "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";}
        "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";}
-        "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";}
+            "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";}
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "10.10.30.0/24, dev br1, scope link src 10.10.30.1"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "10.10.50.0/24, dev br3, scope link src 10.10.50.1"
 }
-sleep 1
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "name=test2"
+}
+after 100
-puts "\n"
+puts "\nalldone\n"
diff --git a/test/hostname.exp b/test/network/hostname.exp
index 4e5c7e073..73d06725f 100755
--- a/test/hostname.exp
+++ b/test/network/hostname.exp
@@ -1,25 +1,29 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --hostname=baluba --noprofile\r"
+send --  "firejail --hostname=bingo --noprofile\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "ping -c 3 baluba;pwd\r"
+send -- "ping -c 3 bingo; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "3 packets transmitted, 3 received"
 }
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "all done\n"
diff --git a/test/network/interface.exp b/test/network/interface.exp
new file mode 100755
index 000000000..bd8777c33
--- /dev/null
+++ b/test/network/interface.exp
@@ -0,0 +1,66 @@
+#!/usr/bin/expect -f
+#
+# interface
+#
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+#
+# N
+#
+# todo: seems to be unable to find interface eth0.7
+#send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6 --interface=eth0.7\r"
+send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "eth0.5"
+}
+expect {
+        timeout {puts "TESTING ERROR 2n";exit}
+        "Link"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "10.10.205.10"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1"
+}
+after 100
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0.6"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Link"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "10.10.206.10"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1"
+}
+after 100
+send -- "exit\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/ip6.exp b/test/network/ip6.exp
index fba47d095..f0fcebcf8 100755
--- a/test/ip6.exp
+++ b/test/network/ip6.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -15,6 +18,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
+        "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
        "2001:db8:1f0a:3ec::2"
 }
 expect {
@@ -38,6 +42,8 @@ expect {
        "scopeid 0x0<global>" { puts "Arch\n"}
 }
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/ipv6.net b/test/network/ipv6.net
index cc8f22943..cc8f22943 100644
--- a/test/ipv6.net
+++ b/test/network/ipv6.net
diff --git a/test/network/net-profile.profile b/test/network/net-profile.profile
new file mode 100644
index 000000000..05052b6dc
--- /dev/null
+++ b/test/network/net-profile.profile
@@ -0,0 +1,10 @@
+net br0
+mac 00:11:22:33:44:55
+mtu 1000
+net br1
+ip 10.10.30.50
+net br2
+ip 10.10.40.100
+net br3
+defaultgw 10.10.20.2
diff --git a/test/net_arp.exp b/test/network/net_arp.exp
index 9e07744f3..fdd30f218 100755
--- a/test/net_arp.exp
+++ b/test/network/net_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -66,6 +69,6 @@ expect {
        "sleep 20"
 }
-# wait for snadboxes to be shutdown
+# wait for sandboxes to be shutdown
 sleep 30
 puts "\n"
diff --git a/test/net_badip.exp b/test/network/net_badip.exp
index 71b69e104..d13a6144e 100755
--- a/test/net_badip.exp
+++ b/test/network/net_badip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -10,7 +13,7 @@ expect {
        timeout {puts "TESTING ERROR 0.0\n";exit}
        "the IP address is not"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/net_defaultgw.exp b/test/network/net_defaultgw.exp
index 840f2ccac..6291ae5ba 100755
--- a/test/net_defaultgw.exp
+++ b/test/network/net_defaultgw.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -40,7 +43,8 @@ expect {
        timeout {puts "TESTING ERROR 10.2\n";exit}
        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/net_defaultgw2.exp b/test/network/net_defaultgw2.exp
index db14e17cb..7620e4899 100755
--- a/test/net_defaultgw2.exp
+++ b/test/network/net_defaultgw2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -34,7 +37,8 @@ expect {
        timeout {puts "TESTING ERROR 10.3\n";exit}
        "10.10.30.0/24 dev eth1  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/net_defaultgw3.exp b/test/network/net_defaultgw3.exp
index 64da9dfca..a47324adc 100755
--- a/test/net_defaultgw3.exp
+++ b/test/network/net_defaultgw3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -11,7 +14,8 @@ expect {
        "default gateway 10.10.95.89 is not in the range of any network"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/net_ip.exp b/test/network/net_ip.exp
index f5d487ecc..0fa84243a 100755
--- a/test/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,9 +29,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check loopback
 send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r"
@@ -66,7 +69,8 @@ expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\n"
diff --git a/test/net_local.exp b/test/network/net_local.exp
index 642213658..d58135785 100755
--- a/test/net_local.exp
+++ b/test/network/net_local.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -14,9 +17,9 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 # check loopback
 send -- "firejail --noprofile\r"
@@ -40,6 +43,8 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "255.0.0.0"
 }
+send -- "exit\r"
+after 100
 puts "all done\n"
diff --git a/test/net_mac.exp b/test/network/net_mac.exp
index 076634730..d3cd8163f 100755
--- a/test/net_mac.exp
+++ b/test/network/net_mac.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -30,7 +33,8 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 1
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/net_macvlan.exp b/test/network/net_macvlan.exp
index 20d022de9..f457ea98f 100755
--- a/test/net_macvlan.exp
+++ b/test/network/net_macvlan.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -83,6 +86,8 @@ while { $i <= $MAXi } {
        after 100
 #       sleep 1
 }
+send -- "exit\r"
+after 100
 puts "\n"
diff --git a/test/net_mtu.exp b/test/network/net_mtu.exp
index 7943b2866..eb9c5d08c 100755
--- a/test/net_mtu.exp
+++ b/test/network/net_mtu.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,6 +28,8 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "state UP"
 }
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/net_netfilter.exp b/test/network/net_netfilter.exp
index 989fcc407..737485d07 100755
--- a/test/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,7 +29,7 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
 sleep 1
@@ -40,7 +43,7 @@ expect {
        "ACCEPT     icmp --  any    any     anywhere" {puts "TESTING ERROR 5.1\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "exit\r"
 sleep 1
@@ -54,7 +57,7 @@ expect {
        timeout {puts "TESTING ERROR 6.1\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "ping -c 1 -w 3 10.10.20.1\r"
 expect {
        timeout {puts "TESTING ERROR 6.2\n";exit}
diff --git a/test/net_noip.exp b/test/network/net_noip.exp
index 8d28adb39..b557d116c 100755
--- a/test/net_noip.exp
+++ b/test/network/net_noip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,25 +19,26 @@ send -- "bash\r"
 sleep 1
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
        "eth0" {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "eth0"
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
+send -- "exit\r"
 after 100
 puts "all done\n"
diff --git a/test/net_noip2.exp b/test/network/net_noip2.exp
index 58f90422b..c86ea4900 100755
--- a/test/net_noip2.exp
+++ b/test/network/net_noip2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,25 +19,26 @@ send -- "bash\r"
 sleep 1
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
        "eth0" {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "eth0"
 }
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
+send -- "exit\r"
 after 100
 puts "all done\n"
diff --git a/test/net_none.exp b/test/network/net_none.exp
index 54b6cb946..1761eb423 100755
--- a/test/net_none.exp
+++ b/test/network/net_none.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -16,20 +19,20 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "eth0" {puts "TESTING ERROR 2.1\n";exit}
-        "home"
+        "done"
 }
 send -- "exit\r"
 sleep 1
@@ -48,21 +51,22 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "eth0" {puts "TESTING ERROR 5.1\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+send -- "exit\r"
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/net_none.profile b/test/network/net_none.profile
index 079c08ea8..079c08ea8 100644
--- a/test/net_none.profile
+++ b/test/network/net_none.profile
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp
new file mode 100755
index 000000000..29008d811
--- /dev/null
+++ b/test/network/net_profile.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# check eth0
+send -- "firejail --profile=net-profile.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0.0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "10.10.20"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "255.255.255.248"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.0/24 dev eth1  proto kernel  scope link  src 10.10.30.50"
+}
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "10.10.40.0/24 dev eth2  proto kernel  scope link  src 10.10.40.100"
+}
+# check default gw
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "default via 10.10.20.2 dev eth0"
+}
+# check mtu
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mtu 1000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "state UP"
+}
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp
new file mode 100755
index 000000000..5afbbeea6
--- /dev/null
+++ b/test/network/net_scan.exp
@@ -0,0 +1,75 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# 
+send -- "firejail --net=br1 --ip=10.10.30.50\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=br1 --ip=10.10.30.51\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "10.10.30.51"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=br1 --scan\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "10.10.30.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "10.10.30.51"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized"
+}
+sleep 1
+after 100
+puts "\nall done\n"
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp
new file mode 100755
index 000000000..89dedcb24
--- /dev/null
+++ b/test/network/net_veth.exp
@@ -0,0 +1,130 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "lo"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "127.0.0.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "255.0.0.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Default gateway"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "lo"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "127.0.0.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "255.0.0.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "eth0-"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "eth1-"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth2-"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "eth3-"
+}
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "255.255.255.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "Default gateway"
+}
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+after 100
+puts "\n"
diff --git a/test/netfilter.filter b/test/network/netfilter.filter
index 3e232065c..3e232065c 100644
--- a/test/netfilter.filter
+++ b/test/network/netfilter.filter
diff --git a/test/netfilter.profile b/test/network/netfilter.profile
index 824c6cd0f..824c6cd0f 100644
--- a/test/netfilter.profile
+++ b/test/network/netfilter.profile
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
new file mode 100755
index 000000000..41232061d
--- /dev/null
+++ b/test/network/netstats.exp
@@ -0,0 +1,39 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --net=eth0 --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --net=eth0 --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --netstats\r"
+sleep 4
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "name=test2"
+}
+after 100
+puts "\n"
diff --git a/test/network/network.sh b/test/network/network.sh
new file mode 100755
index 000000000..e1646d64a
--- /dev/null
+++ b/test/network/network.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+sudo ./configure
+echo "TESTING: firemon interface (firemon-interfaces.exp)"
+sudo ./firemon-interfaces.exp
+echo "TESTING: firemon arp (firemon-arp.exp)"
+./firemon-arp.exp
+echo "TESTING: firemon netstats (netstats.exp)"
+./netstats.exp
+echo "TESTING: firemon route (firemon-route.exp)"
+./firemon-route.exp
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+echo "TESTING: bandwidth (bandwidth.exp)"
+./bandwidth.exp
+echo "TESTING: IPv6 support (ip6.exp)"
+./ip6.exp
+echo "TESTING: local network (net_local.exp)"
+./net_local.exp
+echo "TESTING: no network (net_none.exp)"
+./net_none.exp
+echo "TESTING: network IP (net_ip.exp)"
+./net_ip.exp
+echo "TESTING: network MAC (net_mac.exp)"
+sleep 2
+./net_mac.exp
+echo "TESTING: network MTU (net_mtu.exp)"
+./net_mtu.exp
+echo "TESTING: network hostname (hostname.exp)"
+./hostname.exp
+echo "TESTING: network bad IP (net_badip.exp)"
+./net_badip.exp
+echo "TESTING: network no IP test 1 (net_noip.exp)"
+./net_noip.exp
+echo "TESTING: network no IP test 2 (net_noip2.exp)"
+./net_noip2.exp
+echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
+./net_defaultgw.exp
+echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
+./net_defaultgw2.exp
+echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
+./net_defaultgw3.exp
+echo "TESTING: scan (net_scan.exp)"
+./net_scan.exp
+echo "TESTING: interface (interface.exp)"
+./interface.exp
+echo "TESTING: veth (net_veth.exp)"
+./net_veth.exp
+echo "TESTING: netfilter (net_netfilter.exp)"
+./net_netfilter.exp
+echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
+./4bridges_arp.exp
+echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
+./4bridges_ip.exp
diff --git a/test/noroot.exp b/test/noroot.exp
deleted file mode 100755
index 37d55fe78..000000000
--- a/test/noroot.exp
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail --debug --noprofile --noroot --caps.drop=all --seccomp --cpu=0,1 --name=noroot-sandbox\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "CapBnd:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "0000000000000000"
-}
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Cpus_allowed:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "3"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Cpus_allowed_list:"
-}
-puts "\n"
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Seccomp:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "2"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Cpus_allowed:"
-}
-puts "\n"
-send -- "ping 0\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Operation not permitted"
-}
-puts "\n"
-send -- "whoami\r"
-expect {
-        timeout {puts "TESTING ERROR 55\\n";exit}
-        "netblue"
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-send -- "firejail --noroot --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "whoami\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "netblue"
-}
-send -- "sudo -s\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-send -- "firejail --name=test --noroot --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
-}
-sleep 1
-spawn $env(SHELL)
-send -- "firejail --debug --join=test\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "User namespace detected"
-}
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Joining user namespace"
-}
-sleep 1
-send -- "sudo -s\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "all done\n"
diff --git a/test/notes b/test/notes
deleted file mode 100644
index 864cd5519..000000000
--- a/test/notes
+++ /dev/null
@@ -1,13 +0,0 @@
-Testing --nosound
-Get a list of active PulseAudio clients:
-$ pacmd info | grep application.process.binary
-                application.process.binary = "lxpanel"
-                application.process.binary = "plugin-container"
-                application.process.binary = "plugin-container"
- 
-Find active PulseAudio socket:
-$ netstat -l | grep pulse
-unix  2      [ ACC ]     STREAM     LISTENING     10669    /tmp/pulse-WwG6ohxIJmGO/cli
-unix  2      [ ACC ]     STREAM     LISTENING     12584    /tmp/pulse-WwG6ohxIJmGO/dbus-socket
-unix  2      [ ACC ]     STREAM     LISTENING     12581    /tmp/pulse-WwG6ohxIJmGO/native
diff --git a/test/option-join2.exp b/test/option-join2.exp
deleted file mode 100755
index 630b62d9e..000000000
--- a/test/option-join2.exp
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --name=\"svn testing\"\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --join=\"svn testing\";pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Switching to pid"
-}
-sleep 1
-spawn $env(SHELL)
-send --  "firejail --shutdown=\"svn testing\";pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send --  "firejail --list;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svn testing" {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/option-join3.exp b/test/option-join3.exp
deleted file mode 100755
index aa8a445df..000000000
--- a/test/option-join3.exp
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --name=svn\\ testing\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 3
-spawn $env(SHELL)
-send --  "firejail --join=svn\\ testing;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Switching to pid"
-}
-sleep 1
-spawn $env(SHELL)
-send --  "firejail --shutdown=svn\\ testing;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send --  "firejail --list;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svn testing" {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/option-trace.exp b/test/option-trace.exp
deleted file mode 100755
index 38038b58e..000000000
--- a/test/option-trace.exp
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --trace\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "bash:open /dev/tty" {puts "64bit\n"}
-        "bash:open64 /dev/tty" {puts "32bit\n"}
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "bash:access /etc/terminfo/x/xterm" {puts "debian\n"}
-        "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"}
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp
new file mode 100755
index 000000000..76c0e55fc
--- /dev/null
+++ b/test/overlay/firefox-x11-xorg.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --overlay --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/firefox-x11.exp b/test/overlay/firefox-x11.exp
index 7e30437db..aa248f328 100755
--- a/test/firefox-x11.exp
+++ b/test/overlay/firefox-x11.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --x11 --net=br0 firefox -no-remote www.gentoo.org\r"
+send -- "firejail --overlay --name=test --x11 firefox -no-remote www.gentoo.org\r"
 sleep 10
 spawn $env(SHELL)
@@ -30,7 +33,7 @@ expect {
        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
        "cannot open" {puts "grsecurity not present\n"}
 }
-send -- "firejail --name=blablabla\r"
+send -- "firejail --name=blablabla --overlay\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp
new file mode 100755
index 000000000..6ef23558d
--- /dev/null
+++ b/test/overlay/firefox.exp
@@ -0,0 +1,99 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay firefox -no-remote www.gentoo.org\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/firefox.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla --overlay\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp
new file mode 100755
index 000000000..2ccb22bb1
--- /dev/null
+++ b/test/overlay/fs-named.exp
@@ -0,0 +1,66 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay-named=firejail-test\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Child process initialized" {puts "found\n"}
+}
+sleep 1
+send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+after 100
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "xyzxyzxyz"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "done"
+}
+after 100
+send -- "exit\r"
+sleep 2
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
+        "done"
+}
+after 100
+send -- "firejail --overlay-named=firejail-test\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Child process initialized" {puts "found\n"}
+}
+sleep 1
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "xyzxyzxyz"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fs_overlay.exp b/test/overlay/fs-tmpfs.exp
index b7eeba80f..658d16779 100755
--- a/test/fs_overlay.exp
+++ b/test/overlay/fs-tmpfs.exp
@@ -4,63 +4,59 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "rm -f /tmp/firejail-overlay-test;pwd\r"
+send -- "firejail --overlay-clean\r"
+after 100
+send -- "file ~/.firejail\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "home"
+        "cannot open"
 }
+after 100
-send -- "ls > /tmp/firejail-overlay-test;pwd\r"
+send -- "firejail --overlay-tmpfs\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
-}
-send -- "firejail --noprofile --overlay\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
        "Child process initialized" {puts "found\n"}
 }
 sleep 1
-send -- "echo xyzxyzxyz > /tmp/firejail-overlay-test;pwd\r"
+send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
-send -- "cat  /tmp/firejail-overlay-test;pwd\r"
+send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
        "xyzxyzxyz"
 }
 expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+after 100
 send -- "exit\r"
-sleep 2
+sleep 1
-send -- "cat  /tmp/firejail-overlay-test;pwd\r"
+send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
+        "xyzxyzxyz" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
+after 100
-sleep 1
+send -- "file ~/.firejail\r"
-send -- "rm -f /tmp/firejail-overlay-test;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
+        "cannot open"
 }
+after 100
+puts "\nall done\n"
-sleep 1
-puts "all done \n"
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp
new file mode 100755
index 000000000..15ada9203
--- /dev/null
+++ b/test/overlay/fs.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --overlay\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Child process initialized" {puts "found\n"}
+}
+sleep 1
+send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+after 100
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "xyzxyzxyz"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "done"
+}
+after 100
+send -- "exit\r"
+sleep 2
+send -- "cat  ~/_firejail_test_file; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
+        "done"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh
new file mode 100755
index 000000000..4c9ebe5b0
--- /dev/null
+++ b/test/overlay/overlay.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: overlay fs (test/overlay/fs.exp)"
+rm -fr ~/_firejail_test_*
+./fs.exp
+rm -fr ~/_firejail_test_*
+echo "TESTING: overlay named fs (test/overlay/fs-named.exp)"
+rm -fr ~/_firejail_test_*
+./fs-named.exp
+rm -fr ~/_firejail_test_*
+echo "TESTING: overlay tmpfs fs (test/overlay/fs-tmpfs.exp)"
+rm -fr ~/_firejail_test_*
+./fs-tmpfs.exp
+rm -fr ~/_firejail_test_*
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: overlay firefox"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: overlay firefox x11 xorg"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+# check xpra/xephyr
+which xpra
+if [ "$?" -eq 0 ];
+then
+        echo "xpra found"
+else
+        echo "xpra not found"
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+                echo "Xephyr found"
+        else
+                echo "TESTING SKIP: xpra and/or Xephyr not found"
+                exit
+        fi
+fi
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: overlay firefox x11"
+        ./firefox-x11.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
diff --git a/test/private.exp b/test/private.exp
deleted file mode 100755
index a5920c37b..000000000
--- a/test/private.exp
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-if { $argc != 1 } {
-        puts "TESTING ERROR: argument missing"
-        puts "Usage: private.exp username"
-        puts "where username is the name of the current user"
-        exit
-}
-# testing profile and private
-send -- "firejail --private --profile=/etc/firejail/generic.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "firejail --private --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls -al; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        ".bashrc"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.2\n";exit}
-        [lindex $argv 0]
-}
-send -- "ls -al; pwd\r"
-expect {
-        timeout {
-                # OpenSUSE doesn't use .Xauthority from user home directory
-                send -- "env | grep XAUTHORITY\r"
-                expect {
-                        timeout {puts "TESTING ERROR 0.3\n";exit}
-                        "/run/lightdm/netblue/xauthority"
-                }
-        }
-        ".Xauthority"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.4\n";exit}
-        [lindex $argv 0]
-}
-# testing private only
-send -- "bash\r"
-sleep 1
-# owner /home/netblue
-send -- "ls -l /home;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3\n";exit}
-        "home"
-}
-sleep 1
-# owner /tmp
-send -- "stat -c %U%a /tmp;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "root777" {puts "version 1\n";}
-            "root1777" {puts "version 2\n";}
-        "nobody777" {puts "version 3\n";}
-            "nobody1777" {puts "version 4\n";}
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
-sleep 1
-puts "all done\n"
diff --git a/test/private_dir.exp b/test/private_dir.exp
index 9dfb2ea9f..a4beeba27 100755
--- a/test/private_dir.exp
+++ b/test/private_dir.exp
@@ -42,7 +42,7 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "7" {puts "normal system\n";}
+        "6" {puts "normal system\n";}
        "5" {puts "OpenSUSE\n";}
 }
 expect {
diff --git a/test/private_dir_profile.exp b/test/private_dir_profile.exp
index 5b38ad0bb..8d1c74444 100755
--- a/test/private_dir_profile.exp
+++ b/test/private_dir_profile.exp
@@ -42,7 +42,7 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "7" {puts "normal system\n";}
+        "6" {puts "normal system\n";}
        "5" {puts "OpenSUSE\n";}
 }
 expect {
diff --git a/test/profile_tmpfs.exp b/test/profile_tmpfs.exp
deleted file mode 100755
index a2faa32f7..000000000
--- a/test/profile_tmpfs.exp
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
-send -- "ls > /tmp/firejailtestdir/tmpfile\r"
-sleep 1
-send -- "firejail --profile=tmpfs.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-# testing private only
-send -- "bash\r"
-sleep 1
-send -- "ls -l /tmp/firejailtestdir;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "tmpfile" {puts "TESTING ERROR 1\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "rm -fr  /tmp/firejailtestdir\r"
-sleep 1
-puts "\n"
diff --git a/test/ignore.exp b/test/profiles/ignore.exp
index c5ea25684..0c5691e9a 100755
--- a/test/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -43,5 +46,5 @@ expect {
        "Child process initialized"
 }
+after 100
 puts "\nall done\n"
diff --git a/test/ignore.profile b/test/profiles/ignore.profile
index aec231ad2..aec231ad2 100644
--- a/test/ignore.profile
+++ b/test/profiles/ignore.profile
diff --git a/test/ignore2.profile b/test/profiles/ignore2.profile
index 49fcd8324..49fcd8324 100644
--- a/test/ignore2.profile
+++ b/test/profiles/ignore2.profile
diff --git a/test/profile_followlnk.exp b/test/profiles/profile_followlnk.exp
index e2ede2865..eb3d04852 100755
--- a/test/profile_followlnk.exp
+++ b/test/profiles/profile_followlnk.exp
@@ -5,34 +5,22 @@ spawn $env(SHELL)
 match_max 100000
 send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
 send -- "ln -s /tmp/firejailtestdir  /tmp/firejailtestdirlnk\r"
-sleep 1
 send -- "touch /tmp/firejailtestfile\r"
-sleep 1
 send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r"
 sleep 1
-send -- "firejail --profile=readonly-lnk.profile --debug\r"
+send -- "firejail --profile=readonly-lnk.profile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-# testing private only
+send -- "ls > /tmp/firejailtestdirlnk/ttt\r"
-send -- "bash\r"
-sleep 1
-send -- "ls > /tmp/firejailtestdirlnk/ttt;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 sleep 1
 send -- "ls > /tmp/firejailtestfilelnk;pwd\r"
@@ -40,29 +28,11 @@ expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
 sleep 1
 send -- "exit\r"
-sleep 1
+after 100
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 2
 send -- "rm -fr /tmp/firejailtest*\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_noperm.exp b/test/profiles/profile_noperm.exp
index b3ed558bc..b3b031cb2 100755
--- a/test/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -9,5 +9,5 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "cannot access profile"
 }
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_readonly.exp b/test/profiles/profile_readonly.exp
index 046b0d738..c1c9544a6 100755
--- a/test/profile_readonly.exp
+++ b/test/profiles/profile_readonly.exp
@@ -5,7 +5,6 @@ spawn $env(SHELL)
 match_max 100000
 send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
 send -- "touch /tmp/firejailtestfile\r"
 sleep 1
@@ -14,51 +13,24 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
+sleep 2
-# testing private only
+send -- "ls > /tmp/firejailtestdir/ttt\r"
-send -- "bash\r"
-sleep 1
-send -- "ls > /tmp/firejailtestdir/ttt;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 sleep 1
-send -- "ls > /tmp/firejailtestfile;pwd\r"
+send -- "ls > /tmp/firejailtestfile\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
 send -- "exit\r"
-sleep 1
+after 100
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 2
 send -- "rm -fr /tmp/firejailtest*\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 559947276..d1be2074a 100755
--- a/test/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -22,42 +25,30 @@ sleep 1
 send -- "ls -l /etc/shadow\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "root root 0"
+        "root root"
 }
 sleep 1
-send -- "rmdir;pwd\r"
+send -- "rmdir\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
 sleep 1
-send -- "mount;pwd\r"
+send -- "mount\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
-}
 sleep 1
-send -- "umount;pwd\r"
+send -- "umount\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "home"
-}
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 96e85ba93..9dca35ca2 100755
--- a/test/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -42,6 +45,6 @@ expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "Child process initialized"
 }
+send -- "exit\r"
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
new file mode 100755
index 000000000..ca0b9fb29
--- /dev/null
+++ b/test/profiles/profiles.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: default profiles installed in /etc"
+PROFILES=`ls /etc/firejail/*.profile`
+for PROFILE in $PROFILES
+do
+        echo "TESTING: $PROFILE"
+        ./test-profile.exp $PROFILE
+done
+echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
+./profile_syntax.exp
+echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+echo "TESTING: ignore command (test/profiles/ignore.exp)"
+./ignore.exp
+echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
+./profile_readonly.exp
+echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+./profile_followlnk.exp
+echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
+./profile_noperm.exp
diff --git a/test/readonly-lnk.profile b/test/profiles/readonly-lnk.profile
index 71ffb1a26..71ffb1a26 100644
--- a/test/readonly-lnk.profile
+++ b/test/profiles/readonly-lnk.profile
diff --git a/test/readonly.profile b/test/profiles/readonly.profile
index 55d89e3d7..55d89e3d7 100644
--- a/test/readonly.profile
+++ b/test/profiles/readonly.profile
diff --git a/test/test-profile.exp b/test/profiles/test-profile.exp
index a03e8db31..a6b4a5aad 100755
--- a/test/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -10,10 +13,10 @@ if { $argc != 1 } {
        exit
 }
-send -- "firejail --profile=$argv /bin/bash\r"
+send -- "firejail --profile=$argv echo done\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        "done"
 }
 send -- "exit\r"
 after 100
diff --git a/test/test.profile b/test/profiles/test.profile
index 1d69cc960..1d69cc960 100644
--- a/test/test.profile
+++ b/test/profiles/test.profile
diff --git a/test/test2.profile b/test/profiles/test2.profile
index d7e1a1f21..d7e1a1f21 100644
--- a/test/test2.profile
+++ b/test/profiles/test2.profile
diff --git a/test/quiet.exp b/test/quiet.exp
deleted file mode 100755
index fa46aebf2..000000000
--- a/test/quiet.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 4
-spawn $env(SHELL)
-match_max 100000
-# check ip address
-send -- "firejail --net=br0 --quiet\r"
-expect {
-        "Child process initialized" {puts "TESTING ERROR 1\n";exit}
-        "Interface" {puts "TESTING ERROR 1\n";exit}
-}
-sleep 1
-send -- "\r"
-puts "\nall done\n"
diff --git a/test/profile_rlimit.exp b/test/rlimit/rlimit-profile.exp
index 7d2637444..a9e54a405 100755
--- a/test/profile_rlimit.exp
+++ b/test/rlimit/rlimit-profile.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 set timeout 10
+#cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -11,7 +12,7 @@ expect {
 }
 sleep 1
-send -- "cat /proc/self/limits; pwd\r"
+send -- "cat /proc/self/limits\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
        "Max file size             1024                 1024"
@@ -28,9 +29,5 @@ expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
        "Max pending signals       200                  200"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 1.5\n";exit}
+puts "\nall done\n"
-        "home"
-}
-sleep 1
-puts "\n"
diff --git a/test/option_rlimit.exp b/test/rlimit/rlimit.exp
index 17d2bd9d1..611f69821 100755
--- a/test/option_rlimit.exp
+++ b/test/rlimit/rlimit.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -32,5 +33,5 @@ expect {
        timeout {puts "TESTING ERROR 1.5\n";exit}
        "home"
 }
-sleep 1
+after 100
 puts "\n"
diff --git a/test/rlimit.profile b/test/rlimit/rlimit.profile
index 271891c03..271891c03 100644
--- a/test/rlimit.profile
+++ b/test/rlimit/rlimit.profile
diff --git a/test/rlimit/rlimit.sh b/test/rlimit/rlimit.sh
new file mode 100755
index 000000000..d85497176
--- /dev/null
+++ b/test/rlimit/rlimit.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: rlimit (test/rlimit/rlimit.exp)"
+./rlimit.exp
+echo "TESTING: rlimit profile (test/rlimit/rlimit-profile.exp)"
+./rlimit-profile.exp
diff --git a/test/servers3.exp b/test/root/apache2.exp
index eccdaa1d9..0b102bad5 100755
--- a/test/servers3.exp
+++ b/test/root/apache2.exp
@@ -4,16 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill apache\r"
-sleep 2
 send -- "firejail --name=apache /etc/init.d/apache2 start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
new file mode 100755
index 000000000..b4864988d
--- /dev/null
+++ b/test/root/firecfg.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firecfg\r"
+sleep 1
+send --  "firecfg --clean\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/usr/local/bin/firefox removed"
+}
+after 100
+send -- "file /usr/local/bin/firefox; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "symbolic link to /usr/bin/firejail"  {puts "TESTING ERROR 2\n";exit}
+        "done"
+}
+after 100
+send --  "firecfg\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/usr/local/bin/firefox created"
+}
+after 100
+send -- "file /usr/local/bin/firefox\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "symbolic link to /usr/bin/firejail"
+}
+after 100
+send -- "firecfg --list\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "/usr/local/bin/firefox"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/root/firejail.config b/test/root/firejail.config
new file mode 100644
index 000000000..71ff2f4e9
--- /dev/null
+++ b/test/root/firejail.config
@@ -0,0 +1,20 @@
+bind yes
+chroot yes
+chroot-desktop yes
+file-transfer yes
+force-nonewprivs no
+network yes
+overlayfs yes
+private-bin-no-local no
+private-home yes
+quiet-by-default no
+remount-proc-sys yes
+restricted-network no
+# netfilter-default /etc/iptables.iptables.rules
+seccomp yes
+userns yes
+whitelist yes
+x11 yes
+xephyr-screen 800x600
+xephyr-window-title yes
+xephyr-extra-params -grayscale
diff --git a/test/root/firemon-events.exp b/test/root/firemon-events.exp
new file mode 100755
index 000000000..4f305e51d
--- /dev/null
+++ b/test/root/firemon-events.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# start firemon
+set firemon_id $spawn_id
+send -- "firemon\r"
+sleep 1
+# start firejail
+spawn $env(SHELL)
+set firejail_id $spawn_id
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+# get messages on firemon
+set spawn_id $firemon_id
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "exec"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash -c /bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "exec"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "fork"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "child"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "/bin/bash"
+}
+after 100
+# exit firejail
+set spawn_id $firejail_id
+send -- "exit\r"
+sleep 1
+# get messages on firemon
+set spawn_id $firemon_id
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "exit"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "EXIT SANDBOX"
+}
+puts "\nall done\n"
diff --git a/test/servers4.exp b/test/root/isc-dhcp.exp
index 86500707a..5d9597e7c 100755
--- a/test/servers4.exp
+++ b/test/root/isc-dhcp.exp
@@ -4,15 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill dhcpd\r"
-sleep 2
 send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/servers6.exp b/test/root/nginx.exp
index 9ef4ea514..82ebe0ee7 100755
--- a/test/servers6.exp
+++ b/test/root/nginx.exp
@@ -4,16 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill nginx\r"
-sleep 2
 send -- "firejail --name=nginx /etc/init.d/nginx start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/option_bind_directory.exp b/test/root/option_bind_directory.exp
index 3233c68de..3233c68de 100755
--- a/test/option_bind_directory.exp
+++ b/test/root/option_bind_directory.exp
diff --git a/test/option_bind_file.exp b/test/root/option_bind_file.exp
index 8926e0391..8926e0391 100755
--- a/test/option_bind_file.exp
+++ b/test/root/option_bind_file.exp
diff --git a/test/option_tmpfs.exp b/test/root/option_tmpfs.exp
index 6522ef2d3..3d492dfdb 100755
--- a/test/option_tmpfs.exp
+++ b/test/root/option_tmpfs.exp
@@ -16,13 +16,9 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "total 0"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "/root"
-}
-sleep 1
 send -- "exit\r"
-sleep 2
+sleep 1
 send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
 expect {
@@ -40,5 +36,5 @@ expect {
 after 100
-puts "\nalldone\n"
+puts "\nall done\n"
diff --git a/test/root/private.exp b/test/root/private.exp
new file mode 100755
index 000000000..4040081ee
--- /dev/null
+++ b/test/root/private.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send --  "ls -l /home\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send --  "ls -l /root\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "total 0"
+}
+after 100
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/root/profile_tmpfs.exp b/test/root/profile_tmpfs.exp
new file mode 100755
index 000000000..25f73b50b
--- /dev/null
+++ b/test/root/profile_tmpfs.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=tmpfs.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /var;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "total 0"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --debug-check-filename --profile=tmpfs-bad.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 13.1\n";exit}
+        "Checking filename bla&&bla"
+}
+expect {
+        timeout {puts "TESTING ERROR 13.2\n";exit}
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13.3\n";exit}
+        "is an invalid filename"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/root/root.sh b/test/root/root.sh
new file mode 100755
index 000000000..494bd4fe7
--- /dev/null
+++ b/test/root/root.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+# set a new firejail config file
+cp firejail.config /etc/firejail/firejail.config
+#********************************
+# servers
+#********************************
+if [ -f /etc/init.d/snmpd ]
+then
+        echo "TESTING: snmpd (test/root/snmpd.exp)"
+        ./snmpd.exp
+else
+        echo "TESTING SKIP: snmpd  not found"
+fi
+if [ -f /etc/init.d/apache2 ]
+then
+        echo "TESTING: apache2 (test/root/apache2.exp)"
+        ./apache2.exp
+else
+        echo "TESTING SKIP: apache2  not found"
+fi
+if [ -f /etc/init.d/isc-dhcp-server ]
+then
+        echo "TESTING: isc dhcp server (test/root/isc-dhscp.exp)"
+        ./isc-dhcp.exp
+else
+        echo "TESTING SKIP: isc dhcp server not found"
+fi
+if [ -f /etc/init.d/unbound ]
+then
+        echo "TESTING: unbound (test/root/unbound.exp)"
+        ./unbound.exp
+else
+        echo "TESTING SKIP: unbound  not found"
+fi
+if [ -f /etc/init.d/nginx ]
+then
+        echo "TESTING: nginx (test/root/nginx.exp)"
+        ./nginx.exp
+else
+        echo "TESTING SKIP: nginx  not found"
+fi
+#********************************
+# filesystem
+#********************************
+echo "TESTING: fs private (test/root/private.exp)"
+./private.exp
+#********************************
+# seccomp
+#********************************
+echo "TESTING: seccomp umount (test/root/seccomp-umount.exp)"
+./seccomp-umount.exp
+echo "TESTING: seccomp chmod (test/root/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+echo "TESTING: seccomp chown (test/root/seccomp-chown.exp)"
+./seccomp-chown.exp
+#********************************
+# command line options
+#********************************
+echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
+./option_tmpfs.exp
+echo "TESTING: profile tmpfs (test/root/profile_tmpfs)"
+./profile_tmpfs.exp
+echo "TESTING: bind directory (test/root/option_bind_directory.exp)"
+./option_bind_directory.exp
+echo "TESTING: bind file (test/root/option_bind_file.exp)"
+echo hello > tmpfile
+./option_bind_file.exp
+rm -f tmpfile
+#********************************
+# firemon
+#********************************
+echo "TESTING: firemon events (test/root/firemon-events.exp)"
+./firemon-events.exp
+#********************************
+# firecfg
+#********************************
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firecfg (test/root/firecfg.exp)"
+        ./firecfg.exp
+else
+        echo "TESTING SKIP: firecfg, firefox not found"
+fi
+# restore the default config file
+cp ../../etc/firejail.config /etc/firejail/firejail.config
diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp
new file mode 100755
index 000000000..b17990e3a
--- /dev/null
+++ b/test/root/seccomp-chmod.exp
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "cd ~; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "done"
+}
+send -- "touch testfile; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "done"
+}
+send -- "ls -l testfile; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+send -- "chmod +x testfile; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Bad system call"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "done"
+}
+send -- "exit\r"
+after 100
+puts "\nall done\n"
diff --git a/test/seccomp-chmod-profile.exp b/test/root/seccomp-chown.exp
index 098328cea..a54d279f1 100755
--- a/test/seccomp-chmod-profile.exp
+++ b/test/root/seccomp-chown.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --profile=seccomp.profile --private\r"
+send --  "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
@@ -29,7 +32,7 @@ expect {
        "/home"
 }
-send -- "chmod +x testfile;pwd\r"
+send -- "chown netblue:netblue testfile;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "Bad system call"
@@ -42,5 +45,5 @@ expect {
 send -- "exit\r"
-sleep 1
+after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/seccomp-umount.exp b/test/root/seccomp-umount.exp
index c0107a084..c441c5fc4 100755
--- a/test/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -1,16 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
+send --  "firejail --seccomp --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send --  "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
@@ -24,5 +21,5 @@ expect {
 }
 send -- "exit\r"
-sleep 1
+after 100
 puts "\n"
diff --git a/test/servers2.exp b/test/root/snmpd.exp
index 90e34470f..610fdb13a 100755
--- a/test/servers2.exp
+++ b/test/root/snmpd.exp
@@ -4,16 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill snmpd\r"
-sleep 2
 send -- "firejail --name=snmpd /etc/init.d/snmpd start\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/root/tmpfs-bad.profile b/test/root/tmpfs-bad.profile
new file mode 100644
index 000000000..7264e18ff
--- /dev/null
+++ b/test/root/tmpfs-bad.profile
@@ -0,0 +1 @@
+tmpfs bla&&bla
diff --git a/test/root/tmpfs.profile b/test/root/tmpfs.profile
new file mode 100644
index 000000000..55a6f7ebc
--- /dev/null
+++ b/test/root/tmpfs.profile
@@ -0,0 +1 @@
+tmpfs /var
diff --git a/test/servers5.exp b/test/root/unbound.exp
index 193e662ff..9c496306a 100755
--- a/test/servers5.exp
+++ b/test/root/unbound.exp
@@ -4,15 +4,6 @@ set timeout 5
 spawn $env(SHELL)
 match_max 100000
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-        "root"
-}
-send -- "pkill unbound\r"
-sleep 2
 send -- "firejail --name=unbound unbound\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/seccomp-errno.exp b/test/seccomp-errno.exp
deleted file mode 100755
index e6678ab8f..000000000
--- a/test/seccomp-errno.exp
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "touch seccomp-test-file\r"
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "No such file or directory"
-}
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "unlinkat 2 ENOENT"
-}
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat,mkdir\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "No such file or directory"
-}
-after 100
-puts "\n"
-send -- "mkdir seccomp-test-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "No such file or directory"
-}
-after 100
-puts "\n"
-send -- "exit\r"
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "errno enoent already configured"
-}
-sleep 1
-send --  "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "No such file or directory"
-}
-after 100
-puts "\n"
-send -- "mkdir seccomp-test-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Operation not permitted"
-}
-after 100
-puts "\n"
-send -- "exit\r"
-sleep 1
-send -- "rm seccomp-test-file\r"
-sleep 1
-puts "all done\n"
diff --git a/test/sysrq-trigger.exp b/test/sysrq-trigger.exp
deleted file mode 100755
index 18fb4a01a..000000000
--- a/test/sysrq-trigger.exp
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "echo b > /proc/sysrq-trigger\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Read-only file system"
-}
-sleep 1
-puts "\n"
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
new file mode 100755
index 000000000..9755d8737
--- /dev/null
+++ b/test/sysutils/cpio.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r"
+sleep 1
+send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp
new file mode 100755
index 000000000..a8ad84d12
--- /dev/null
+++ b/test/sysutils/file.exp
@@ -0,0 +1,18 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "echo 'test string for firejail test' > /tmp/firejail_test.txt; firejail file /tmp/firejail_test.txt\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ASCII text"
+}
+send -- "rm /tmp/firejail_test.txt\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
new file mode 100755
index 000000000..ab0e727de
--- /dev/null
+++ b/test/sysutils/gzip.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
new file mode 100755
index 000000000..720830304
--- /dev/null
+++ b/test/sysutils/less.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail less ../../Makefile.in\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "MYLIBS"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "APPS"
+}
+puts "\nall done\n"
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
new file mode 100755
index 000000000..1fd0f5dc0
--- /dev/null
+++ b/test/sysutils/strings.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r"
+sleep 1
+send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
new file mode 100755
index 000000000..99939133d
--- /dev/null
+++ b/test/sysutils/sysutils.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+which cpio
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: cpio"
+        ./cpio.exp
+else
+        echo "TESTING SKIP: cpio not found"
+fi
+#which strings
+#if [ "$?" -eq 0 ];
+#then
+#       echo "TESTING: strings"
+#       ./strings.exp
+#else
+#       echo "TESTING SKIP: strings not found"
+#fi
+which gzip
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gzip"
+        ./gzip.exp
+else
+        echo "TESTING SKIP: gzip not found"
+fi
+which xzdec
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xzdec"
+        ./xzdec.exp
+else
+        echo "TESTING SKIP: xzdec not found"
+fi
+which xz
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xz"
+        ./xz.exp
+else
+        echo "TESTING SKIP: xz not found"
+fi
+which less
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: less"
+        ./less.exp
+else
+        echo "TESTING SKIP: less not found"
+fi
+which file
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: file"
+        ./file.exp
+else
+        echo "TESTING SKIP: file not found"
+fi
+which tar
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: tar"
+        ./tar.exp
+else
+        echo "TESTING SKIP: tar not found"
+fi
diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp
new file mode 100755
index 000000000..f41d67d6f
--- /dev/null
+++ b/test/sysutils/tar.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail /bin/tar -cjvf firejail_t2 /usr/share/doc/firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Error" {puts "TESTING ERROR 1.2\n";exit}
+        "/usr/share/doc/firejail/README"
+}
+after 100
+send -- "stat -c '|%s|' firejail_t2; uname -s\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "|0|" {puts "TESTING ERROR 2.2\n";exit}
+        "Linux"
+}
+sleep 1
+send -- "firejail /bin/tar --compare --file=firejail_t2 -C / | wc\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "This does not look like a tar archive" {puts "TESTING ERROR 3.2\n"; exit}
+        "      0       0       0"
+}
+sleep 1
+send -- "/bin/tar --compare --file=firejail_t2 -C / | wc\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "This does not look like a tar archive" {puts "TESTING ERROR 4.2\n"; exit}
+        "      0       0       0"
+}
+sleep 1
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp
new file mode 100755
index 000000000..11d0e560c
--- /dev/null
+++ b/test/sysutils/xz.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
new file mode 100755
index 000000000..0ea6f5fb0
--- /dev/null
+++ b/test/sysutils/xzdec.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
+sleep 1
+send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
+sleep 1
+send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
+sleep 1
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+} 
+send -- "rm firejail_t*\r"
+sleep 1
+puts "\nall done\n"
diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh
deleted file mode 100755
index 6521fa2b0..000000000
--- a/test/test-apps-x11.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-which firefox
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: firefox x11"
-        ./firefox-x11.exp
-else
-        echo "TESTING: firefox not found"
-fi
-which chromium
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: chromium x11"
-        ./chromium-x11.exp
-else
-        echo "TESTING: chromium not found"
-fi
-which transmission-gtk
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: transmission-gtk x11"
-        ./transmission-gtk.exp
-else
-        echo "TESTING: transmission-gtk not found"
-fi
diff --git a/test/test-nonet.sh b/test/test-nonet.sh
deleted file mode 100755
index 3df8b2d4e..000000000
--- a/test/test-nonet.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/bash
-echo "TESTING: version"
-./option_version.exp
-echo "TESTING: help"
-./option_help.exp
-echo "TESTING: man"
-./option_man.exp
-echo "TESTING: list"
-./option_list.exp
-echo "TESTING: PID"
-./pid.exp
-echo "TESTING: profile no permissions"
-./profile_noperm.exp
-echo "TESTING: profile syntax"
-./profile_syntax.exp
-echo "TESTING: profile read-only"
-./profile_readonly.exp
-echo "TESTING: profile tmpfs"
-./profile_tmpfs.exp
-echo "TESTING: private"
-./private.exp `whoami`
-echo "TESTING: read/write /var/tmp"
-./fs_var_tmp.exp
-echo "TESTING: read/write /var/run"
-./fs_var_run.exp
-echo "TESTING: read/write /var/lock"
-./fs_var_lock.exp
-echo "TESTING: read/write /dev/shm"
-./fs_dev_shm.exp
diff --git a/test/test-profiles.sh b/test/test-profiles.sh
deleted file mode 100755
index d9142885b..000000000
--- a/test/test-profiles.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
-        echo "TESTING: $PROFILE"
-        ./test-profile.exp $PROFILE
-done
diff --git a/test/test-root.sh b/test/test-root.sh
deleted file mode 100755
index 7e1a0b968..000000000
--- a/test/test-root.sh
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/bin/bash
-./chk_config.exp
-echo "TESTING: tmpfs (option_tmpfs.exp)"
-./option_tmpfs.exp
-echo "TESTING: profile tmpfs (profile_tmpfs)"
-./profile_tmpfs.exp
-echo "TESTING: network interfaces (net_interface.exp)"
-./net_interface.exp
-echo "TESTING: chroot (fs_chroot_asroot.exp)"
-./fs_chroot_asroot.exp
-if [ -f /etc/init.d/snmpd ]
-then
-        echo "TESTING: servers snmpd, private-dev (servers2.exp)"
-        ./servers2.exp
-fi
-if [ -f /etc/init.d/apache2 ]
-then
-        echo "TESTING: servers apache2, private-dev, private-tmp (servers3.exp)"
-        ./servers3.exp
-fi
-if [ -f /etc/init.d/isc-dhcp-server ]
-then
-        echo "TESTING: servers isc dhcp server, private-dev (servers4.exp)"
-        ./servers4.exp
-fi
-if [ -f /etc/init.d/unbound ]
-then
-        echo "TESTING: servers unbound, private-dev, private-tmp (servers5.exp)"
-        ./servers5.exp
-fi
-if [ -f /etc/init.d/nginx ]
-then
-        echo "TESTING: servers nginx, private-dev, private-tmp (servers6.exp)"
-        ./servers6.exp
-fi
-echo "TESTING: /proc/sysrq-trigger reset disabled (sysrq-trigger.exp)"
-./sysrq-trigger.exp
-echo "TESTING: seccomp umount (seccomp-umount.exp)"
-./seccomp-umount.exp
-echo "TESTING: seccomp chmod (seccomp-chmod.exp)"
-./seccomp-chmod.exp
-echo "TESTING: seccomp chown (seccomp-chown.exp)"
-./seccomp-chown.exp
-echo "TESTING: bind directory (option_bind_directory.exp)"
-./option_bind_directory.exp
-echo "TESTING: bind file (option_bind_file.exp)"
-echo hello > tmpfile
-./option_bind_file.exp
-rm -f tmpfile
-echo "TESTING: firemon --interface (firemon-interface.exp)"
-./firemon-interface.exp
-if [ -f /sys/fs/cgroup/g1/tasks ]
-then
-        echo "TESTING: firemon --cgroup (firemon-cgroup.exp)"
-        ./firemon-cgroup.exp
-fi
-echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)"
-rm -f tmpfile
-touch tmpfile
-rm -f /tmp/chroot/etc/resolv.conf
-ln -s tmp /tmp/chroot/etc/resolv.conf
-./chroot-resolvconf.exp
-rm -f tmpfile
diff --git a/test/test.sh b/test/test.sh
index c6fe4f299..4b7d5bb6d 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1,70 +1,15 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 ./chk_config.exp
-./test-profiles.sh
 ./fscheck.sh
-echo "TESTING: cpu.print (cpu-print.exp)"
-echo "TESTING:    failing under VirtualBox where there is only one CPU"
-./cpu-print.exp
-echo "TESTING: bandwidth (bandwidth.exp)"
-./bandwidth.exp
-echo "TESTING: file transfer (ls.exp)"
-./ls.exp
-echo "TESTING: fs.print (fs-print.exp)"
-./fs-print.exp
-echo "TESTING: dns.print (dns-print.exp)"
-./dns-print.exp
-echo "TESTING: caps.print (caps-print.exp)"
-./caps-print.exp
-echo "TESTING: seccomp.print (seccomp-print.exp)"
-./seccomp-print.exp
-echo "TESTING: protocol.print (protocol-print.exp)"
-./protocol-print.exp
-echo "TESTING: sound (sound.exp)"
-./sound.exp
-echo "TESTING: nice (nice.exp)"
-./nice.exp
 echo "TESTING: tty (tty.exp)"
 ./tty.exp
-echo "TESTING: protocol (protocol.exp)"
-./protocol.exp
-echo "TESTING: invalid filename (invalid_filename.exp)"
-./invalid_filename.exp
-echo "TESTING: environment variables (env.exp)"
-./env.exp
-echo "TESTING: whitelist empty (whitelist-empty.exp)"
-./whitelist-empty.exp
-echo "TESTING: ignore command (ignore.exp)"
-./ignore.exp
-echo "TESTING: private-etc (private-etc.exp)"
-./private-etc.exp
-echo "TESTING: private-bin (private-bin.exp)"
-./private-bin.exp
-echo "TESTING: private whitelist (private-whitelist.exp)"
-echo "TESTING:    failing on OpenSUSE"
-./private-whitelist.exp
 sleep 1
 rm -fr dir\ with\ space
 mkdir dir\ with\ space
@@ -82,102 +27,9 @@ rm -fr auto2
 rm -fr auto3
 rm -fr auto4
-echo "TESTING: version (option_version.exp)"
-./option_version.exp
-echo "TESTING: help (option_help.exp)"
-./option_help.exp
-echo "TESTING: man (option_man.exp)"
-./option_man.exp
-echo "TESTING: list (option_list.exp)"
-./option_list.exp
-echo "TESTING: tree (option_tree.exp)"
-./option_tree.exp
-if [ -f /proc/self/uid_map ];
-then
-        echo "TESTING: noroot (noroot.exp)"
-        ./noroot.exp
-else
-        echo "TESTING: user namespaces not available"
-fi
-echo "TESTING: doubledash"
-mkdir -- -testdir
-touch -- -testdir/ttt
-cp -- /bin/bash -testdir/.
-./doubledash.exp
-rm -fr -- -testdir
-echo "TESTING: trace1 (option-trace.exp)"
-./option-trace.exp
-echo "TESTING: trace2 (trace.exp)"
-rm -f index.html*
-./trace.exp
-rm -f index.html*
-echo "TESTING: extract command (extract_command.exp)"
-./extract_command.exp
-echo "TESTING: kmsg access (kmsg.exp)"
-./kmsg.exp
-echo "TESTING: rlimit (option_rlimit.exp)"
-./option_rlimit.exp
-echo "TESTING: shutdown (option_shutdown.exp)"
-./option-shutdown.exp
-echo "TESTING: shutdown2 (option_shutdown2.exp)"
-./option-shutdown2.exp
-echo "TESTING: shutdown3 (option_shutdown3.exp)"
-./option-shutdown3.exp
-echo "TESTING: shutdown4 (option_shutdown4.exp)"
-./option-shutdown4.exp
-echo "TESTING: join (option-join.exp)"
-./option-join.exp
-echo "TESTING: join2 (option-join2.exp)"
-./option-join2.exp
-echo "TESTING: join3 (option-join3.exp)"
-./option-join3.exp
-echo "TESTING: join profile (option-join-profile.exp)"
-./option-join-profile.exp
-echo "TESTING: firejail in firejail - single sandbox (firejail-in-firejail.exp)"
-./firejail-in-firejail.exp
-echo "TESTING: firejail in firejail - force new sandbox (firejail-in-firejail2.exp)"
-./firejail-in-firejail2.exp
 echo "TESTING: chroot overlay (option_chroot_overlay.exp)"
 ./option_chroot_overlay.exp
-echo "TESTING: blacklist directory (option_blacklist.exp)"
-./option_blacklist.exp
-echo "TESTING: blacklist file (opiton_blacklist_file.exp)"
-./option_blacklist_file.exp
-echo "TESTING: bind as user (option_bind_user.exp)"
-./option_bind_user.exp
-if [ -d /home/bingo ];
-then
-        echo "TESTING: home sanitize (opiton_version.exp)"
-        ./option_version.exp
-fi
 echo "TESTING: chroot as user (fs_chroot.exp)"
 ./fs_chroot.exp
@@ -190,47 +42,7 @@ ls -al > tmpreadonly
 sleep 5
 rm -f tmpreadonly
-echo "TESTING: zsh (shell_zsh.exp)"
-./shell_zsh.exp
-echo "TESTING: csh (shell_csh.exp)"
-./shell_csh.exp
-which dash
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: dash (shell_dash.exp)"
-        ./shell_dash.exp
-else
-        echo "TESTING: dash not found"
-fi
-./test-apps.sh
-./test-apps-x11.sh
-echo "TESTING: PID (pid.exp)"
-./pid.exp
-echo "TESTING: output (output.exp)"
-./output.exp
-echo "TESTING: profile no permissions (profile_noperm.exp)"
-./profile_noperm.exp
-echo "TESTING: profile syntax (profile_syntax.exp)"
-./profile_syntax.exp
-echo "TESTING: profile syntax 2 (profile_syntax2.exp)"
-./profile_syntax2.exp
-echo "TESTING: profile rlimit (profile_rlimit.exp)"
-./profile_rlimit.exp
-echo "TESTING: profile read-only (profile_readonly.exp)"
-./profile_readonly.exp
-echo "TESTING: private (private.exp)"
-./private.exp `whoami`
 echo "TESTING: private directory (private_dir.exp)"
 rm -fr dirprivate
@@ -247,113 +59,13 @@ rm -fr dirprivate
 echo "TESTING: overlayfs (fs_overlay.exp)"
 ./fs_overlay.exp
-echo "TESTING: seccomp debug  (seccomp-debug.exp)"
-./seccomp-debug.exp
-echo "TESTING: seccomp errno (seccomp-errno.exp)"
-./seccomp-errno.exp
-echo "TESTING: seccomp su (seccomp-su.exp)"
-./seccomp-su.exp
-echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)"
-./seccomp-ptrace.exp
-echo "TESTING: seccomp chmod - seccomp lists (seccomp-chmod.exp)"
-./seccomp-chmod.exp
-echo "TESTING: seccomp chmod profile - seccomp lists (seccomp-chmod-profile.exp)"
-./seccomp-chmod-profile.exp
-echo "TESTING: seccomp empty (seccomp-empty.exp)"
-./seccomp-empty.exp
-echo "TESTING: seccomp bad empty (seccomp-bad-empty.exp)"
-./seccomp-bad-empty.exp
-echo "TESTING: seccomp dual filter (seccomp-dualfilter.exp)"
-./seccomp-dualfilter.exp
-echo "TESTING: read/write /var/tmp (fs_var_tmp.exp)"
-./fs_var_tmp.exp
-echo "TESTING: read/write /var/lock (fs_var_lock.exp)"
-./fs_var_lock.exp
-echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)"
-./fs_dev_shm.exp
-echo "TESTING: quiet (quiet.exp)"
-./quiet.exp
-echo "TESTING: IPv6 support (ip6.exp)"
-echo "TESTING:    broken on Centos - todo"
-./ip6.exp
-echo "TESTING: local network (net_local.exp)"
-./net_local.exp
-echo "TESTING: no network (net_none.exp)"
-./net_none.exp
-echo "TESTING: network IP (net_ip.exp)"
-./net_ip.exp
-echo "TESTING: network MAC (net_mac.exp)"
-sleep 2
-./net_mac.exp
-echo "TESTING: network MTU (net_mtu.exp)"
-./net_mtu.exp
-echo "TESTING: network hostname (hostname.exp)"
-./hostname.exp
-echo "TESTING: network bad IP (net_badip.exp)"
-./net_badip.exp
-echo "TESTING: network no IP test 1 (net_noip.exp)"
-./net_noip.exp
-echo "TESTING: network no IP test 2 (net_noip2.exp)"
-./net_noip2.exp
-echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
-./net_defaultgw.exp
-echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
-./net_defaultgw2.exp
-echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
-./net_defaultgw3.exp
-echo "TESTING: netfilter (net_netfilter.exp)"
-./net_netfilter.exp
-echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
-./4bridges_arp.exp
-echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
-./4bridges_ip.exp
 echo "TESTING: login SSH (login_ssh.exp)"
 ./login_ssh.exp
-echo "TESTING: ARP (net_arp.exp)"
-./net_arp.exp
-echo "TESTING: DNS (dns.exp)"
-./dns.exp
 echo "TESTING: firemon --arp (firemon-arp.exp)"
 ./firemon-arp.exp
 echo "TESTING: firemon --route (firemon-route.exp)"
 ./firemon-route.exp
-echo "TESTING: firemon --seccomp (firemon-seccomp.exp)"
-./firemon-seccomp.exp
-echo "TESTING: firemon --caps (firemon-caps.exp)"
-./firemon-caps.exp
diff --git a/test/tmpfs.profile b/test/tmpfs.profile
deleted file mode 100644
index 0680f4d69..000000000
--- a/test/tmpfs.profile
+++ /dev/null
@@ -1 +0,0 @@
-tmpfs /tmp/firejailtestdir
-\ No newline at end of file
diff --git a/test/caps-print.exp b/test/utils/caps-print.exp
index 39e5ec50a..fa5239da2 100755
--- a/test/caps-print.exp
+++ b/test/utils/caps-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,5 +28,5 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "net_raw             - disabled"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/caps1.profile b/test/utils/caps1.profile
index e14655b2e..e14655b2e 100644
--- a/test/caps1.profile
+++ b/test/utils/caps1.profile
diff --git a/test/caps2.profile b/test/utils/caps2.profile
index cb2258c52..cb2258c52 100644
--- a/test/caps2.profile
+++ b/test/utils/caps2.profile
diff --git a/test/catchsignal-master.sh b/test/utils/catchsignal-master.sh
index 62a1801cc..62a1801cc 100755
--- a/test/catchsignal-master.sh
+++ b/test/utils/catchsignal-master.sh
diff --git a/test/catchsignal.sh b/test/utils/catchsignal.sh
index 87a1d0adf..87a1d0adf 100755
--- a/test/catchsignal.sh
+++ b/test/utils/catchsignal.sh
diff --git a/test/catchsignal2.sh b/test/utils/catchsignal2.sh
index 424350397..424350397 100755
--- a/test/catchsignal2.sh
+++ b/test/utils/catchsignal2.sh
diff --git a/test/cpu-print.exp b/test/utils/cpu-print.exp
index d8e3fbb04..ca2e57313 100755
--- a/test/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -17,5 +20,5 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Cpus_allowed_list:     1-2"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/dns-print.exp b/test/utils/dns-print.exp
index ee7b08e5e..406ab5149 100755
--- a/test/dns-print.exp
+++ b/test/utils/dns-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -17,5 +20,5 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "nameserver 1.2.3.4"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/firemon-caps.exp b/test/utils/firemon-caps.exp
index 3dd6384db..76aa13725 100755
--- a/test/firemon-caps.exp
+++ b/test/utils/firemon-caps.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -63,6 +66,7 @@ spawn $env(SHELL)
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 8.1\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
        "bingo1"
 }
 expect {
diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp
new file mode 100755
index 000000000..b1ab083ae
--- /dev/null
+++ b/test/utils/firemon-cgroup.exp
@@ -0,0 +1,41 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firemon --cgroup\r"
+sleep 4
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "name=test2"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/seccomp-dualfilter.exp b/test/utils/firemon-cpu.exp
index afdf8a53a..f2ecd4a5c 100755
--- a/test/seccomp-dualfilter.exp
+++ b/test/utils/firemon-cpu.exp
@@ -1,38 +1,45 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail ../src/tools/syscall_test mount\r"
+send --  "firejail --name=test1\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "before mount"
+        "Child process initialized"
 }
+sleep 1
+spawn $env(SHELL)
+send --  "firemon --cpu\r"
+sleep 4
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "after mount" {puts "TESTING ERROR 2.1\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
-        "Parent is shutting down"
+        "name=test1"
 }
-sleep 1
-send -- "firejail ../src/tools/syscall_test32 mount\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "Cpus_allowed_list"
 }
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "before mount"
+        "name=test2"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "after mount" {puts "TESTING ERROR 5.1\n";exit}
-        "Parent is shutting down"
 }
+after 100
 puts "\nall done\n"
diff --git a/test/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp
index 55817faf3..26c478344 100755
--- a/test/firemon-seccomp.exp
+++ b/test/utils/firemon-seccomp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -26,6 +29,7 @@ spawn $env(SHELL)
 send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
        "bingo1"
 }
 expect {
@@ -37,7 +41,7 @@ expect {
        "bingo2"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Seccomp:       0"
 }
 after 100
diff --git a/test/fs-print.exp b/test/utils/fs-print.exp
index 48056a3bf..4d4ceb718 100755
--- a/test/fs-print.exp
+++ b/test/utils/fs-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -25,5 +28,5 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "blacklist /proc/kmsg"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/option_help.exp b/test/utils/help.exp
index f4518219c..5b9864578 100755
--- a/test/option_help.exp
+++ b/test/utils/help.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/firemon-interface.exp b/test/utils/join-profile.exp
index 6a82ae41e..a2078c2f6 100755
--- a/test/firemon-interface.exp
+++ b/test/utils/join-profile.exp
@@ -4,31 +4,32 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail\r"
+send --  "firejail --profile=name.profile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 1
+sleep 2
 spawn $env(SHELL)
-send -- "firemon --interface\r"
+send --  "firejail --join=jointesting\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "lo UP"
+        "Switching to pid"
 }
+sleep 1
+send -- "ps aux\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "10.10.20.1/29"
+        "/bin/bash"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "10.10.50.1/24"
 }
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "br3"
+        "/bin/bash"
 }
-sleep 1
-puts "\n"
+send -- "exit"
+after 100
+puts "\nall done\n"
diff --git a/test/utils/join.exp b/test/utils/join.exp
new file mode 100755
index 000000000..fc30bc6a4
--- /dev/null
+++ b/test/utils/join.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=jointesting --cpu=0 --nice=2\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send --  "firejail --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
+}
+send -- "exit"
+after 100
+puts "\nall done\n"
diff --git a/test/option-join-profile.exp b/test/utils/join2.exp
index 9200980a1..5895eb730 100755
--- a/test/option-join-profile.exp
+++ b/test/utils/join2.exp
@@ -1,39 +1,38 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --profile=name.profile\r"
+send --  "firejail --name=\"join testing\"\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 3
+sleep 2
 spawn $env(SHELL)
-send --  "firejail --join=jointesting;pwd\r"
+send --  "firejail --join=\"join testing\"\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Switching to pid"
 }
-sleep 3
+sleep 1
+send -- "ps aux\r"
-spawn $env(SHELL)
-send --  "firejail --shutdown=jointesting;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "/bin/bash"
 }
-sleep 5
-send --  "firejail --list;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "jointesting" {puts "TESTING ERROR 5\n";exit}
+        "/bin/bash"
-        "home"
 }
-sleep 1
+send -- "exit"
+after 100
 puts "\nall done\n"
diff --git a/test/option-join.exp b/test/utils/join3.exp
index 6250e87a2..3ccc47bf9 100755
--- a/test/option-join.exp
+++ b/test/utils/join3.exp
@@ -1,39 +1,38 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --name=svntesting\r"
+send --  "firejail --name=join\\ testing\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 3
+sleep 2
 spawn $env(SHELL)
-send --  "firejail --join=svntesting;pwd\r"
+send --  "firejail --join=join\\ testing\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Switching to pid"
 }
 sleep 1
+send -- "ps aux\r"
-spawn $env(SHELL)
-send --  "firejail --shutdown=svntesting;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "/bin/bash"
 }
-sleep 1
-send --  "firejail --list;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "svntesting" {puts "TESTING ERROR 5\n";exit}
+        "/bin/bash"
-        "home"
 }
-sleep 1
+send -- "exit"
+after 100
 puts "\nall done\n"
diff --git a/test/firemon-arp.exp b/test/utils/join4.exp
index 3fc8c2aee..c367dd770 100755
--- a/test/firemon-arp.exp
+++ b/test/utils/join4.exp
@@ -1,34 +1,38 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send -- "ping -c 3 192.168.1.1\r"
+send --  "firejail --name=123test\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "3 packets transmitted"
+        "Child process initialized"
 }
-sleep 1
+sleep 2
-send --  "firejail\r"
+spawn $env(SHELL)
+send --  "firejail --join=123test\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        "Switching to pid"
 }
 sleep 1
+send -- "ps aux\r"
-spawn $env(SHELL)
-send -- "firemon --arp\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "192.168.1.1 dev eth0 lladdr" {puts "Debian testing\n";}
+        "/bin/bash"
-        "192.168.1.1 dev enp0s3 lladdr" {puts "Centos 7 testing\n";}
 }
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "REACHABLE"
+        "/bin/bash"
 }
-sleep 1
-puts "\n"
+send -- "exit"
+after 100
+puts "\nall done\n"
diff --git a/test/option_list.exp b/test/utils/list.exp
index b9c73e52b..69db1f568 100755
--- a/test/option_list.exp
+++ b/test/utils/list.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/ls.exp b/test/utils/ls.exp
index 5fe6d79c6..ff6867c51 100755
--- a/test/ls.exp
+++ b/test/utils/ls.exp
@@ -3,6 +3,8 @@
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
+set firstspawn $spawn_id
 send -- "rm -f lstesting\r"
 sleep 1
@@ -11,11 +13,11 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
-send -- "echo my_testing > lstesting\r"
+send -- "echo my_testing > ~/lstesting\r"
-sleep 2
+after 100
+# ls
 spawn $env(SHELL)
 send -- "firejail --ls=test ~/.\r"
 expect {
@@ -23,19 +25,45 @@ expect {
        "lstesting"
 }
 sleep 1
+# get
 send -- "firejail --get=test ~/lstesting\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "lstesting"
-}
 sleep 1
 send -- "cat lstesting\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2n";exit}
        "my_testing"
 }
+after 100
+# put
+send -- "echo put_test > ~/lstesting\r"
+after 100
+send -- "firejail --put=test ~/lstesting ~/lstesting_2\r"
 sleep 1
-send -- "rm -f lstesting\r"
+set spawn_id $firstspawn
+send -- "ls -al ~\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "lstesting_2"
+}
+after 100
+send -- "cat ~/lstesting_2\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "put_test"
+}
+after 100
+send -- "exit\r"
 sleep 1
+send -- "rm -f lstesting\r"
+after 100
 puts "\nall done\n"
diff --git a/test/option_man.exp b/test/utils/man.exp
index d941a2432..d29f760b0 100755
--- a/test/option_man.exp
+++ b/test/utils/man.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/name.profile b/test/utils/name.profile
index 1aa9f2d64..1aa9f2d64 100644
--- a/test/name.profile
+++ b/test/utils/name.profile
diff --git a/test/protocol-print.exp b/test/utils/protocol-print.exp
index 4d1ae34d6..b4b94ea93 100755
--- a/test/protocol-print.exp
+++ b/test/utils/protocol-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -17,5 +20,5 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "unix,inet,inet6"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/seccomp-print.exp b/test/utils/seccomp-print.exp
index b4e6ed35e..f6ff1e721 100755
--- a/test/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -29,5 +32,5 @@ expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "RETURN_ALLOW"
 }
-sleep 1
+after 100
 puts "\nall done\n"
diff --git a/test/option-shutdown.exp b/test/utils/shutdown.exp
index e869f7611..15a9a62c8 100755
--- a/test/option-shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -1,6 +1,10 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -9,22 +13,23 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 3
+sleep 2
 spawn $env(SHELL)
-send --  "firejail --shutdown=shutdowntesting;pwd\r"
+send --  "firejail --shutdown=shutdowntesting; echo done\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+sleep 5
-send --  "firejail --list;pwd\r"
+spawn $env(SHELL)
+send --  "firejail --list;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "shutdowntesting" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 sleep 1
-puts "\nalldone\n"
+puts "\nall done\n"
diff --git a/test/option-shutdown2.exp b/test/utils/shutdown2.exp
index 403bc30be..777a73ec9 100755
--- a/test/option-shutdown2.exp
+++ b/test/utils/shutdown2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -37,6 +40,6 @@ expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "5"
 }
-sleep 1
+after 100
 puts "\nalldone\n"
diff --git a/test/option-shutdown3.exp b/test/utils/shutdown3.exp
index 0ef371cd8..a74fb3386 100755
--- a/test/option-shutdown3.exp
+++ b/test/utils/shutdown3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -57,6 +60,6 @@ expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        "5"
 }
-sleep 1
+after 100
 puts "\nalldone\n"
diff --git a/test/option-shutdown4.exp b/test/utils/shutdown4.exp
index f188ec66d..2942ba3d5 100755
--- a/test/option-shutdown4.exp
+++ b/test/utils/shutdown4.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
@@ -57,10 +60,6 @@ expect {
        timeout {puts "TESTING ERROR 50\n";exit}
        "50"
 }
-expect {
+after 100
-        timeout {puts "TESTING ERROR 60\n";exit}
-        "Killed"
-}
-sleep 1
 puts "\nalldone\n"
diff --git a/test/utils/top.exp b/test/utils/top.exp
new file mode 100755
index 000000000..d530e5a85
--- /dev/null
+++ b/test/utils/top.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --top\r"
+sleep 4
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "name=test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "name=test2"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/trace.exp b/test/utils/trace.exp
index 21dd6a559..78a04b273 100755
--- a/test/trace.exp
+++ b/test/utils/trace.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 30
 spawn $env(SHELL)
@@ -76,6 +79,7 @@ expect {
        timeout {puts "TESTING ERROR 8.6\n";exit}
        "wget:fopen64 index.html" {puts "OK\n";}
        "wget:fopen index.html" {puts "OK\n";}
+        "Parent is shutting down" {puts "OK\n";}
 }
 sleep 1
@@ -86,9 +90,26 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 10\n";exit}
-        "rm:unlinkat index.html"
+        "rm:unlinkat index.html" {puts "OK\n";}
+        "Parent is shutting down" {puts "OK\n";}
 }
 sleep 1
+send --  "firejail --trace\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "bash:open /dev/tty" {puts "64bit\n"}
+        "bash:open64 /dev/tty" {puts "32bit\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "bash:access /etc/terminfo/" {puts "debian\n"}
+        "bash:access /usr/share/terminfo/" {puts "arch\n"}
+}
+after 100
 puts "\nall done\n"
diff --git a/test/option_tree.exp b/test/utils/tree.exp
index 1841907d1..a8ef763f1 100755
--- a/test/option_tree.exp
+++ b/test/utils/tree.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
new file mode 100755
index 000000000..bd91110f7
--- /dev/null
+++ b/test/utils/utils.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: version (test/utils/version.exp)"
+./version.exp
+echo "TESTING: help (test/utils/help.exp)"
+./help.exp
+which man
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: man (test/utils/man.exp)"
+        ./man.exp
+else
+        echo "TESTING SKIP: man not found"
+fi
+echo "TESTING: list (test/utils/list.exp)"
+./list.exp
+echo "TESTING: tree (test/utils/tree.exp)"
+./tree.exp
+if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ];
+then
+        echo "TESTING: cpu.print (test/utils/cpu-print.exp)"
+        ./cpu-print.exp
+else
+        echo "TESTING SKIP: cpu.print, not enough CPUs"
+fi
+echo "TESTING: fs.print (test/utils/fs-print.exp)"
+./fs-print.exp
+echo "TESTING: dns.print (test/utils/dns-print.exp)"
+./dns-print.exp
+echo "TESTING: caps.print (test/utils/caps-print.exp)"
+./caps-print.exp
+echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)"
+./seccomp-print.exp
+echo "TESTING: protocol.print (test/utils/protocol-print.exp)"
+./protocol-print.exp
+echo "TESTING: shutdown (test/utils/shutdown.exp)"
+./shutdown.exp
+echo "TESTING: shutdown2 (test/utils/shutdown2.exp)"
+./shutdown2.exp
+echo "TESTING: shutdown3 (test/utils/shutdown3.exp)"
+./shutdown3.exp
+echo "TESTING: shutdown4 (test/utils/shutdown4.exp)"
+./shutdown4.exp
+echo "TESTING: join (test/utils/join.exp)"
+./join.exp
+echo "TESTING: join2 (test/utils/join2.exp)"
+./join2.exp
+echo "TESTING: join3 (test/utils/join3.exp)"
+./join3.exp
+echo "TESTING: join3 (test/utils/join4.exp)"
+./join4.exp
+echo "TESTING: join profile (test/utils/join-profile.exp)"
+./join-profile.exp
+echo "TESTING: trace (test/utils/trace.exp)"
+rm -f index.html*
+./trace.exp
+rm -f index.html*
+echo "TESTING: top (test/utils/top.exp)"
+./top.exp
+echo "TESTING: file transfer (test/utils/ls.exp)"
+./ls.exp
+echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
+./firemon-seccomp.exp
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
+./firemon-caps.exp
+echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
+./firemon-cpu.exp
+echo "TESTING: firemon cgroup (test/utils/firemon-cgroup.exp)"
+./firemon-cgroup.exp
diff --git a/test/option_version.exp b/test/utils/version.exp
index 44c0c217f..2ce6f1680 100755
--- a/test/option_version.exp
+++ b/test/utils/version.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 set timeout 10
 spawn $env(SHELL)
diff --git a/todo b/todo
index da732be9f..6bc73313f 100644
--- a/todo
+++ b/todo
@@ -74,11 +74,217 @@ CapEff:	0000000000000000
 CapBnd: 0000003fffffffff
 CapAmb: 0000000000000000
-11. cleanup thunderbird profile - disable-common was commented out
+11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
-12. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
 Seccomp lists:
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
-13. check for --chroot why .config/pulse dir is not created
+12. check for --chroot why .config/pulse dir is not created
+13. print error line number for profile files in  profile_check_line()
+14. make rpms problems
+$ firejail --version
+firejail version 0.9.40
+User namespace support is disabled.
+$ rpmlint firejail-0.9.40-1.x86_64.rpm 
+firejail.x86_64: E: no-changelogname-tag
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
+firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi
+$ rpmlint firejail-0.9.40-1.src.rpm
+firejail.src: E: no-changelogname-tag
+firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
+1 packages and 0 specfiles checked; 1 errors, 1 warnings.
+15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
+$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
+Reading profile /etc/firejail/default.profile
+Reading profile /etc/firejail/disable-common.inc
+Reading profile /etc/firejail/disable-programs.inc
+Reading profile /etc/firejail/disable-passwdmgr.inc
+** Note: you can use --noprofile to disable default.profile **
+Parent pid 6872, child pid 6873
+Child process initialized
+----- Firejail Audit: the Good, the Bad and the Ugly -----
+GOOD: Process PID 2, running in a PID namespace
+Container/sandbox: firejail
+GOOD: all capabilities are disabled
+Parent is shutting down, bye...
+16. Sound devices:
+/dev/snd
+    /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
+    /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
+    /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
+    /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
+    /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
+    /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
+    /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
+    /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
+    /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44
+17. test 3d acceleration
+$ lspci -nn | grep VGA
+# apt-get install mesa-utils
+$ glxinfo  | grep rendering
+The output should be:
+direct rendering: Yes
+        
+$ glxinfo | grep "renderer string"
+OpenGL renderer string: Gallium 0.4 on AMD KAVERI
+glxgears stuck to 60fps may be due to VSync signal synchronization.
+To disable Vsync
+$ vblank_mode=0 glxgears
+19. testing snaps
+Install firejail from official repository
+sudo apt-get install firejail
+Check firejail version
+firejail --version
+Above command outputs: firejail version 0.9.38
+Search the snap 'ubuntu clock' application
+sudo snap find ubuntu-clock-app
+Install 'ubuntu clock' application using snap
+sudo snap install ubuntu-clock-app
+Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
+cd /snap/bin/
+ls -l
+Note: We see application name is: ubuntu-clock-app.clock
+Run application
+/snap/bin/ubuntu-clock-app.clock
+Note: Application starts-up without a problem and clock is displayed.
+Close application using mouse.
+Now try to firejail the application.
+firejail /snap/bin/ubuntu-clock-app.clock
+-------- Error message --------
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+** Note: you can use --noprofile to disable generic.profile **
+Parent pid 3770, child pid 3771
+Child process initialized
+need to run as root or suid
+parent is shutting down, bye...
+-------- End of Error message --------
+Try running as root as message instructs.
+sudo firejail /snap/bin/ubuntu-clock-app.clock
+extract env for process
+ps e -p <pid> | sed 's/ /\n/g' 
+20. check default disable - from grsecurity
+GRKERNSEC_HIDESYM
+/proc/kallsyms and other files
+GRKERNSEC_PROC_USER
+If you say Y here, non-root users will only be able to view their own
+processes, and restricts them from viewing network-related information,
+and viewing kernel symbol and module information.
+GRKERNSEC_PROC_ADD
+If you say Y here, additional restrictions will be placed on
+/proc that keep normal users from viewing device information and 
+slabinfo information that could be useful for exploits.
+21. Core Infrastructure Initiative (CII) Best Practices
+Proposal
+Someone closely involved with the project could go thought the criteria and keep them up-to-date.
+References
+    https://bestpractices.coreinfrastructure.org
+    https://twit.tv/shows/floss-weekly/episodes/389
+22. add support for read-write and noexec to Firetools
+23. AppArmor
+$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
+$ sudo apt-get install libapparmor-dev
+$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+$ sudo update-grub
+$ sudo reboot
+If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
+$ sudo aa-notify -p -f /var/log/audit/audit.log
+$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail
+firejail-default (enforce)
+24. check monitor proc behaviour for sandboxes with --blacklist=/proc
+also check --apparmor in this case
+25. fix firemon and firetools on systems with hidepid=2
+sudo mount -o remount,rw,hidepid=2 /proc
+26. mupdf profile
+27. LUKS 
+dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in 
+Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, 
+removable media, partitions, software RAID volumes, logical volumes, and files.
+28. Merge --dbus=none from https://github.com/Sidnioulz/firejail
+  // block dbus session bus the hard way if necessary
+  if (cfg.dbus == 0) {
+    char *dbus_path;
+                if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
+                        errExit("asprintf");
+    fs_blacklist_file(dbus_path);
+    free(dbus_path);
+}
+29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
+30. /* coverity[toctou] */