26 files changed, 104 insertions, 237 deletions

diff --git a/Makefile.in b/Makefile.in
index b6997bd3d..e9aab83c9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -16,6 +16,7 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 PACKAGE_TARNAME=@PACKAGE_TARNAME@
 DOCDIR=@docdir@
+HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
 HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
@@ -39,10 +40,12 @@ $(MANPAGES): $(wildcard src/man/*.txt)
 man: $(MANPAGES)
 
 filters: src/fseccomp
+ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
         src/fseccomp/fseccomp default seccomp
         src/fseccomp/fseccomp default seccomp.debug allow-debuggers
         src/fseccomp/fseccomp secondary 32 seccomp.i386
         src/fseccomp/fseccomp secondary 64 seccomp.amd64
+endif
 
 clean:
         for dir in $(APPS) $(MYLIBS); do \
@@ -87,15 +90,18 @@ ifeq ($(HAVE_GIT_INSTALL),-DHAVE_GIT_INSTALL)
         install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
 endif
+
         install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
+ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
+        install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+endif
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
@@ -240,7 +246,9 @@ test-environment:
         cd test/environment; ./environment.sh | grep TESTING
 
 test-filters:
+ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
         cd test/filters; ./filters.sh | grep TESTING
+endif
 
 test-arguments:
         cd test/arguments; ./arguments.sh | grep TESTING
diff --git a/README b/README
index 915001ec2..e45c6d412 100644
--- a/README
+++ b/README
@@ -468,5 +468,6 @@ Zack Weinberg (https://github.com/zackw)
         - Xvfb and Xephyr profiles, modified Xpra profile
         - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started
           with firejail --x11
-
+        - support for xpra-extra-params in firejail.config
+        
 Copyright (C) 2014-2017 Firejail Authors
diff --git a/README.md b/README.md
index fdcca9e6e..4aa2e66b3 100644
--- a/README.md
+++ b/README.md
@@ -62,161 +62,7 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 `````
 
 `````
-# Current development version: 0.9.45
-`````
-
-`````
-## Desktop integration
-
-All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program
-in desktop manager menu should start the program automatically in a sandbox if a profile
-is available in /etc/firejail. We cover about 300 different applications in this moment on all major desktop managers.
-
-Symlinks for the common file managers are installed in /usr/local/bin by firecfg. 
-File managers are usually started by default at login time, and will be sandboxed.
-Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager.
-For example, clicking on a video file will start a sandboxed VLC running the video.
-We support in this moment XFCE, LXDE, MATE, Cinnamon and KDE.
-
-## AppImage
-
-Added AppImage type 2 support, and support for passing command line arguments to appimages.
-`````
-
-`````
-## X11 sandboxing support
-In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server.
-Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server)
-while also having the ability to take screenshots.
-
-
-       --x11=xvfb
-              Start  Xvfb  X11  server  and attach the sandbox to this server.
-              Xvfb, short for X virtual framebuffer,  performs  all  graphical
-              operations  in memory without showing any screen output. Xvfb is
-              mainly used for remote access and software testing  on  headless
-              servers.
+# Current development version: 0.9.47
 
-              On Debian platforms Xvfb is installed with the command sudo apt-
-              get install xvfb.  This feature is not available when running as
-              root.
+Upcoming release 0.9.46 was moved on 0.9.46-bugfixes branch: https://github.com/netblue30/firejail/tree/0.9.46-bugfixes
 
-              Example: remote VNC access
-
-              On  the  server we start a sandbox using Xvfb and openbox window
-              manager. The default size of Xvfb screen is 800x600 - it can  be
-              changed  in  /etc/firejail/firejail.config  (xvfb-screen).  Some
-              sort of networking (--net) is required in order to  isolate  the
-              abstract sockets used by other X servers.
-
-              $ firejail --net=none --x11=xvfb openbox
-
-              *** Attaching to Xvfb display 792 ***
-
-              Reading profile /etc/firejail/openbox.profile
-              Reading profile /etc/firejail/disable-common.inc
-              Reading profile /etc/firejail/disable-common.local
-              Parent pid 5400, child pid 5401
-
-              On  the  server  we also start a VNC server and attach it to the
-              display handled by our Xvfb server (792).
-
-              $ x11vnc -display :792
-
-              On the client machine we start a VNC viewer and use it  to  con‐
-              nect to our server:
-
-              $ vncviewer
-
-
-## New command line options
-`````
-      --private-opt=file,directory
-              Build  a  new /opt in a temporary filesystem, and copy the files
-              and directories in the list.  If no listed file is  found,  /opt
-              directory  will  be empty.  All modifications are discarded when
-              the sandbox is closed.
-
-              Example:
-              $ firejail --private-opt=firefox /opt/firefox/firefox
-
-       --private-srv=file,directory
-              Build a new /srv in a temporary filesystem, and copy  the  files
-              and  directories  in the list.  If no listed file is found, /srv
-              directory will be empty.  All modifications are  discarded  when
-              the sandbox is closed.
-
-              Example:
-              # firejail --private-srv=www /etc/init.d/apache2 start
-
-      --machine-id
-              Spoof id number in /etc/machine-id file - a  new  random  id  is
-              generated inside the sandbox.
-
-              Example:
-              $ firejail --machine-id
-
-       --allow-private-blacklist
-              Allow  blacklisting  files in private home directory. By default
-              these blacklists are disabled.
-
-              Example:
-              $   firejail    --allow-private-blacklist   --private=~/priv-dir
-              --blacklist=~/.mozilla
-
-      --hosts-file=file
-              Use file as /etc/hosts.
-
-              Example:
-              $ firejail --hosts-file=~/myhosts firefox
-
-      --writable-var-log
-              Use the real /var/log directory, not  a  clone.  By  default,  a
-              tmpfs  is  mounted  on top of /var/log directory, and a skeleton
-              filesystem is created based on the original /var/log.
-
-              Example:
-              $ sudo firejail --writable-var-log
-
-       --git-install
-              Download, compile and install mainline git version  of  Firejail
-              from  the  official  repository  on  GitHub.   The  software  is
-              installed in /usr/local/bin, and takes precedence over the (old)
-              version installed in /usr/bin. If for any reason the new version
-              doesn't work, the user can uninstall  it  using  --git-uninstall
-              command and revert to the old version.
-
-              Prerequisites: git and compile support are required for this com‐
-              mand to work. On Debian/Ubuntu systems this support is installed
-              using "sudo apt-get install build-essential git".
-
-              Example:
-
-              $ firejail --git-install
-
-       --git-uninstall
-              Remove    the   Firejail   version   previously   installed   in
-              /usr/local/bin using --git-install command.
-
-              Example:
-
-              $ firejail --git-uninstall
-
-
-       --nowhitelist=dirname_or_filename
-              Disable whitelist for this directory or file.
-
-`````
-## New Profiles
-xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
-amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit,
-gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather,
-goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
-simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
-xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
-PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser,
-Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file,
-Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent,
-Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM, Dia, FontForge, Geany, Hugin,
-mate-calc, mate-dictionary, mate-color-select, caja, galculator, Nemo, gnome-font-viewer, gucharmap,
-knotes, clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr, Blender, 2048-qt 
diff --git a/RELNOTES b/RELNOTES
index be9e35af7..3ebf790c5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,4 @@
-firejail (0.9.46-rc1) baseline; urgency=low
-  * development version, work in progress
+firejail (0.9.46) baseline; urgency=low
   * security: split most of networking code in a separate executable
   * security: split seccomp filter code configuration in a separate executable
   * security: split file copying in private option in a separate executable
@@ -34,6 +33,8 @@ firejail (0.9.46-rc1) baseline; urgency=low
   * feature: --fix-sound support in firecfg
   * feature: added support for sandboxing Xpra, Xvfb and Xephyr in 
     independent sandboxes when started with firejail --x11
+  * feature: enable automatic X server sandboxing for --x11=xpra
+    and --x11=xephyr
   * feature: support for Xpra extra params in firejail config file
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
@@ -51,7 +52,7 @@ firejail (0.9.46-rc1) baseline; urgency=low
   * new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr
   * new profiles: Blender, 2048-qt
   * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Fri, 7 Apr 2017 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sun, 14 May 2017 08:00:00 -0500
 
 firejail (0.9.44.10) baseline; urgency=low
   * security: when using --x11=xorg and --net, incorrect processing of
diff --git a/configure b/configure
index 44de314fe..4e28ac153 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.46~rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.47.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.46~rc1'
-PACKAGE_STRING='firejail 0.9.46~rc1'
+PACKAGE_VERSION='0.9.47'
+PACKAGE_STRING='firejail 0.9.47'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1265,7 +1265,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.46~rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.47 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1326,7 +1326,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.46~rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.47:";;
    esac
   cat <<\_ACEOF
 
@@ -1434,7 +1434,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.46~rc1
+firejail configure 0.9.47
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1736,7 +1736,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.46~rc1, which was
+It was created by firejail $as_me 0.9.47, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4355,7 +4355,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.46~rc1, which was
+This file was extended by firejail $as_me 0.9.47, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4409,7 +4409,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.46~rc1
+firejail config.status 0.9.47
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index c6048ca61..594a7abf8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.46~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.47, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 362318bb1..d3349f7f7 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -4,13 +4,11 @@ include /etc/firejail/Xephyr.local
 
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
-# The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+# To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
 #
-# We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
+# or run "sudo firecfg"
 #
 
 
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 9c919f432..0cf9b7e1c 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -10,7 +10,7 @@ include /etc/firejail/xvfb.local
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
 #
 # We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
+# some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
 
 
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 5d759ffd4..d32fa7cf7 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -11,7 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-ipc-namespace
+#ipc-namespace
 netfilter
 # nogroups
 nonewprivs
diff --git a/etc/xpra.profile b/etc/xpra.profile
index f4f28f9de..11bfec7eb 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -5,14 +5,11 @@ include /etc/firejail/xpra.local
 
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
-# The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-xpra  symlink in /usr/local/bin:
+# To enable it, create a firejail-xpra  symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
 #
-# We have this functionality disabled by default because it creates problems on
-# some Linux distributions.
-#
+# or run "sudo firecfg"
 
 # private home directory doesn't work on some distros, so we go for a regular home
 #private
@@ -36,6 +33,7 @@ protocol unix
 
 private-dev
 private-tmp
+# older Xpra versions also use Xvfb
 #private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
 #private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index b9eadb9fc..965f18501 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -301,4 +301,3 @@
 /etc/firejail/blender.profile
 /etc/firejail/2048-qt.profile
 /etc/firejail/gimp-2.8.profile
-
diff --git a/platform/debian/control b/platform/debian/control
index 4287d6561..4161cbfb2 100644
--- a/platform/debian/control
+++ b/platform/debian/control
@@ -2,7 +2,7 @@ Package: firejail
 Version: FIREJAILVER-1
 Architecture: amd64
 Maintainer: netblue30 <netblue30@yahoo.com>
-Installed-Size: 272
+Installed-Size: 2024
 Depends: libc6
 Suggests: python, python3
 Section: admin
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
index 46a2c613d..78e93507c 100755
--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-VERSION="0.9.46~rc1"
+VERSION="0.9.46"
 rm -fr ~/rpmbuild
 rm -f firejail-$VERSION-1.x86_64.rpm
 
@@ -366,6 +366,50 @@ rm -rf %{buildroot}
 %{_sysconfdir}/%{name}/xonotic.profile
 %{_sysconfdir}/%{name}/xpra.profile
 %{_sysconfdir}/%{name}/zoom.profile
+%{_sysconfdir}/%{name}/2048-qt.profile
+%{_sysconfdir}/%{name}/Xephyr.profile
+%{_sysconfdir}/%{name}/Xvfb.profile
+%{_sysconfdir}/%{name}/akregator.profile
+%{_sysconfdir}/%{name}/arduino.profile
+%{_sysconfdir}/%{name}/baloo_file.profile
+%{_sysconfdir}/%{name}/bibletime.profile
+%{_sysconfdir}/%{name}/blender.profile
+%{_sysconfdir}/%{name}/caja.profile
+%{_sysconfdir}/%{name}/clipit.profile
+%{_sysconfdir}/%{name}/dia.profile
+%{_sysconfdir}/%{name}/dino.profile
+%{_sysconfdir}/%{name}/fontforge.profile
+%{_sysconfdir}/%{name}/galculator.profile
+%{_sysconfdir}/%{name}/geany.profile
+%{_sysconfdir}/%{name}/gimp-2.8.profile
+%{_sysconfdir}/%{name}/globaltime.profile
+%{_sysconfdir}/%{name}/gnome-font-viewer.profile
+%{_sysconfdir}/%{name}/gucharmap.profile
+%{_sysconfdir}/%{name}/hugin.profile
+%{_sysconfdir}/%{name}/kcalc.profile
+%{_sysconfdir}/%{name}/knotes.profile
+%{_sysconfdir}/%{name}/kodi.profile
+%{_sysconfdir}/%{name}/ktorrent.profile
+%{_sysconfdir}/%{name}/leafpad.profile
+%{_sysconfdir}/%{name}/lximage-qt.profile
+%{_sysconfdir}/%{name}/lxmusic.profile
+%{_sysconfdir}/%{name}/mate-calc.profile
+%{_sysconfdir}/%{name}/mate-calculator.profile
+%{_sysconfdir}/%{name}/mate-color-select.profile
+%{_sysconfdir}/%{name}/mate-dictionary.profile
+%{_sysconfdir}/%{name}/meld.profile
+%{_sysconfdir}/%{name}/nemo.profile
+%{_sysconfdir}/%{name}/nylas.profile
+%{_sysconfdir}/%{name}/orage.profile
+%{_sysconfdir}/%{name}/pcmanfm.profile
+%{_sysconfdir}/%{name}/qlipper.profile
+%{_sysconfdir}/%{name}/ristretto.profile
+%{_sysconfdir}/%{name}/viewnior.profile
+%{_sysconfdir}/%{name}/viking.profile
+%{_sysconfdir}/%{name}/xfce4-dict.profile
+%{_sysconfdir}/%{name}/xfce4-notes.profile
+%{_sysconfdir}/%{name}/youtube-dl.profile
+  
 
 /usr/bin/firejail
 /usr/bin/firemon
@@ -407,7 +451,7 @@ rm -rf %{buildroot}
 chmod u+s /usr/bin/firejail
 
 %changelog
-* Fri Apr 7 2017  netblue30 <netblue30@yahoo.com> 0.9.46~rc1
+* Mon May 15 2017  netblue30 <netblue30@yahoo.com> 0.9.46-1
 
 * Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
   - CVE-2016-7545 submitted by Aleksey Manevich
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 60e414755..f46fdea35 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -230,6 +230,7 @@ wire
 wireshark
 xchat
 xed
+Xephyr
 xfburn
 xfce4-dict
 xfce4-notes
@@ -239,6 +240,7 @@ xonotic-glx
 xonotic-sdl
 xpdf
 xplayer
+xpra
 xreader
 xviewer
 youtube-dl
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9e5c31c32..86ca422ae 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2174,7 +2174,7 @@ int main(int argc, char **argv) {
         
         // prog_index could still be -1 if no program was specified
         if (prog_index == -1 && arg_shell_none) {
-                fprintf(stderr, "shell=none configured, but no program specified\n");
+                fprintf(stderr, "Error: shell=none configured, but no program specified\n");
                 exit(1);
         }
 
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 9221aaa99..05f5abe2a 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -230,8 +230,5 @@ void run_no_sandbox(int argc, char **argv) {
 
         arg_quiet = 1;
 
-  // we don't want to run a shell, otherwise it will be recursively
-  arg_shell_none = 1;
-
         start_application();
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c515accc0..9ae2aa5b4 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1089,12 +1089,8 @@ void profile_read(const char *fname) {
         }
 
         // check file
-        if (strlen(fname) == 0) {
-                fprintf(stderr, "Error: invalid profile file\n");
-                exit(1);
-        }
         invalid_filename(fname);
-        if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
+        if (strlen(fname) == 0 || is_dir(fname)) {
                 fprintf(stderr, "Error: invalid profile file\n");
                 exit(1);
         }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d8880b924..3ff104d26 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -43,7 +43,7 @@
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif
-
+#include <syscall.h>
 
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
@@ -907,7 +907,7 @@ int sandbox(void* sandbox_arg) {
         // set seccomp //todo: push it down after drop_privs and/or configuring noroot
 #ifdef HAVE_SECCOMP
         // install protocol filter
-#ifdef SYS_SOCKET
+#ifdef SYS_socket
         if (cfg.protocol) {
                 if (arg_debug)
                         printf("Install protocol filter: %s\n", cfg.protocol);
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0f7ea56b6..f1d45adef 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -568,6 +568,7 @@ void x11_start_xephyr(int argc, char **argv) {
                 (void) rv;
         }
 
+        assert(display_str);
         setenv("DISPLAY", display_str, 1);
         // run attach command
         jail = fork();
@@ -785,6 +786,7 @@ void x11_start_xpra(int argc, char **argv) {
                 _exit(1);
         }
 
+        assert(display_str);
         setenv("DISPLAY", display_str, 1);
 
         // build jail command
@@ -798,7 +800,7 @@ void x11_start_xpra(int argc, char **argv) {
         }
         firejail_argv[pos] = NULL;
 
-        assert(pos < (argc+2));
+        assert((int) pos < (argc+2));
         assert(!firejail_argv[pos]);
 
         // start jail
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 57ce2f8e0..4a0fadb3c 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -60,6 +60,7 @@ static char *protocol[] = {
         NULL
 };
 
+#ifdef SYS_socket
 static struct sock_filter protocol_filter_command[] = {
         WHITELIST(AF_UNIX),
         WHITELIST(AF_INET),
@@ -67,6 +68,7 @@ static struct sock_filter protocol_filter_command[] = {
         WHITELIST(AF_NETLINK),
         WHITELIST(AF_PACKET)
 };
+#endif
 // Note: protocol[] and protocol_filter_command are synchronized
 
 // command length
@@ -75,6 +77,7 @@ struct sock_filter whitelist[] = {
 };
 unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter);
 
+#ifdef SYS_socket
 static struct sock_filter *find_protocol_domain(const char *p) {
         int i = 0;
         while (protocol[i] != NULL) {
@@ -85,7 +88,7 @@ static struct sock_filter *find_protocol_domain(const char *p) {
 
         return NULL;
 }       
-
+#endif
 
 void protocol_print(void) {
 #ifndef SYS_socket
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 979d4fc06..55b60dcac 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -20,16 +20,14 @@ The integration covers:
 .br
 
 .br
-- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE, MATE and XFCE
+- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE
 desktop managers are supported in this moment
 .RE
 
-This brings us as very close to full desktop integration.
-
-To set it up, run "sudo firecfg" after installing
-Firejail software, and logout/login for the integration to take effect. "sudo firecfg" should also be run after
-you install new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a list of programs supported by default run "ls /etc/firejail".
+To set it up, run "sudo firecfg" after installing Firejail software.
+The same command should also be run after
+installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
+will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
index d9b7058bf..73e589876 100755
--- a/test/arguments/arguments.sh
+++ b/test/arguments/arguments.sh
@@ -6,6 +6,7 @@ if [ -f /etc/debian_version ]; then
 else
         export PATH="$PATH:/usr/lib/firejail"
 fi
+export PATH="$PATH:/usr/lib/firejail"
 
 echo "TESTING: 1. regular bash session"
 ./bashrun.exp
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
index 8a404decb..f032e1c3e 100755
--- a/test/environment/allow-debuggers.exp
+++ b/test/environment/allow-debuggers.exp
@@ -8,7 +8,8 @@ match_max 100000
 send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        "Child process initialized" { puts "\n"}
+        "is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit }
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 59d7d7e7f..6a5ec2b87 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -13,6 +13,8 @@ else
         export PATH="$PATH:/usr/lib/firejail"
 fi
 
+export PATH="$PATH:/usr/lib/firejail"
+
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
 
diff --git a/test/utils/firecfg-fix.exp b/test/utils/firecfg-fix.exp
deleted file mode 100755
index 685ce9c7b..000000000
--- a/test/utils/firecfg-fix.exp
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firecfg --fix\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "created"
-}
-sleep 1
-
-send -- "firecfg --fix\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "skipped"
-}
-sleep 1
-
-puts "\nall done\n"
-
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index d5ee5ef32..751f1f8e7 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -112,8 +112,3 @@ echo "TESTING: firemon interface (test/utils/firemon-interface.exp)"
 echo "TESTING: firemon name (test/utils/firemon-name.exp)"
 ./firemon-name.exp
 
-echo "TESTING: firecfg --fix (test/utils/firecfg-fix.exp)"
-mv ~/.local/share/applications ~/firejail-test-local-apps
-./firecfg-fix.exp
-rm -fr ~/.local/share/applications
-mv ~/firejail-test-local-apps ~/.local/share/applications