50 files changed, 384 insertions, 304 deletions
diff --git a/.gitignore b/.gitignore
index 1285dea92..5e26f1711 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
 firejail-config.5
+firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
diff --git a/RELNOTES b/RELNOTES
index 87b3f3780..c6194e1a6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,8 @@
 firejail (0.9.53) baseline; urgency=low
  * work in progress
  * modif: --force depercated
+  * modif: --csg, --zsh deprecated
+  * modif: --debug-check-filename deprecated
  * modif: --git-install and --git-uninstall deprecated
  * modif: support for private-bin, private-lib and shell none has been
     disabled while running AppImage archives in order to be able to use
diff --git a/etc/arduino.profile b/etc/arduino.profile
index e7d0d68dd..14741c964 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -9,6 +9,12 @@ noblacklist ${HOME}/.arduino15
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index b6baa66bc..1cd5d6a69 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ff5dc7b6b..7bc66b1e9 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 #  - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index b68dde0c4..eddb12e08 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -429,6 +429,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
diff --git a/etc/discord.profile b/etc/discord.profile
new file mode 100644
index 000000000..bb59ed42d
--- /dev/null
+++ b/etc/discord.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/discord.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+private-bin discord,sh,xdg-mime
+private-dev
+private-etc fonts
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index b237c3c05..333ebdaa2 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe
diff --git a/etc/firejail-default b/etc/firejail-default
index ad3fdd718..2e48439f5 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -165,10 +165,10 @@ capability sys_time,
 capability sys_tty_config,
 capability mknod,
 capability lease,
-capability audit_write,
+#capability audit_write,
-capability audit_control,
+#capability audit_control,
 capability setfcap,
-capability mac_override,
+#capability mac_override,
 #capability mac_admin,
 ##########
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index bad8538cf..e06107f0f 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index f435b4ed7..9a325d18b 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/less.profile b/etc/less.profile
index e2616ba4f..9b04329f2 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 114580f1e..832008564 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index b5e508d06..bbb907577 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -9,6 +9,12 @@ noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.java
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 94b282669..ff65a057b 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/ranger
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/steam.profile b/etc/steam.profile
index e1e6fd0e1..7b3149843 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -24,6 +24,12 @@ noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 0a4067341..fa45eb880 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index 0a3549c97..b8a3fa497 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index 8e63014ce..66f91250d 100644
--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.ZAP
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index b47aeb0da..028e15ef5 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 read-only ${HOME}/
diff --git a/mkuid.sh b/mkuid.sh
index a59f58143..9a37dc2ca 100755
--- a/mkuid.sh
+++ b/mkuid.sh
@@ -6,15 +6,15 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h
 if [ -r /etc/login.defs ]
 then
-        echo "// using values extracted from /etc/login.defs" >> uids.h
        UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
        GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
-        echo "#define UID_MIN $UID_MIN" >> uids.h
-        echo "#define GID_MIN $GID_MIN" >> uids.h
-else
-        echo "// using default values" >> uids.h
-        echo "#define UID_MIN 1000" >> uids.h
-        echo "#define GID_MIN 1000" >> uids.h
 fi
+# use default values if not found
+[ -z "$UID_MIN" ] && UID_MIN="1000"
+[ -z "$GID_MIN" ] && GID_MIN="1000"
+echo "#define UID_MIN $UID_MIN" >> uids.h
+echo "#define GID_MIN $GID_MIN" >> uids.h
 echo "#endif" >> uids.h
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 49e58528c..eb3794d3f 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -163,8 +163,6 @@ void fix_desktop_files(char *homedir) {
                // skip links
                if (is_link(filename))
                        continue;
-                if (stat(filename, &sb) == -1)
-                        errExit("stat");
                // no profile in /etc/firejail, no desktop file fixing
                if (!have_profile(filename, homedir))
@@ -173,23 +171,33 @@ void fix_desktop_files(char *homedir) {
                //****************************************************
                // load the file in memory and do some basic checking
                //****************************************************
-                /* coverity[toctou] */
+                FILE *fp = fopen(filename, "r");
-                int fd = open(filename, O_RDONLY);
+                if (!fp) {
-                if (fd == -1) {
                        fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
                        continue;
                }
-                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+                fseek(fp, 0, SEEK_END);
-                if (buf == MAP_FAILED)
+                size_t size = ftell(fp);
-                        errExit("mmap");
+                fseek(fp, 0, SEEK_SET);
-                close(fd);
+                char *buf = malloc(size + 1);
+                if (!buf)
+                        errExit("malloc");
+                size_t loaded = fread(buf, size, 1, fp);
+                fclose(fp);
+                if (loaded != 1) {
+                        fprintf(stderr, "Warning: cannot read /usr/share/applications/%s\n", filename);
+                        free(buf);
+                        continue;
+                }
+                buf[size] = '\0';
                // check format
                if (strstr(buf, "[Desktop Entry]\n") == NULL) {
                        if (arg_debug)
                                printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                        continue;
                }
@@ -198,7 +206,7 @@ void fix_desktop_files(char *homedir) {
                if (!ptr || strlen(ptr) < 7) {
                        if (arg_debug)
                                printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                        continue;
                }
@@ -207,7 +215,7 @@ void fix_desktop_files(char *homedir) {
                if (execname[0] == '"') {
                        if (arg_debug)
                                printf("   %s - skipped: path quoting unsupported\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                        continue;
                }
@@ -241,12 +249,9 @@ void fix_desktop_files(char *homedir) {
                        }
                }
-                if (change_exec == NULL && change_dbus == 0) {
+                free(buf);
-                        munmap(buf, sb.st_size + 1);
+                if (change_exec == NULL && change_dbus == 0)
                        continue;
-                }
-                munmap(buf, sb.st_size + 1);
                //****************************************************
                // generate output file
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 48d985d73..d0f43041c 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 include ../common.mk
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7b0ae30b6..f8094e893 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -166,10 +166,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        // follow symlink in private-bin command
-                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-                                fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
-                        }
                        // nonewprivs
                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-                                fwarning("remount-proc-sys from firejail.config was deprecated\n");
-                        }
                        else if (strncmp(ptr, "overlayfs ", 10) == 0) {
                                if (strcmp(ptr + 10, "yes") == 0)
                                        cfg_val[CFG_OVERLAYFS] = 1;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4fd11ab4f..2746deea1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug;           // print debug messages
-extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
 extern int arg_debug_private_lib;       // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
-// syscall.c
-const char *syscall_find_nr(int nr);
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);
@@ -647,12 +643,6 @@ void env_ibus_load(void);
 // fs_whitelist.c
 void fs_whitelist(void);
-// errno.c
-int errno_highest_nr(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
@@ -795,10 +785,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
-// git.c
-void git_install();
-void git_uninstall();
 // run_files.c
 void delete_run_files(pid_t pid);
 void delete_bandwidth_run_file(pid_t pid);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e676bbd7c..2d8af7f41 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -47,7 +47,6 @@ Config cfg;					// configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename = 0;               // print debug messages for filename checking
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
 int arg_debug_private_lib = 0;                  // print debug messages for private-lib
@@ -1051,8 +1050,6 @@ int main(int argc, char **argv) {
                if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
                        arg_debug = 1;
-                else if (strcmp(argv[i], "--debug-check-filename") == 0)
-                        arg_debug_check_filename = 1;
                else if (strcmp(argv[i], "--debug-blacklists") == 0)
                        arg_debug_blacklists = 1;
                else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1436,6 @@ int main(int argc, char **argv) {
                        custom_profile = 1;
                        free(ppath);
                }
-                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-                        fwarning("--profile-path has been deprecated\n");
-                }
                else if (strcmp(argv[i], "--noprofile") == 0) {
                        if (custom_profile) {
                                fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1535,6 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--machine-id") == 0) {
                        arg_machineid = 1;
                }
-                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        fwarning("--allow-private-blacklist was deprecated\n");
-                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
                }
@@ -2117,29 +2108,6 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--appimage") == 0)
                        arg_appimage = 1;
-                else if (strcmp(argv[i], "--csh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/csh";
-                }
-                else if (strcmp(argv[i], "--zsh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/zsh";
-                }
                else if (strcmp(argv[i], "--shell=none") == 0) {
                        arg_shell_none = 1;
                        if (cfg.shell) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index ba955bcca..5bd3f7e09 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
        for (i = 0; i < argc; i++) {
                if (strcmp(argv[i], "--debug") == 0)
                        arg_debug = 1;
-                else if (strcmp(argv[i], "--csh") == 0 ||
+                else if (strcmp(argv[i], "--shell=none") == 0 ||
-                    strcmp(argv[i], "--zsh") == 0 ||
-                    strcmp(argv[i], "--shell=none") == 0 ||
                    strncmp(argv[i], "--shell=", 8) == 0)
                        fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
        }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3ef9a1856..156ffa24a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_nodbus = 1;
                return 0;
        }
-        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                fmessage("--allow-private-blacklist was deprecated\n");
-                return 0;
-        }
        else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 709ce96b6..e0cecda1b 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) {
                seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter
                protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
        }
+        else {
+                int rv = unlink(RUN_SECCOMP_PROTOCOL);
+                (void) rv;
+        }
 #endif
        // if a keep list is available, disregard the drop list
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) {
                        seccomp_filter_keep();
                else
                        seccomp_filter_drop();
-        }
-        if (arg_debug) {
+                // clean unused filters
-                printf("\nSeccomp files:\n");
+#if defined(__LP64__)
-                int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+                int rv = unlink(RUN_SECCOMP_64);
+#endif
+#if defined(__ILP32__)
+                int rv = unlink(RUN_SECCOMP_32);
+#endif
+                (void) rv;
+        }
+        else { // clean seccomp files under /run/firejail/mnt
+                int rv = unlink(RUN_SECCOMP_CFG);
+                rv |= unlink(RUN_SECCOMP_64);
+                rv |= unlink(RUN_SECCOMP_32);
                (void) rv;
-                printf("\n");
        }
        if (arg_memory_deny_write_execute) {
@@ -1019,6 +1031,10 @@ int sandbox(void* sandbox_arg) {
                        printf("Install memory write&execute filter\n");
                seccomp_load(RUN_SECCOMP_MDWX); // install filter
        }
+        else {
+                int rv = unlink(RUN_SECCOMP_MDWX);
+                (void) rv;
+        }
 #endif
        //****************************************
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index fed1f7ba7..53df20a54 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -153,12 +153,6 @@ int sbox_run(unsigned filter, int num, ...) {
                for (i = 3; i < max; i++)
                        close(i); // close open files
-                if (arg_debug) {
-                        printf("sbox file descriptors:\n");
-                        int rv = system("ls -l /proc/self/fd");
-                        (void) rv;
-                }
                umask(027);
                // apply filters
@@ -215,12 +209,5 @@ int sbox_run(unsigned filter, int num, ...) {
                exit(1);
        }
-#if 0
-printf("** sbox run out *********************************\n");
-system("ls -l /run/firejail/mnt\n");
-system("ls -l /proc/self/fd");
-printf("** sbox run out *********************************\n");
-#endif
        return status;
 }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index effbf3751..742fc0465 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -29,8 +29,6 @@ static char *usage_str =
        "Options:\n"
        "    -- - signal the end of options and disables further option processing.\n"
        "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
-        "    --allow-private-blacklist - allow blacklisting files in private\n"
-        "\thome directories.\n"
        "    --allusers - all user home directories are visible inside the sandbox.\n"
        "    --apparmor - enable AppArmor confinement.\n"
        "    --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
        "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
        "    --cpu.print=name|pid - print the cpus in use.\n"
-        "    --csh - use /bin/csh as default shell.\n"
        "    --debug - print sandbox debug messages.\n"
        "    --debug-blacklists - debug blacklisting.\n"
        "    --debug-caps - print all recognized capabilities.\n"
-        "    --debug-check-filename - debug filename checking.\n"
        "    --debug-errnos - print all recognized error numbers.\n"
        "    --debug-private-lib - debug for --private-lib option.\n"
        "    --debug-protocols - print all recognized protocols.\n"
@@ -77,7 +73,9 @@ static char *usage_str =
        "    --dns.print=name|pid - print DNS configuration.\n"
        "    --env=name=value - set environment variable.\n"
        "    --fs.print=name|pid - print the filesystem log.\n"
+#ifdef HAVE_FILE_TRANSFER
        "    --get=name|pid filename - get a file from sandbox container.\n"
+#endif
        "    --help, -? - this help screen.\n"
        "    --hostname=name - set sandbox hostname.\n"
        "    --hosts-file=file - use file as /etc/hosts.\n"
@@ -97,7 +95,9 @@ static char *usage_str =
 #endif
        "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
        "    --list - list all sandboxes.\n"
+#ifdef HAVE_FILE_TRANSFER
        "    --ls=name|pid dir_or_filename - list files in sandbox container.\n"
+#endif
 #ifdef HAVE_NETWORK
        "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
@@ -159,13 +159,16 @@ static char *usage_str =
        "\tfilesystem, and copy the files and directories in the list.\n"
        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
        "    --profile=filename - use a custom profile.\n"
        "    --profile.print=name|pid - print the name of profile file.\n"
        "    --profile-path=directory - use this directory to look for profile files.\n"
        "    --protocol=protocol,protocol,protocol - enable protocol filter.\n"
        "    --protocol.print=name|pid - print the protocol filter.\n"
+#ifdef HAVE_FILE_TRANSFER
        "    --put=name|pid src-filename dest-filename - put a file in sandbox\n"
        "\tcontainer.\n"
+#endif
        "    --quiet - turn off Firejail's output.\n"
        "    --read-only=filename - set directory or file read-only..\n"
        "    --read-write=filename - set directory or file read-write.\n"
@@ -230,7 +233,6 @@ static char *usage_str =
        "    --x11=xvfb - enable Xvfb X11 server.\n"
        "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-        "    --zsh - use /usr/bin/zsh as default shell.\n"
        "\n"
        "Examples:\n"
        "    $ firejail firefox\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3437d495f..a44e52e98 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
        assert(fname);
        const char *ptr = fname;
-        if (arg_debug_check_filename)
-                printf("Checking filename %s\n", fname);
        if (strncmp(ptr, "${HOME}", 7) == 0)
                ptr = fname + 7;
        else if (strncmp(ptr, "${PATH}", 7) == 0)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 3903b4709..7040dea18 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -347,12 +347,6 @@ void x11_start_xvfb(int argc, char **argv) {
        }
        free(fname);
-        if (arg_debug) {
-                printf("X11 sockets: "); fflush(0);
-                int rv = system("ls /tmp/.X11-unix");
-                (void) rv;
-        }
        assert(display_str);
        setenv("DISPLAY", display_str, 1);
        // run attach command
@@ -582,12 +576,6 @@ void x11_start_xephyr(int argc, char **argv) {
        }
        free(fname);
-        if (arg_debug) {
-                printf("X11 sockets: "); fflush(0);
-                int rv = system("ls /tmp/.X11-unix");
-                (void) rv;
-        }
        assert(display_str);
        setenv("DISPLAY", display_str, 1);
        // run attach command
@@ -755,12 +743,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
        }
        free(fname);
-        if (arg_debug) {
-                printf("X11 sockets: "); fflush(0);
-                int rv = system("ls /tmp/.X11-unix");
-                (void) rv;
-        }
        // build attach command
        char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL };
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 37bd4e874..a4d642d66 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -43,6 +43,7 @@ static char *help_str =
        "\t--tree - print a tree of all sandboxed processes.\n\n"
        "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
        "\t--version - print program version and exit.\n\n"
+        "\t--x11 - print X11 display number.\n\n"
        "Without any options, firemon monitors all fork, exec, id change, and exit\n"
        "events in the sandbox. Monitoring a specific PID is also supported.\n\n"
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index 5d92aa133..7d9784392 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -45,6 +45,12 @@ int firejail_user_check(const char *name) {
        if (strcmp(name, "root") == 0)
                return 1;
+        // user nobody disabled by default
+        if (strcmp(name, "nobody") == 0) {
+                fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
+                exit(1);
+        }
        // check file existence
        char *fname = get_fname();
        if (access(fname, F_OK)) {
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index fcc0f914b..ec91e495c 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,7 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default, user nobody is denied access by default.
 Example:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6e8e4eb2c..2e410061d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -314,15 +314,6 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-.br
-Example:
-.br
-$ firejail \-\-csh
-.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 .TP
 \fB\-\-debug-errnos
@@ -1949,8 +1931,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
+By default Bash shell (/bin/bash) is used.
-shell.
 .br
 .br
@@ -2324,16 +2305,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-.br
-Example:
-.br
-$ firejail \-\-zsh
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index dcf16452f..0ec07c1ad 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -56,7 +56,7 @@ expect {
 sleep 2
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
        "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 11\n";exit}
        "appimage Leafpad"
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 073c32dab..90b13b9ff 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -44,7 +44,7 @@ expect {
 sleep 2
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
        "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "appimage Leafpad"
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
index 359f94db1..f92ec5ddf 100755
--- a/test/environment/allow-debuggers.exp
+++ b/test/environment/allow-debuggers.exp
@@ -5,36 +5,27 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r"
+send -- "firejail --allow-debuggers\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized" { puts "\n"}
        "is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit }
 }
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "ioctl"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "exit_group"
-}
 after 100
-send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
+send -- "strace ls\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
-        "ioctl"
+        "open"
 }
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "exit_group"
 }
 after 100
+send -- "exit\r"
+sleep 1
 puts "\nall done\n"
diff --git a/test/environment/csh.exp b/test/environment/csh.exp
index 10a278ebc..7b5ab9b33 100755
--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        ".cshrc"
+        "SHELL"
-}
-send -- "env | grep SHELL\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "/bin/csh"
 }
-send -- "exit\r"
-sleep 1
-send -- "firejail --shell=none --csh\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
+        "home"
-}
-after 100
-send -- "firejail --csh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
 }
+send -- "exit\r"
 after 100
-puts "\n"
+puts "\nall done\n"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index b6688d484..364a4b65b 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -68,9 +68,6 @@ fi
 echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)"
 ./firejail-in-firejail.exp
-echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)"
-./firejail-in-firejail2.exp
 which aplay
 if [ "$?" -eq 0 ];
 then
diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp
deleted file mode 100755
index 6528e45cd..000000000
--- a/test/environment/firejail-in-firejail2.exp
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "firejail --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send --  "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Warning: an existing sandbox was detected"
-}
-after 100
-send --  "exit\r"
-after 100
-send --  "firejail --force\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-after 100
-send --  "exit\r"
-after 100
-send --  "firejail --version\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "firejail version"
-}
-after 100
-send --  "firejail --version --force\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "firejail version"
-}
-after 100
-puts "\nall done\n"
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index e7f610e98..a1b94a326 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --private --tracelog --zsh\r"
+send -- "firejail --private --shell=/bin/zsh\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "find ~\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        ".zshrc"
-}
 send -- "env | grep SHELL;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
        "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "/bin/zsh"
 }
-send -- "exit\r"
-sleep 1
-send -- "firejail --shell=none --zsh\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
+        "home"
-}
-after 100
-send -- "firejail --zsh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
 }
+send -- "exit\r"
 after 100
 puts "\nall done\n"
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 45b1d0459..97ecc8be0 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -28,6 +28,12 @@ fi
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
+echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
+./seccomp-run-files.exp
+echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
+./seccomp-postexec.exp
 echo "TESTING: noroot (test/filters/noroot.exp)"
 ./noroot.exp
diff --git a/test/filters/seccomp-postexec.exp b/test/filters/seccomp-postexec.exp
new file mode 100755
index 000000000..4302aec5e
--- /dev/null
+++ b/test/filters/seccomp-postexec.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --debug --seccomp=execve\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "configuring postexec seccomp filter in"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "data.architecture"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "monitoring pid"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Sandbox monitor: waitpid"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+puts "all done\n"
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp
new file mode 100755
index 000000000..a72b9aef7
--- /dev/null
+++ b/test/filters/seccomp-run-files.exp
@@ -0,0 +1,98 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --ignore=seccomp --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+        "/run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "1"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --ignore=protocol --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "monitoring"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "3"
+}
+send -- "exit\r"
+sleep 1
+send --  "firejail --memory-deny-write-execute --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "/run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "5"
+}
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/fnetfilter/default.exp b/test/fnetfilter/default.exp
index 4c24b370f..8406160e3 100755
--- a/test/fnetfilter/default.exp
+++ b/test/fnetfilter/default.exp
@@ -31,7 +31,7 @@ after 100
 send -- "fnetfilter test1.net,33\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid destination file in netfilter command"
+        "cannot open test1.net,33"
 }
 after 100
 send -- "rm outfile\r"
diff --git a/test/fnetfilter/template.exp b/test/fnetfilter/template.exp
index b63a2d4c9..5b84166d8 100755
--- a/test/fnetfilter/template.exp
+++ b/test/fnetfilter/template.exp
@@ -66,7 +66,7 @@ after 100
 send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r"
 expect {
        timeout {puts "TESTING ERROR 12\n";exit}
-        "invalid destination file in netfilter command"
+        "cannot open test2.net,"
 }
 after 100
diff --git a/test/root/private.exp b/test/root/private.exp
index 784761fc8..e3d3245ae 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -54,6 +54,21 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 send -- "touch /srv/firejail-test-file\r"
@@ -77,14 +92,20 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 puts "\nall done\n"