42 files changed, 1265 insertions, 100 deletions

diff --git a/.gitignore b/.gitignore
index 0c803b135..cbb1b2e83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+jailtest.5
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
@@ -40,6 +41,7 @@ src/fbuilder/fbuilder
 src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
+src/jailtest/jailtest
 uids.h
 seccomp
 seccomp.debug
diff --git a/Makefile.in b/Makefile.in
index 593afdacf..b0deee03b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -23,13 +23,13 @@ endif
 
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
 SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailtest.5
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
@@ -109,6 +109,8 @@ endif
         install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
         # firecfg executable
         install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+        # jailtest executable
+        install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir)
         # libraries and plugins
         install -m 0755 -d $(DESTDIR)$(libdir)/firejail
         install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
@@ -177,6 +179,7 @@ uninstall:
         rm -f $(DESTDIR)$(bindir)/firemon
         rm -f $(DESTDIR)$(bindir)/firecfg
         rm -fr $(DESTDIR)$(libdir)/firejail
+        rm -fr $(DESTDIR)$(libdir)/jailtest
         rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
         for man in $(MANPAGES); do \
                 rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
diff --git a/README b/README
index 3660c71e6..3faa88350 100644
--- a/README
+++ b/README
@@ -44,9 +44,10 @@ Committers
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Kelvin M. Klann (https://github.com/kmk3)
 - Kristóf Marussy (https://github.com/kris7t)
+- Neo00001 (https://github.com/Neo00001)
 - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
 - rusty-snake (https://github.com/rusty-snake)
-- smithsohu (https://github.com/smitsohu)
+- smitsohu (https://github.com/smitsohu)
 - SkewedZeppelin (https://github.com/SkewedZeppelin)
 - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
 - Topi Miettinen (https://github.com/topimiettinen)
diff --git a/README.md b/README.md
index db088ddf6..0409df8b5 100644
--- a/README.md
+++ b/README.md
@@ -198,7 +198,100 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 Release discussion: https://github.com/netblue30/firejail/issues/3696
 
+### jailtest
+`````
+JAILTEST(1)                    JAILTEST man page                   JAILTEST(1)
+
+NAME
+       jailtest - Simple utility program to test running sandboxes
+
+SYNOPSIS
+       sudo jailtest [OPTIONS] [directory]
+
+DESCRIPTION
+       WORK IN PROGRESS!  jailtest attaches itself to all sandboxes started by
+       the user and performs some basic tests on the sandbox filesystem:
+
+       1. Virtual directories
+              jailtest extracts a list with the main virtual  directories  in‐
+              stalled by the sandbox.  These directories are build by firejail
+              at startup using --private* and --whitelist commands.
+
+       2. Noexec test
+              jailtest inserts executable programs  in  /home/username,  /tmp,
+              and  /var/tmp  directories and tries to run them form inside the
+              sandbox, thus testing if the directory is executable or not.
+
+       3. Read access test
+              jailtest creates test files in the directories specified by  the
+              user and tries to read them from inside the sandbox.
+
+       4. AppArmor test
+
+       5. Seccomp test
+
+       The program is started as root using sudo.
+
+OPTIONS
+       --debug
+              Print debug messages
+
+       -?, --help
+              Print options end exit.
+
+       --version
+              Print program version and exit.
 
+       [directory]
+              One  or  more  directories in user home to test for read access.
+              ~/.ssh and ~/.gnupg are tested by default.
+
+OUTPUT
+       For each sandbox detected we print the following line:
+
+            PID:USER:Sandbox Name:Command
+
+       It is followed by relevant sandbox information, such as the virtual di‐
+       rectories and various warnings.
+
+EXAMPLE
+       $ sudo jailtest
+       2014:netblue::firejail /usr/bin/gimp
+          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+          Warning: I can run programs in /home/netblue
+
+       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+          Warning: I can read ~/.ssh
+
+       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
+       pimage
+          Virtual dirs: /tmp, /var/tmp, /dev,
+
+       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+                        /run/user/1000,
+
+       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+          Warning: AppArmor not enabled
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+                        /usr/share, /run/user/1000,
+          Warning: I can run programs in /home/netblue
+
+LICENSE
+       This program is free software; you can redistribute it and/or modify it
+       under  the  terms of the GNU General Public License as published by the
+       Free Software Foundation; either version 2 of the License, or (at  your
+       option) any later version.
+
+       Homepage: https://firejail.wordpress.com
+
+SEE ALSO
+       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
+       gin(5), firejail-users(5),
+
+0.9.65                             Feb 2021                        JAILTEST(1)
+`````
 
 ### Profile Statistics
 
@@ -210,31 +303,31 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 
 Stats:
-    profiles                    1064
-    include local profile       1064   (include profile-name.local)
-    include globals             1064   (include globals.local)
-    blacklist ~/.ssh            959   (include disable-common.inc)
-    seccomp                     975
-    capabilities                1063
-    noexec                      944   (include disable-exec.inc)
-    memory-deny-write-execute   229
-    apparmor                    605
-    private-bin                 564
-    private-dev                 932
-    private-etc                 462
-    private-tmp                 823
-    whitelist home directory    502
-    whitelist var               744   (include whitelist-var-common.inc)
-    whitelist run/user          461   (include whitelist-runuser-common.inc
+    profiles                    1077
+    include local profile       1077   (include profile-name.local)
+    include globals             1077   (include globals.local)
+    blacklist ~/.ssh            971   (include disable-common.inc)
+    seccomp                     988
+    capabilities                1076
+    noexec                      960   (include disable-exec.inc)
+    memory-deny-write-execute   231
+    apparmor                    621
+    private-bin                 571
+    private-dev                 949
+    private-etc                 470
+    private-tmp                 835
+    whitelist home directory    508
+    whitelist var               758   (include whitelist-var-common.inc)
+    whitelist run/user          539   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         451   (include whitelist-usr-share-common.inc
-    net none                    345
-    dbus-user none              564
-    dbus-user filter            85
-    dbus-system none            696
+    whitelist usr/share         526   (include whitelist-usr-share-common.inc
+    net none                    354
+    dbus-user none              573
+    dbus-user filter            86
+    dbus-system none            706
     dbus-system filter          7
 ```
 
 ### New profiles:
 
-vmware-view, display-im6.q16
+vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop
diff --git a/RELNOTES b/RELNOTES
index 98ae118a3..5aa77814a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,8 @@
 firejail (0.9.65) baseline; urgency=low
   * filtering environment variables
   * zsh completion
-  * new profiles: vmware-view, display-im6.q16
+  * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
+  * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop
  -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/configure b/configure
index fa2401070..84bcafaf7 100755
--- a/configure
+++ b/configure
@@ -4269,7 +4269,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5000,7 +5000,10 @@ do
     "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
     "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
     "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
+    "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;;
+    "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
     "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
+    "src/jailtest/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailtest/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
diff --git a/configure.ac b/configure.ac
index aa2d0fb6b..b2e9a7b86 100644
--- a/configure.ac
+++ b/configure.ac
@@ -234,7 +234,8 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
-src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile)
+src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
+src/jailtest/Makefile)
 
 echo
 echo "Configuration options:"
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index 397bf753b..80d527e41 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -126,43 +126,14 @@ signal (receive),
 # We let Firejail deal with capabilities, but ensure that
 # some AppArmor related capabilities will not be available.
 ##########
-capability checkpoint_restore,
-capability perfmon,
-capability bpf,
-capability chown,
-capability dac_override,
-capability dac_read_search,
-capability fowner,
-capability fsetid,
-capability kill,
-capability setgid,
-capability setuid,
-capability setpcap,
-capability linux_immutable,
-capability net_bind_service,
-capability net_broadcast,
-capability net_admin,
-capability net_raw,
-capability ipc_lock,
-capability ipc_owner,
-capability sys_module,
-capability sys_rawio,
-capability sys_chroot,
-capability sys_ptrace,
-capability sys_pacct,
-capability sys_admin,
-capability sys_boot,
-capability sys_nice,
-capability sys_resource,
-capability sys_time,
-capability sys_tty_config,
-capability mknod,
-capability lease,
-#capability audit_write,
-#capability audit_control,
-capability setfcap,
-#capability mac_override,
-#capability mac_admin,
+# The list of recognized capabilities varies from one apparmor version to another.
+# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
+# We allow all caps by default and remove the  ones we don't like:
+capability,
+deny capability audit_write,
+deny capability audit_control,
+deny capability mac_override,
+deny capability mac_admin,
 
 # Site-specific additions and overrides. See local/README for details.
 #include <local/firejail-default>
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 11b9a4f42..b9ef5d49d 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -11,14 +11,17 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -36,3 +39,6 @@ tracelog
 private-bin dosbox
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/ebook-convert.profile b/etc/profile-a-l/ebook-convert.profile
new file mode 100644
index 000000000..988ba90fc
--- /dev/null
+++ b/etc/profile-a-l/ebook-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-convert.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-edit.profile b/etc/profile-a-l/ebook-edit.profile
new file mode 100644
index 000000000..3b5fee0a8
--- /dev/null
+++ b/etc/profile-a-l/ebook-edit.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-edit.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-meta.profile b/etc/profile-a-l/ebook-meta.profile
new file mode 100644
index 000000000..594a8e241
--- /dev/null
+++ b/etc/profile-a-l/ebook-meta.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-meta.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-polish.profile b/etc/profile-a-l/ebook-polish.profile
new file mode 100644
index 000000000..ad94e32a2
--- /dev/null
+++ b/etc/profile-a-l/ebook-polish.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-polish.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ipcalc-ng.profile b/etc/profile-a-l/ipcalc-ng.profile
new file mode 100644
index 000000000..3ad0f3a4f
--- /dev/null
+++ b/etc/profile-a-l/ipcalc-ng.profile
@@ -0,0 +1,11 @@
+# Firejail profile ipcalc-ng
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc-ng.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ipcalc.profile
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
new file mode 100644
index 000000000..4b97b83b7
--- /dev/null
+++ b/etc/profile-a-l/ipcalc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for ipcalc
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc.local
+# Persistent global definitions
+include globals.local
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+# include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private
+private-bin bash,ipcalc,ipcalc-ng,perl,sh
+# private-cache
+private-dev
+# empty etc directory
+private-etc none
+private-lib
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/profile-a-l/lzop.profile b/etc/profile-a-l/lzop.profile
new file mode 100644
index 000000000..f3175c590
--- /dev/null
+++ b/etc/profile-a-l/lzop.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lzop
+# Description: File compressor using lzo lib
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index 6f74e6da3..c6c50cf47 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -29,6 +29,7 @@ whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -53,7 +54,7 @@ tracelog
 x11 none
 
 disable-mnt
-private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
+#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
 private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 46a84372c..b034efde9 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -43,7 +43,7 @@ x11 none
 
 private-bin patch,red
 private-dev
-private-lib libfakeroot
+private-lib libdl.so.*,libfakeroot
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 666a37def..ebd3168b3 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -6,7 +6,6 @@ include signal-desktop.local
 include globals.local
 
 # Disabled until someone reported positive feedback
-ignore include-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 ignore private-cache
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 641c3a79d..7bc731333 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -24,6 +24,7 @@ whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 1045fa02a..8b1ed1645 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,6 +15,9 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /opt
+blacklist /srv
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,6 +33,8 @@ whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include whitelist-common.inc
 include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 
 # Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
diff --git a/etc/profile-m-z/vmware-player.profile b/etc/profile-m-z/vmware-player.profile
new file mode 100644
index 000000000..582a0f693
--- /dev/null
+++ b/etc/profile-m-z/vmware-player.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-player
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-player.local
+
+# Redirect
+include vmware.profile
diff --git a/etc/profile-m-z/vmware-workstation.profile b/etc/profile-m-z/vmware-workstation.profile
new file mode 100644
index 000000000..6290b57f4
--- /dev/null
+++ b/etc/profile-m-z/vmware-workstation.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-workstation
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-workstation.local
+
+# Redirect
+include vmware.profile
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index b73ffe857..85df1b4eb 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -35,6 +35,7 @@ rm -rf %{buildroot}
 %attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firecfg
 %{_bindir}/firemon
+%{_bindir}/jailtest
 %{_libdir}/__NAME__
 %{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firecfg
@@ -47,4 +48,5 @@ rm -rf %{buildroot}
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
+%{_mandir}/man5/jailtest.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d056d0654..b44a1bc85 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -191,6 +191,10 @@ dropbox
 d-feet
 easystroke
 ebook-viewer
+ebook-convert
+ebook-edit
+ebook-meta
+ebook-polish
 electron-mail
 electrum
 element-desktop
@@ -375,6 +379,8 @@ impressive
 inkscape
 inkview
 inox
+ipcalc
+ipcalc-ng
 iridium
 iridium-browser
 jd-gui
@@ -458,7 +464,7 @@ lynx
 lyx
 macrofusion
 magicor
-# man
+man
 manaplus
 marker
 masterpdfeditor
@@ -803,6 +809,8 @@ vivaldi-snapshot
 vivaldi-stable
 vlc
 vmware
+vmware-player
+vmware-workstation
 vscodium
 vulturesclaw
 vultureseye
diff --git a/src/jailtest/Makefile.in b/src/jailtest/Makefile.in
new file mode 100644
index 000000000..9c9c0c508
--- /dev/null
+++ b/src/jailtest/Makefile.in
@@ -0,0 +1,14 @@
+all: jailtest
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+jailtest: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS)  ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -fr *.o jailtest *.gcov *.gcda *.gcno *.plist
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/jailtest/access.c b/src/jailtest/access.c
new file mode 100644
index 000000000..4e737dc7a
--- /dev/null
+++ b/src/jailtest/access.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+        char *tfile;
+        char *tdir;
+} TestDir;
+
+#define MAX_TEST_FILES 16
+TestDir td[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void access_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(user_home_dir);
+
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of test directories exceded\n");
+                exit(1);
+        }
+
+        char *fname = strdup(directory);
+        if (!fname)
+                errExit("strdup");
+        if (strncmp(fname, "~/", 2) == 0) {
+                free(fname);
+                if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1)
+                        errExit("asprintf");
+        }
+
+        char *path = realpath(fname, NULL);
+        free(fname);
+        if (path == NULL) {
+                fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory);
+                return;
+        }
+
+        // file in home directory
+        if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
+                fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory);
+                free(path);
+                return;
+        }
+
+        // try to open the dir as root
+        DIR *dir = opendir(path);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                free(path);
+                return;
+        }
+        closedir(dir);
+
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        int rv = chown(test_file, user_uid, user_gid);
+        if (rv)
+                errExit("chown");
+
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        td[files_cnt].tdir = dname;
+        td[files_cnt].tfile = test_file;
+        files_cnt++;
+}
+
+void access_destroy(void) {
+        // remove test files
+        int i;
+
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(td[i].tfile);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+
+void access_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+
+                for (i = 0; i < files_cnt; i++) {
+                        assert(td[i].tfile);
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(td[i].tfile, "r");
+                        if (fp) {
+
+                                printf("   Warning: I can read %s\n", td[i].tdir);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}
diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c
new file mode 100644
index 000000000..9ddfea3de
--- /dev/null
+++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+void apparmor_test(pid_t pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv == -1 || mode == NULL)
+                printf("   Warning: AppArmor not enabled\n");
+}
+
+
+#else
+void apparmor_test(pid_t pid) {
+        (void) pid;
+        return;
+}
+#endif
+
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
new file mode 100644
index 000000000..10174cc9a
--- /dev/null
+++ b/src/jailtest/jailtest.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef JAILTEST_H
+#define JAILTEST_H
+
+#include "../include/common.h"
+
+// main.c
+extern uid_t user_uid;
+extern gid_t user_gid;
+extern char *user_name;
+extern char *user_home_dir;
+extern char *user_run_dir;
+
+// access.c
+void access_setup(const char *directory);
+void access_test(void);
+void access_destroy(void);
+
+// noexec.c
+void noexec_setup(void);
+void noexec_test(const char *msg);
+
+// virtual.c
+void virtual_setup(const char *directory);
+void virtual_destroy(void);
+void virtual_test(void);
+
+// apparmor.c
+void apparmor_test(pid_t pid);
+
+// seccomp.c
+void seccomp_test(pid_t pid);
+
+// utils.c
+char *get_sudo_user(void);
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
+int find_child(pid_t pid);
+pid_t switch_to_child(pid_t pid);
+
+#endif
\ No newline at end of file
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
new file mode 100644
index 000000000..850277bc5
--- /dev/null
+++ b/src/jailtest/main.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/firejail_user.h"
+#include "../include/pid.h"
+#include <sys/wait.h>
+
+uid_t user_uid = 0;
+gid_t user_gid = 0;
+char *user_name = NULL;
+char *user_home_dir = NULL;
+char *user_run_dir = NULL;
+int arg_debug = 0;
+
+static char *usage_str =
+        "Usage: jailtest [options] directory [directory]\n\n"
+        "Options:\n"
+        "   --debug - print debug messages.\n"
+        "   --help, -? - this help screen.\n"
+        "   --version - print program version and exit.\n";
+
+
+static void usage(void) {
+        printf("firetest - version %s\n\n", VERSION);
+        puts(usage_str);
+}
+
+static void cleanup(void) {
+        // running only as root
+        if (getuid() == 0) {
+                if (arg_debug)
+                        printf("cleaning up!\n");
+                access_destroy();
+                virtual_destroy();
+        }
+}
+
+int main(int argc, char **argv) {
+        int i;
+        int findex = 0;
+
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--version") == 0) {
+                        printf("firetest version %s\n\n", VERSION);
+                        return 0;
+                }
+                else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
+                        printf("   Warning: I can run programs in %s\n", argv[i] + 8);
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strncmp(argv[i], "--", 2) == 0) {
+                        fprintf(stderr, "Error: invalid option\n");
+                        return 1;
+                }
+                else {
+                        findex = i;
+                        break;
+                }
+        }
+
+        // user setup
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+                exit(1);
+        }
+        user_name = get_sudo_user();
+        assert(user_name);
+        user_home_dir = get_homedir(user_name, &user_uid, &user_gid);
+        if (user_uid == 0) {
+                fprintf(stderr, "Error: root user not supported\n");
+                exit(1);
+        }
+        if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+                errExit("asprintf");
+
+        // test setup
+        atexit(cleanup);
+        access_setup("~/.ssh");
+        access_setup("~/.gnupg");
+        if (findex > 0) {
+                for (i = findex; i < argc; i++)
+                        access_setup(argv[i]);
+        }
+
+        noexec_setup();
+        virtual_setup(user_home_dir);
+        virtual_setup("/tmp");
+        virtual_setup("/var/tmp");
+        virtual_setup("/dev");
+        virtual_setup("/etc");
+        virtual_setup("/bin");
+        virtual_setup("/usr/share");
+        virtual_setup(user_run_dir);
+
+
+
+        // print processes
+        pid_read(0);
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 1) {
+                        uid_t uid = pid_get_uid(i);
+                        if (uid != user_uid) // not interested in other user sandboxes
+                                continue;
+
+                        // in case the pid is that of a firejail process, use the pid of the first child process
+                        uid_t pid = find_child(i);
+                        printf("\n");
+                        pid_print_list(i, 0); //  no wrapping
+                        apparmor_test(pid);
+                        seccomp_test(pid);
+                        fflush(0);
+
+                        pid_t child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "mnt");
+                                if (rv == 0) {
+                                        virtual_test();
+                                        noexec_test(user_home_dir);
+                                        noexec_test("/tmp");
+                                        noexec_test("/var/tmp");
+                                        noexec_test(user_run_dir);
+                                        access_test();
+                                }
+                                else {
+                                        printf("   Error: I cannot join the process mount space\n");
+                                        exit(1);
+                                }
+
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        int status;
+                        wait(&status);
+                }
+        }
+
+        return 0;
+}
diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c
new file mode 100644
index 000000000..4347b7eef
--- /dev/null
+++ b/src/jailtest/noexec.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+static unsigned char *execfile = NULL;
+static int execfile_len = 0;
+
+void noexec_setup(void) {
+        // grab a copy of myself
+        char *self = realpath("/proc/self/exe", NULL);
+        if (self) {
+                struct stat s;
+                if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
+                        assert(s.st_size);
+                        execfile = malloc(s.st_size);
+
+                        int fd = open(self, O_RDONLY);
+                        if (fd == -1)
+                                errExit("open");
+                        int len = 0;
+                        do {
+                                int rv = read(fd, execfile + len, s.st_size - len);
+                                if (rv == -1)
+                                        errExit("read");
+                                if (rv == 0) {
+                                        // something went wrong!
+                                        free(execfile);
+                                        execfile = NULL;
+                                        printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
+                                        break;
+                                }
+                                len += rv;
+                        }
+                        while (len < s.st_size);
+                        execfile_len = s.st_size;
+                        close(fd);
+                }
+        }
+}
+
+
+void noexec_test(const char *path) {
+        assert(user_uid);
+
+        // I am root in sandbox mount namespace
+        if (!execfile)
+                return;
+
+        char *fname;
+        if (asprintf(&fname, "%s/jailtest-noexec-%d", path, getpid()) == -1)
+                errExit("asprintf");
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+                int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700);
+                if (fd == -1) {
+                        printf("   I cannot create files in %s, skipping noexec...\n", path);
+                        exit(1);
+                }
+
+                int len = 0;
+                while (len < execfile_len) {
+                        int rv = write(fd, execfile + len, execfile_len - len);
+                        if (rv == -1 || rv == 0) {
+                                printf("   I cannot create files in %s, skipping noexec....\n", path);
+                                exit(1);
+                        }
+                        len += rv;
+                }
+                fchmod(fd, 0700);
+                close(fd);
+
+                char *arg;
+                if (asprintf(&arg, "--hello=%s", path) == -1)
+                        errExit("asprintf");
+                int rv = execl(fname, fname, arg, NULL);
+                (void) rv; // if we get here execl failed
+                exit(0);
+        }
+
+        int status;
+        wait(&status);
+        int rv = unlink(fname);
+        (void) rv;
+}
\ No newline at end of file
diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c
new file mode 100644
index 000000000..2cecb4b4d
--- /dev/null
+++ b/src/jailtest/seccomp.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#define MAXBUF 4096
+
+void seccomp_test(pid_t pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(file, "r");
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:", 8) == 0) {
+                        int val = -1;
+                        int rv = sscanf(buf + 8, "\t%d", &val);
+                        if (rv != 1 || val == 0)
+                                printf("   Warning: seccomp not enabled\n");
+                        break;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c
new file mode 100644
index 000000000..41c21b753
--- /dev/null
+++ b/src/jailtest/utils.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/pid.h"
+#include <errno.h>
+#include <pwd.h>
+#include <dirent.h>
+
+#define BUFLEN 4096
+
+char *get_sudo_user(void) {
+        char *user = getenv("SUDO_USER");
+        if (!user) {
+                user = getpwuid(getuid())->pw_name;
+                if (!user) {
+                        fprintf(stderr, "Error: cannot detect login user\n");
+                        exit(1);
+                }
+        }
+
+        return user;
+}
+
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+        // find home directory
+        struct passwd *pw = getpwnam(user);
+        if (!pw)
+                goto errexit;
+
+        char *home = pw->pw_dir;
+        if (!home)
+                goto errexit;
+
+        *uid = pw->pw_uid;
+        *gid = pw->pw_gid;
+
+        return home;
+
+errexit:
+        fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+        exit(1);
+}
+
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+        int i;
+        int first_child = -1;
+
+        // find the first child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 2 && pids[i].parent == id) {
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+                        char *cmdline = pid_proc_cmdline(i);
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+                                free(cmdline);
+                                continue;
+                        }
+                        free(cmdline);
+                        first_child = i;
+                        break;
+                }
+        }
+
+        if (first_child == -1)
+                return -1;
+
+        // find the second-level child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 3 && pids[i].parent == first_child)
+                        return i;
+        }
+
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
+}
+
diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c
new file mode 100644
index 000000000..fcdcf9720
--- /dev/null
+++ b/src/jailtest/virtual.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+
+#define MAX_TEST_FILES 16
+static char *dirs[MAX_TEST_FILES];
+static char *files[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void virtual_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(*directory == '/');
+        assert(files_cnt < MAX_TEST_FILES);
+
+        // try to open the dir as root
+        DIR *dir = opendir(directory);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                return;
+        }
+        closedir(dir);
+
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailtest-private-%d", directory, getpid()) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        if (strcmp(directory, user_home_dir) == 0) {
+                int rv = chown(test_file, user_uid, user_gid);
+                if (rv)
+                        errExit("chown");
+        }
+
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        dirs[files_cnt] = dname;
+        files[files_cnt] = test_file;
+        files_cnt++;
+}
+
+void virtual_destroy(void) {
+        // remove test files
+        int i;
+
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(files[i]);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+
+void virtual_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        int cnt = 0;
+        cnt += printf("   Virtual dirs: "); fflush(0);
+
+        for (i = 0; i < files_cnt; i++) {
+                assert(files[i]);
+
+                // I am root!
+                pid_t child = fork();
+                if (child == -1)
+                        errExit("fork");
+
+                if (child == 0) { // child
+                        // drop privileges
+                        if (setgid(user_gid) != 0)
+                                errExit("setgid");
+                        if (setuid(user_uid) != 0)
+                                errExit("setuid");
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(files[i], "r");
+                        if (fp)
+                                fclose(fp);
+                        else {
+                                if (cnt == 0)
+                                        cnt += printf("\n                 ");
+                                cnt += printf("%s, ", dirs[i]);
+                                if (cnt > 60)
+                                        cnt = 0;
+                        }
+                        fflush(0);
+                        exit(cnt);
+                }
+
+                // wait for the child to finish
+                int status;
+                wait(&status);
+                cnt = WEXITSTATUS(status);
+        }
+        printf("\n");
+}
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 1c4444307..1a1f8ba08 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -1,4 +1,4 @@
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailtest.man
 include ../common.mk
 
 %.man: %.txt
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 2c02aee47..dbb9397c6 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 430e86cc8..ce27729b7 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5e77b5f70..c7dc4c434 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index 6fa09e05e..c5a9c1848 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR jailtest (1)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e85a02ee8..9e89d4e79 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -3332,11 +3332,13 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5),
-\&\flfirejail-users\fR\|(5),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
+
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
 .UR https://github.com/netblue30/firejail
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index cea6c0265..64f15a1f0 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+.BR firejail (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/jailtest.txt b/src/man/jailtest.txt
new file mode 100644
index 000000000..1b64097ea
--- /dev/null
+++ b/src/man/jailtest.txt
@@ -0,0 +1,106 @@
+.TH JAILTEST 1 "MONTH YEAR" "VERSION" "JAILTEST man page"
+.SH NAME
+jailtest \- Simple utility program to test running sandboxes
+.SH SYNOPSIS
+sudo jailtest [OPTIONS] [directory]
+.SH DESCRIPTION
+WORK IN PROGRESS!
+jailtest attaches itself to all sandboxes started by the user and performs some basic tests
+on the sandbox filesystem:
+.TP
+\fB1. Virtual directories
+jailtest extracts a list with the main virtual directories installed by the sandbox.
+These directories are build by firejail at startup using --private* and --whitelist commands.
+.TP
+\fB2. Noexec test
+jailtest inserts executable programs in /home/username, /tmp, and /var/tmp directories
+and tries to run them form inside the sandbox, thus testing if the directory is executable or not.
+.TP
+\fB3. Read access test
+jailtest creates test files in the directories specified by the user and tries to read
+them from inside the sandbox.
+.TP
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+The program is started as root using sudo.
+
+.SH OPTIONS
+.TP
+\fB\-\-debug
+Print debug messages
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options end exit.
+.TP
+\fB\-\-version
+Print program version and exit.
+.TP
+\fB[directory]
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
+
+.SH OUTPUT
+For each sandbox detected we print the following line:
+
+        PID:USER:Sandbox Name:Command
+
+It is followed by relevant sandbox information, such as the virtual directories and various warnings.
+
+.SH EXAMPLE
+
+$ sudo jailtest
+.br
+2014:netblue::firejail /usr/bin/gimp
+.br
+   Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+
+.br
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+.br
+   Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+.br
+   Warning: I can read ~/.ssh
+.br
+
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
+.br
+   Virtual dirs: /tmp, /var/tmp, /dev,
+.br
+
+.br
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+.br
+                 /run/user/1000,
+.br
+
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+   Warning: AppArmor not enabled
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+                 /usr/share, /run/user/1000,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+
+
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),