449 files changed, 20094 insertions, 3909 deletions

diff --git a/.gitignore b/.gitignore
index 408290b85..34a228a76 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,9 +8,14 @@ config.log
 config.status
 firejail-login.5
 firejail-profile.5
+firejail-config.5
 firejail.1
 firemon.1
+firecfg.1
 src/firejail/firejail
 src/firemon/firemon
+src/firecfg/firecfg
 src/ftee/ftee
 src/tags
+src/faudit/faudit
+
diff --git a/Makefile.in b/Makefile.in
index 1a22700e8..44833021e 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
-all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5
+all: apps firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -29,10 +29,14 @@ firemon.1: src/man/firemon.txt
         ./mkman.sh $(VERSION) src/man/firemon.txt firemon.1
 firejail.1: src/man/firejail.txt
         ./mkman.sh $(VERSION) src/man/firejail.txt firejail.1
+firecfg.1: src/man/firecfg.txt
+        ./mkman.sh $(VERSION) src/man/firecfg.txt firecfg.1
 firejail-profile.5: src/man/firejail-profile.txt
         ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5
 firejail-login.5: src/man/firejail-login.txt
         ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5
+firejail-config.5: src/man/firejail-config.txt
+        ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5
 
 clean:
         for dir in $(APPS); do \
@@ -41,7 +45,19 @@ clean:
         for dir in $(MYLIBS); do \
                 $(MAKE) -C $$dir clean; \
         done
-        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm
+        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm
+        rm -f test/utils/index.html*
+        rm -f test/utils/wget-log
+        rm -f test/utils/lstesting
+        rm -f test/environment/index.html*
+        rm -f test/environment/wget-log*
+        rm -fr test/environment/-testdir
+        rm -f test/environment/logfile*
+        rm -f test/environment/index.html
+        rm -f test/environment/wget-log
+        rm -f test/sysutils/firejail_t*
+        cd test/compile; ./compile.sh --clean; cd ../..
+        cd test/dist-compile; ./compile.sh --clean; cd ../..
 
 distclean: clean
         for dir in $(APPS); do \
@@ -50,7 +66,7 @@ distclean: clean
         for dir in $(MYLIBS); do \
                 $(MAKE) -C $$dir distclean; \
         done
-        rm -fr Makefile autom4te.cache config.log config.status config.h
+        rm -fr Makefile autom4te.cache config.log config.status config.h uids.h
 
 realinstall:
         # firejail executable
@@ -59,12 +75,16 @@ realinstall:
         chmod u+s $(DESTDIR)/$(bindir)/firejail
         # firemon executable
         install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/.
+        # firecfg executable
+        install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/.
         # libraries and plugins
         install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
         install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
         # documents
         install -m 0755 -d $(DESTDIR)/$(DOCDIR)
         install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@@ -73,103 +93,168 @@ realinstall:
         # etc files
         ./mketc.sh $(sysconfdir)
         install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
+        install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/cmus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/cpio.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/default.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/dillo.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/dnsmasq.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/flashpeak-slimjet.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/localc.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/lodraw.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/loffice.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/lofromtemplate.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/loimpress.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-mgmt.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-secret.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/openbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/generic.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/palemoon.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/qtox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/qutebrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/ssh.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/disable-terminals.inc $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
+        install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.
         rm -fr .etc
         # man pages
         rm -f firejail.1.gz
         gzip -9n firejail.1
         rm -f firemon.1.gz
         gzip -9n firemon.1
+        rm -f firecfg.1.gz
+        gzip -9n firecfg.1
         rm -f firejail-profile.5.gz
         gzip -9n firejail-profile.5
         rm -f firejail-login.5.gz
         gzip -9n firejail-login.5
+        rm -f firejail-config.5.gz
+        gzip -9n firejail-config.5
         install -m 0755 -d $(DESTDIR)/$(mandir)/man1
         install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/.
         install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/.
+        install -c -m 0644 firecfg.1.gz $(DESTDIR)/$(mandir)/man1/.
         install -m 0755 -d $(DESTDIR)/$(mandir)/man5
         install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/.
         install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/.
-        rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz
+        install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/.
+        rm -f firejail.1.gz firemon.1.gz firecfg.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz
         # bash completion
         install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
         install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
         install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
-
+        install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 
 install: all
         $(MAKE) realinstall
@@ -177,37 +262,58 @@ install: all
 install-strip: all
         strip src/firejail/firejail
         strip src/firemon/firemon
+        strip src/firecfg/firecfg
         strip src/libtrace/libtrace.so
         strip src/libtracelog/libtracelog.so
         strip src/ftee/ftee
+        strip src/faudit/faudit
         $(MAKE) realinstall
 
 uninstall:
         rm -f $(DESTDIR)/$(bindir)/firejail
         rm -f $(DESTDIR)/$(bindir)/firemon
+        rm -f $(DESTDIR)/$(bindir)/firecfg
         rm -fr $(DESTDIR)/$(libdir)/firejail
         rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail
         rm -f $(DESTDIR)/$(mandir)/man1/firejail.1*
         rm -f $(DESTDIR)/$(mandir)/man1/firemon.1*
+        rm -f $(DESTDIR)/$(mandir)/man1/firecfg.1*
         rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5*
         rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5*
+        rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5*
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
+        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
         
+DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES"
+DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/dist-compile test/filters test/network test/fs test/sysutils"
+
 dist:
         make distclean
         rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2
-        mkdir $(NAME)-$(VERSION)
-        cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd ..
-        cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd ..
-        cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd ..
-        cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd ..
+        mkdir -p $(NAME)-$(VERSION)/test
+        cp -a "$(DISTFILES)" $(NAME)-$(VERSION)
+        cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test
+        rm -rf $(NAME)-$(VERSION)/src/tools
+        find $(NAME)-$(VERSION) -name .svn -delete
         tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION)
         rm -fr $(NAME)-$(VERSION)
 
 deb: dist
         ./mkdeb.sh $(NAME) $(VERSION)
 
+snap: all
+        cd platform/snap; ./snap.sh
+
+install-snap: snap
+        sudo snap remove faudit; sudo snap install faudit*.snap
+
+github-compile:
+        cd test/compile; ./compile.sh
+
+dist-compile: dist
+        cd test/dist-compile; ./compile.sh $(NAME)-$(VERSION)
+        
 .PHONY: rpms
 rpms:
         ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
@@ -220,5 +326,35 @@ cppcheck: clean
 
 scan-build: clean
         scan-build make
+
 asc:; ./mkasc.sh $(VERSION)
 
+test-profiles:
+        cd test/profiles; ./profiles.sh | grep TESTING
+
+test-apps:
+        cd test/apps; ./apps.sh | grep TESTING
+
+test-apps-x11:
+        cd test/apps-x11; ./apps-x11.sh | grep TESTING
+
+test-sysutils:
+        cd test/sysutils; ./sysutils.sh | grep TESTING
+        
+test-utils:
+        cd test/utils; ./utils.sh | grep TESTING
+
+test-environment:
+        cd test/environment; ./environment.sh | grep TESTING
+
+test-filters:
+        cd test/filters; ./filters.sh | grep TESTING
+
+test-network:
+        echo "Please read test/network/README file and run the test manually"
+
+test-fs:
+        cd test/fs; ./fs.sh | grep TESTING
+
+test: test-profiles test-fs test-utils  test-environment test-sysutils test-apps test-apps-x11 test-filters
+        echo "TEST COMPLETE"
diff --git a/README b/README
index 1bb6bb998..7b28226e4 100644
--- a/README
+++ b/README
@@ -18,25 +18,131 @@ License: GPL v2
 Firejail Authors:
 
 netblue30 (netblue30@yahoo.com)
-Benjamin Kampmann (https://github.com/ligthyear)
-        - Forward exit code from child process
-dshmgh (https://github.com/dshmgh)
-        - overlayfs fix for systems with /home mounted on a separate partition
+Reiner Herrmann (https://github.com/reinerh)
+        - a number of build patches
+        - man page fixes
+        - Debian and Ubuntu integration
+        - clang-analyzer fixes
+        - Debian reproducible build
+        - unit testing framework
+Thomas Jarosch (https://github.com/thomasjfox)
+        - disable keepassx in disable-passwdmgr.inc
+        - added uudeview profile
+Niklas Haas (https://github.com/haasn)
+        - blacklisting for keybase.io's client
+Aleksey Manevich (https://github.com/manevich)
+        - several profile fixes
+        - fix problem with relative path in storage_find function
+        - fix build for systems without bash
+        - fix double quotes/single quotes problem
+        - big rework of argument processing subsytem
+        - --join fixes
 Fred-Barclay (https://github.com/Fred-Barclay)
         - added Vivaldi, Atril profiles
-yumkam (https://github.com/yumkam)
-        - add compile-time option to restrict --net= to root only
+        - added PaleMoon profile
+        - split Icedove and Thunderbird profiles
+        - added 0ad profile
+        - fixed version for .deb packages
+        - added Warzone2100 profile
+        - blacklisted VeraCrypt
+        - added Gpredict profile
+        - added Aweather, Stellarium profiles
+        - fixed HexChat and Atril profiles
+        - fixed disable-common.inc for mate-terminal
+        - blacklisted escape-happy terminals in disable-common.inc
+        - blacklisted g++
+        - added xplayer, xreader, and xviewer profiles
+        - added Brave profile
+        - added Gitter profile
+        - various organising
+        - added LibreOffice profile
+        - added pix profile
+        - added audacity profile
+        - fixed Telegram and qtox profiles
+        - added Atom Beta and Atom profiles
+        - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles.
+        - several private-bin conversions
+        - added jitsi profile
+        - pidgin private-bin conversion
+        - added eom profile
+Jaykishan Mutkawoa (https://github.com/jmutkawoa)
+        - cpio profile
+Paupiah Yash (https://github.com/CaffeinatedStud)
+        - gzip  profile
+Akhil Hans Maulloo (https://github.com/kouul)
+        - xz profile
+Rahul Golam (https://github.com/technoLord)
+        - strings profile
+geg2048 (https://github.com/geg2048)
+        - kwallet profile fixes
+Simon Peter (https://github.com/probonopd)
+        - set $APPIMAGE and $APPDIR environment variables
+maces (https://github.com/maces)
+        - Franz messenger profile
+KellerFuchs (https://github.com/KellerFuchs)
+        - nonewpriv support, extended profiles for this feature
+        - make `restricted-network` prevent use of netfilter
+        - disable-common.inc additions
+ValdikSS (https://github.com/ValdikSS)
+        - Psi+, Corebird, Konversation profiles
+        - various profile fixes
+avoidr (https://github.com/avoidr)
+        - whitelist fix
+        - recently-used.xbel fix
+        - added parole profile
+        - blacklist ncat
+        - hostname support in profile file
+        - Google Chrome profile rework
+        - added cmus profile
         - man page fixes
+        - add net iface support in profile files
+        - paths fix
+        - lots of profile fixes
+        - added mcabber profile
+        - fixed mpv profile
+        - various other fixes
+Ruan (https://github.com/ruany)
+        - fixed hexchat profile
 Vasya Novikov (https://github.com/vn971)
         - Wesnoth profile
         - Hedegewars profile
         - manpage fixes
+        - fixed firecfg clean/clear issue
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
+        - dnsmasq profile
+        - okular and gwenview profiles
+        - cherrytree profile fixes
+        - added quiterss profile
+Matthew Gyurgyik (https://github.com/pyther)
+        - rpm spec and several fixes
+Joan Figueras (https://github.com/figue)
+        - added abrowser profile
+        - added Google-Play-Music-Desktop-Player
+        - added cyberfox profile
+Petter Reinholdtsen (pere@hungry.com)
+        - Opera profile patch
+n1trux (https://github.com/n1trux)
+        - fix flashpeak-slimjet profile typos
+Felipe Barriga Richards (https://github.com/fbarriga)
+        - --private-etc fix
+Alexander Stein (https://github.com/ajstein)
+        - added profile for qutebrowser
+Benjamin Kampmann (https://github.com/ligthyear)
+        - Forward exit code from child process
+dshmgh (https://github.com/dshmgh)
+        - overlayfs fix for systems with /home mounted on a separate partition
+yumkam (https://github.com/yumkam)
+        - add compile-time option to restrict --net= to root only
+        - man page fixes
 mahdi1234 (https://github.com/mahdi1234)
         - cherrytree profile
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
         - Polari profile
+        - qTox profile
+        - X11 fixes
 jgriffiths (https://github.com/jgriffiths)
         - make rpm packages support
 Tom Mellor (https://github.com/kalegrill)
@@ -44,18 +150,13 @@ Tom Mellor (https://github.com/kalegrill)
 Martin Carpenter (https://github.com/mcarpenter)
         - security audit and bug fixes
         - Centos 6.x support
-Aleksey Manevich (https://github.com/manevich)
-        - several profile fixes
-        - fix problem with relative path in storage_find function
-        - fix build for systems without bash
 pszxzsd (https://github.com/pszxzsd)
         -uGet profile
 Rahiel Kasim (https://github.com/rahiel)
         - Mathematica profile
+        - whitelisted Dropbox profile
 creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
-curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
 sinkuu (https://github.com/sinkuu)
         - blacklisting kwalletd
         - fix symlink invocation for programs placing symlinks in $PATH
@@ -84,13 +185,6 @@ Peter Hogg (https://github.com/pigmonkey)
         - rtorrent profile
 rogshdo (https://github.com/rogshdo)
         - BitlBee profile
-avoidr (https://github.com/avoidr)
-        - whitelist fix
-        - recently-used.xbel fix
-        - added parole profile
-        - blacklist ncat, manpage fixes,
-        - hostname support in profile file
-        - Google Chrome profile rework
 Bruno Nova (https://github.com/brunonova)
         - whitelist fix
         - bash arguments fix
@@ -111,8 +205,6 @@ andrew160 (https://github.com/andrew160)
         - profile and man pages fixes
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
-Matthew Gyurgyik (https://github.com/pyther)
-        - rpm spec and several fixes
 greigdp (https://github.com/greigdp)
         - add Spotify profile
 Mattias Wadman (https://github.com/wader)
@@ -129,12 +221,6 @@ sarneaud (https://github.com/sarneaud)
         - various enhancements and bug fixes
 Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
         - user namespace implementation
-Reiner Herrmann
-        - a number of build patches
-        - man page fixes
-        - Debian and Ubuntu integration
-        - clang-analyzer fixes
-        - Debian reproducible build
 sshirokov (http://sourceforge.net/u/yshirokov/profile/)
         - Patch to output "Reading profile" to stderr instead of stdout
 G4JC (http://sourceforge.net/u/gaming4jc/profile/)
diff --git a/README.md b/README.md
index 73d52af71..26dc2c4e3 100644
--- a/README.md
+++ b/README.md
@@ -34,124 +34,126 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 `````
 
 `````
-# Current development version: 0.9.39
-`````
+# Current development version: 0.9.42~rc2
 
-`````
+Version 0.9.41~rc1 was released.
 
-## X11 sandboxing support
+## Deprecated --user
 
-X11 support is built around Xpra (http://xpra.org/).
-So far I've seen it working on Debian 7 and 8, and Ubuntu 14.04. If you manage to run it on another
-distribution, please let me know. Example:
-`````
-$ firejail --x11 --net=eth0 firefox
-`````
---x11 starts the server, --net is required in order to remove the main X11 server socket from the sandbox.
-More information here: https://firejail.wordpress.com/documentation-2/x11-guide/
+--user option was deprecated, please use "sudo -u username firejail application" instead.
 
-## File transfers
-`````
-FILE TRANSFER
-       These features allow the user to inspect the file system  container  of
-       an  existing  sandbox and transfer files from the container to the host
-       file system.
+## --whitelist rework
 
-       --get=name filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent  working  directory.   The container is spececified by name
-              (--name option). Full path is needed for filename.
+Symlinks outside user home directories are allowed:
+`````
+      --whitelist=dirname_or_filename
+              Whitelist directory or file. This feature  is  implemented  only
+              for  user  home, /dev, /media, /opt, /var, and /tmp directories.
+              With the exception of user home, both the link and the real file
+              should  be  in  the same top directory. For /home, both the link
+              and the real file should be owned by the user.
 
-       --get=pid filename
-              Retrieve the container file and store it on the host in the cur‐
-              rent working directory.  The container is spececified by process
-              ID. Full path is needed for filename.
+              Example:
+              $ firejail --noprofile --whitelist=~/.mozilla
+              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
+              $ firejail "--whitelist=/home/username/My Virtual Machines"
+`````
 
-       --ls=name dir_or_filename
-              List container files.  The  container  is  spececified  by  name
-              (--name option).  Full path is needed for dir_or_filename.
 
-       --ls=pid dir_or_filename
-              List  container  files.  The container is spececified by process
-              ID.  Full path is needed for dir_or_filename.
+## AppImage
 
-       Examples:
+AppImage (http://appimage.org/) is a distribution-agnostic packaging format.
+The package is a regular ISO file containing all binaries, libraries and resources
+necessary for the program to run.
 
-              $ firejail --name=mybrowser --private firefox
+We introduce in this release support for sandboxing AppImage applications. Example:
+`````
+$ firejail --appimage krita-3.0-x86_64.appimage
+`````
+All Firejail sandboxing options should be available. A private home directory:
+`````
+$ firejail --appimage --private krita-3.0-x86_64.appimage
+`````
+or some basic X11 sandboxing:
+`````
+$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+`````
+Major software applications distributing AppImage packages:
 
-              $ firejail --ls=mybrowser ~/Downloads
-              drwxr-xr-x netblue  netblue         4096 .
-              drwxr-xr-x netblue  netblue         4096 ..
-              -rw-r--r-- netblue  netblue         7847 x11-x305.png
-              -rw-r--r-- netblue  netblue         6800 x11-x642.png
-              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
+* Krita: https://krita.org/download/krita-desktop/
+* OpenShot: http://www.openshot.org/download/
+* Scribus: https://www.scribus.net/downloads/unstable-branch/
+* MuseScore: https://musescore.org/en/download
 
-              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
+More packages build by AppImage developer Simon Peter: https://bintray.com/probono/AppImages
 
+AppImage project home: https://github.com/probonopd/AppImageKit
 
+## Sandbox auditing
 `````
+AUDIT
+       Audit feature allows the user to point out gaps in  security  profiles.
+       The  implementation  replaces  the  program to be sandboxed with a test
+       program. By default, we use faudit program distributed with Firejail. A
+       custom test program can also be supplied by the user. Examples:
 
-## Default seccomp filter update
+       Running the default audit program:
+            $ firejail --audit transmission-gtk
 
-Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
+       Running a custom audit program:
+            $ firejail --audit=~/sandbox-test transmission-gtk
 
-## STUN/WebRTC disabled in default netfilter configuration
+       In  the examples above, the sandbox configures transmission-gtk profile
+       and starts the test program. The real program,  transmission-gtk,  will
+       not be started.
 
-The  current netfilter configuration (--netfilter option) looks like this:
-`````
-             *filter
-              :INPUT DROP [0:0]
-              :FORWARD DROP [0:0]
-              :OUTPUT ACCEPT [0:0]
-              -A INPUT -i lo -j ACCEPT
-              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-              # allow ping
-              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-              # drop STUN (WebRTC) requests
-              -A OUTPUT -p udp --dport 3478 -j DROP
-              -A OUTPUT -p udp --dport 3479 -j DROP
-              -A OUTPUT -p tcp --dport 3478 -j DROP
-              -A OUTPUT -p tcp --dport 3479 -j DROP
-              COMMIT
+       Limitations: audit feature is not implemented for --x11 commands.
 `````
 
-The filter is loaded by default for Firefox if a network namespace is configured:
+## --noexec
 `````
-$ firejail --net=eth0 firefox
+       --noexec=dirname_or_filename
+              Remount directory or file noexec, nodev and nosuid.
+
+              Example:
+              $ firejail --noexec=/tmp
+
+              /etc and /var are noexec by default. If there are more than one
+              mount operation on the path of the file  or  directory,  noexec
+              should  be  applied to the last one. Always check if the change
+              took effect inside the sandbox.
 `````
 
-## Set sandbox nice value
+## --rmenv
 `````
-      --nice=value
-              Set nice value for all processes running inside the sandbox.
+      --rmenv=name
+              Remove environment variable in the new sandbox.
 
               Example:
-              $ firejail --nice=-5 firefox
+              $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
 `````
 
-## mkdir
+## Converting profiles to private-bin - work in progress!
 
-`````
-$ man firejail-profile
-[...]
-       mkdir directory
-              Create   a   directory  in  user  home.  Use  this  command  for
-              whitelisted directories you need to preserve when the sandbox is
-              closed.  Subdirectories  also  need  to  be created using mkdir.
-              Example from firefox profile:
+BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk
 
-              mkdir ~/.mozilla
-              whitelist ~/.mozilla
-              mkdir ~/.cache
-              mkdir ~/.cache/mozilla
-              mkdir ~/.cache/mozilla/firefox
-              whitelist ~/.cache/mozilla/firefox
+File transfer: filezilla
 
-[...]
-`````
+Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom
+
+Office: evince, gthumb, fbreader, pix, atril, xreader,
+
+Chat/messaging: qtox, gitter, pidgin
+
+Games: warzone2100
+
+Weather/climate: aweather
+
+Astronomy: gpredict, stellarium
+
+Browsers: Palemoon
 
 ## New security profiles
 
-lxterminal, Epiphany, cherrytree, Battle for Wesnoth, Hedgewars
+Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview
+
diff --git a/RELNOTES b/RELNOTES
index 1392bbaff..e37e24778 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,16 +1,55 @@
-firejail (0.9.39) baseline; urgency=low
-  * default seccomp filter update
-  * disable STUN/WebRTC in default netfilter configuration
+firejail (0.9.42~rc2) baseline; urgency=low
+  * deprecated --user option, please use "sudo -u username firejail" instead
+  * --read-write option rework
+  * allow symlinks in home directory for --whitelist option
+  * AppImage support (--appimage)
+  * Sandbox auditing support (--audit)
+  * remove environment variable (--rmenv)
+  * noexec support (--noexec)
+  * Ubuntu snap support
+  * include /dev/snd in --private-dev
+  * added mkfile profile command
+  * seccomp filter updated
+  * compile time and run time support to disable whitelists
+  * compile time support to disable global configuration file
+  * added netfilter-default config option in /etc/firejail/firejail.config
+  * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
+  * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less
+  * new profiles: Atom Beta, Atom, jitsi, eom, uudeview
+ -- netblue30 <netblue30@yahoo.com>  Thu, 21 Jul 2016 08:00:00 -0500
+
+firejail (0.9.40) baseline; urgency=low
   * added --nice option
   * added --x11 option
+  * added --x11=xpra option
+  * added --x11=xephyr option
+  * added --cpu.print option
   * added filetransfer options --ls and --get
-  * added mkdir, ipc-namespace and nosound profile commands
+  * added --writable-etc and --writable-var options
+  * added --read-only option
+  * added mkdir, ipc-namespace, and nosound profile commands
+  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
   * --version also prints compile options
+  * --output option also redirects stderr
   * added compile-time option to restrict --net= to root only
-  * build rpm packages using "make rpms"
+  * run time config support, man firejail-config
+  * added firecfg utility
+  * AppArmor fixes
+  * default seccomp filter update
+  * disable STUN/WebRTC in default netfilter configuration
   * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
+  * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
+  * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
+  * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
+  * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
+  * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
+  * new profiles: generic Ubuntu snap application profile, xplayer
+  * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
+  * new profiles: Brave, Gitter
+  * generic.profile renamed default.profile
+  * build rpm packages using "make rpms"
   * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Wed, 3 Mar 2016 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sun, 29 May 2016 08:00:00 -0500
 
 firejail (0.9.38) baseline; urgency=low
   * IPv6 support (--ip6 and --netfilter6)
diff --git a/configure b/configure
index 937ab8445..050b4df9c 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.39.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.39'
-PACKAGE_STRING='firejail 0.9.39'
+PACKAGE_VERSION='0.9.42~rc2'
+PACKAGE_STRING='firejail 0.9.42~rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -629,10 +629,12 @@ EGREP
 GREP
 CPP
 HAVE_FATAL_WARNINGS
+HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
 HAVE_NETWORK
+HAVE_GLOBALCFG
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
@@ -691,10 +693,12 @@ enable_option_checking
 enable_seccomp
 enable_chroot
 enable_bind
+enable_globalcfg
 enable_network
 enable_userns
 enable_x11
 enable_file_transfer
+enable_whitelist
 enable_fatal_warnings
 '
       ac_precious_vars='build_alias
@@ -1246,7 +1250,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.39 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.42~rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1307,7 +1311,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.39:";;
+     short | recursive ) echo "Configuration of firejail 0.9.42~rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1318,12 +1322,15 @@ Optional Features:
   --disable-seccomp       disable seccomp
   --disable-chroot        disable chroot
   --disable-bind          disable bind
+  --disable-globalcfg     if the global config file firejail.cfg is not
+                          present, continue the program using defaults
   --disable-network       disable network
   --enable-network=restricted
                           restrict --net= to root only
   --disable-userns        disable user namespace
   --disable-x11           disable X11 sandboxing support
   --disable-file-transfer disable file transfer
+  --disable-whitelist     disable whitelist
   --enable-fatal-warnings -W -Wall -Werror
 
 Some influential environment variables:
@@ -1403,7 +1410,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.39
+firejail configure 0.9.42~rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1705,7 +1712,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.39, which was
+It was created by firejail $as_me 0.9.42~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3101,6 +3108,19 @@ if test "x$enable_bind" != "xno"; then :
 
 fi
 
+HAVE_GLOBALCFG=""
+# Check whether --enable-globalcfg was given.
+if test "${enable_globalcfg+set}" = set; then :
+  enableval=$enable_globalcfg;
+fi
+
+if test "x$enable_globalcfg" != "xno"; then :
+
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+
+
+fi
+
 HAVE_NETWORK=""
 # Check whether --enable-network was given.
 if test "${enable_network+set}" = set; then :
@@ -3163,6 +3183,19 @@ if test "x$enable_file_transfer" != "xno"; then :
 
 fi
 
+HAVE_WHITELIST=""
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+  enableval=$enable_whitelist;
+fi
+
+if test "x$enable_whitelist" != "xno"; then :
+
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+
+
+fi
+
 HAVE_FATAL_WARNINGS=""
 # Check whether --enable-fatal_warnings was given.
 if test "${enable_fatal_warnings+set}" = set; then :
@@ -3640,7 +3673,10 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/ftee/Makefile"
+# extract UID_MIN and GID_MIN from login.def
+./mkuid.sh
+
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4184,7 +4220,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.39, which was
+This file was extended by firejail $as_me 0.9.42~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4238,7 +4274,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.39
+firejail config.status 0.9.42~rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -4355,7 +4391,9 @@ do
     "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
     "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
     "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
+    "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
     "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
+    "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
@@ -4817,13 +4855,18 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
+printf "   uid_min: "; grep UID_MIN uids.h
+printf "   gid_min: "; grep GID_MIN uids.h
 echo
 
 
+
diff --git a/configure.ac b/configure.ac
index c59f5a28b..a84396ad4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.39, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.42~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
@@ -33,6 +33,14 @@ AS_IF([test "x$enable_bind" != "xno"], [
         AC_SUBST(HAVE_BIND)
 ])
 
+HAVE_GLOBALCFG=""
+AC_ARG_ENABLE([globalcfg],
+    AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+AS_IF([test "x$enable_globalcfg" != "xno"], [
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+        AC_SUBST(HAVE_GLOBALCFG)
+])
+
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
     AS_HELP_STRING([--disable-network], [disable network]))
@@ -70,6 +78,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
         AC_SUBST(HAVE_FILE_TRANSFER)
 ])
 
+HAVE_WHITELIST=""
+AC_ARG_ENABLE([whitelist],
+    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
+AS_IF([test "x$enable_whitelist" != "xno"], [
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+        AC_SUBST(HAVE_WHITELIST)
+])
+
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
     AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -90,7 +106,10 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/ftee/Makefile)
+# extract UID_MIN and GID_MIN from login.def
+./mkuid.sh
+
+AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile)
 
 echo
 echo "Configuration options:"
@@ -98,13 +117,18 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
 echo "   user namespace: $HAVE_USERNS"
 echo "   X11 sandboxing support: $HAVE_X11"
+echo "   whitelisting: $HAVE_WHITELIST"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
+printf "   uid_min: "; grep UID_MIN uids.h
+printf "   gid_min: "; grep GID_MIN uids.h
 echo
 
 
+
diff --git a/etc/0ad.profile b/etc/0ad.profile
new file mode 100644
index 000000000..11fb45463
--- /dev/null
+++ b/etc/0ad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
+noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelists
+mkdir ~/.cache
+mkdir ~/.cache/0ad
+whitelist ~/.cache/0ad
+
+mkdir ~/.config
+mkdir ~/.config/0ad
+whitelist ~/.config/0ad
+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/0ad
+whitelist ~/.local/share/0ad
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
new file mode 100644
index 000000000..1f74606ce
--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+include /etc/firejail/cyberfox.profile
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 73fb0c9e0..e719f070f 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -1,15 +1,20 @@
 # Mathematica profile
+noblacklist ${HOME}/.Mathematica
+noblacklist ${HOME}/.Wolfram Research
+
 mkdir ~/.Mathematica
 whitelist ~/.Mathematica
 mkdir ~/.Wolfram Research
 whitelist ~/.Wolfram Research
 whitelist ~/Documents/Wolfram Mathematica
 include /etc/firejail/whitelist-common.inc
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
+nonewprivs
 noroot
+seccomp
diff --git a/etc/Telegram.profile b/etc/Telegram.profile
new file mode 100644
index 000000000..2e0f97821
--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
new file mode 100644
index 000000000..65247e7d3
--- /dev/null
+++ b/etc/abrowser.profile
@@ -0,0 +1,52 @@
+# Firejail profile for Abrowser
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/abrowser
+whitelist ~/.cache/mozilla/abrowser
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
new file mode 100644
index 000000000..3c753e86c
--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,19 @@
+# Firjail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound
+
diff --git a/etc/atom.profile b/etc/atom.profile
new file mode 100644
index 000000000..8304cd379
--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,18 @@
+# Firjail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound
diff --git a/etc/atril.profile b/etc/atril.profile
index d87781c7d..bfe731bec 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,7 +1,20 @@
 # Atril profile
+noblacklist ~/.config/atril
+noblacklist ~/.local/share
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/generic.profile
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
 
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
 tracelog
 
+private-bin atril, atril-previewer, atril-thumbnailer
+private-dev
diff --git a/etc/audacious.profile b/etc/audacious.profile
index b9ce11c0e..e5275213c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -1,16 +1,11 @@
 # Audacious media player profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
-
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/audacity.profile b/etc/audacity.profile
new file mode 100644
index 000000000..162201cb8
--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,19 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev
diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d617fb701
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index ca9e87818..87d2e843a 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,11 +1,14 @@
 # BitlBee instant messaging profile
 noblacklist /sbin
 noblacklist /usr/sbin
-include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
-protocol unix,inet,inet6
+include /etc/firejail/disable-programs.inc
+
+netfilter
+nonewprivs
 private
 private-dev
+protocol unix,inet,inet6
 seccomp
-netfilter
+nosound
+read-write /var/lib/bitlbee
diff --git a/etc/brave.profile b/etc/brave.profile
new file mode 100644
index 000000000..4c42e9faa
--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,19 @@
+# Profile for Brave browser
+
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.config
+mkdir ~/.config/brave
+whitelist ~/.config/brave
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index d1e1c71d9..7b6238d98 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,8 +1,10 @@
 # cherrytree note taking application
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 
 whitelist ${HOME}/cherrytree
 mkdir ~/.config
@@ -11,11 +13,23 @@ whitelist ${HOME}/.config/cherrytree/
 mkdir ~/.local
 mkdir ~/.local/share
 whitelist ${HOME}/.local/share/
+
 caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
 seccomp
 protocol unix,inet,inet6,netlink
-netfilter
 tracelog
-noroot
+
 include /etc/firejail/whitelist-common.inc
-nosound
+
+# no private-bin support for various reasons:
+#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree 
+#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"  
+#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree 
+#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null 
+#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc 
+# it requires acces to browser to show the online help
+# it doesn't play nicely with expect
diff --git a/etc/chromium.profile b/etc/chromium.profile
index b58931b8d..7cf2853ca 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,11 +1,8 @@
 # Chromium browser profile
 noblacklist ~/.config/chromium
 noblacklist ~/.cache/chromium
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-programs.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 21b5a58ab..5ce085358 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,16 +1,11 @@
 # Clementine media player profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/cmus.profile b/etc/cmus.profile
new file mode 100644
index 000000000..2e2a6940c
--- /dev/null
+++ b/etc/cmus.profile
@@ -0,0 +1,18 @@
+# cmus profile
+noblacklist ${HOME}/.config/cmus
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-bin cmus
+private-etc group
+shell none
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 2d6323d3b..e82eeec4c 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -1,14 +1,15 @@
 # Firejail profile for Conkeror web browser profile
 noblacklist ${HOME}/.conkeror.mozdev.org
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-programs.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
 whitelist ~/.conkeror.mozdev.org
 whitelist ~/Downloads
 whitelist ~/dwhelper
@@ -20,6 +21,4 @@ whitelist ~/.vimperator
 whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.conkerorrc
-
-# common
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..077ae30d0
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/cpio.profile b/etc/cpio.profile
new file mode 100644
index 000000000..b4d232496
--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,22 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified 
+
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+private-tmp
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+
+
+
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
new file mode 100644
index 000000000..afa77d1d4
--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,51 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index ec9fcd0f0..04abd0a92 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -1,16 +1,13 @@
 # DeaDBeeF media player profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ${HOME}/.config/deadbeef
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
-
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/default.profile b/etc/default.profile
new file mode 100644
index 000000000..a2de72695
--- /dev/null
+++ b/etc/default.profile
@@ -0,0 +1,15 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+#blacklist ${HOME}/.wine
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/deluge.profile b/etc/deluge.profile
index bcd754952..8fde9acf9 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,19 +1,21 @@
-# deluge bittorernt client profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-programs.inc
+# deluge is using python on Debian
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
 
+shell none
+private-bin deluge,sh,python,uname
+whitelist /tmp/.X11-unix
+private-dev
+nosound
 
diff --git a/etc/dillo.profile b/etc/dillo.profile
new file mode 100644
index 000000000..2ddd363cb
--- /dev/null
+++ b/etc/dillo.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Dillo web browser
+
+noblacklist ~/.dillo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.dillo
+whitelist ~/.dillo
+mkdir ~/.fltk
+whitelist ~/.fltk
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 88ce42976..d18ee0287 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,53 +1,10 @@
-# various programs
-blacklist  ${HOME}/.config/vlc
-
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
-
-# HTTP / FTP / Mail
+blacklist ${HOME}/.local/share/systemd
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
-blacklist ${HOME}/.icedove
-blacklist ${HOME}/.thunderbird
-blacklist ${HOME}/.sylpheed-2.0
-blacklist ${HOME}/.config/midori
-
-blacklist ${HOME}/.mozilla
-blacklist ${HOME}/.config/chromium
-blacklist ${HOME}/.config/google-chrome
-blacklist ${HOME}/.config/google-chrome-beta
-blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}/.config/opera
-blacklist ${HOME}/.config/opera-beta
-blacklist ~/.config/vivaldi
-
-blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.config/filezilla
-blacklist ${HOME}/.local/share/systemd
-
-# Instant Messaging
-blacklist ${HOME}/.config/hexchat
-blacklist ${HOME}/.mcabber
-blacklist ${HOME}/.purple
-blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.retroshare
-blacklist ${HOME}/.weechat
-blacklist ${HOME}/.config/xchat
-blacklist ${HOME}/.Skype
-
-# Cryptocoins
-blacklist ${HOME}/.*coin
-blacklist ${HOME}/.electrum*
-blacklist ${HOME}/wallet.dat
-
-# VNC
-blacklist ${HOME}/.remmina
-
-# Other
-blacklist ${HOME}/.tconn
-blacklist ${HOME}/.FBReader
-blacklist ${HOME}/.wine
+read-only ${HOME}/.local/share/applications
 
 # X11 session autostart
 blacklist ${HOME}/.xinitrc
@@ -63,16 +20,21 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
 
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
 
-# git, subversion
-blacklist ${HOME}/.subversion
-blacklist ${HOME}/.gitconfig
-blacklist ${HOME}/.git-credential-cache
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
 
 # var
 blacklist /var/spool/cron
@@ -98,11 +60,15 @@ read-only ${HOME}/.xserverrc
 read-only ${HOME}/.profile
 
 # Shell startup files
+read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zprofile
 read-only ${HOME}/.zlogout
@@ -110,8 +76,12 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
 
 # Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
@@ -121,22 +91,80 @@ read-only ${HOME}/.gvimrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
+read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
 # The user ~/bin directory can override commands such as ls
 read-only ${HOME}/bin
 
-# cache
-blacklist ~/.cache/mozilla
-blacklist ~/.cache/chromium
-blacklist ~/.cache/google-chrome
-blacklist ~/.cache/google-chrome-beta
-blacklist ~/.cache/google-chrome-unstable
-blacklist ~/.cache/opera
-blacklist ~/.cache/opera-beta
-blacklist ~/.cache/vivaldi
+# top secret
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.key
+blacklist /etc/shadow
+blacklist /etc/gshadow
+blacklist /etc/passwd-
+blacklist /etc/group-
+blacklist /etc/shadow-
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/group+
+blacklist /etc/shadow+
+blacklist /etc/gshadow+
+blacklist /etc/ssh
+blacklist /var/backup
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+# system directories    
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# prevent lxterminal connecting to an existing lxterminal session
+blacklist /tmp/.lxterminal-socket*
+
+# disable terminals running as server
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 65b31ba9b..963cf6da0 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -2,13 +2,20 @@
 
 # GCC
 blacklist /usr/include
+blacklist /usr/lib/gcc
 blacklist /usr/bin/gcc*
 blacklist /usr/bin/cpp*
 blacklist /usr/bin/c9*
 blacklist /usr/bin/c8*
 blacklist /usr/bin/c++*
+blacklist /usr/bin/as
 blacklist /usr/bin/ld
 blacklist /usr/bin/gdb
+blacklist /usr/bin/g++*
+blacklist /usr/bin/x86_64-linux-gnu-g++*
+blacklist /usr/bin/x86_64-linux-gnu-gcc*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
 
 # clang/llvm
 blacklist /usr/bin/clang*
@@ -16,6 +23,11 @@ blacklist /usr/bin/llvm*
 blacklist /usb/bin/lldb*
 blacklist /usr/lib/llvm*
 
+# tcc - Tiny C Compiler
+blacklist /usr/bin/tcc
+blacklist /usr/bin/x86_64-tcc
+blacklist /usr/lib/tcc
+
 # Valgrind
 blacklist /usr/bin/valgrind*
 blacklist /usr/lib/valgrind
@@ -34,3 +46,18 @@ blacklist /usr/lib/php*
 # Ruby
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
+
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
+# Python 2
+#blacklist /usr/bin/python2*
+#blacklist /usr/lib/python2*
+#blacklist /usr/local/lib/python2*
+#blacklist /usr/include/python2*
+#blacklist /usr/share/python2*
+#
+# Python 3
+#blacklist /usr/bin/python3*
+#blacklist /usr/lib/python3*
+#blacklist /usr/local/lib/python3*
+#blacklist /usr/share/python3*
+#blacklist /usr/include/python3*
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc
deleted file mode 100644
index 0a11d6728..000000000
--- a/etc/disable-mgmt.inc
+++ /dev/null
@@ -1,17 +0,0 @@
-# system directories    
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
-
-# system management
-blacklist ${PATH}/umount
-blacklist ${PATH}/mount
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/xinput
-blacklist ${PATH}/evtest
-blacklist ${PATH}/xev
-blacklist ${PATH}/strace
-blacklist ${PATH}/nc
-blacklist ${PATH}/ncat
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
new file mode 100644
index 000000000..6db9073ab
--- /dev/null
+++ b/etc/disable-passwdmgr.inc
@@ -0,0 +1,7 @@
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
+
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
new file mode 100644
index 000000000..0f155351d
--- /dev/null
+++ b/etc/disable-programs.inc
@@ -0,0 +1,129 @@
+# various programs
+blacklist ${HOME}/.Atom
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+
+# Media players
+blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.audacity-data
+
+# HTTP / FTP / Mail
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.config/brave
+
+# Instant Messaging
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.Skype
+blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.jitsi
+
+# Games
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
+
+# Cryptocoins
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.electrum*
+blacklist ${HOME}/wallet.dat
+
+# git, subversion
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.git-credential-cache
+
+# cache
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/Franz
+
+# share
+blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/pix
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
deleted file mode 100644
index 7d29cda31..000000000
--- a/etc/disable-secret.inc
+++ /dev/null
@@ -1,23 +0,0 @@
-# HOME directory
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
-blacklist ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.netrc
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/*.kdbx
-blacklist ${HOME}/*.kdb
-blacklist ${HOME}/*.key
-blacklist /etc/shadow
-blacklist /etc/gshadow
-blacklist /etc/passwd-
-blacklist /etc/group-
-blacklist /etc/shadow-
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/group+
-blacklist /etc/shadow+
-blacklist /etc/gshadow+
-blacklist /etc/ssh
-blacklist /var/backup
diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc
deleted file mode 100644
index 9631e7f62..000000000
--- a/etc/disable-terminals.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-# disable terminals running as server
-blacklist ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 0bc7ac78e..90c244e03 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,12 +1,13 @@
 # security profile for dnscrypt-proxy
 noblacklist /sbin
 noblacklist /usr/sbin
-include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 private
 private-dev
+nosound
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
new file mode 100644
index 000000000..1c01d44e4
--- /dev/null
+++ b/etc/dnsmasq.profile
@@ -0,0 +1,16 @@
+# dnsmasq profile
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps
+netfilter
+nonewprivs
+private
+private-dev
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 9d2c612de..71e019f8c 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,15 +1,22 @@
 # dropbox profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ~/.config/autostart
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 caps
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
+mkdir ~/Dropbox
+whitelist ~/Dropbox
+mkdir ~/.dropbox
+whitelist ~/.dropbox
+mkdir ~/.dropbox-dist
+whitelist ~/.dropbox-dist
 
+mkdir ~/.config/autostart
+mkfile ~/.config/autostart/dropbox.desktop
+whitelist ~/.config/autostart/dropbox.desktop
diff --git a/etc/empathy.profile b/etc/empathy.profile
index adaf03e23..371100814 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -1,12 +1,10 @@
 # Empathy instant messaging profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.wine
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/eom.profile b/etc/eom.profile
new file mode 100644
index 000000000..81d993e96
--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin eom
+private-dev
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index c7031da71..57191429a 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -1,9 +1,12 @@
 # Epiphany browser profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ${HOME}/.config/epiphany
+noblacklist ${HOME}/.cache/epiphany
+noblacklist ${HOME}/.local/share/epiphany
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+
 whitelist ${DOWNLOADS}
 mkdir ${HOME}/.local
 mkdir ${HOME}/.local/share
@@ -16,8 +19,9 @@ mkdir ${HOME}/.cache
 mkdir ${HOME}/.cache/epiphany
 whitelist ${HOME}/.cache/epiphany
 include /etc/firejail/whitelist-common.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/evince.profile b/etc/evince.profile
index 81878462b..530ce959a 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,17 +1,18 @@
 # evince pdf reader profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
+nogroups
 noroot
 nosound
+protocol unix
+seccomp
 
+shell none
+private-bin evince,evince-previewer,evince-thumbnailer
+whitelist /tmp/.X11-unix
+private-dev
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 4ed942138..de31ce8de 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -1,19 +1,21 @@
 # fbreader ebook reader profile
 noblacklist ${HOME}/.FBReader
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
 
+shell none
+private-bin fbreader,FBReader
+whitelist /tmp/.X11-unix
+private-dev
+nosound
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 0eabf9a88..551c17a78 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -1,18 +1,22 @@
 # FileZilla ftp profile
 noblacklist ${HOME}/.filezilla
 noblacklist ${HOME}/.config/filezilla
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.wine
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
 nosound
+protocol unix,inet,inet6
+seccomp
 
-
+shell none
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+whitelist /tmp/.X11-unix
+private-dev
+nosound
 
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
new file mode 100644
index 000000000..d2fde9a3f
--- /dev/null
+++ b/etc/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index b06dfa6da..2cc4d3cd8 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -2,19 +2,17 @@
 
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
@@ -43,14 +41,12 @@ whitelist ~/.config/lastpass
 
 
 #silverlight
-whitelist ~/.wine-pipelight 
-whitelist ~/.wine-pipelight64 
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
-
diff --git a/etc/firejail.config b/etc/firejail.config
index 19525c942..20c4d7a5f 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -3,28 +3,59 @@
 # Most features are enabled by default. Use 'yes' or 'no' as configuration
 # values.
 
-# Enable or disable seccomp support, default enabled.
-# seccomp yes
+# Enable or disable bind support, default enabled.
+# bind yes
 
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
-# Enable or disable bind support, default enabled.
-# bind yes
+# Enable or disable file transfer support, default enabled.
+# file-transfer yes
+
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled
+# force-nonewprivs no
 
 # Enable or disable networking features, default enabled.
 # network yes
 
 # Enable or disable restricted network support, default disabled. If enabled,
-# networking features (network yes) above should also be enabled.
+# networking features should also be enabled (network yes).
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
+# Enable or disable seccomp support, default enabled.
+# seccomp yes
+
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
 
-# Enable or disable file transfer support, default enabled.
-# file-transfer yes
+# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
+# a full list of resolutions available on your specific setup.
+# xephyr-screen 640x480
+# xephyr-screen 800x600
+# xephyr-screen 1024x768
+# xephyr-screen 1280x1024
+
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
 
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
new file mode 100644
index 000000000..f248c385a
--- /dev/null
+++ b/etc/flashpeak-slimjet.profile
@@ -0,0 +1,41 @@
+# SlimJet browser profile
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#
+#  firejail flashpeak-slimjet --no-sandbox
+#
+noblacklist ~/.config/slimjet
+noblacklist ~/.cache/slimjet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/slimjet
+whitelist ~/.config/slimjet
+mkdir ~/.cache
+mkdir ~/.cache/slimjet
+whitelist ~/.cache/slimjet
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/franz.profile b/etc/franz.profile
new file mode 100644
index 000000000..fc4a665de
--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,26 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+#tracelog
+nonewprivs
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/generic.profile b/etc/generic.profile
deleted file mode 100644
index 5618a555e..000000000
--- a/etc/generic.profile
+++ /dev/null
@@ -1,17 +0,0 @@
-################################
-# Generic GUI application profile
-################################
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-
diff --git a/etc/gitter.profile b/etc/gitter.profile
new file mode 100644
index 000000000..2882c59a6
--- /dev/null
+++ b/etc/gitter.profile
@@ -0,0 +1,18 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin gitter
+private-dev
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 8062c859a..1caea177d 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,15 +1,14 @@
 # GNOME MPlayer profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin gnome-mplayer
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 3396585eb..11f9f9e33 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,11 +1,8 @@
 # Google Chrome beta browser profile
 noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.cache/google-chrome-beta
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-programs.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index ed4332862..f253e5a90 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -1,11 +1,8 @@
 # Google Chrome unstable browser profile
 noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.cache/google-chrome-unstable
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-programs.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 985af38eb..5e168aae5 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,11 +1,8 @@
 # Google Chrome browser profile
 noblacklist ~/.config/google-chrome
 noblacklist ~/.cache/google-chrome
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-programs.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..b4cf8d9ac
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..02bb4d24d
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-dev
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
new file mode 100644
index 000000000..3c02576aa
--- /dev/null
+++ b/etc/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gthumb
+whitelist /tmp/.X11-unix
+private-dev
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..67f10c4e1
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,21 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+nogroups
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
diff --git a/etc/gzip.profile b/etc/gzip.profile
new file mode 100644
index 000000000..cc19e7608
--- /dev/null
+++ b/etc/gzip.profile
@@ -0,0 +1,8 @@
+# gzip profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index ab0e067c7..c5d863bd5 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -1,18 +1,18 @@
 # whitelist profile for Hedgewars (game)
+noblacklist ${HOME}/.hedgewars
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+nonewprivs
 noroot
 private-dev
-whitelist /tmp/.X11-unix
 seccomp
 tracelog
-netfilter
 
 mkdir     ~/.hedgewars
 whitelist ~/.hedgewars
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 8f9e71b44..4e829c379 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,11 +1,21 @@
 # HexChat instant messaging profile
 noblacklist ${HOME}/.config/hexchat
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+netfilter
+protocol unix,inet,inet6
+seccomp
+
+mkdir ~/.config
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
+
+# private-bin requires perl, python, etc.
diff --git a/etc/icedove.profile b/etc/icedove.profile
index 057e0c9ef..e9a63c8dd 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -1,3 +1,19 @@
-# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
-include /etc/firejail/thunderbird.profile
+# Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable)
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.icedove
+mkdir ~/.icedove
+whitelist ~/.icedove
+
+noblacklist ~/.cache/icedove
+mkdir ~/.cache
+mkdir ~/.cache/icedove
+whitelist ~/.cache/icedove
+
+include /etc/firejail/firefox.profile
 
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
new file mode 100644
index 000000000..8baf1ad94
--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,16 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
diff --git a/etc/kmail.profile b/etc/kmail.profile
index ca29675a0..44a53e258 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -1,20 +1,15 @@
 # kmail profile
 noblacklist ${HOME}/.gnupg
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 tracelog
-
-
diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..190061618
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,12 @@
+# Firejail konversation profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6
diff --git a/etc/less.profile b/etc/less.profile
new file mode 100644
index 000000000..0c43111d7
--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,8 @@
+# less profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
new file mode 100644
index 000000000..77a00ebef
--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+private-dev
+whitelist /tmp/.X11-unix/
+nosound
+
diff --git a/etc/localc.profile b/etc/localc.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/loffice.profile b/etc/loffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/login.users b/etc/login.users
index 5d5969091..bc6ac4b09 100644
--- a/etc/login.users
+++ b/etc/login.users
@@ -7,7 +7,7 @@
 #
 # For example:
 #
-#       netblue:--debug --net=none
+#       netblue:--net=none --protocol=unix
 #
 # The extra arguments are inserted into program command line if firejail
 # was started as a login shell.
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/lomath.profile b/etc/lomath.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/loweb.profile b/etc/loweb.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index a614a8dbf..d1d0b8a0d 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,19 +1,11 @@
 # lxterminal (LXDE) profile
 
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
-
+protocol unix,inet,inet6
+seccomp
 #noroot - somehow this breaks on Debian Jessie!
-
-# lxterminal is a single-instence program
-# blacklist any existing lxterminal socket in order to force a second process instance
-blacklist /tmp/.lxterminal-socket*
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
new file mode 100644
index 000000000..48b46dba0
--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound
diff --git a/etc/midori.profile b/etc/midori.profile
index e46a6baa2..046c45d94 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -1,12 +1,13 @@
 # Midori browser profile
 noblacklist ${HOME}/.config/midori
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
+# noroot - noroot break midori on Ubuntu 14.04
+protocol unix,inet,inet6
+seccomp
 
diff --git a/etc/mpv.profile b/etc/mpv.profile
new file mode 100644
index 000000000..80f8de54a
--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 239ab3a80..d4b442df8 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -1,10 +1,13 @@
 # mupen64plus profile
 # manually whitelist ROM files
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ${HOME}/.config/mupen64plus
+noblacklist ${HOME}/.local/share/mupen64plus
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 mkdir ${HOME}/.local
 mkdir ${HOME}/.local/share
 mkdir ${HOME}/.local/share/mupen64plus
@@ -12,7 +15,9 @@ whitelist ${HOME}/.local/share/mupen64plus/
 mkdir ${HOME}/.config
 mkdir ${HOME}/.config/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
-noroot
+
 caps.drop all
-seccomp
 net none
+nonewprivs
+noroot
+seccomp
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..3de6be238
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,32 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9c0c6e125..9fa785450 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -4,7 +4,8 @@
 :OUTPUT ACCEPT [0:0]
 
 ###################################################################
-# Client filter rejecting local network traffic, with the exception of DNS traffic
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
 #
 # Usage:
 #     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..c9c342b15
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,23 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11
diff --git a/etc/openbox.profile b/etc/openbox.profile
new file mode 100644
index 000000000..f812768a1
--- /dev/null
+++ b/etc/openbox.profile
@@ -0,0 +1,11 @@
+#######################################
+# OpenBox window manager profile
+# - all applications started in OpenBox will run in this profile
+#######################################
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 91eb10787..3d6edb286 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -1,12 +1,9 @@
 # Opera-beta browser profile
 noblacklist ~/.config/opera-beta
 noblacklist ~/.cache/opera-beta
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
 
 netfilter
 
diff --git a/etc/opera.profile b/etc/opera.profile
index 08bbd5a06..ff00eb349 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,12 +1,10 @@
 # Opera browser profile
 noblacklist ~/.config/opera
 noblacklist ~/.cache/opera
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ~/.opera
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
 
 netfilter
 
@@ -17,6 +15,8 @@ whitelist ~/.config/opera
 mkdir ~/.cache
 mkdir ~/.cache/opera
 whitelist ~/.cache/opera
+mkdir ~/.opera
+whitelist ~/.opera
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
new file mode 100644
index 000000000..302c20d7d
--- /dev/null
+++ b/etc/palemoon.profile
@@ -0,0 +1,58 @@
+# Firejail profile for Pale Moon
+noblacklist ~/.moonchild productions/pale moon
+noblacklist ~/.cache/moonchild productions/pale moon
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.moonchild productions
+whitelist ~/.moonchild productions
+mkdir ~/.cache
+mkdir ~/.cache/moonchild productions
+mkdir ~/.cache/moonchild productions/pale moon
+whitelist ~/.cache/moonchild productions/pale moon
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin palemoon
+
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)
diff --git a/etc/parole.profile b/etc/parole.profile
index fd49bcf07..1440a9ef7 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -1,18 +1,16 @@
 # Profile for Parole, the default XFCE4 media player
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 private-etc passwd,group,fonts
 private-bin parole,dbus-launch
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 shell none
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 54bedccc8..3df2cafa6 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -1,12 +1,20 @@
 # Pidgin profile
 noblacklist ${HOME}/.purple
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+netfilter
+nonewprivs
+nogroups
 noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin pidgin
+private-dev
diff --git a/etc/pix.profile b/etc/pix.profile
new file mode 100644
index 000000000..80c05fd09
--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,23 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+whitelist /tmp/.X11-unix
+private-dev
+
diff --git a/etc/polari.profile b/etc/polari.profile
index 26d5ff27b..366883c83 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -1,9 +1,8 @@
 # Polari IRC profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+
 mkdir ${HOME}/.local
 mkdir ${HOME}/.local/share/
 mkdir ${HOME}/.local/share/Empathy
@@ -21,9 +20,10 @@ whitelist ${HOME}/.cache/telepathy
 mkdir ${HOME}/.purple
 whitelist ${HOME}/.purple
 include /etc/firejail/whitelist-common.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
-
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..9380237be
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Psi+
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index f067aaa99..138b6db55 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -1,19 +1,20 @@
 # qbittorrent bittorrent profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
 
-
+# there are some problems with "Open destination folder", see bug #536
+#shell none
+#private-bin qbittorrent
+whitelist /tmp/.X11-unix
+private-dev
+nosound
diff --git a/etc/qtox.profile b/etc/qtox.profile
new file mode 100644
index 000000000..0cac18573
--- /dev/null
+++ b/etc/qtox.profile
@@ -0,0 +1,22 @@
+# qTox instant messaging profile
+noblacklist ${HOME}/.config/tox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qtox
diff --git a/etc/quassel.profile b/etc/quassel.profile
index bc8c76915..f92dfeb9f 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -1,13 +1,11 @@
 # Quassel IRC profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.wine
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
-
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
new file mode 100644
index 000000000..f2b9959f6
--- /dev/null
+++ b/etc/quiterss.profile
@@ -0,0 +1,32 @@
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+whitelist ${HOME}/quiterssfeeds.opml
+mkdir ~/.config
+mkdir ~/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRss/
+whitelist ${HOME}/.config/QuiteRssrc
+mkdir ~/.local
+mkdir ~/.local/share
+whitelist ${HOME}/.local/share/
+mkdir ~/.cache
+mkdir ~/.cache/QuiteRss
+whitelist ${HOME}/.cache/QuiteRss
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+private-bin quiterss
+private-dev
+nosound
+#private-etc X11,ssl
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
new file mode 100644
index 000000000..b590f0ef1
--- /dev/null
+++ b/etc/qutebrowser.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
+
+noblacklist ~/.config/qutebrowser
+noblacklist ~/.cache/qutebrowser
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/qutebrowser
+whitelist ~/.config/qutebrowser
+mkdir ~/.cache
+mkdir ~/.cache/qutebrowser
+whitelist ~/.cache/qutebrowser
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index a1a20a863..9f087ea1d 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -1,17 +1,18 @@
 # Rhythmbox media player profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
+nogroups
 netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
 
+private-bin rhythmbox
+private-dev
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 6041052af..15df2c374 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,12 +1,19 @@
 # rtorrent bittorrent profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin rtorrent
+whitelist /tmp/.X11-unix
+private-dev
+nosound
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index b896af97a..9ce4164c1 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -1,19 +1,17 @@
 # Firejail profile for Seamoneky based off Mozilla Firefox
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-tracelog
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
@@ -44,13 +42,10 @@ whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 
 #silverlight
-whitelist ~/.wine-pipelight 
-whitelist ~/.wine-pipelight64 
-whitelist ~/.config/pipelight-widevine 
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/pipelight-silverlight5.1
 
-
-
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
diff --git a/etc/server.profile b/etc/server.profile
index 5471aed91..88331d951 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -2,9 +2,13 @@
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 noblacklist /sbin
 noblacklist /usr/sbin
-include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 private
 private-dev
+nosound
 private-tmp
 seccomp
 
diff --git a/etc/skype.profile b/etc/skype.profile
index a33cc339d..9cbcd5117 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -1,12 +1,12 @@
 # Skype profile
 noblacklist ${HOME}/.Skype
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+
 caps.drop all
 netfilter
+nonewprivs
 noroot
-seccomp
 protocol unix,inet,inet6
+seccomp
diff --git a/etc/snap.profile b/etc/snap.profile
new file mode 100644
index 000000000..270fdf1a5
--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,14 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.keep chown,sys_admin
+
+
diff --git a/etc/soffice.profile b/etc/soffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 1986a513c..ca575970b 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -1,11 +1,14 @@
 # Spotify media player profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ${HOME}/.config/spotify
+noblacklist ${HOME}/.cache/spotify
+noblacklist ${HOME}/.local/share/spotify
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 
-# Whitelist the folders needed by Spotify - This is more restrictive 
-# than a blacklist though, but this is all spotify requires for 
+# Whitelist the folders needed by Spotify - This is more restrictive
+# than a blacklist though, but this is all spotify requires for
 # streaming audio
 mkdir ${HOME}/.config
 mkdir ${HOME}/.config/spotify
@@ -20,8 +23,13 @@ whitelist ${HOME}/.cache/spotify
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
+nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
 
+private-bin spotify
+private-dev
diff --git a/etc/ssh.profile b/etc/ssh.profile
new file mode 100644
index 000000000..a6d52c5a5
--- /dev/null
+++ b/etc/ssh.profile
@@ -0,0 +1,13 @@
+# ssh client
+noblacklist ~/.ssh
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/steam.profile b/etc/steam.profile
index dc17c7a0f..b15a54be9 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -1,13 +1,14 @@
 # Steam profile (applies to games/apps launched from Steam as well)
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
 netfilter
+nonewprivs
 noroot
-seccomp
 protocol unix,inet,inet6
+seccomp
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..d0c1326b3
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,29 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin stellarium
+private-dev
+
diff --git a/etc/strings.profile b/etc/strings.profile
new file mode 100644
index 000000000..881edf4ad
--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,8 @@
+# strings profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 94167675c..8e91e426b 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -1,17 +1,13 @@
 # Telegram IRC profile
 noblacklist ${HOME}/.TelegramDesktop
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
 
-whitelist ~/Downloads/Telegram Desktop
-mkdir ${HOME}/.TelegramDesktop
-whitelist ~/.TelegramDesktop
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index f608f5467..7882367b9 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -1,26 +1,19 @@
-# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
-noblacklist ${HOME}/.gnupg
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-devel.inc
-
+# Firejail profile for Mozilla Thunderbird
 # Users have thunderbird set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
-#include /etc/firejail/disable-common.inc thunderbird icedove
-blacklist ${HOME}/.adobe
-blacklist ${HOME}/.macromedia
-blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.config/filezilla
-blacklist ${HOME}/.purple
-blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.remmina
-blacklist ${HOME}/.tconn
 
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.thunderbird
+mkdir ~/.thunderbird
+whitelist ~/.thunderbird
+
+noblacklist ~/.cache/thunderbird
+mkdir ~/.cache
+mkdir ~/.cache/thunderbird
+whitelist ~/.cache/thunderbird
 
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-tracelog
-noroot
+include /etc/firejail/firefox.profile
 
diff --git a/etc/totem.profile b/etc/totem.profile
index f2485a2d0..252b46979 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,16 +1,15 @@
 # Totem media player profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ~/.config/totem
+noblacklist ~/.local/share/totem
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 18356a91e..fa5c3b22b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,22 +1,23 @@
-# transmission-gtk profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+# transmission-gtk bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+tracelog
 
-
-
+shell none
+private-bin transmission-gtk
+whitelist /tmp/.X11-unix
+private-dev
 
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index cd07f35c7..754211a63 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,20 +1,22 @@
-# transmission-qt profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+# transmission-qt bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-tracelog
 nosound
+protocol unix,inet,inet6
+seccomp
+tracelog
 
-
+shell none
+private-bin transmission-qt
+whitelist /tmp/.X11-unix
+private-dev
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 3b27c00ba..269f8f0fd 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -1,16 +1,26 @@
 # uGet profile
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+noblacklist ${HOME}/.config/uGet
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
 whitelist ${DOWNLOADS}
 mkdir ~/.config
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
 include /etc/firejail/whitelist-common.inc
+
+shell none
+private-bin uget-gtk
+whitelist /tmp/.X11-unix
+private-dev
+nosound
+
diff --git a/etc/unbound.profile b/etc/unbound.profile
index c4f009159..5e2cb5f65 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -1,12 +1,13 @@
 # security profile for unbound (https://unbound.net)
 noblacklist /sbin
 noblacklist /usr/sbin
-include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
+
 private
 private-dev
+nosound
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
new file mode 100644
index 000000000..8218ac959
--- /dev/null
+++ b/etc/uudeview.profile
@@ -0,0 +1,13 @@
+# uudeview profile
+# the default profile will disable root user, enable seccomp filter etc.
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin uudeview
+private-dev
+private-tmp
+private-etc nonexisting_fakefile_for_empty_etc
+hostname uudeview
+nosound
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index daab0b81a..2049d2bd9 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -1,14 +1,12 @@
 # Vivaldi browser profile
 noblacklist ~/.config/vivaldi
 noblacklist ~/.cache/vivaldi
-noblacklist ~/keepassx.kdbx
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
 
 netfilter
+nonewprivs
 
 whitelist ${DOWNLOADS}
 mkdir ~/.config
diff --git a/etc/vlc.profile b/etc/vlc.profile
index adcfbb119..1a6e5a151 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -1,17 +1,19 @@
 # VLC media player profile
 noblacklist ${HOME}/.config/vlc
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-blacklist ${HOME}/.wine
+include /etc/firejail/disable-passwdmgr.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
-noroot
 netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+
+# to test
+shell none
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
new file mode 100644
index 000000000..ff37e2800
--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,25 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
+
+# Call these options
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin warzone2100
+private-dev
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 3fbce62ca..410061278 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -1,12 +1,15 @@
 # Weechat IRC profile
 noblacklist ${HOME}/.weechat
-include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-programs.inc
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
-netfilter
+protocol unix,inet,inet6
+seccomp
+
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins 
\ No newline at end of file
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index a5b6127df..cd0c6406f 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -1,15 +1,18 @@
 # Whitelist-based profile for "Battle for Wesnoth" (game).
+noblacklist ${HOME}/.config/wesnoth
+noblacklist ${HOME}/.cache/wesnoth
+noblacklist ${HOME}/.local/share/wesnoth
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-terminals.inc
+include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
 
 private-dev
 
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9d5ef3d96..b3a1a1d30 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
 # common whitelist for all profiles
 
+whitelist ~/.XCompose
 whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
diff --git a/etc/wine.profile b/etc/wine.profile
index ae1f5d1b6..18e5346af 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -2,12 +2,13 @@
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.wine
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
+
 caps.drop all
 netfilter
+nonewprivs
 noroot
 seccomp
diff --git a/etc/xchat.profile b/etc/xchat.profile
index e2dcadc0e..1f2865cab 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,12 +1,14 @@
 # XChat IRC profile
 noblacklist ${HOME}/.config/xchat
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.wine
+
 caps.drop all
-seccomp
-protocol unix,inet,inet6
+nonewprivs
 noroot
+protocol unix,inet,inet6
+seccomp
+
+# private-bin requires perl, python, etc.
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
new file mode 100644
index 000000000..a46b2fa06
--- /dev/null
+++ b/etc/xplayer.profile
@@ -0,0 +1,21 @@
+# Xplayer profile
+noblacklist ~/.config/xplayer
+noblacklist ~/.local/share/xplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
diff --git a/etc/xreader.profile b/etc/xreader.profile
new file mode 100644
index 000000000..ac7d34022
--- /dev/null
+++ b/etc/xreader.profile
@@ -0,0 +1,22 @@
+# Xreader profile
+noblacklist ~/.config/xreader
+noblacklist ~/.cache/xreader
+noblacklist ~/.local/share
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-dev
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
new file mode 100644
index 000000000..7a4ae4858
--- /dev/null
+++ b/etc/xviewer.profile
@@ -0,0 +1,19 @@
+noblacklist ~/.config/xviewer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-bin xviewer
diff --git a/etc/xz.profile b/etc/xz.profile
new file mode 100644
index 000000000..709585acd
--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,2 @@
+# xz profile
+include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
new file mode 100644
index 000000000..ddf2061bf
--- /dev/null
+++ b/etc/xzdec.profile
@@ -0,0 +1,8 @@
+# xzdec profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound
diff --git a/mkuid.sh b/mkuid.sh
new file mode 100755
index 000000000..f03fdaf94
--- /dev/null
+++ b/mkuid.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+echo "extracting UID_MIN and GID_MIN"
+echo "#ifndef FIREJAIL_UIDS_H" > uids.h
+echo "#define FIREJAIL_UIDS_H" >> uids.h
+
+if [ -f /etc/login.defs ]
+then
+        echo "// using values extracted from /etc/login.defs" >> uids.h
+        UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
+        echo "#define UID_MIN $UID_MIN" >> uids.h
+        echo "#define GID_MIN $GID_MIN" >> uids.h
+else
+        echo "// using default values" >> uids.h
+        echo "#define UID_MIN 1000" >> uids.h
+        echo "#define GID_MIN 1000" >> uids.h
+fi
+
+echo "#endif" >> uids.h
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 5240d87a6..5367edfe5 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -1,74 +1,134 @@
-/etc/firejail/evince.profile
-/etc/firejail/disable-secret.inc
-/etc/firejail/chromium.profile
+/etc/firejail/0ad.profile
+/etc/firejail/Cyberfox.profile
+/etc/firejail/Mathematica.profile
+/etc/firejail/Telegram.profile
+/etc/firejail/abrowser.profile
+/etc/firejail/atom-beta.profile
+/etc/firejail/atom.profile
+/etc/firejail/atril.profile
+/etc/firejail/audacious.profile
+/etc/firejail/audacity.profile
+/etc/firejail/aweather.profile
+/etc/firejail/bitlbee.profile
+/etc/firejail/brave.profile
+/etc/firejail/cherrytree.profile
 /etc/firejail/chromium-browser.profile
-/etc/firejail/google-chrome.profile
-/etc/firejail/google-chrome-stable.profile
+/etc/firejail/chromium.profile
+/etc/firejail/clementine.profile
+/etc/firejail/cmus.profile
+/etc/firejail/conkeror.profile
+/etc/firejail/corebird.profile
+/etc/firejail/cpio.profile
+/etc/firejail/cyberfox.profile
+/etc/firejail/deadbeef.profile
+/etc/firejail/default.profile
+/etc/firejail/deluge.profile
+/etc/firejail/dillo.profile
+/etc/firejail/disable-common.inc
+/etc/firejail/disable-devel.inc
+/etc/firejail/disable-passwdmgr.inc
+/etc/firejail/disable-programs.inc
+/etc/firejail/dnscrypt-proxy.profile
+/etc/firejail/dnsmasq.profile
+/etc/firejail/dropbox.profile
+/etc/firejail/empathy.profile
+/etc/firejail/eom.profile
+/etc/firejail/epiphany.profile
+/etc/firejail/evince.profile
+/etc/firejail/fbreader.profile
+/etc/firejail/filezilla.profile
+/etc/firejail/firefox-esr.profile
+/etc/firejail/firefox.profile
+/etc/firejail/firejail.config
+/etc/firejail/flashpeak-slimjet.profile
+/etc/firejail/franz.profile
+/etc/firejail/gitter.profile
+/etc/firejail/gnome-mplayer.profile
 /etc/firejail/google-chrome-beta.profile
+/etc/firejail/google-chrome-stable.profile
 /etc/firejail/google-chrome-unstable.profile
-/etc/firejail/midori.profile
+/etc/firejail/google-chrome.profile
+/etc/firejail/google-play-music-desktop-player.profile
+/etc/firejail/gpredict.profile
+/etc/firejail/gthumb.profile
+/etc/firejail/gwenview.profile
+/etc/firejail/gzip.profile
+/etc/firejail/hedgewars.profile
+/etc/firejail/hexchat.profile
+/etc/firejail/icecat.profile
 /etc/firejail/icedove.profile
 /etc/firejail/iceweasel.profile
-/etc/firejail/dropbox.profile
+/etc/firejail/jitsi.profile
+/etc/firejail/kmail.profile
+/etc/firejail/konversation.profile
+/etc/firejail/less.profile
+/etc/firejail/libreoffice.profile
+/etc/firejail/localc.profile
+/etc/firejail/lodraw.profile
+/etc/firejail/loffice.profile
+/etc/firejail/lofromtemplate.profile
 /etc/firejail/login.users
-/etc/firejail/disable-mgmt.inc
-/etc/firejail/firefox.profile
-/etc/firejail/opera.profile
+/etc/firejail/loimpress.profile
+/etc/firejail/lomath.profile
+/etc/firejail/loweb.profile
+/etc/firejail/lowriter.profile
+/etc/firejail/lxterminal.profile
+/etc/firejail/mathematica.profile
+/etc/firejail/mcabber.profile
+/etc/firejail/midori.profile
+/etc/firejail/mpv.profile
+/etc/firejail/mupen64plus.profile
+/etc/firejail/netsurf.profile
+/etc/firejail/nolocal.net
+/etc/firejail/okular.profile
+/etc/firejail/openbox.profile
 /etc/firejail/opera-beta.profile
-/etc/firejail/thunderbird.profile
-/etc/firejail/transmission-gtk.profile
-/etc/firejail/transmission-qt.profile
-/etc/firejail/vlc.profile
-/etc/firejail/audacious.profile
-/etc/firejail/clementine.profile
-/etc/firejail/epiphany.profile
+/etc/firejail/opera.profile
+/etc/firejail/palemoon.profile
+/etc/firejail/parole.profile
+/etc/firejail/pidgin.profile
+/etc/firejail/pix.profile
 /etc/firejail/polari.profile
-/etc/firejail/gnome-mplayer.profile
-/etc/firejail/rhythmbox.profile
-/etc/firejail/totem.profile
-/etc/firejail/deluge.profile
+/etc/firejail/psi-plus.profile
 /etc/firejail/qbittorrent.profile
-/etc/firejail/generic.profile
-/etc/firejail/xchat.profile
-/etc/firejail/server.profile
+/etc/firejail/qtox.profile
 /etc/firejail/quassel.profile
-/etc/firejail/pidgin.profile
-/etc/firejail/filezilla.profile
-/etc/firejail/empathy.profile
-/etc/firejail/disable-common.inc
-/etc/firejail/deadbeef.profile
-/etc/firejail/icecat.profile
-/etc/firejail/fbreader.profile
-/etc/firejail/spotify.profile
+/etc/firejail/quiterss.profile
+/etc/firejail/qutebrowser.profile
+/etc/firejail/rhythmbox.profile
+/etc/firejail/rtorrent.profile
+/etc/firejail/seamonkey-bin.profile
+/etc/firejail/seamonkey.profile
+/etc/firejail/server.profile
 /etc/firejail/skype.profile
+/etc/firejail/snap.profile
+/etc/firejail/soffice.profile
+/etc/firejail/spotify.profile
+/etc/firejail/ssh.profile
 /etc/firejail/steam.profile
-/etc/firejail/wine.profile
-/etc/firejail/disable-devel.inc
-/etc/firejail/conkeror.profile
+/etc/firejail/stellarium.profile
+/etc/firejail/strings.profile
+/etc/firejail/telegram.profile
+/etc/firejail/thunderbird.profile
+/etc/firejail/totem.profile
+/etc/firejail/transmission-gtk.profile
+/etc/firejail/transmission-qt.profile
+/etc/firejail/uget-gtk.profile
 /etc/firejail/unbound.profile
-/etc/firejail/dnscrypt-proxy.profile
-/etc/firejail/whitelist-common.inc
-/etc/firejail/nolocal.net
+/etc/firejail/uudeview.profile
+/etc/firejail/vivaldi-beta.profile
+/etc/firejail/vivaldi.profile
+/etc/firejail/vlc.profile
+/etc/firejail/warzone2100.profile
 /etc/firejail/webserver.net
-/etc/firejail/bitlbee.profile
-/etc/firejail/weechat.profile
 /etc/firejail/weechat-curses.profile
-/etc/firejail/hexchat.profile
-/etc/firejail/rtorrent.profile
-/etc/firejail/parole.profile
-/etc/firejail/kmail.profile
-/etc/firejail/seamonkey.profile
-/etc/firejail/seamonkey-bin.profile
-/etc/firejail/telegram.profile
-/etc/firejail/mathematica.profile
-/etc/firejail/Mathematica.profile
-/etc/firejail/uget-gtk.profile
-/etc/firejail/mupen64plus.profile
-/etc/firejail/disable-terminals.inc
-/etc/firejail/lxterminal.profile
-/etc/firejail/cherrytree.profile
+/etc/firejail/weechat.profile
 /etc/firejail/wesnoth.profile
-/etc/firejail/hedgewars.profile
-/etc/firejail/vivaldi.profile
-/etc/firejail/vivaldi-beta.profile
-/etc/firejail/atril.profile
+/etc/firejail/whitelist-common.inc
+/etc/firejail/wine.profile
+/etc/firejail/xchat.profile
+/etc/firejail/xplayer.profile
+/etc/firejail/xreader.profile
+/etc/firejail/xviewer.profile
+/etc/firejail/xz.profile
+/etc/firejail/xzdec.profile
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index e365af2d6..67280921a 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -33,16 +33,22 @@ rm -rf %{buildroot}
 %doc
 %defattr(-, root, root, -)
 %attr(4755, -, -) %{_bindir}/__NAME__
+%{_bindir}/firecfg
 %{_bindir}/firemon
+%{_libdir}/__NAME__/firecfg.config
 %{_libdir}/__NAME__/ftee
+%{_libdir}/__NAME__/faudit
 %{_libdir}/__NAME__/fshaper.sh
 %{_libdir}/__NAME__/libtrace.so
 %{_libdir}/__NAME__/libtracelog.so
 %{_datarootdir}/bash-completion/completions/__NAME__
+%{_datarootdir}/bash-completion/completions/firecfg
 %{_datarootdir}/bash-completion/completions/firemon
 %{_docdir}/__NAME__
 %{_mandir}/man1/__NAME__.1.gz
+%{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man5/__NAME__-config.5.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %config %{_sysconfdir}/__NAME__
diff --git a/platform/snap/snap.sh b/platform/snap/snap.sh
new file mode 100755
index 000000000..d7f924293
--- /dev/null
+++ b/platform/snap/snap.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+rm -fr faudit-snap
+rm -f faudit_*.snap
+mkdir faudit-snap
+cd faudit-snap
+snapcraft init
+cp ../snapcraft.yaml .
+#snapcraft stage
+mkdir -p stage/usr/lib/firejail
+cp ../../../src/faudit/faudit stage/usr/lib/firejail/.
+find stage
+snapcraft stage
+snapcraft snap
+cd ..
+mv faudit-snap/faudit_*.snap ../../.
+rm -fr faudit-snap
+
+
+
diff --git a/platform/snap/snapcraft.yaml b/platform/snap/snapcraft.yaml
new file mode 100644
index 000000000..7b04a2ca1
--- /dev/null
+++ b/platform/snap/snapcraft.yaml
@@ -0,0 +1,21 @@
+name: faudit  # the name of the snap
+version: 0  # the version of the snap
+summary: Fireajail audit snap edition  # 79 char long summary
+description: faudit program extracted from Firejail and packaged as a snap  # a longer description for the snap
+confinement: strict  # use "strict" to enforce system access only via declared interfaces
+
+apps:
+    faudit:
+        command: /usr/lib/firejail/faudit
+
+parts:
+    faudit:  # Replace with a part name of your liking
+        # Get more information about plugins by running
+        # snapcraft help plugins
+        # and more information about the available plugins
+        # by running
+        # snapcraft list-plugins
+        plugin: nil
+        snap:
+        - usr/lib/firejail/faudit
+
diff --git a/src/bash_completion/firecfg.bash_completion b/src/bash_completion/firecfg.bash_completion
new file mode 100644
index 000000000..79b74e49d
--- /dev/null
+++ b/src/bash_completion/firecfg.bash_completion
@@ -0,0 +1,39 @@
+# bash completion for firecfg                          -*- shell-script -*-
+#********************************************************************
+# Script based on completions/configure script in bash-completion package in
+# Debian. The original package is release under GPL v2 license, the webpage is
+# http://bash-completion.alioth.debian.org
+#*******************************************************************
+
+_firecfg()
+{
+    local cur prev words cword split
+    _init_completion -s || return
+
+    case $prev in
+        --help|--version)
+            return
+            ;;
+    esac
+
+    $split && return 0
+
+    # if $COMP_CONFIGURE_HINTS is not null, then completions of the form
+    # --option=SETTING will include 'SETTING' as a contextual hint
+    [[ "$cur" != -* ]] && return 0
+
+    if [[ -n $COMP_CONFIGURE_HINTS ]]; then
+        COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \
+            awk '/^  --[A-Za-z]/ { print $1; \
+            if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \
+            -- "$cur" ) )
+        [[ $COMPREPLY == *=* ]] && compopt -o nospace
+    else
+        COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) )
+        [[ $COMPREPLY == *= ]] && compopt -o nospace
+    fi
+} &&
+complete -F _firecfg firecfg
+
+
+
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 21e28c98b..d3dcd57d0 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
             _filedir
             return 0
             ;;
+       --read-write)
+            _filedir
+            return 0
+            ;;
         --bind)
             _filedir
             return 0
@@ -63,6 +67,10 @@ _firejail()
             _filedir
             return 0
             ;;
+        --audit)
+            _filedir
+            return 0
+            ;;
          --net)
                 comps=$(__interfaces)
             COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
new file mode 100644
index 000000000..995a0bf49
--- /dev/null
+++ b/src/faudit/Makefile.in
@@ -0,0 +1,25 @@
+all: faudit
+
+PREFIX=@prefix@
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+faudit: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS)
+
+clean:; rm -f *.o faudit
+
+distclean: clean
+        rm -fr Makefile
+
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
new file mode 100644
index 000000000..d4a62b34f
--- /dev/null
+++ b/src/faudit/caps.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "faudit.h"
+#include <linux/capability.h>
+
+#define MAXBUF 4098
+static int extract_caps(uint64_t *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "CapBnd:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        unsigned long long tmp;
+                        sscanf(ptr, "%llx", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+
+        fclose(fp);
+        return 1;
+}
+
+// return 1 if the capability is in tbe map
+static int check_capability(uint64_t map, int cap) {
+        int i;
+        uint64_t mask = 1ULL;
+        
+        for (i = 0; i < 64; i++, mask <<= 1) {
+                if ((i == cap) && (mask & map))
+                        return 1;
+        }
+
+        return 0;
+}
+
+void caps_test(void) {
+        uint64_t caps_val;
+        
+        if (extract_caps(&caps_val)) {
+                printf("SKIP: cannot extract capabilities on this platform.\n");
+                return;
+        }
+        
+        if (caps_val) {
+                printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
+                printf("Use \"firejail --caps.drop=all\" to fix it.\n");
+                
+                if (check_capability(caps_val, CAP_SYS_ADMIN))
+                        printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
+                if (check_capability(caps_val, CAP_SYS_BOOT))
+                        printf("UGLY: CAP_SYS_BOOT is enabled.\n");
+        }
+        else
+                printf("GOOD: all capabilities are disabled.\n"); 
+}
+
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
new file mode 100644
index 000000000..1edce5802
--- /dev/null
+++ b/src/faudit/dbus.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <sys/un.h>
+
+void check_session_bus(const char *sockfile) {
+        assert(sockfile);
+        
+        // open socket
+        int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+                return;
+        }
+
+        // connect
+        struct sockaddr_un remote;
+        memset(&remote, 0, sizeof(struct sockaddr_un));
+        remote.sun_family = AF_UNIX;
+        strcpy(remote.sun_path, sockfile);
+        int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
+        remote.sun_path[0] = '\0';
+        if (connect(sock, (struct sockaddr *)&remote, len) == -1) {
+                printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+        }
+        else {
+                printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+        }       
+
+        close(sock);
+}
+
+void dbus_test(void) {
+        // check the session bus
+        char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+        if (str) {
+                char *bus = strdup(str);
+                if (!bus)
+                        errExit("strdup");
+                char *sockfile = strstr(bus, "unix:abstract=");
+                if (sockfile) {
+                        sockfile += 13;
+                        *sockfile = '@';
+                        char *ptr = strchr(sockfile, ',');
+                        if (ptr)
+                                *ptr = '\0';    
+                        check_session_bus(sockfile);
+                        
+                        sockfile -= 13;
+                }
+                free(bus);
+        }
+}
+
+
+
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
new file mode 100644
index 000000000..92f615958
--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+
+void dev_test(void) {
+        DIR *dir;
+        if (!(dir = opendir("/dev"))) {
+                fprintf(stderr, "Error: cannot open /dev directory\n");
+                return;
+        }
+        
+        struct dirent *entry;
+        printf("INFO: files visible in /dev directory: ");
+        int cnt = 0;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                
+                printf("%s, ", entry->d_name);
+                cnt++;
+        }
+        printf("\n");
+        
+        if (cnt > 20)
+                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+        else
+                printf("GOOD: Access to /dev directory is restricted.\n");
+        closedir(dir);
+}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
new file mode 100644
index 000000000..93fb4b709
--- /dev/null
+++ b/src/faudit/faudit.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef FAUDIT_H
+#define FAUDIT_H
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <assert.h>
+
+#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+
+// main.c
+extern char *prog;
+
+// pid.c
+void pid_test(void);
+
+// caps.c
+void caps_test(void);
+
+// seccomp.c
+void seccomp_test(void);
+
+// syscall.c
+void syscall_helper(int argc, char **argv);
+void syscall_run(const char *name);
+
+// files.c
+void files_test(void);
+
+// network.c
+void network_test(void);
+
+// dbus.c
+void dbus_test(void);
+
+// dev.c
+void dev_test(void);
+
+#endif
diff --git a/src/faudit/files.c b/src/faudit/files.c
new file mode 100644
index 000000000..67b43f22b
--- /dev/null
+++ b/src/faudit/files.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <fcntl.h>
+#include <pwd.h>
+
+static char *username = NULL;
+static char *homedir = NULL;
+
+static void check_home_file(const char *name) {
+        assert(homedir);
+        
+        char *fname;
+        if (asprintf(&fname, "%s/%s", homedir, name) ==  -1)
+                errExit("asprintf");
+
+        if (access(fname, R_OK) == 0) {
+                printf("UGLY: I can access files in %s directory. ", fname);
+                printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
+        }
+        else
+                printf("GOOD: I cannot access files in %s directory.\n", fname);
+        
+        free(fname);
+}
+
+void files_test(void) {
+        struct passwd *pw = getpwuid(getuid());
+        if (!pw) {
+                fprintf(stderr, "Error: cannot retrieve user account information\n");
+                return;
+        }
+        
+        username = strdup(pw->pw_name);
+        if (!username)
+                errExit("strdup");
+        homedir = strdup(pw->pw_dir);
+        if (!homedir)
+                errExit("strdup");
+        
+        // check access to .ssh directory
+        check_home_file(".ssh");
+
+        // check access to .gnupg directory
+        check_home_file(".gnupg");
+
+        // check access to Firefox browser directory
+        check_home_file(".mozilla");
+
+        // check access to Chromium browser directory
+        check_home_file(".config/chromium");
+        
+        // check access to Debian Icedove directory
+        check_home_file(".icedove");
+        
+        // check access to Thunderbird directory
+        check_home_file(".thunderbird");
+}
diff --git a/src/faudit/main.c b/src/faudit/main.c
new file mode 100644
index 000000000..6ff938d98
--- /dev/null
+++ b/src/faudit/main.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+char *prog;
+
+int main(int argc, char **argv) {
+        if (argc != 1) {
+                int i;
+                
+                for (i = 1; i < argc; i++) {
+                        if (strcmp(argv[i], "syscall")) {
+                                syscall_helper(argc, argv);
+                                return 0;
+                        }
+                }
+                return 1;
+        }
+
+        printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
+
+        // extract program name
+        prog = realpath(argv[0], NULL);
+        if (prog == NULL) {
+                prog = strdup("faudit");
+                if (!prog)
+                        errExit("strdup");
+        }
+        printf("INFO: starting %s.\n", prog);
+        
+        
+        // check pid namespace
+        pid_test();
+        printf("\n");
+        
+        // check seccomp
+        seccomp_test();
+        printf("\n");
+        
+        // check capabilities
+        caps_test();
+        printf("\n");
+
+        // check some well-known problematic files and directories
+        files_test();
+        printf("\n");
+        
+        // network
+        network_test();
+        printf("\n");
+        
+        // dbus
+        dbus_test();
+        printf("\n");
+
+        // /dev test
+        dev_test();
+        printf("\n");
+
+        free(prog);
+        printf("--------------------------------------------------------------------------------\n");
+
+        return 0;
+}
diff --git a/src/faudit/network.c b/src/faudit/network.c
new file mode 100644
index 000000000..cf1eede69
--- /dev/null
+++ b/src/faudit/network.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+
+static void check_ssh(void) {
+        // open socket
+        int sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: SSH server not available on localhost.\n");
+                return;
+        }
+
+        // connect to localhost
+        struct sockaddr_in server;
+        server.sin_addr.s_addr = inet_addr("127.0.0.1");
+        server.sin_family = AF_INET;
+        server.sin_port = htons(22);    
+        
+        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+                printf("GOOD: SSH server not available on localhost.\n");
+        else {
+                printf("MAYBE: an SSH server is accessible on localhost. ");
+                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+        }
+        
+        close(sock);
+}
+
+static void check_http(void) {
+        // open socket
+        int sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock == -1) {
+                printf("GOOD: HTTP server not available on localhost.\n");
+                return;
+        }
+
+        // connect to localhost
+        struct sockaddr_in server;
+        server.sin_addr.s_addr = inet_addr("127.0.0.1");
+        server.sin_family = AF_INET;
+        server.sin_port = htons(80);    
+        
+        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+                printf("GOOD: HTTP server not available on localhost.\n");
+        else {
+                printf("MAYBE: an HTTP server is accessible on localhost. ");
+                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+        }
+        
+        close(sock);
+}
+
+void check_netlink(void) {
+        int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
+        if (sock == -1) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                return;
+        }
+
+        struct sockaddr_nl local;
+        memset(&local, 0, sizeof(local));
+        local.nl_family = AF_NETLINK;
+        local.nl_groups = 0; //subscriptions;
+
+        if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
+                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+                close(sock);
+                return;
+        }
+        
+        close(sock);
+        printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
+        printf("You can use \"--protocol\" to disable the socket.\n");
+}
+        
+void network_test(void) {
+        check_ssh();
+        check_http();
+        check_netlink();
+}
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
new file mode 100644
index 000000000..a0fb1d921
--- /dev/null
+++ b/src/faudit/pid.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+
+void pid_test(void) {
+        char *kern_proc[] = {
+                "kthreadd",
+                "ksoftirqd",
+                "kworker",
+                "rcu_sched",
+                "rcu_bh",
+                NULL    // NULL terminated list
+        };
+        int i;
+
+        // look at the first 10 processes
+        int not_visible = 1;
+        for (i = 1; i <= 10; i++) { 
+                struct stat s;
+                char *fname;
+                if (asprintf(&fname, "/proc/%d/comm", i) == -1)
+                        errExit("asprintf");
+                if (stat(fname, &s) == -1) {
+                        free(fname);
+                        continue;
+                }
+                
+                // open file
+                /* coverity[toctou] */
+                FILE *fp = fopen(fname, "r");
+                if (!fp) {
+//                      fprintf(stderr, "Warning: cannot open %s\n", fname);
+                        free(fname);
+                        continue;
+                }
+                
+                // read file
+                char buf[100];
+                if (fgets(buf, 10, fp) == NULL) {
+//                      fprintf(stderr, "Warning: cannot read %s\n", fname);
+                        fclose(fp);
+                        free(fname);
+                        continue;
+                }
+                not_visible = 0;
+
+                // clean /n
+                char *ptr;
+                if ((ptr = strchr(buf, '\n')) != NULL)
+                        *ptr = '\0';
+                
+                // check process name against the kernel list
+                int j = 0;
+                while (kern_proc[j] != NULL) {
+                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
+                                fclose(fp);
+                                free(fname);
+                                printf("BAD: Process %d is not running in a PID namespace. ", getpid());
+                                printf("Are you sure you're running in a sandbox?\n");
+                                return;
+                        }
+                        j++;
+                }
+                
+                fclose(fp);
+                free(fname);
+        }
+
+        pid_t pid = getpid();
+        if (not_visible && pid > 100)
+                printf("BAD: Process %d is not running in a PID namespace.\n", pid);
+        else
+                printf("GOOD: process %d is running in a PID namespace.\n", pid);
+        
+        // try to guess the type of container/sandbox
+        char *str = getenv("container");
+        if (str)
+                printf("INFO: container/sandbox %s.\n", str);
+        else {
+                str = getenv("SNAP");
+                if (str)
+                        printf("INFO: this is a snap package\n");
+        }
+}
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
new file mode 100644
index 000000000..7b2999467
--- /dev/null
+++ b/src/faudit/seccomp.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp)
+                return 1;
+        
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+                        char *ptr = buf + 8;
+                        int tmp;
+                        sscanf(ptr, "%d", &tmp);
+                        *val = tmp;
+                        fclose(fp);
+                        return 0;
+                }
+        }
+
+        fclose(fp);
+        return 1;
+}
+
+void seccomp_test(void) {
+        int seccomp_status;
+        int rv = extract_seccomp(&seccomp_status);
+        
+        if (rv) {
+                printf("INFO: cannot extract seccomp configuration on this platform.\n");
+                return;
+        }
+        
+        if (seccomp_status == 0) {
+                printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
+        }
+        else if (seccomp_status == 1)
+                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowd.\n");
+        else if (seccomp_status == 2) {
+                printf("GOOD: seccomp BPF enabled.\n");
+
+                printf("checking syscalls: "); fflush(0);
+                printf("mount... "); fflush(0);
+                syscall_run("mount");
+
+                printf("umount2... "); fflush(0);
+                syscall_run("umount2");
+
+                printf("ptrace... "); fflush(0);
+                syscall_run("ptrace");
+                
+                printf("swapon... "); fflush(0);
+                syscall_run("swapon");
+                
+                printf("swapoff... "); fflush(0);
+                syscall_run("swapoff");
+
+                printf("init_module... "); fflush(0);
+                syscall_run("init_module");
+
+                printf("delete_module... "); fflush(0);
+                syscall_run("delete_module");
+                
+                printf("chroot... "); fflush(0);
+                syscall_run("chroot");
+                
+                printf("pivot_root... "); fflush(0);
+                syscall_run("pivot_root");
+                
+#if defined(__i386__) || defined(__x86_64__)
+                printf("iopl... "); fflush(0);
+                syscall_run("iopl");
+                
+                printf("ioperm... "); fflush(0);
+                syscall_run("ioperm");
+#endif  
+                printf("\n");
+        }
+        else
+                fprintf(stderr, "Error: unrecognized seccomp mode\n");
+
+}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
new file mode 100644
index 000000000..9924be00f
--- /dev/null
+++ b/src/faudit/syscall.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/ptrace.h>
+#include <sys/swap.h>
+#if defined(__i386__) || defined(__x86_64__)
+#include <sys/io.h>
+#endif
+#include <sys/wait.h>
+extern int init_module(void *module_image, unsigned long len,
+                       const char *param_values);
+extern int finit_module(int fd, const char *param_values,
+                        int flags);
+extern int delete_module(const char *name, int flags);
+extern int pivot_root(const char *new_root, const char *put_old);
+
+void syscall_helper(int argc, char **argv) {
+        (void) argc;
+        
+        if (strcmp(argv[2], "mount") == 0) {
+                mount(NULL, NULL, NULL, 0, NULL);
+                printf("\nUGLY: mount syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "umount2") == 0) {
+                umount2(NULL, 0);
+                printf("\nUGLY: umount2 syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "ptrace") == 0) {
+                ptrace(0, 0, NULL, NULL);
+                printf("\nUGLY: ptrace syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "swapon") == 0) {
+                swapon(NULL, 0);
+                printf("\nUGLY: swapon syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "swapoff") == 0) {
+                swapoff(NULL);
+                printf("\nUGLY: swapoff syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "init_module") == 0) {
+                init_module(NULL, 0, NULL);
+                printf("\nUGLY: init_module syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "delete_module") == 0) {
+                delete_module(NULL, 0);
+                printf("\nUGLY: delete_module syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "chroot") == 0) {
+                int rv = chroot("/blablabla-57281292");
+                (void) rv;
+                printf("\nUGLY: chroot syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "pivot_root") == 0) {
+                pivot_root(NULL, NULL);
+                printf("\nUGLY: pivot_root syscall permitted.\n");
+        }
+#if defined(__i386__) || defined(__x86_64__)
+        else if (strcmp(argv[2], "iopl") == 0) {
+                iopl(0L);
+                printf("\nUGLY: iopl syscall permitted.\n");
+        }
+        else if (strcmp(argv[2], "ioperm") == 0) {
+                ioperm(0, 0, 0);
+                printf("\nUGLY: ioperm syscall permitted.\n");
+        }
+#endif
+        exit(0);
+}
+
+void syscall_run(const char *name) {
+        assert(prog);
+        
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                execl(prog, prog, "syscall", name, NULL);
+                exit(1);
+        }
+                
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+}
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
new file mode 100644
index 000000000..11f8b1e8d
--- /dev/null
+++ b/src/firecfg/Makefile.in
@@ -0,0 +1,38 @@
+all: firecfg
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+
+
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+firecfg: $(OBJS) ../lib/common.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS)
+
+clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz
+
+distclean: clean
+        rm -fr Makefile
+
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
new file mode 100644
index 000000000..48e205a58
--- /dev/null
+++ b/src/firecfg/firecfg.config
@@ -0,0 +1,136 @@
+# /usr/lib/firejail/firecfg.config - firecfg utility configuration file
+# This is the list of programs handled by firecfg utility
+#
+
+# astronomy
+gpredict
+stellarium
+
+# bittorrent/ftp
+deluge
+dropbox
+filezilla
+qbittorrent
+rtorrent
+transmission-gtk
+transmission-qt
+uget-gtk
+
+# browsers/email
+abrowser
+brave
+chromium
+chromium-browser
+conkeror
+cyberfox
+firefox
+firefox-esr
+flashpeak-slimjet
+epiphany
+dillo
+google-chrome
+google-chrome-beta
+google-chrome-stable
+google-chrome-unstable
+iceweasel
+icecat
+icedove
+kmail
+midori
+netsurf
+opera-beta
+opera
+palemoon
+qutebrowser
+seamonkey
+seamonkey-bin
+thunderbird
+vivaldi-beta
+vivaldi
+
+# chat/messaging
+bitlbee
+corebird
+empathy
+gitter
+hexchat
+jitsi
+konversation
+pidgin
+polari
+psi-plus
+qtox
+quassel
+skype
+telegram
+weechat
+weechat-curses
+xchat
+
+# dns
+dnscrypt-proxy
+dnsmaq
+unbound
+
+# emulators/compatibility layers
+mupen64plus
+wine
+
+# games
+0ad
+hedgewars
+steam
+wesnot
+warzone2100
+
+# Media
+audacious
+audacity
+clementine
+cmus
+deadbeef
+gnome-mplayer
+google-play-music-desktop-player
+mpv
+parole
+rhythmbox
+spotify
+totem
+vlc
+xplayer
+xviewer
+eom
+
+# news readers
+quiterss
+
+# office
+atril
+cherrytree
+evince
+fbreader
+gwenview
+gthumb
+libreoffice
+localc
+lodraw
+loffice
+lofromtemplate
+loimpress
+lomath
+loweb
+lowriter
+soffice
+Mathematica
+mathematica
+okular
+pix
+xreader
+
+# other
+ssh
+atom-beta
+atom
+
+# weather/climate
+aweather
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
new file mode 100644
index 000000000..f0f2aaeb7
--- /dev/null
+++ b/src/firecfg/main.c
@@ -0,0 +1,315 @@
+/*
+ * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include "../include/common.h"
+
+static void usage(void) {
+        printf("firecfg - version %s\n\n", VERSION);
+        printf("Firecfg is the desktop configuration utility for Firejail software. The utility\n");
+        printf("creates several symbolic links to firejail executable. This allows the user to\n");
+        printf("sandbox applications automatically, just by clicking on a regular desktop\n");
+        printf("menus and icons.\n\n");
+        printf("The symbolic links are placed in /usr/local/bin. For more information, see\n");
+        printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n");
+        printf("Usage: firecfg [OPTIONS]\n\n");
+        printf("   --clean - remove all firejail symbolic links.\n\n");
+        printf("   --help, -? - this help screen.\n\n");
+        printf("   --list - list all firejail symbolic links.\n\n");
+        printf("   --version - print program version and exit.\n\n");
+        printf("Example:\n\n");
+        printf("   $ sudo firecfg\n");
+        printf("   /usr/local/bin/firefox created\n");
+        printf("   /usr/local/bin/vlc created\n");
+        printf("   [...]\n");
+        printf("   $ firecfg --list\n");
+        printf("   /usr/local/bin/firefox\n");
+        printf("   /usr/local/bin/vlc\n");
+        printf("   [...]\n");
+        printf("   $ sudo firecfg --clean\n");
+        printf("   /usr/local/bin/firefox removed\n");
+        printf("   /usr/local/bin/vlc removed\n");
+        printf("   [...]\n");
+        printf("\n");
+        printf("License GPL version 2 or later\n");
+        printf("Homepage: http://firejail.wordpress.com\n\n");
+}
+
+// return 1 if the program is found
+static int find(const char *program, const char *directory) {
+        int retval = 0;
+        
+        char *fname;
+        if (asprintf(&fname, "/%s/%s", directory, program) == -1)
+                errExit("asprintf");
+                
+        struct stat s;
+        if (stat(fname, &s) == 0)
+                retval = 1;
+        
+        free(fname);
+        return retval;
+}
+
+
+// return 1 if program is installed on the system
+static int which(const char *program) {
+        // check some well-known paths
+        if (find(program, "/bin") || find(program, "/usr/bin") ||
+             find(program, "/sbin") || find(program, "/usr/sbin") ||
+             find(program, "/usr/games"))
+                return 1;
+                
+        // check environment
+        char *path1 = getenv("PATH");
+        if (path1) {
+                char *path2 = strdup(path1);
+                if (!path2)
+                        errExit("strdup");
+                
+                // use path2 to count the entries
+                char *ptr = strtok(path2, ":");
+                while (ptr) {
+                        if (find(program, ptr)) {
+                                free(path2);
+                                return 1;
+                        }
+                        ptr = strtok(NULL, ":");
+                }
+                free(path2);
+        }
+        
+        return 0;
+}
+
+// return 1 if the file is a link
+static int is_link(const char *fname) {
+        assert(fname);
+        if (*fname == '\0')
+                return 0;
+
+        struct stat s;
+        if (lstat(fname, &s) == 0) {
+                if (S_ISLNK(s.st_mode))
+                        return 1;
+        }
+
+        return 0;
+}
+
+static void list(void) {
+        DIR *dir = opendir("/usr/local/bin");
+        if (!dir) {
+                fprintf(stderr, "Error: cannot open /usr/local/bin directory\n");
+                exit(1);
+        }
+
+        char *firejail_exec;
+        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+                errExit("asprintf");
+
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                
+                char *fullname;
+                if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
+                        errExit("asprintf");
+                        
+                if (is_link(fullname)) {
+                        char* fname = realpath(fullname, NULL);
+                        if (fname) {
+                                if (strcmp(fname, firejail_exec) == 0)
+                                        printf("%s\n", fullname);
+                                free(fname);
+                        }
+                }
+                free(fullname);
+        }
+                        
+        closedir(dir);
+        free(firejail_exec);
+}
+
+static void clear(void) {
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to run this command\n");
+                exit(1);
+        }
+
+        DIR *dir = opendir("/usr/local/bin");
+        if (!dir) {
+                fprintf(stderr, "Error: cannot open /usr/local/bin directory\n");
+                exit(1);
+        }
+
+        char *firejail_exec;
+        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+                errExit("asprintf");
+
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                
+                char *fullname;
+                if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
+                        errExit("asprintf");
+                        
+                if (is_link(fullname)) {
+                        char* fname = realpath(fullname, NULL);
+                        if (fname) {
+                                if (strcmp(fname, firejail_exec) == 0) {
+                                        printf("%s removed\n", fullname);
+                                        unlink(fullname);
+                                }
+                                free(fname);
+                        }
+                }
+                free(fullname);
+        }
+                        
+        closedir(dir);
+        free(firejail_exec);
+}
+
+static void set_file(const char *name, const char *firejail_exec) {
+        if (which(name) == 0)
+                return;
+
+        char *fname;
+        if (asprintf(&fname, "/usr/local/bin/%s", name) == -1)
+                errExit("asprintf");
+        
+        struct stat s;
+        if (stat(fname, &s) == 0)
+                ; //printf("%s already present\n", fname);
+        else {
+                int rv = symlink(firejail_exec, fname);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot create %s symbolic link\n", fname);
+                        perror("symlink");
+                }
+                else
+                        printf("%s created\n", fname);
+        }
+        
+        free(fname);
+}
+
+#define MAX_BUF 1024
+static void set(void) {
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to run this command\n");
+                exit(1);
+        }
+
+        char *cfgfile;
+        if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
+                errExit("asprintf");
+
+        char *firejail_exec;
+        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(cfgfile, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", cfgfile);
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        int lineno = 0;
+        while (fgets(buf, MAX_BUF,fp)) {
+                lineno++;
+                if (*buf == '#') // comments
+                        continue;
+
+                // do not accept .. and/or / in file name
+                if (strstr(buf, "..") || strchr(buf, '/')) {
+                        fprintf(stderr, "Error: invalid line %d in %s\n", lineno, cfgfile);
+                        exit(1);
+                }
+                
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                        
+                // trim spaces
+                ptr = buf;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                char *start = ptr;
+                
+                // empty line
+                if (*start == '\0')
+                        continue;
+
+                // set link
+                set_file(start, firejail_exec);
+        }
+
+        fclose(fp);
+        free(cfgfile);
+        free(firejail_exec);
+}
+
+int main(int argc, char **argv) {
+        int i;
+        
+        for (i = 1; i < argc; i++) {
+                // default options
+                if (strcmp(argv[i], "--help") == 0 ||
+                    strcmp(argv[i], "-?") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--version") == 0) {
+                        printf("firecfg version %s\n\n", VERSION);
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--clean") == 0) {
+                        clear();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--list") == 0) {
+                        list();
+                        return 0;
+                }
+                else {
+                        fprintf(stderr, "Error: invalid command line option\n");
+                        usage();
+                        return 1;
+                }
+        }
+        
+        set();
+        
+        return 0;
+}
+
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 3ad4ba75e..21f415ba5 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
new file mode 100644
index 000000000..db9382dc3
--- /dev/null
+++ b/src/firejail/appimage.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+// http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=770fe30a46a12b6fb6b63fbe1737654d28e84844
+// sudo mount -o loop krita-3.0-x86_64.appimage mnt
+
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <fcntl.h>
+#include <linux/loop.h>
+#include <errno.h>
+
+static char *devloop = NULL;    // device file 
+static char *mntdir = NULL;     // mount point in /tmp directory
+
+const char *appimage_getdir(void) {
+        return mntdir;
+}
+
+void appimage_set(const char *appimage_path) {
+        assert(appimage_path);
+        assert(devloop == NULL);        // don't call this twice!
+        EUID_ASSERT();
+        
+        // check appimage_path
+        if (access(appimage_path, R_OK) == -1) {
+                fprintf(stderr, "Error: cannot access AppImage file\n");
+                exit(1);
+        }
+        
+        EUID_ROOT();
+        
+        // find or allocate a free loop device to use
+        int cfd = open("/dev/loop-control", O_RDWR);
+        int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
+        if (devnr == -1) {
+                fprintf(stderr, "Error: cannot allocate a new loopback device\n");
+                exit(1);
+        }
+        close(cfd);
+        if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
+                errExit("asprintf");
+                
+        int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC);
+        int lfd = open(devloop, O_RDONLY);
+        if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) {
+                fprintf(stderr, "Error: cannot configure the loopback device\n");
+                exit(1);
+        }
+        close(lfd);
+        close(ffd);
+        
+        char dirname[] = "/tmp/firejail-mnt-XXXXXX";
+        mntdir =  strdup(mkdtemp(dirname));
+        if (mntdir == NULL) {
+                fprintf(stderr, "Error: cannot create temporary directory\n");
+                exit(1);
+        }
+        mkdir(mntdir, 755);
+        if (chown(mntdir, getuid(), getgid()) == -1)
+                errExit("chown");
+        if (chmod(mntdir, 755) == -1)
+                errExit("chmod");
+        
+        char *mode;
+        if (asprintf(&mode, "mode=755,uid=%d,gid=%d", getuid(), getgid()) == -1)
+                errExit("asprintf");
+
+        if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
+                errExit("mounting appimage");
+
+
+        if (arg_debug)
+                printf("appimage mounted on %s\n", mntdir);
+        EUID_USER();
+
+        if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0)
+                errExit("setenv");
+        
+        if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
+                errExit("setenv");
+
+        // build new command line
+        if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
+                errExit("asprintf");
+        
+        free(mode);
+}
+
+void appimage_clear(void) {
+        int rv;
+
+        if (mntdir) {
+                rv = umount2(mntdir, MNT_FORCE);
+                if (rv == -1 && errno == EBUSY) {
+                        sleep(1);                       
+                        rv = umount2(mntdir, MNT_FORCE);
+                        (void) rv;
+                        
+                }
+                rmdir(mntdir);
+                free(mntdir);
+        }
+
+        if (devloop) {
+                int lfd = open(devloop, O_RDONLY);
+                rv = ioctl(lfd, LOOP_CLR_FD, 0);
+                (void) rv;
+                close(lfd);
+        }
+}
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 0be23b9bc..34c5ca509 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -112,28 +112,11 @@ int fibw_count(void) {
         
 
 //***********************************
-// shm file handling
+// run file handling
 //***********************************
-void shm_create_firejail_dir(void) {
-        struct stat s;
-        if (stat("/dev/shm/firejail", &s) == -1) {
-                /* coverity[toctou] */
-                if (mkdir("/dev/shm/firejail", 0644) == -1)
-                        errExit("mkdir");
-                if (chown("/dev/shm/firejail", 0, 0) == -1)
-                        errExit("chown");
-        }
-        else { // check /dev/shm/firejail directory belongs to root end exit if doesn't!
-                if (s.st_uid != 0 || s.st_gid != 0) {
-                        fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail");
-                        exit(1);
-                }
-        }
-}
-
-static void shm_create_bandwidth_file(pid_t pid) {
+static void bandwidth_create_run_file(pid_t pid) {
         char *fname;
-        if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1)
+        if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
         
         // if the file already exists, do nothing
@@ -157,33 +140,33 @@ static void shm_create_bandwidth_file(pid_t pid) {
                         errExit("chown");
         }
         else {
-                fprintf(stderr, "Error: cannot create bandwidth file in /dev/shm/firejail directory\n");
+                fprintf(stderr, "Error: cannot create bandwidth file\n");
                 exit(1);
         }
         
         free(fname);
 }
 
-// delete shm bandwidth file
-void bandwidth_shm_del_file(pid_t pid) {
+// delete bandwidth file
+void bandwidth_del_run_file(pid_t pid) {
         char *fname;
-        if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1)
+        if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
         unlink(fname);
         free(fname);
 }
 
-void network_shm_del_file(pid_t pid) {
+void network_del_run_file(pid_t pid) {
         char *fname;
-        if (asprintf(&fname, "/dev/shm/firejail/%d-netmap", (int) pid) == -1)
+        if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
                 errExit("asprintf");
         unlink(fname);
         free(fname);
 }
 
-void network_shm_set_file(pid_t pid) {
+void network_set_run_file(pid_t pid) {
         char *fname;
-        if (asprintf(&fname, "/dev/shm/firejail/%d-netmap", (int) pid) == -1)
+        if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
                 errExit("asprintf");
         
         // create an empty file and set mod and ownership
@@ -205,7 +188,7 @@ void network_shm_set_file(pid_t pid) {
                         errExit("chown");
         }
         else {
-                fprintf(stderr, "Error: cannot create network map file in /dev/shm/firejail directory\n");
+                fprintf(stderr, "Error: cannot create network map file\n");
                 exit(1);
         }
         
@@ -213,11 +196,11 @@ void network_shm_set_file(pid_t pid) {
 }
 
 
-void shm_read_bandwidth_file(pid_t pid) {
+static void read_bandwidth_file(pid_t pid) {
         assert(ifbw == NULL);
 
         char *fname;
-        if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1)
+        if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
         FILE *fp = fopen(fname, "r");
@@ -248,12 +231,12 @@ void shm_read_bandwidth_file(pid_t pid) {
         }
 }
 
-void shm_write_bandwidth_file(pid_t pid) {
+static void write_bandwidth_file(pid_t pid) {
         if (ifbw == NULL)
                 return; // nothing to do
 
         char *fname;
-        if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1)
+        if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
         FILE *fp = fopen(fname, "w");
@@ -279,33 +262,30 @@ errout:
 // add or remove interfaces
 //***********************************
 
-// remove interface from shm file
-void bandwidth_shm_remove(pid_t pid, const char *dev) {
-        // create bandwidth directory & file in case they are not in the filesystem yet
-        shm_create_firejail_dir();
-        shm_create_bandwidth_file(pid);
+// remove interface from run file
+void bandwidth_remove(pid_t pid, const char *dev) {
+        bandwidth_create_run_file(pid);
         
         // read bandwidth file
-        shm_read_bandwidth_file(pid);
+        read_bandwidth_file(pid);
         
         // find the element and remove it
         IFBW *elem = ifbw_find(dev);
         if (elem) {
                 ifbw_remove(elem);
-                shm_write_bandwidth_file(pid) ;
+                write_bandwidth_file(pid) ;
         }
         
         // remove the file if there are no entries in the list
         if (ifbw == NULL) {
-                bandwidth_shm_del_file(pid);
+                 bandwidth_del_run_file(pid);
         }
 }
 
-// add interface to shm file
-void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) {
+// add interface to run file
+void bandwidth_set(pid_t pid, const char *dev, int down, int up) {
         // create bandwidth directory & file in case they are not in the filesystem yet
-        shm_create_firejail_dir();
-        shm_create_bandwidth_file(pid);
+        bandwidth_create_run_file(pid);
 
         // create the new text entry
         char *txt;
@@ -313,7 +293,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) {
                 errExit("asprintf");
         
         // read bandwidth file
-        shm_read_bandwidth_file(pid);
+        read_bandwidth_file(pid);
 
         // look for an existing entry and replace the text
         IFBW *ptr = ifbw_find(dev);
@@ -333,7 +313,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) {
                 // add it to the linked list
                 ifbw_add(ifbw_new);
         }
-        shm_write_bandwidth_file(pid) ;
+        write_bandwidth_file(pid) ;
 }
 
 
@@ -341,6 +321,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) {
 // command execution
 //***********************************
 void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) {
+        EUID_ASSERT();
         if (!name || strlen(name) == 0) {
                 fprintf(stderr, "Error: invalid sandbox name\n");
                 exit(1);
@@ -355,10 +336,13 @@ void bandwidth_name(const char *name, const char *command, const char *dev, int
 }
 
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) {
+        EUID_ASSERT();
         //************************
         // verify sandbox
         //************************
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (!comm) {
                 fprintf(stderr, "Error: cannot find sandbox\n");
                 exit(1);
@@ -372,13 +356,14 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
         free(comm);
         
         // check network namespace
-        char *cmd = pid_proc_cmdline(pid);
-        if (!cmd || strstr(cmd, "--net") == NULL) {
+        char *name;
+        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(name, &s) == -1) {
                 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
                 exit(1);
         }
-        free(cmd);
-
 
         //************************
         // join the network namespace
@@ -388,25 +373,27 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                 fprintf(stderr, "Error: cannot join the network namespace\n");
                 exit(1);
         }
+
+        EUID_ROOT();
         if (join_namespace(child, "net")) {
                 fprintf(stderr, "Error: cannot join the network namespace\n");
                 exit(1);
         }
 
-        // set shm file
+        // set run file
         if (strcmp(command, "set") == 0)
-                bandwidth_shm_set(pid, dev, down, up);
+                bandwidth_set(pid, dev, down, up);
         else if (strcmp(command, "clear") == 0)
-                bandwidth_shm_remove(pid, dev);
+                bandwidth_remove(pid, dev);
 
         //************************
         // build command
         //************************
         char *devname = NULL;
         if (dev) {
-                // read shm network map file
+                // read network map file
                 char *fname;
-                if (asprintf(&fname, "/dev/shm/firejail/%d-netmap", (int) pid) == -1)
+                if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
                         errExit("asprintf");
                 FILE *fp = fopen(fname, "r");
                 if (!fp) {
@@ -441,7 +428,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
         }
         
         // build fshaper.sh command
-        cmd = NULL;
+        char *cmd = NULL;
         if (devname) {
                 if (strcmp(command, "set") == 0) {
                         if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s %d %d",
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index de7c93b48..2d42c7d8a 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -247,11 +247,13 @@ void caps_print(void) {
         // check current caps supported by the kernel
         int cnt = 0;
         unsigned long cap;
+        EUID_ROOT();    // grsecurity fix
         for (cap=0; cap <= 63; cap++) {
                 int code = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
                 if (code == 0)
                         cnt++;
         }
+        EUID_USER();
         printf("Your kernel supports %d capabilities.\n", cnt);
         
         for (i = 0; i < elems; i++) {
@@ -373,7 +375,9 @@ static uint64_t extract_caps(int pid) {
                 exit(1);
         }
 
+        EUID_ROOT();    // grsecurity
         FILE *fp = fopen(file, "r");
+        EUID_USER();    // grsecurity
         if (!fp) {
                 printf("Error: cannot open %s\n", file);
                 free(file);
@@ -417,7 +421,9 @@ void caps_print_filter(pid_t pid) {
         EUID_ASSERT();
         
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();    // grsecurity
         char *comm = pid_proc_comm(pid);
+        EUID_USER();    // grsecurity
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
@@ -439,8 +445,6 @@ void caps_print_filter(pid_t pid) {
         }
 
         uint64_t caps = extract_caps(pid);
-        drop_privs(1);
-
         int i;
         uint64_t mask;
         int elems = sizeof(capslist) / sizeof(capslist[0]);
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 9ac08b1a6..7de491f5f 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -24,6 +24,9 @@
 
 static int initialized = 0;
 static int cfg_val[CFG_MAX];
+char *xephyr_screen = "800x600";
+char *xephyr_extra_params = "";
+char *netfilter_default = NULL;
 
 int checkcfg(int val) {
         EUID_ASSERT();
@@ -35,6 +38,9 @@ int checkcfg(int val) {
                 int i;
                 for (i = 0; i < CFG_MAX; i++)
                         cfg_val[i] = 1; // most of them are enabled by default
+
+                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
+                cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
                 
                 // open configuration file
                 char *fname;
@@ -43,10 +49,24 @@ int checkcfg(int val) {
 
                 FILE *fp = fopen(fname, "r");
                 if (!fp) {
-                        fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
+#ifdef HAVE_GLOBALCFG                   
+                        fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
                         exit(1);
+#else
+                        initialized = 1;
+                        return  cfg_val[val];
+#endif  
                 }
                 
+                // if the file exists, it should be owned by root
+                struct stat s;
+                if (stat(fname, &s) == -1)
+                        errExit("stat");
+                if (s.st_uid != 0 || s.st_gid != 0) {
+                        fprintf(stderr, "Error: configuration file should be owned by root\n");
+                        exit(1);
+                }
+
                 // read configuration file
                 char buf[MAX_READ];
                 while (fgets(buf,MAX_READ, fp)) {
@@ -58,7 +78,8 @@ int checkcfg(int val) {
                         char *ptr = line_remove_spaces(buf);
                         if (!ptr)
                                 continue;
-                                
+                        
+                        // file transfer        
                         if (strncmp(ptr, "file-transfer ", 14) == 0) {
                                 if (strcmp(ptr + 14, "yes") == 0)
                                         cfg_val[CFG_FILE_TRANSFER] = 1;
@@ -67,8 +88,142 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        // x11
+                        else if (strncmp(ptr, "x11 ", 4) == 0) {
+                                if (strcmp(ptr + 4, "yes") == 0)
+                                        cfg_val[CFG_X11] = 1;
+                                else if (strcmp(ptr + 4, "no") == 0)
+                                        cfg_val[CFG_X11] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // bind
+                        else if (strncmp(ptr, "bind ", 5) == 0) {
+                                if (strcmp(ptr + 5, "yes") == 0)
+                                        cfg_val[CFG_BIND] = 1;
+                                else if (strcmp(ptr + 5, "no") == 0)
+                                        cfg_val[CFG_BIND] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // user namespace
+                        else if (strncmp(ptr, "userns ", 7) == 0) {
+                                if (strcmp(ptr + 7, "yes") == 0)
+                                        cfg_val[CFG_USERNS] = 1;
+                                else if (strcmp(ptr + 7, "no") == 0)
+                                        cfg_val[CFG_USERNS] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // chroot
+                        else if (strncmp(ptr, "chroot ", 7) == 0) {
+                                if (strcmp(ptr + 7, "yes") == 0)
+                                        cfg_val[CFG_CHROOT] = 1;
+                                else if (strcmp(ptr + 7, "no") == 0)
+                                        cfg_val[CFG_CHROOT] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // nonewprivs
+                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        cfg_val[CFG_SECCOMP] = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        cfg_val[CFG_SECCOMP] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // seccomp
+                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
+                                if (strcmp(ptr + 8, "yes") == 0)
+                                        cfg_val[CFG_SECCOMP] = 1;
+                                else if (strcmp(ptr + 8, "no") == 0)
+                                        cfg_val[CFG_SECCOMP] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // whitelist
+                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
+                                if (strcmp(ptr + 10, "yes") == 0)
+                                        cfg_val[CFG_WHITELIST] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_WHITELIST] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // network
+                        else if (strncmp(ptr, "network ", 8) == 0) {
+                                if (strcmp(ptr + 8, "yes") == 0)
+                                        cfg_val[CFG_NETWORK] = 1;
+                                else if (strcmp(ptr + 8, "no") == 0)
+                                        cfg_val[CFG_NETWORK] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // network
+                        else if (strncmp(ptr, "restricted-network ", 19) == 0) {
+                                if (strcmp(ptr + 19, "yes") == 0)
+                                        cfg_val[CFG_RESTRICTED_NETWORK] = 1;
+                                else if (strcmp(ptr + 19, "no") == 0)
+                                        cfg_val[CFG_RESTRICTED_NETWORK] = 0;
+                                else
+                                        goto errout;
+                        }
+                        // netfilter
+                        else if (strncmp(ptr, "netfilter-default ", 18) == 0) {
+                                char *fname = ptr + 18;
+                                while (*fname == ' ' || *fname == '\t')
+                                        ptr++;
+                                char *end = strchr(fname, ' ');
+                                if (end)
+                                        *end = '\0';
+                                
+                                // is the file present?
+                                struct stat s;
+                                if (stat(fname, &s) == -1) {
+                                        fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
+                                        exit(1);
+                                }
+                                
+                                netfilter_default = strdup(fname);
+                                if (!netfilter_default)
+                                        errExit("strdup");
+                                if (arg_debug)
+                                        printf("netfilter default file %s\n", fname);
+                        }
+                        
+                        // Xephyr screen size
+                        else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
+                                // expecting two numbers and an x between them
+                                int n1;
+                                int n2;
+                                int rv = sscanf(ptr + 14, "%dx%d", &n1, &n2);
+                                if (rv != 2)
+                                        goto errout;
+                                if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1)
+                                        errExit("asprintf");
+                        }
+        
+                        // xephyr window title
+                        else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) {
+                                if (strcmp(ptr + 20, "yes") == 0)
+                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1;
+                                else if (strcmp(ptr + 20, "no") == 0)
+                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0;
+                                else
+                                        goto errout;
+                        }
+                                
+                        // Xephyr command extra parameters
+                        else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) {
+                                xephyr_extra_params = strdup(ptr + 19);
+                                if (!xephyr_extra_params)
+                                        errExit("strdup");
+                        }
+
                         else
                                 goto errout;
+
                         free(ptr);
                 }
 
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 23906ae48..1802ad5e1 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) {
                                 printf("CPU affinity not set\n");
                 }
 }
+
+static void print_cpu(int pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+                errExit("asprintf");
+                exit(1);
+        }
+
+        EUID_ROOT();    // grsecurity
+        FILE *fp = fopen(file, "r");
+        EUID_USER();    // grsecurity
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+
+#define MAXBUF 4096     
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
+                        printf("  %s", buf);
+                        fflush(0);
+                        free(file);
+                        fclose(fp);
+                        return;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
+
+void cpu_print_filter_name(const char *name) {
+        EUID_ASSERT();
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+        pid_t pid;
+        if (name2pid(name, &pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+
+        cpu_print_filter(pid);
+}
+
+void cpu_print_filter(pid_t pid) {
+        EUID_ASSERT();
+        
+        // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();    // grsecurity
+        char *comm = pid_proc_comm(pid);
+        EUID_USER();    // grsecurity
+        if (comm) {
+                if (strcmp(comm, "firejail") == 0) {
+                        pid_t child;
+                        if (find_child(pid, &child) == 0) {
+                                pid = child;
+                        }
+                }
+                free(comm);
+        }
+
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission denied.\n");
+                        exit(1);
+                }
+        }
+
+        print_cpu(pid);
+        exit(0);
+}
+
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 54a6b0036..1a6236407 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
         struct env_t *next;
         char *name;
         char *value;
+        ENV_OP op;
 } Env;
 static Env *envlist = NULL;
 
 static void env_add(Env *env) {
-        env->next = envlist;
-        envlist = env;
+        env->next = NULL;
+        
+        // add the new entry at the end of the list
+        if (envlist == NULL) {
+                envlist = env;
+                return;
+        }
+        
+        Env *ptr = envlist;
+        while (1) {
+                if (ptr->next == NULL) {
+                        ptr->next = env;
+                        break;
+                }
+                ptr = ptr->next;
+        }
 }
 
 // load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
                         if (arg_debug)
                                 printf("%s\n", buf);
                         EUID_USER();
-                        env_store(buf);
+                        env_store(buf, SETENV);
                         EUID_ROOT();
                 }
 
@@ -126,7 +141,7 @@ void env_defaults(void) {
 }
 
 // parse and store the environment setting 
-void env_store(const char *str) {
+void env_store(const char *str, ENV_OP op) {
         EUID_ASSERT();
         assert(str);
         
@@ -134,11 +149,13 @@ void env_store(const char *str) {
         if (*str == '\0')
                 goto errexit;
         char *ptr = strchr(str, '=');
-        if (!ptr)
-                goto errexit;
-        ptr++;
-        if (*ptr == '\0')
-                goto errexit;
+        if (op == SETENV) {
+                if (!ptr)
+                        goto errexit;
+                ptr++;
+                if (*ptr == '\0')
+                        goto errexit;
+        }
 
         // build list entry
         Env *env = malloc(sizeof(Env));
@@ -148,10 +165,13 @@ void env_store(const char *str) {
         env->name = strdup(str);
         if (env->name == NULL)
                 errExit("strdup");
-        char *ptr2 = strchr(env->name, '=');
-        assert(ptr2);
-        *ptr2 = '\0';
-        env->value = ptr2 + 1;
+        if (op == SETENV) {
+                char *ptr2 = strchr(env->name, '=');
+                assert(ptr2);
+                *ptr2 = '\0';
+                env->value = ptr2 + 1;
+        }
+        env->op = op;
         
         // add entry to the list
         env_add(env);
@@ -167,8 +187,13 @@ void env_apply(void) {
         Env *env = envlist;
         
         while (env) {
-                if (setenv(env->name, env->value, 1) < 0)
-                        errExit("setenv");
+                if (env->op == SETENV) {
+                        if (setenv(env->name, env->value, 1) < 0)
+                                errExit("setenv");
+                }
+                else if (env->op == RMENV) {
+                        unsetenv(env->name);
+                }
                 env = env->next;
         }
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index bf0937f35..7a538327d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -44,6 +44,7 @@
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_DRI_DIR     "/run/firejail/mnt/dri"
+#define RUN_SND_DIR     "/run/firejail/mnt/snd"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
 #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
 
@@ -68,7 +69,7 @@
 #define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
 
 // profiles
-#define DEFAULT_USER_PROFILE    "generic"
+#define DEFAULT_USER_PROFILE    "default"
 #define DEFAULT_ROOT_PROFILE    "server"
 #define MAX_INCLUDE_LEVEL 6             // include levels in profile files
 
@@ -182,6 +183,19 @@ typedef struct config_t {
 } Config;
 extern Config cfg;
 
+static inline Bridge *last_bridge_configured(void) {
+        if (cfg.bridge3.configured)
+                return &cfg.bridge3;
+        else if (cfg.bridge2.configured)
+                return &cfg.bridge2;
+        else if (cfg.bridge1.configured)
+                return &cfg.bridge1;
+        else if (cfg.bridge0.configured)
+                return &cfg.bridge0;
+        else
+                return NULL;
+}
+
 static inline int any_bridge_configured(void) {
         if (cfg.bridge0.configured || cfg.bridge1.configured || cfg.bridge2.configured || cfg.bridge3.configured)
                 return 1;
@@ -195,6 +209,7 @@ static inline int any_interface_configured(void) {
         else
                 return 0;
 }
+void clear_run_files(pid_t pid);
 
 extern int arg_private;         // mount private /home
 extern int arg_debug;           // print debug messages
@@ -223,6 +238,7 @@ extern int arg_rlimit_nproc;	// rlimit nproc
 extern int arg_rlimit_fsize;    // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups;        // disable supplementary groups
+extern int arg_nonewprivs;      // set the NO_NEW_PRIVS prctl
 extern int arg_noroot;          // create a new user namespace and disable root user
 extern int arg_netfilter;       // enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
@@ -242,6 +258,11 @@ extern int arg_join_network;	// join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice;            // nice value configured
 extern int arg_ipc;             // enable ipc namespace
+extern int arg_writable_etc;    // writable etc
+extern int arg_writable_var;    // writable var
+extern int arg_appimage;        // appimage
+extern int arg_audit;           // audit
+extern char *arg_audit_prog;    // audit
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -264,6 +285,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
 void net_dns_print_name(const char *name);
 void net_dns_print(pid_t pid);
+void network_main(pid_t child);
 
 // network.c
 void net_if_up(const char *ifname);
@@ -291,6 +313,8 @@ void fs_delete_cp_command(void) ;
 void fs_blacklist(void);
 // remount a directory read-only
 void fs_rdonly(const char *dir);
+// remount a directory noexec, nodev and nosuid
+void fs_noexec(const char *dir);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // build a basic read-only filesystem
@@ -370,6 +394,7 @@ const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
 uid_t get_tty_gid(void);
+uid_t get_audio_gid(void);
 
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -384,6 +409,7 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
+void fs_dev_disable_sound();
 
 // fs_home.c
 // private mode (--private)
@@ -436,6 +462,8 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
+void cpu_print_filter_name(const char *name);
+void cpu_print_filter(pid_t pid);
 
 // cgroup.c
 void save_cgroup(void);
@@ -451,24 +479,28 @@ void netfilter(const char *fname);
 void netfilter6(const char *fname);
 
 // bandwidth.c
-void shm_create_firejail_dir(void);
-void bandwidth_shm_del_file(pid_t pid);
-void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up);
+void bandwidth_del_run_file(pid_t pid);
 void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
-void network_shm_del_file(pid_t pid);
-void network_shm_set_file(pid_t pid);
+void network_del_run_file(pid_t pid);
+void network_set_run_file(pid_t pid);
 
 // fs_etc.c
 void fs_check_etc_list(void);
 void fs_private_etc_list(void);
 
 // no_sandbox.c
+int check_namespace_virt(void);
 int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 
 // env.c
-void env_store(const char *str);
+typedef enum {
+        SETENV = 0,
+        RMENV
+} ENV_OP;
+
+void env_store(const char *str, ENV_OP op);
 void env_apply(void);
 void env_defaults(void);
 void env_ibus_load(void);
@@ -515,21 +547,19 @@ void fs_logger_print_log(pid_t pid);
 // run_symlink.c
 void run_symlink(int argc, char **argv);
 
-// user.c
-void check_user(int argc, char **argv);
-
 // paths.c
 char **build_paths(void);
 
 // fs_mkdir.c
 void fs_mkdir(const char *name);
+void fs_mkfile(const char *name);
 
 // x11.c
 void fs_x11(void);
-void x11_start(int argc, char **argv);
 int x11_display(void);
-// return 1 if xpra is installed on the system
-int x11_check_xpra(void);
+void x11_start(int argc, char **argv);
+void x11_start_xpra(int argc, char **argv);
+void x11_start_xephyr(int argc, char **argv);
 
 // ls.c
 #define SANDBOX_FS_LS 0
@@ -539,8 +569,26 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 
 // checkcfg.c
 #define CFG_FILE_TRANSFER 0
-#define CFG_MAX 1 // this should always be the last entry
+#define CFG_X11 1
+#define CFG_BIND 2
+#define CFG_USERNS 3
+#define CFG_CHROOT 4
+#define CFG_SECCOMP 5
+#define CFG_NETWORK 6
+#define CFG_RESTRICTED_NETWORK 7
+#define CFG_FORCE_NONEWPRIVS 8
+#define CFG_WHITELIST 9
+#define CFG_XEPHYR_WINDOW_TITLE 10
+#define CFG_MAX 11 // this should always be the last entry
+extern char *xephyr_screen;
+extern char *xephyr_extra_params;
+extern char *netfilter_default;
 int checkcfg(int val);
 
+// appimage.c
+void appimage_set(const char *appimage_path);
+void appimage_clear(void);
+const char *appimage_getdir(void);
+
 #endif
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index acee0ba1d..ff5887c10 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,6 +27,8 @@
 #include <fcntl.h>
 #include <errno.h>
 
+static void fs_rdwr(const char *dir);
+
 static void create_empty_dir(void) {
         struct stat s;
         
@@ -228,6 +230,8 @@ typedef enum {
         BLACKLIST_NOLOG,
         MOUNT_READONLY,
         MOUNT_TMPFS,
+        MOUNT_NOEXEC,
+        MOUNT_RDWR,
         OPERATION_MAX
 } OPERATION;
 
@@ -248,8 +252,6 @@ static void disable_file(OPERATION op, const char *filename) {
         // Resolve all symlinks
         char* fname = realpath(filename, NULL);
         if (fname == NULL && errno != EACCES) {
-                if (arg_debug)
-                        printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);
                 return;
         }
         if (fname == NULL && errno == EACCES) {
@@ -332,6 +334,18 @@ static void disable_file(OPERATION op, const char *filename) {
                 fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
         }
+        else if (op == MOUNT_RDWR) {
+                if (arg_debug)
+                        printf("Mounting read-only %s\n", fname);
+                fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
+        else if (op == MOUNT_NOEXEC) {
+                if (arg_debug)
+                        printf("Mounting noexec %s\n", fname);
+                fs_noexec(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
         else if (op == MOUNT_TMPFS) {
                 if (S_ISDIR(s.st_mode)) {
                         if (arg_debug)
@@ -361,7 +375,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
         glob_t globbuf;
         // Profiles contain blacklists for files that might not exist on a user's machine.
         // GLOB_NOCHECK makes that okay.
-        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
         if (globerr) {
                 fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
                 exit(1);
@@ -435,12 +449,12 @@ void fs_blacklist(void) {
                         }
                         struct stat s;
                         if (stat(dname1, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find directories for bind command\n");
+                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
                                 entry = entry->next;
                                 continue;
                         }
                         if (stat(dname2, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find directories for bind command\n");
+                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
                                 entry = entry->next;
                                 continue;
                         }
@@ -465,13 +479,11 @@ void fs_blacklist(void) {
                 // Process noblacklist command
                 if (strncmp(entry->data, "noblacklist ", 12) == 0) {
                         if (noblacklist_c >= noblacklist_m) {
-                                noblacklist_m *= 2;
-                                noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m);
-                                if (noblacklist == NULL)
-                                        errExit("failed increasing memory for noblacklist entries");
-                        }
-                        else
-                                noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir);
+                        noblacklist_m *= 2;
+                        noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m);
+                        if (noblacklist == NULL)
+                                errExit("failed increasing memory for noblacklist entries");}
+                        noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir);
                         entry = entry->next;
                         continue;
                 }
@@ -489,6 +501,14 @@ void fs_blacklist(void) {
                         ptr = entry->data + 10;
                         op = MOUNT_READONLY;
                 }                       
+                else if (strncmp(entry->data, "read-write ", 11) == 0) {
+                        ptr = entry->data + 11;
+                        op = MOUNT_RDWR;
+                }                       
+                else if (strncmp(entry->data, "noexec ", 7) == 0) {
+                        ptr = entry->data + 7;
+                        op = MOUNT_NOEXEC;
+                }                       
                 else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
                         ptr = entry->data + 6;
                         op = MOUNT_TMPFS;
@@ -503,12 +523,12 @@ void fs_blacklist(void) {
                 char *new_name = expand_home(ptr, homedir);
                 ptr = new_name;
 
-                // expand path macro - look for the file in /bin, /usr/bin, /sbin and  /usr/sbin directories
+                // expand path macro - look for the file in /usr/local/bin,  /usr/local/sbin, /bin, /usr/bin, /sbin and  /usr/sbin directories
                 if (ptr) {
                         if (strncmp(ptr, "${PATH}", 7) == 0) {
                                 char *fname = ptr + 7;
                                 size_t fname_len = strlen(fname);
-                                char **paths = build_paths(); //{"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL};
+                                char **paths = build_paths(); //{"/usr/local/bin", "/usr/local/sbin", "/bin", "/usr/bin/", "/sbin", "/usr/sbin", NULL};
                                 int i = 0;
                                 while (paths[i] != NULL) {
                                         char *path = paths[i];
@@ -552,6 +572,48 @@ void fs_rdonly(const char *dir) {
                 fs_logger2("read-only", dir);
         }
 }
+
+static void fs_rdwr(const char *dir) {
+        assert(dir);
+        // check directory exists
+        struct stat s;
+        int rv = stat(dir, &s);
+        if (rv == 0) {
+                // if the file is outside /home directory, allow only root user
+                uid_t u = getuid();
+                if (u != 0 && s.st_uid != u) {
+                        fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+                        return;
+                }
+                
+                // mount --bind /bin /bin
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                // mount --bind -o remount,rw /bin
+                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                fs_logger2("read-write", dir);
+        }
+}
+
+void fs_noexec(const char *dir) {
+        assert(dir);
+        // check directory exists
+        struct stat s;
+        int rv = stat(dir, &s);
+        if (rv == 0) {
+                // mount --bind /bin /bin
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount noexec");
+                // mount --bind -o remount,ro /bin
+                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
+                        errExit("mount read-only");
+                fs_logger2("noexec", dir);
+        }
+}
+
+
+
 void fs_rdonly_noexit(const char *dir) {
         assert(dir);
         // check directory exists
@@ -574,8 +636,6 @@ void fs_rdonly_noexit(const char *dir) {
 
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
-        struct stat s;
-
         if (arg_debug)
                 printf("Remounting /proc and /proc/sys filesystems\n");
         if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
@@ -603,132 +663,107 @@ void fs_proc_sys_dev_boot(void) {
                         fs_logger("remount /sys");
         }
                 
-        if (stat("/sys/firmware", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/firmware");
-        }
-                
-        if (stat("/sys/hypervisor", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        }
-
-        if (stat("/sys/fs", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/fs");
-        }
-
-        if (stat("/sys/module", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/module");
-        }
-
-        if (stat("/sys/power", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/sys/power");
-        }
+        disable_file(BLACKLIST_FILE, "/sys/firmware");
+        disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+        disable_file(BLACKLIST_FILE, "/sys/fs");
+        disable_file(BLACKLIST_FILE, "/sys/module");
+        disable_file(BLACKLIST_FILE, "/sys/power");
+        disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
+        disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
+        disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
 
 //      if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 //              errExit("mounting /sys");
 
-        // Disable SysRq
-        // a linux box can be shut down easily using the following commands (as root):
-        // # echo 1 > /proc/sys/kernel/sysrq
-        // #echo b > /proc/sysrq-trigger
-        // for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
-        if (arg_debug)
-                printf("Disable /proc/sysrq-trigger\n");
-        fs_rdonly_noexit("/proc/sysrq-trigger");
-        
-        // disable hotplug and uevent_helper
-        if (arg_debug)
-                printf("Disable /proc/sys/kernel/hotplug\n");
-        fs_rdonly_noexit("/proc/sys/kernel/hotplug");
-        if (arg_debug)
-                printf("Disable /sys/kernel/uevent_helper\n");
-        fs_rdonly_noexit("/sys/kernel/uevent_helper");
-        
-        // read-only /proc/irq and /proc/bus
-        if (arg_debug)
-                printf("Disable /proc/irq\n");
-        fs_rdonly_noexit("/proc/irq");
-        if (arg_debug)
-                printf("Disable /proc/bus\n");
-        fs_rdonly_noexit("/proc/bus");
-        
-        // disable /proc/kcore
-        disable_file(BLACKLIST_FILE, "/proc/kcore");
 
-        // disable /proc/kallsyms
+        // various /proc/sys files
+        disable_file(BLACKLIST_FILE, "/proc/sys/security");     
+        disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");     
+        disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");       
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");  
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");      
+        disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
+        disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
+        disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
+
+
+        // various /proc files
+        disable_file(BLACKLIST_FILE, "/proc/irq");
+        disable_file(BLACKLIST_FILE, "/proc/bus");
+        disable_file(BLACKLIST_FILE, "/proc/config.gz");        
+        disable_file(BLACKLIST_FILE, "/proc/sched_debug");      
+        disable_file(BLACKLIST_FILE, "/proc/timer_list");       
+        disable_file(BLACKLIST_FILE, "/proc/timer_stats");      
+        disable_file(BLACKLIST_FILE, "/proc/kcore");
         disable_file(BLACKLIST_FILE, "/proc/kallsyms");
+        disable_file(BLACKLIST_FILE, "/proc/mem");
+        disable_file(BLACKLIST_FILE, "/proc/kmem");
         
         // disable /boot
-        if (stat("/boot", &s) == 0) {
-                if (arg_debug)
-                        printf("Disable /boot directory\n");
-                disable_file(BLACKLIST_FILE, "/boot");
-        }
+        disable_file(BLACKLIST_FILE, "/boot");
         
         // disable /selinux
-        if (stat("/selinux", &s) == 0) {
-                if (arg_debug)
-                        printf("Disable /selinux directory\n");
-                disable_file(BLACKLIST_FILE, "/selinux");
-        }
+        disable_file(BLACKLIST_FILE, "/selinux");
         
         // disable /dev/port
-        if (stat("/dev/port", &s) == 0) {
-                disable_file(BLACKLIST_FILE, "/dev/port");
-        }
+        disable_file(BLACKLIST_FILE, "/dev/port");
         
         if (getuid() != 0) {
-                // disable /dev/kmsg
-                if (stat("/dev/kmsg", &s) == 0) {
-                        disable_file(BLACKLIST_FILE, "/dev/kmsg");
-                }
-                
-                // disable /proc/kmsg
-                if (stat("/proc/kmsg", &s) == 0) {
-                        disable_file(BLACKLIST_FILE, "/proc/kmsg");
-                }
+                // disable /dev/kmsg and /proc/kmsg
+                disable_file(BLACKLIST_FILE, "/dev/kmsg");
+                disable_file(BLACKLIST_FILE, "/proc/kmsg");
         }
 }
 
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
-static void disable_firejail_config(void) {
+static void disable_config(void) {
         struct stat s;
-        if (stat("/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/etc/firejail");
 
         char *fname;
         if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                 errExit("asprintf");
         if (stat(fname, &s) == 0)
                 disable_file(BLACKLIST_FILE, fname);
-        
-        if (stat("/usr/local/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
-
-        if (strcmp(PREFIX, "/usr/local")) {
-                if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-                        errExit("asprintf");
-                if (stat(fname, &s) == 0)
-                        disable_file(BLACKLIST_FILE, fname);
-        }
-
-        
-        
         free(fname);
+        
+        // disable run time information
+        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+        if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
 }
 
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
+        uid_t uid = getuid();
+        
         if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+        if (!arg_writable_etc) {
+                fs_rdonly("/etc");
+                if (uid)
+                        fs_noexec("/etc");
+                if (arg_debug) printf(", /etc");
+        }
+        if (!arg_writable_var) {
+                fs_rdonly("/var");
+                if (uid)
+                        fs_noexec("/var");
+                if (arg_debug) printf(", /var");
+        }
+        if (arg_debug) printf("\n");
         fs_rdonly("/bin");
         fs_rdonly("/sbin");
         fs_rdonly("/lib");
         fs_rdonly("/lib64");
         fs_rdonly("/lib32");
+        fs_rdonly("/libx32");
         fs_rdonly("/usr");
-        fs_rdonly("/etc");
-        fs_rdonly("/var");
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         if (!arg_private_dev)
@@ -743,7 +778,11 @@ void fs_basic_fs(void) {
         // don't leak user information
         restrict_users();
         
-        disable_firejail_config();
+        // when starting as root, firejail config is not disabled;
+        // this mode could be used to install and test new software by chaining
+        // firejail sandboxes (firejail --force)
+        if (uid)
+                disable_config();
 }
 
 
@@ -943,6 +982,21 @@ void fs_overlayfs(void) {
                 errExit("mounting /run");
         fs_logger("whitelist /run");
 
+        // mount-bind /tmp/.X11-unix directory
+        struct stat s;
+        if (stat("/tmp/.X11-unix", &s) == 0) {
+                if (arg_debug)
+                        printf("Mounting /tmp/.X11-unix\n");
+                char *x11;
+                if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1)
+                        errExit("asprintf");
+                if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        fprintf(stderr, "Warning: cannot mount /tmp/.X11-unix in overlay\n");
+                else
+                        fs_logger("whitelist /tmp/.X11-unix");
+                free(x11);
+        }
+
         // chroot in the new filesystem
         if (chroot(oroot) == -1)
                 errExit("chroot");
@@ -960,7 +1014,11 @@ void fs_overlayfs(void) {
         // don't leak user information
         restrict_users();
 
-        disable_firejail_config();
+        // when starting as root, firejail config is not disabled;
+        // this mode could be used to install and test new software by chaining
+        // firejail sandboxes (firejail --force)
+        if (getuid() != 0)
+                disable_config();
 
         // cleanup and exit
         free(option);
@@ -1005,7 +1063,7 @@ int fs_check_chroot_dir(const char *rootdir) {
         }
         free(name);
         
-        // check /proc
+        // check /tmp
         if (asprintf(&name, "%s/tmp", rootdir) == -1)
                 errExit("asprintf");
         if (stat(name, &s) == -1) {
@@ -1013,7 +1071,7 @@ int fs_check_chroot_dir(const char *rootdir) {
                 return 1;
         }
         free(name);
-        
+
         // check /bin/bash
         if (asprintf(&name, "%s/bin/bash", rootdir) == -1)
                 errExit("asprintf");
@@ -1023,6 +1081,18 @@ int fs_check_chroot_dir(const char *rootdir) {
         }
         free(name);
 
+        // check x11 socket directory
+        if (getenv("FIREJAIL_X11")) {
+                char *name;
+                if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1)
+                        errExit("asprintf");
+                if (stat(name, &s) == -1) {
+                        fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n");
+                        return 1;
+                }
+                free(name);
+        }
+        
         return 0;       
 }
 
@@ -1030,10 +1100,7 @@ int fs_check_chroot_dir(const char *rootdir) {
 void fs_chroot(const char *rootdir) {
         assert(rootdir);
         
-        //***********************************
         // mount-bind a /dev in rootdir
-        //***********************************
-        // mount /dev
         char *newdev;
         if (asprintf(&newdev, "%s/dev", rootdir) == -1)
                 errExit("asprintf");
@@ -1041,6 +1108,19 @@ void fs_chroot(const char *rootdir) {
                 printf("Mounting /dev on %s\n", newdev);
         if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mounting /dev");
+        free(newdev);
+        
+        // x11
+        if (getenv("FIREJAIL_X11")) {
+                char *newx11;
+                if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("Mounting /tmp/.X11-unix on %s\n", newx11);
+                if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mounting /tmp/.X11-unix");
+                free(newx11);
+        }
         
         // some older distros don't have a /run directory
         // create one by default
@@ -1091,7 +1171,11 @@ void fs_chroot(const char *rootdir) {
         // don't leak user information
         restrict_users();
 
-        disable_firejail_config();
+        // when starting as root, firejail config is not disabled;
+        // this mode could be used to install and test new software by chaining
+        // firejail sandboxes (firejail --force)
+        if (getuid() != 0)
+                disable_config();
 }
 #endif
 
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 2ee7f7504..ac731c246 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -25,10 +25,12 @@
 #include <unistd.h>
 
 static char *paths[] = {
-        "/bin",
-        "/sbin",
+        "/usr/local/bin",
         "/usr/bin",
+        "/bin",
+        "/usr/local/sbin",
         "/usr/sbin",
+        "/sbin",
         NULL
 };
 
@@ -46,8 +48,27 @@ static char *check_dir_or_file(const char *name) {
                         errExit("asprintf");
                 if (arg_debug)
                         printf("Checking %s/%s\n", paths[i], name);             
-                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
+                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
+                        // check symlink to firejail executable in /usr/local/bin
+                        if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
+                                char *actual_path = realpath(fname, NULL);
+                                if (actual_path) {
+                                        char *ptr = strstr(actual_path, "/firejail");
+                                        if (ptr && strlen(ptr) == strlen("/firejail")) {
+                                                if (arg_debug)
+                                                        printf("firejail exec symlink detected\n");
+                                                free(actual_path);
+                                                free(fname);
+                                                fname = NULL;
+                                                i++;
+                                                continue;
+                                        }
+                                        free(actual_path);
+                                }
+                                
+                        }               
                         break; // file found
+                }
                 
                 free(fname);
                 fname = NULL;
@@ -106,9 +127,9 @@ void fs_check_bin_list(void) {
         }
         
         if (*newlist == '\0') {
-                fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
-                cfg.bin_private_keep = NULL;
-                arg_private_bin = 0;
+//              fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
+//              cfg.bin_private_keep = NULL;
+//              arg_private_bin = 0;
                 free(newlist);
         }
         else {
@@ -129,7 +150,7 @@ static void duplicate(char *fname) {
         char *path = check_dir_or_file(fname);
         if (!path)
                 return;
-        
+
         // expand path, just in case this is a symbolic link
         char *full_path;
         if (asprintf(&full_path, "%s/%s", path, fname) == -1)
@@ -137,14 +158,28 @@ static void duplicate(char *fname) {
         
         char *actual_path = realpath(full_path, NULL);
         if (actual_path) {
-                // copy the file
-                if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1)
-                        errExit("asprintf");
-                if (arg_debug)
-                        printf("%s\n", cmd);
-                if (system(cmd))
-                        errExit("system cp -a");
-                free(cmd);
+                // if the file is a symbolic link not under path, make a symbolic link
+                if (is_link(full_path) && strncmp(actual_path, path, strlen(path))) {
+                        char *lnkname;
+                        if (asprintf(&lnkname, "%s/%s", RUN_BIN_DIR, fname) == -1)
+                                errExit("asprintf");
+                        int rv = symlink(actual_path, lnkname);
+                        if (rv)
+                                fprintf(stderr, "Warning cannot create symbolic link %s\n", lnkname);
+                        else if (arg_debug)
+                                printf("Created symbolic link %s -> %s\n", lnkname, actual_path);
+                        free(lnkname);
+                }
+                else {
+                        // copy the file
+                        if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1)
+                                errExit("asprintf");
+                        if (arg_debug)
+                                printf("%s\n", cmd);
+                        if (system(cmd))
+                                errExit("system cp -a");
+                        free(cmd);
+                }
                 free(actual_path);
         }
 
@@ -156,17 +191,6 @@ void fs_private_bin_list(void) {
         char *private_list = cfg.bin_private_keep;
         assert(private_list);
         
-        // check bin paths
-        int i = 0;
-        while (paths[i]) {
-                struct stat s;
-                if (stat(paths[i], &s) == -1) {
-                        fprintf(stderr, "Error: cannot find %s directory\n", paths[i]);
-                        exit(1);
-                }
-                i++;
-        }
-
         // create /tmp/firejail/mnt/bin directory
         fs_build_mnt_dir();
         int rv = mkdir(RUN_BIN_DIR, 0755);
@@ -212,15 +236,18 @@ void fs_private_bin_list(void) {
         // wait for the child to finish
         waitpid(child, NULL, 0);
 
-        // moun-bind
-        i = 0;
+        // mount-bind
+        int i = 0;
         while (paths[i]) {
-                if (arg_debug)
-                        printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
-                if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                fs_logger2("tmpfs", paths[i]);
-                fs_logger2("mount", paths[i]);
+                struct stat s;
+                if (stat(paths[i], &s) == 0) {
+                        if (arg_debug)
+                                printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
+                        if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        fs_logger2("tmpfs", paths[i]);
+                        fs_logger2("mount", paths[i]);
+                }
                 i++;
         }
         
@@ -234,11 +261,14 @@ void fs_private_bin_list(void) {
         while (ptr) {
                 i = 0;
                 while (paths[i]) {
-                        char *fname;
-                        if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1)
-                                errExit("asprintf");
-                        fs_logger2("clone", fname);
-                        free(fname);
+                        struct stat s;
+                        if (stat(paths[i], &s) == 0) {
+                                char *fname;
+                                if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1)
+                                        errExit("asprintf");
+                                fs_logger2("clone", fname);
+                                free(fname);
+                        }
                         i++;
                 }
                 ptr = strtok(NULL, ",");
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 2fd450391..c7a27115f 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -68,9 +68,12 @@ void fs_private_dev(void){
                 printf("Mounting tmpfs on /dev\n");
 
         int have_dri = 0;
+        int have_snd = 0;
         struct stat s;
         if (stat("/dev/dri", &s) == 0)
                 have_dri = 1;
+        if (stat("/dev/snd", &s) == 0)
+                have_snd = 1;
 
         // create DRI_DIR
         fs_build_mnt_dir();
@@ -89,7 +92,23 @@ void fs_private_dev(void){
                         errExit("mounting /dev/dri");
         }
         
-        // restore /dev/log
+        // create SND_DIR
+        if (have_snd) {
+                /* coverity[toctou] */
+                rv = mkdir(RUN_SND_DIR, 0755);
+                if (rv == -1)
+                        errExit("mkdir");
+                if (chown(RUN_SND_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_SND_DIR, 0755) < 0)
+                        errExit("chmod");
+        
+                // keep a copy of /dev/dri under DRI_DIR
+                if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mounting /dev/snd");
+        }
+        
+        // create DEVLOG_FILE
         int have_devlog = 0;
         if (stat("/dev/log", &s) == 0) {
                 have_devlog = 1;
@@ -121,6 +140,21 @@ void fs_private_dev(void){
                 }
         }               
 
+        // bring back the /dev/snd directory
+        if (have_snd) {
+                /* coverity[toctou] */
+                rv = mkdir("/dev/snd", 0755);
+                if (rv == -1)
+                        errExit("mkdir");
+                if (chown("/dev/snd", 0, 0) < 0)
+                        errExit("chown");
+                if (chmod("/dev/snd",0755) < 0)
+                        errExit("chmod");
+                if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mounting /dev/snd");
+                fs_logger("whitelist /dev/snd");
+        }
+
         // bring back the /dev/dri directory
         if (have_dri) {
                 /* coverity[toctou] */
@@ -243,3 +277,9 @@ void fs_dev_shm(void) {
                         
         }
 }
+
+void fs_dev_disable_sound() {
+        if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable /dev/snd");
+        fs_logger("blacklist /dev/snd");
+}
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index bb33b4c76..2ff36f5d2 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -96,7 +96,8 @@ static void duplicate(char *fname) {
         if (arg_debug)
                 printf("%s\n", cmd);
         if (system(cmd))
-                errExit("system cp -a --parents");
+                fprintf(stderr, "Warning (fs_etc): error copying file /etc/%s, skipping...\n", fname);
+
         free(cmd);
         
         char *name;
@@ -128,40 +129,44 @@ void fs_private_etc_list(void) {
                 errExit("chmod");
         fs_logger("tmpfs /etc");
         
-        // copy the list of files in the new etc directory
-        // using a new child process without root privileges
         fs_logger_print();      // save the current log
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                if (arg_debug)
-                        printf("Copying files in the new etc directory:\n");
 
-                // elevate privileges - files in the new /etc directory belong to root
-                if (setreuid(0, 0) < 0)
-                        errExit("setreuid");
-                if (setregid(0, 0) < 0)
-                        errExit("setregid");
-                
-                // copy the list of files in the new home directory
-                char *dlist = strdup(private_list);
-                if (!dlist)
-                        errExit("strdup");
-        
 
-                char *ptr = strtok(dlist, ",");
-                duplicate(ptr);
+        // copy the list of files in the new etc directory
+        // using a new child process without root privileges
+        if (*private_list != '\0') {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        if (arg_debug)
+                                printf("Copying files in the new etc directory:\n");
+        
+                        // elevate privileges - files in the new /etc directory belong to root
+                        if (setreuid(0, 0) < 0)
+                                errExit("setreuid");
+                        if (setregid(0, 0) < 0)
+                                errExit("setregid");
+                        
+                        // copy the list of files in the new home directory
+                        char *dlist = strdup(private_list);
+                        if (!dlist)
+                                errExit("strdup");
+                
         
-                while ((ptr = strtok(NULL, ",")) != NULL)
+                        char *ptr = strtok(dlist, ",");
                         duplicate(ptr);
-                free(dlist);    
-                fs_logger_print();
-                exit(0);
+                
+                        while ((ptr = strtok(NULL, ",")) != NULL)
+                                duplicate(ptr);
+                        free(dlist);    
+                        fs_logger_print();
+                        exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
         }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-
+        
         if (arg_debug)
                 printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
         if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 8a3484b06..41092de2b 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -41,10 +41,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (stat(fname, &s) == 0)
                         return;
                 if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        if (is_link("/etc/skel/.zshrc")) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n");
-                                exit(1);
-                        }
                         if (copy_file("/etc/skel/.zshrc", fname) == 0) {
                                 if (chown(fname, u, g) == -1)
                                         errExit("chown");
@@ -75,10 +71,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (stat(fname, &s) == 0)
                         return;
                 if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        if (is_link("/etc/skel/.cshrc")) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n");
-                                exit(1);
-                        }
                         if (copy_file("/etc/skel/.cshrc", fname) == 0) {
                                 if (chown(fname, u, g) == -1)
                                         errExit("chown");
@@ -110,10 +102,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (stat(fname, &s) == 0) 
                         return;
                 if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        if (is_link("/etc/skel/.bashrc")) {
-                                fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n");
-                                exit(1);
-                        }
                         if (copy_file("/etc/skel/.bashrc", fname) == 0) {
                                 /* coverity[toctou] */
                                 if (chown(fname, u, g) == -1)
@@ -162,10 +150,19 @@ static int store_asoundrc(void) {
                 errExit("asprintf");
         
         struct stat s;
-        if (stat(src, &s) == 0) {       
+        if (stat(src, &s) == 0) {
                 if (is_link(src)) {
-                        fprintf(stderr, "Error: invalid .asoundrc file\n");
-                        exit(1);
+                        // make sure the real path of the file is inside the home directory
+                        char* rp = realpath(src, NULL);
+                        if (!rp) {
+                                fprintf(stderr, "Error: Cannot access %s\n", src);
+                                exit(1);
+                        }
+                        if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                                fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n");
+                                exit(1);
+                        }
+                        free(rp);
                 }
 
                 int rv = copy_file(src, dest);
@@ -251,7 +248,7 @@ void fs_private_homedir(void) {
         // mount bind private_homedir on top of homedir
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
-        if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
                 errExit("mount bind");
         fs_logger3("mount-bind", private_homedir, cfg.homedir);
         fs_logger2("whitelist", cfg.homedir);
@@ -265,7 +262,7 @@ void fs_private_homedir(void) {
                 // mask /root
                 if (arg_debug)
                         printf("Mounting a new /root directory\n");
-                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                         errExit("mounting home directory");
                 fs_logger("tmpfs /root");
         }
@@ -273,7 +270,7 @@ void fs_private_homedir(void) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting home directory");
                 fs_logger("tmpfs /home");
         }
@@ -303,14 +300,14 @@ void fs_private(void) {
         // mask /home
         if (arg_debug)
                 printf("Mounting a new /home directory\n");
-        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                 errExit("mounting home directory");
         fs_logger("tmpfs /home");
 
         // mask /root
         if (arg_debug)
                 printf("Mounting a new /root directory\n");
-        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                 errExit("mounting root directory");
         fs_logger("tmpfs /root");
 
@@ -334,6 +331,7 @@ void fs_private(void) {
                 copy_xauthority();
         if (aflag)
                 copy_asoundrc();
+
 }
 
 
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 227a66cd7..30b0fe438 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -141,7 +141,9 @@ void fs_logger_print_log(pid_t pid) {
         EUID_ASSERT();
 
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 398c534bf..50bcc613b 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -42,9 +42,63 @@ void fs_mkdir(const char *name) {
         }
 
         // create directory
-        if (mkdir(expanded, 0700) == -1)
-                fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                // create directory
+                if (mkdir(expanded, 0700) == -1)
+                        fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
+                exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
 
 doexit:
         free(expanded);
 }       
+
+void fs_mkfile(const char *name) {
+        EUID_ASSERT();
+        
+        // check file name
+        invalid_filename(name);
+        char *expanded = expand_home(name, cfg.homedir);
+        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                fprintf(stderr, "Error: only files in user home are supported by mkfile\n");
+                exit(1);
+        }
+
+        struct stat s;
+        if (stat(expanded, &s) == 0) {
+                // file exists, do nothing
+                goto doexit;
+        }
+
+        // create file
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                FILE *fp = fopen(expanded, "w");
+                if (!fp)
+                        fprintf(stderr, "Warning: cannot create %s file\n", expanded);
+                else {
+                        fclose(fp);
+                        int rv = chmod(expanded, 0600);
+                        (void) rv;
+                }
+                exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+
+doexit:
+        free(expanded);
+}
\ No newline at end of file
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f904fa5d9..1516d684f 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -121,7 +121,7 @@ void fs_var_log(void) {
                 // mount a tmpfs on top of /var/log
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/log\n");
-                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/log");
                 fs_logger("tmpfs /var/log");
                 
@@ -160,7 +160,7 @@ void fs_var_lib(void) {
         if (stat("/var/lib/dhcp", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/dhcp\n");
-                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID |  MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/dhcp");
                 fs_logger("tmpfs /var/lib/dhcp");
                         
@@ -182,7 +182,7 @@ void fs_var_lib(void) {
         if (stat("/var/lib/nginx", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/nginx\n");
-                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/nginx");
                 fs_logger("tmpfs /var/lib/nginx");
         }                       
@@ -191,7 +191,7 @@ void fs_var_lib(void) {
         if (stat("/var/lib/snmp", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/snmp\n");
-                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/snmp");
                 fs_logger("tmpfs /var/lib/snmp");
         }                       
@@ -200,7 +200,7 @@ void fs_var_lib(void) {
         if (stat("/var/lib/sudo", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/sudo\n");
-                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/sudo");
                 fs_logger("tmpfs /var/lib/sudo");
         }                       
@@ -212,7 +212,7 @@ void fs_var_cache(void) {
         if (stat("/var/cache/apache2", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/cache/apache2\n");
-                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/cache/apache2");
                 fs_logger("tmpfs /var/cache/apache2");
         }                       
@@ -220,7 +220,7 @@ void fs_var_cache(void) {
         if (stat("/var/cache/lighttpd", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/cache/lighttpd\n");
-                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/cache/lighttpd");
                 fs_logger("tmpfs /var/cache/lighttpd");
 
@@ -268,7 +268,7 @@ void fs_var_lock(void) {
         if (is_dir("/var/lock")) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lock\n");
-                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                         errExit("mounting /lock");
                 fs_logger("tmpfs /var/lock");
         }
@@ -286,7 +286,7 @@ void fs_var_lock(void) {
                         }
                         if (arg_debug)
                                 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                 errExit("mounting /var/lock");
                         free(lnk);
                         fs_logger("tmpfs /var/lock");
@@ -304,7 +304,7 @@ void fs_var_tmp(void) {
                 if (!is_link("/var/tmp")) {
                         if (arg_debug)
                                 printf("Mounting tmpfs on /var/tmp\n");
-                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                 errExit("mounting /var/tmp");
                         fs_logger("tmpfs /var/tmp");
                 }
@@ -362,7 +362,7 @@ void fs_var_utmp(void) {
         // mount the new utmp file
         if (arg_debug)
                 printf("Mount the new utmp file\n");
-        if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mount bind utmp");
         fs_logger("create /var/run/utmp");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 7e61bfde5..f94040d0f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) {
         char *wfile = NULL;
 
         if (entry->home_dir) {
-                fname = path + strlen(cfg.homedir);
-                if (*fname == '\0') {
-                        fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
-                        exit(1);
+                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {             
+                        fname = path + strlen(cfg.homedir);
+                        if (*fname == '\0') {
+                                fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                                exit(1);
+                        }
                 }
+                else
+                        fname = path;
         
                 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
                         errExit("asprintf");
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) {
                         printf("Whitelisting %s\n", path);
         }
         else {
-                if (arg_debug || arg_debug_whitelists) {
-                        fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);
-                }
                 return;
         }
         
@@ -390,12 +391,16 @@ void fs_whitelist(void) {
 
                         entry->home_dir = 1;
                         home_dir = 1;
+                        if (arg_debug || arg_debug_whitelists)
+                                fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+                                        __LINE__, fname, cfg.homedir);
+
                         // both path and absolute path are under /home
                         if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                if (arg_debug)
-                                        fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
-                                                __LINE__, fname, cfg.homedir);
-                                goto errexit;
+                                // check if the file is owned by the user
+                                struct stat s;
+                                if (stat(fname, &s) == 0 && s.st_uid != getuid())
+                                        goto errexit;
                         }
                 }
                 else if (strncmp(new_name, "/tmp/", 5) == 0) {
@@ -422,7 +427,12 @@ void fs_whitelist(void) {
                         entry->var_dir = 1;
                         var_dir = 1;
                         // both path and absolute path are under /var
-                        if (strncmp(fname, "/var/", 5) != 0) {
+                        // exceptions: /var/run and /var/lock
+                        if (strcmp(new_name, "/var/run")== 0)
+                                ;
+                        else if (strcmp(new_name, "/var/lock")== 0)
+                                ;
+                        else if (strncmp(fname, "/var/", 5) != 0) {
                                 if (arg_debug)
                                         fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
                                 goto errexit;
@@ -499,7 +509,7 @@ void fs_whitelist(void) {
         
         // /tmp mountpoint
         if (tmp_dir) {
-                // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
+                // keep a copy of real /tmp directory in  
                 int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
                 if (rv == -1)
                         errExit("mkdir");
@@ -517,6 +527,29 @@ void fs_whitelist(void) {
                 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                         errExit("mounting tmpfs on /tmp");
                 fs_logger("tmpfs /tmp");
+                
+                // mount appimage directory if necessary
+                if (arg_appimage) {
+                        const char *dir = appimage_getdir();
+                        assert(dir);
+                        char *wdir;
+                        if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1)
+                                errExit("asprintf");
+
+                        // create directory
+                        if (mkdir(dir, 0755) < 0)
+                                errExit("mkdir");
+                        if (chown(dir, getuid(), getgid()) < 0)
+                                errExit("chown");
+                        if (chmod(dir, 0755) < 0)
+                                errExit("chmod");
+                
+                        // mount
+                        if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        fs_logger2("whitelist", dir);
+                        free(wdir);
+                }
         }
         
         // /media mountpoint
@@ -618,21 +651,31 @@ void fs_whitelist(void) {
 
 //printf("here %d#%s#\n", __LINE__, entry->data);
                 // whitelist the real file
-                whitelist_path(entry);
-
-                // create the link if any
-                if (entry->link) {
-                        // if the link is already there, do not bother
-                        struct stat s;
-                        if (stat(entry->link, &s) != 0) {
-                                // create the path if necessary
-                                mkpath(entry->link, s.st_mode);
-
-                                int rv = symlink(entry->data + 10, entry->link);
-                                if (rv)
-                                        fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
-                                else if (arg_debug || arg_debug_whitelists)
-                                        printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
+                if (strcmp(entry->data, "whitelist /run") == 0 && 
+                    (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) {
+                        int rv = symlink(entry->data + 10, entry->link);
+                        if (rv)
+                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
+                        else if (arg_debug || arg_debug_whitelists)
+                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
+                }
+                else {
+                        whitelist_path(entry);
+        
+                        // create the link if any
+                        if (entry->link) {
+                                // if the link is already there, do not bother
+                                struct stat s;
+                                if (stat(entry->link, &s) != 0) {
+                                        // create the path if necessary
+                                        mkpath(entry->link, s.st_mode);
+        
+                                        int rv = symlink(entry->data + 10, entry->link);
+                                        if (rv)
+                                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
+                                        else if (arg_debug || arg_debug_whitelists)
+                                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
+                                }
                         }
                 }
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 251260091..c14108986 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -23,6 +23,7 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <sys/prctl.h>
+#include <errno.h>
 
 static int apply_caps = 0;
 static uint64_t caps = 0;
@@ -53,7 +54,7 @@ static void extract_command(int argc, char **argv, int index) {
         int i;
         // calculate command length
         for (i = index; i < argc; i++) {
-                len += strlen(argv[i]) + 1;
+                len += strlen(argv[i]) + 3;
         }
         assert(len > 0);
 
@@ -61,8 +62,15 @@ static void extract_command(int argc, char **argv, int index) {
         cfg.command_line = malloc(len + 1);
         *cfg.command_line = '\0';
         for (i = index; i < argc; i++) {
-                strcat(cfg.command_line, argv[i]);
-                strcat(cfg.command_line, " ");
+                if (strchr(argv[i], '&')) {
+                        strcat(cfg.command_line, "\'");
+                        strcat(cfg.command_line, argv[i]);
+                        strcat(cfg.command_line, "\' ");
+                }
+                else {
+                        strcat(cfg.command_line, argv[i]);
+                        strcat(cfg.command_line, " ");
+                }
         }
         if (arg_debug)
                 printf("Extracted command #%s#\n", cfg.command_line);
@@ -201,7 +209,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
         extract_command(argc, argv, index);
 
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
@@ -329,19 +339,38 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
                         errExit("setenv");
 
+                // set nice
+                if (arg_nice) {
+                        errno = 0;
+                        int rv = nice(cfg.nice);
+                        (void) rv;
+                        if (errno) {
+                                fprintf(stderr, "Warning: cannot set nice value\n");
+                                errno = 0;
+                        }
+                }
+
                 // run cmdline trough /bin/bash
                 if (cfg.command_line == NULL) {
-                        struct stat s;
 
                         // replace the process with a shell
-                        if (stat("/bin/bash", &s) == 0)
-                                execlp("/bin/bash", "/bin/bash", NULL);
-                        else if (stat("/usr/bin/zsh", &s) == 0)
-                                execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL);
-                        else if (stat("/bin/csh", &s) == 0)
-                                execlp("/bin/csh", "/bin/csh", NULL);
-                        else if (stat("/bin/sh", &s) == 0)
-                                execlp("/bin/sh", "/bin/sh", NULL);
+                        if (cfg.shell)
+                                        execlp(cfg.shell, cfg.shell, NULL);
+                                else if (arg_zsh)
+                                        execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL);
+                                else if (arg_csh)
+                                        execlp("/bin/csh", "/bin/csh", NULL);
+                                else {
+                                        struct stat s;
+                                        if (stat("/bin/bash", &s) == 0)
+                                                execlp("/bin/bash", "/bin/bash", NULL);
+                                        else if (stat("/usr/bin/zsh", &s) == 0)
+                                                execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL);
+                                        else if (stat("/bin/csh", &s) == 0)
+                                                execlp("/bin/csh", "/bin/csh", NULL);
+                                        else if (stat("/bin/sh", &s) == 0)
+                                                execlp("/bin/sh", "/bin/sh", NULL);
+                                }
                         
                         // no shell found, print an error and exit
                         fprintf(stderr, "Error: no POSIX shell found\n");
@@ -368,21 +397,54 @@ void join(pid_t pid, int argc, char **argv, int index) {
                                 }
                         }
 
-                        char *arg[5];
-                        arg[0] = "/bin/bash";
-                        arg[1] = "-c";
-                        if (arg_debug)
-                                printf("Starting %s\n", cfg.command_line);
-                        if (!arg_doubledash) {
-                                arg[2] = cfg.command_line;
-                                arg[3] = NULL;
-                        }
-                        else {
-                                arg[2] = "--";
-                                arg[3] = cfg.command_line;
-                                arg[4] = NULL;
+                        if (arg_shell_none) {
+                                if (arg_debug) {
+                                        int i;
+                                        for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
+                                                if (cfg.original_argv[i] == NULL)
+                                                        break;
+                                                printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]);
+                                        }
+                                }
+                
+                                if (cfg.original_program_index == 0) {
+                                        fprintf(stderr, "Error: --shell=none configured, but no program specified\n");
+                                        exit(1);
+                                }
+                
+                                if (!arg_command && !arg_quiet)
+                                        printf("Child process initialized\n");
+                
+                                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+                                exit(1);
+                        } else {
+                                // choose the shell requested by the user, or use bash as default
+                                char *sh;
+                                if (cfg.shell)
+                                        sh = cfg.shell;
+                                else if (arg_zsh)
+                                        sh = "/usr/bin/zsh";
+                                else if (arg_csh)
+                                        sh = "/bin/csh";
+                                else
+                                        sh = "/bin/bash";
+        
+                                char *arg[5];
+                                arg[0] = sh;
+                                arg[1] = "-c";
+                                if (arg_debug)
+                                        printf("Starting %s\n", cfg.command_line);
+                                if (!arg_doubledash) {
+                                        arg[2] = cfg.command_line;
+                                        arg[3] = NULL;
+                                }
+                                else {
+                                        arg[2] = "--";
+                                        arg[3] = cfg.command_line;
+                                        arg[4] = NULL;
+                                }
+                                execvp("/bin/bash", arg);
                         }
-                        execvp("/bin/bash", arg);
                 }
 
                 // it will never get here!!!
diff --git a/src/firejail/list.c b/src/firejail/list.c
index 676df6a14..d093a1f85 100644
--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -18,47 +18,83 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+
+static void set_privileges(void) {
+        struct stat s;
+        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                EUID_ROOT();
+
+                // elevate privileges
+                if (setreuid(0, 0))
+                        errExit("setreuid");
+                if (setregid(0, 0))
+                        errExit("setregid");
+        }
+        else
+                drop_privs(1);
+}
+
+static char *get_firemon_path(const char *cmd) {
+        assert(cmd);
+        
+        // start the argv[0] program in a new sandbox
+        char *firemon;
+        if (asprintf(&firemon, "%s/bin/firemon %s", PREFIX, cmd) == -1)
+                errExit("asprintf");
+
+        return firemon;
+}
 
 void top(void) {
         EUID_ASSERT();
-        
+        drop_privs(1);
+        char *cmd = get_firemon_path("--top");
+
         char *arg[4];
         arg[0] = "bash";
         arg[1] = "-c";
-        arg[2] = "firemon --top";
+        arg[2] = cmd;
         arg[3] = NULL;
         execvp("/bin/bash", arg); 
 }
 
 void netstats(void) {
         EUID_ASSERT();
+        set_privileges();       
+        char *cmd = get_firemon_path("--netstats");
         
         char *arg[4];
         arg[0] = "bash";
         arg[1] = "-c";
-        arg[2] = "firemon --netstats";
+        arg[2] = cmd;
         arg[3] = NULL;
         execvp("/bin/bash", arg); 
 }
 
 void list(void) {
         EUID_ASSERT();
+        drop_privs(1);
+        char *cmd = get_firemon_path("--list");
         
         char *arg[4];
         arg[0] = "bash";
         arg[1] = "-c";
-        arg[2] = "firemon --list";
+        arg[2] = cmd;
         arg[3] = NULL;
         execvp("/bin/bash", arg); 
 }
 
 void tree(void) {
         EUID_ASSERT();
+        drop_privs(1);
+        char *cmd = get_firemon_path("--tree");
         
         char *arg[4];
         arg[0] = "bash";
         arg[1] = "-c";
-        arg[2] = "firemon --tree";
+        arg[2] = cmd;
         arg[3] = NULL;
         execvp("/bin/bash", arg); 
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 983927cf1..09577fb0c 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -205,7 +205,9 @@ void sandboxfs(int op, pid_t pid, const char *path) {
         EUID_ASSERT();
 
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
@@ -341,7 +343,7 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                 }
 
                 // wait for the child to finish
-                int status = NULL;
+                int status = 0;
                 waitpid(child, &status, 0);
                 if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
                 else
@@ -377,6 +379,7 @@ void sandboxfs(int op, pid_t pid, const char *path) {
                         errExit("chown");
                 if (chmod(dest_fname, 0644) == -1)
                         errExit("chmod");
+                printf("Transfer complete\n");
                 EUID_USER();
         }
         
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0a02d0918..cbc3d57cf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0;			// rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
 int arg_nogroups = 0;                           // disable supplementary groups
+int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
 int arg_netfilter;                              // enable netfilter
 int arg_netfilter6;                             // enable netfilter6
@@ -96,6 +97,11 @@ int arg_join_network = 0;			// join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
 int arg_nice = 0;                               // nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
+int arg_writable_etc = 0;                       // writable etc
+int arg_writable_var = 0;                       // writable var
+int arg_appimage = 0;                           // appimage
+int arg_audit = 0;                              // audit
+char *arg_audit_prog;                           // audit
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -105,46 +111,43 @@ int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
 
-static void set_name_file(uid_t pid);
-static void delete_name_file(uid_t pid);
-static void set_x11_file(uid_t pid, int display);
-static void delete_x11_file(uid_t pid);
+static void set_name_file(pid_t pid);
+static void delete_name_file(pid_t pid);
+static void set_x11_file(pid_t pid, int display);
+static void delete_x11_file(pid_t pid);
+
+void clear_run_files(pid_t pid) {
+        bandwidth_del_run_file(pid);            // bandwidth file
+        network_del_run_file(pid);              // network map file
+        delete_name_file(pid);
+        delete_x11_file(pid);
+}
 
 static void myexit(int rv) {
         logmsg("exiting...");
         if (!arg_command && !arg_quiet)
-                printf("\nparent is shutting down, bye...\n");
-        
+                printf("\nParent is shutting down, bye...\n");
+
+
         // delete sandbox files in shared memory
-        bandwidth_shm_del_file(sandbox_pid);            // bandwidth file
-        network_shm_del_file(sandbox_pid);              // network map file
-        delete_name_file(sandbox_pid);
-        delete_x11_file(sandbox_pid);
-        
+        EUID_ROOT();
+        clear_run_files(sandbox_pid);
+        appimage_clear();
+                
         exit(rv); 
 }
 
 static void my_handler(int s){
-        if (!arg_quiet)
-                printf("\nSignal %d caught, shutting down the child process\n", s);
+        EUID_ROOT();
+        if (!arg_quiet) {
+                printf("\nParent received signal %d, shutting down the child process...\n", s);
+                fflush(0);
+        }
         logsignal(s);
-        kill(child, SIGKILL);
+        kill(child, SIGTERM);
         myexit(1);
 }
 
-static inline Bridge *last_bridge_configured(void) {
-        if (cfg.bridge3.configured)
-                return &cfg.bridge3;
-        else if (cfg.bridge2.configured)
-                return &cfg.bridge2;
-        else if (cfg.bridge1.configured)
-                return &cfg.bridge1;
-        else if (cfg.bridge0.configured)
-                return &cfg.bridge0;
-        else
-                return NULL;
-}
-
 // return 1 if error, 0 if a valid pid was found
 static inline int read_pid(char *str, pid_t *pid) {
         char *endptr;
@@ -174,9 +177,11 @@ static void init_cfg(int argc, char **argv) {
         cfg.bridge3.devsandbox = "eth3";
         
         // extract user data
+        EUID_ROOT(); // rise permissions for grsecurity
         struct passwd *pw = getpwuid(getuid());
         if (!pw)
                 errExit("getpwuid");
+        EUID_USER();
         cfg.username = strdup(pw->pw_name);
         if (!cfg.username)
                 errExit("strdup");
@@ -274,74 +279,108 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifndef HAVE_FILE_TRANSFER
                 printf("File transfer support is disabled.\n");
 #endif
+#ifndef HAVE_WHITELIST
+                printf("whitelisting support is disabled.\n");
+#endif
                 exit(0);
         }
 #ifdef HAVE_X11
         else if (strcmp(argv[i], "--x11") == 0) {
-                x11_start(argc, argv);
-                exit(0);
+                if (checkcfg(CFG_X11)) {
+                        x11_start(argc, argv);
+                        exit(0);
+                }
+                else {
+                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
+                        exit(1);
+                }
         }
-#endif
-#ifdef HAVE_NETWORK     
-        else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
-                logargs(argc, argv);
-                
-                // extract the command
-                if ((i + 1) == argc) {
-                        fprintf(stderr, "Error: command expected after --bandwidth option\n");
+        else if (strcmp(argv[i], "--x11=xpra") == 0) {
+                if (checkcfg(CFG_X11)) {
+                        x11_start_xpra(argc, argv);
+                        exit(0);
+                }
+                else {
+                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
                         exit(1);
                 }
-                char *cmd = argv[i + 1];
-                if (strcmp(cmd, "status") && strcmp(cmd, "clear") && strcmp(cmd, "set")) {
-                        fprintf(stderr, "Error: invalid --bandwidth command.\nValid commands: set, clear, status.\n");
+        }
+        else if (strcmp(argv[i], "--x11=xephyr") == 0) {
+                if (checkcfg(CFG_X11)) {
+                        x11_start_xephyr(argc, argv);
+                        exit(0);
+                }
+                else {
+                        fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
                         exit(1);
                 }
-
-                // extract network name
-                char *dev = NULL;
-                int down = 0;
-                int up = 0;
-                if (strcmp(cmd, "set") == 0 || strcmp(cmd, "clear") == 0) {
-                        // extract device name
-                        if ((i + 2) == argc) {
-                                fprintf(stderr, "Error: network name expected after --bandwidth %s option\n", cmd);
+        }
+#endif
+#ifdef HAVE_NETWORK     
+        else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        logargs(argc, argv);
+                        
+                        // extract the command
+                        if ((i + 1) == argc) {
+                                fprintf(stderr, "Error: command expected after --bandwidth option\n");
                                 exit(1);
                         }
-                        dev = argv[i + 2];
-
-                        // check device name
-                        if (if_nametoindex(dev) == 0) {
-                                fprintf(stderr, "Error: network device %s not found\n", dev);
+                        char *cmd = argv[i + 1];
+                        if (strcmp(cmd, "status") && strcmp(cmd, "clear") && strcmp(cmd, "set")) {
+                                fprintf(stderr, "Error: invalid --bandwidth command.\nValid commands: set, clear, status.\n");
                                 exit(1);
                         }
-
-                        // extract bandwidth
-                        if (strcmp(cmd, "set") == 0) {
-                                if ((i + 4) >= argc) {
-                                        fprintf(stderr, "Error: invalid --bandwidth set command\n");
+        
+                        // extract network name
+                        char *dev = NULL;
+                        int down = 0;
+                        int up = 0;
+                        if (strcmp(cmd, "set") == 0 || strcmp(cmd, "clear") == 0) {
+                                // extract device name
+                                if ((i + 2) == argc) {
+                                        fprintf(stderr, "Error: network name expected after --bandwidth %s option\n", cmd);
                                         exit(1);
                                 }
-                                
-                                down = atoi(argv[i + 3]);
-                                if (down < 0) {
-                                        fprintf(stderr, "Error: invalid download speed\n");
+                                dev = argv[i + 2];
+        
+                                // check device name
+                                if (if_nametoindex(dev) == 0) {
+                                        fprintf(stderr, "Error: network device %s not found\n", dev);
                                         exit(1);
                                 }
-                                up = atoi(argv[i + 4]);
-                                if (up < 0) {
-                                        fprintf(stderr, "Error: invalid upload speed\n");
-                                        exit(1);
+        
+                                // extract bandwidth
+                                if (strcmp(cmd, "set") == 0) {
+                                        if ((i + 4) >= argc) {
+                                                fprintf(stderr, "Error: invalid --bandwidth set command\n");
+                                                exit(1);
+                                        }
+                                        
+                                        down = atoi(argv[i + 3]);
+                                        if (down < 0) {
+                                                fprintf(stderr, "Error: invalid download speed\n");
+                                                exit(1);
+                                        }
+                                        up = atoi(argv[i + 4]);
+                                        if (up < 0) {
+                                                fprintf(stderr, "Error: invalid upload speed\n");
+                                                exit(1);
+                                        }
                                 }
-                        }
-                }       
-                
-                // extract pid or sandbox name
-                pid_t pid;
-                EUID_ROOT();
-                if (read_pid(argv[i] + 12, &pid) == 0)
-                        bandwidth_pid(pid, cmd, dev, down, up);
-                else
-                        bandwidth_name(argv[i] + 12, cmd, dev, down, up);
+                        }       
+                        
+                        // extract pid or sandbox name
+                        pid_t pid;
+                        if (read_pid(argv[i] + 12, &pid) == 0)
+                                bandwidth_pid(pid, cmd, dev, down, up);
+                        else
+                                bandwidth_name(argv[i] + 12, cmd, dev, down, up);
+                }
+                else {
+                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                        exit(1);
+                }
                 exit(0);
         }
 #endif
@@ -350,20 +389,38 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         //*************************************
 #ifdef HAVE_SECCOMP
         else if (strcmp(argv[i], "--debug-syscalls") == 0) {
-                syscall_print();
-                exit(0);
+                if (checkcfg(CFG_SECCOMP)) {
+                        syscall_print();
+                        exit(0);
+                }
+                else {
+                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+                        exit(1);
+                }
         }
         else if (strcmp(argv[i], "--debug-errnos") == 0) {
-                errno_print();
+                if (checkcfg(CFG_SECCOMP)) {
+                        errno_print();
+                }
+                else {
+                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+                        exit(1);
+                }
                 exit(0);
         }
         else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
-                // print seccomp filter for a sandbox specified by pid or by name
-                pid_t pid;
-                if (read_pid(argv[i] + 16, &pid) == 0)          
-                        seccomp_print_filter(pid);
-                else
-                        seccomp_print_filter_name(argv[i] + 16);
+                if (checkcfg(CFG_SECCOMP)) {
+                        // print seccomp filter for a sandbox specified by pid or by name
+                        pid_t pid;
+                        if (read_pid(argv[i] + 16, &pid) == 0)          
+                                seccomp_print_filter(pid);
+                        else
+                                seccomp_print_filter_name(argv[i] + 16);
+                }
+                else {
+                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+                        exit(1);
+                }
                 exit(0);
         }
         else if (strcmp(argv[i], "--debug-protocols") == 0) {
@@ -371,15 +428,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
         else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
-                // print seccomp filter for a sandbox specified by pid or by name
+                if (checkcfg(CFG_SECCOMP)) {
+                        // print seccomp filter for a sandbox specified by pid or by name
+                        pid_t pid;
+                        if (read_pid(argv[i] + 17, &pid) == 0)          
+                                protocol_print_filter(pid);
+                        else
+                                protocol_print_filter_name(argv[i] + 17);
+                }
+                else {
+                        fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+                        exit(1);
+                }
+                exit(0);
+        }
+#endif
+        else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
+                // join sandbox by pid or by name
                 pid_t pid;
-                if (read_pid(argv[i] + 17, &pid) == 0)          
-                        protocol_print_filter(pid);
+                if (read_pid(argv[i] + 12, &pid) == 0)          
+                        cpu_print_filter(pid);
                 else
-                        protocol_print_filter_name(argv[i] + 17);
+                        cpu_print_filter_name(argv[i] + 12);
                 exit(0);
         }
-#endif
         else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                 // join sandbox by pid or by name
                 pid_t pid;
@@ -425,7 +497,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
 #ifdef HAVE_NETWORK     
         else if (strcmp(argv[i], "--netstats") == 0) {
-                netstats();
+                if (checkcfg(CFG_NETWORK)) {
+                        netstats();
+                }
+                else {
+                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                        exit(1);
+                }
                 exit(0);
         }
 #endif  
@@ -455,7 +533,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit(0);
                 }
                 else {
-                        fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+                        fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n");
                         exit(1);
                 }
         }
@@ -484,7 +562,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit(0);
                 }
                 else {
-                        fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+                        fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n");
                         exit(1);
                 }
         }
@@ -502,19 +580,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
 #ifdef HAVE_NETWORK     
         else if (strncmp(argv[i], "--join-network=", 15) == 0) {
-                logargs(argc, argv);
-                arg_join_network = 1;
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: --join-network is only available to root user\n");
+                if (checkcfg(CFG_NETWORK)) {
+                        logargs(argc, argv);
+                        arg_join_network = 1;
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --join-network is only available to root user\n");
+                                exit(1);
+                        }
+                        
+                        // join sandbox by pid or by name
+                        pid_t pid;
+                        if (read_pid(argv[i] + 15, &pid) == 0)          
+                                join(pid, argc, argv, i + 1);
+                        else
+                                join_name(argv[i] + 15, argc, argv, i + 1);
+                }
+                else {
+                        fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
                         exit(1);
                 }
-                
-                // join sandbox by pid or by name
-                pid_t pid;
-                if (read_pid(argv[i] + 15, &pid) == 0)          
-                        join(pid, argc, argv, i + 1);
-                else
-                        join_name(argv[i] + 15, argc, argv, i + 1);
+
                 exit(0);
         }
 #endif
@@ -548,7 +633,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 
 }
 
-static void set_name_file(uid_t pid) {
+static void set_name_file(pid_t pid) {
         char *fname;
         if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
                 errExit("asprintf");
@@ -570,15 +655,16 @@ static void set_name_file(uid_t pid) {
         
 }
 
-static void delete_name_file(uid_t pid) {
+static void delete_name_file(pid_t pid) {
         char *fname;
         if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
                 errExit("asprintf");
         int rv = unlink(fname);
         (void) rv;
+        free(fname);
 }
 
-static void set_x11_file(uid_t pid, int display) {
+static void set_x11_file(pid_t pid, int display) {
         char *fname;
         if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
                 errExit("asprintf");
@@ -600,12 +686,60 @@ static void set_x11_file(uid_t pid, int display) {
         
 }
 
-static void delete_x11_file(uid_t pid) {
+static void delete_x11_file(pid_t pid) {
         char *fname;
         if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
                 errExit("asprintf");
         int rv = unlink(fname);
         (void) rv;
+        free(fname);
+}
+
+static void detect_quiet(int argc, char **argv) {
+        int i;
+        char *progs[] = {
+                "less",
+                "cpio",
+                "strings",
+                "gzip",
+                "xz",
+                "xzdec",
+                NULL
+        };
+        
+        // detect --quiet
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--quiet") == 0) {
+                        arg_quiet = 1;
+                        break;
+                }
+                
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+
+        // argv[i] is the program name if --quiet was not already detected
+        if (arg_quiet || i == argc)
+                return;
+
+        // extract the name of the program without the leading path
+        char *ptr = strrchr(argv[i], '/');
+        char *name = (ptr)? (ptr + 1): argv[i];
+        if (*name == '\0')
+                return;
+
+        // look for the program in the list     
+        int j = 0;
+        while (progs[j] != NULL) {
+                if (strcmp(name, progs[j]) == 0) {
+                        arg_quiet = 1;
+                        return;
+                }
+                j++;
+        }
 }
 
 //*******************************************
@@ -615,14 +749,17 @@ int main(int argc, char **argv) {
         int i;
         int prog_index = -1;                      // index in argv where the program command starts
         int lockfd = -1;
-        int arg_cgroup = 0;
+        int option_cgroup = 0;
+        int option_force = 0;
         int custom_profile = 0; // custom profile loaded
         char *custom_profile_dir = NULL; // custom profile directory
-        int arg_noprofile = 0; // use generic.profile if none other found/specified
+        int arg_noprofile = 0; // use default.profile if none other found/specified
 #ifdef HAVE_SECCOMP
         int highest_errno = errno_highest_nr();
 #endif
 
+        detect_quiet(argc, argv);
+
         // drop permissions by default and rise them when required
         EUID_INIT();
         EUID_USER();
@@ -632,33 +769,87 @@ int main(int argc, char **argv) {
                 run_symlink(argc, argv);
 
         // check if we already have a sandbox running
-        int rv = check_kernel_procs();
-        if (rv == 0) {
-                // if --force option is passed to the program, disregard the existing sandbox
-                int found = 0;
+        // If LXC is detected, start firejail sandbox
+        // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
+        //      - if --force flag is set, start firejail sandbox
+        //      -- if --force flag is not set, start the application in a /bin/bash shell 
+        if (check_namespace_virt() == 0) {
+                EUID_ROOT();
+                int rv = check_kernel_procs();
+                EUID_USER();
+                if (rv == 0) {
+                        // if --force option is passed to the program, disregard the existing sandbox
+                        int found = 0;
+                        for (i = 1; i < argc; i++) {
+                                if (strcmp(argv[i], "--force") == 0 ||
+                                    strcmp(argv[i], "--list") == 0 ||   
+                                    strcmp(argv[i], "--netstats") == 0 ||       
+                                    strcmp(argv[i], "--tree") == 0 ||   
+                                    strcmp(argv[i], "--top") == 0 ||
+                                    strncmp(argv[i], "--ls=", 5) == 0 ||
+                                    strncmp(argv[i], "--get=", 6) == 0 ||
+                                    strcmp(argv[i], "--debug-caps") == 0 ||
+                                    strcmp(argv[i], "--debug-errnos") == 0 ||
+                                    strcmp(argv[i], "--debug-syscalls") == 0 ||
+                                    strcmp(argv[i], "--debug-protocols") == 0 ||
+                                    strcmp(argv[i], "--help") == 0 ||
+                                    strcmp(argv[i], "--version") == 0 ||
+                                    strncmp(argv[i], "--dns.print=", 12) == 0 ||
+                                    strncmp(argv[i], "--bandwidth=", 12) == 0 ||
+                                    strncmp(argv[i], "--caps.print=", 13) == 0 ||
+                                    strncmp(argv[i], "--cpu.print=", 12) == 0 ||
+        //********************************************************************************
+        // todo: fix the following problems
+                                    strncmp(argv[i], "--join=", 7) == 0 ||
+        //[netblue@debian Downloads]$ firejail --join=896
+        //Switching to pid 897, the first child process inside the sandbox
+        //Error: seccomp file not found
+        //********************************************************************************
+        
+                                    strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
+                                    strncmp(argv[i], "--join-network=", 15) == 0 ||
+                                    strncmp(argv[i], "--fs.print=", 11) == 0 ||
+                                    strncmp(argv[i], "--protocol.print=", 17) == 0 ||
+                                    strncmp(argv[i], "--seccomp.print", 15) == 0 ||
+                                    strncmp(argv[i], "--shutdown=", 11) == 0) {
+                                        found = 1;
+                                        break;
+                                }
+        
+                                // detect end of firejail params
+                                if (strcmp(argv[i], "--") == 0)
+                                        break;
+                                if (strncmp(argv[i], "--", 2) != 0)
+                                        break;
+                        }
+                        
+                        if (found == 0) {
+                                // start the program directly without sandboxing
+                                run_no_sandbox(argc, argv);
+                                // it will never get here!
+                                assert(0);
+                        }
+                        else
+                                option_force = 1;
+                }
+        }
+        
+        // check root/suid
+        EUID_ROOT();
+        if (geteuid()) {
+                // detect --version
                 for (i = 1; i < argc; i++) {
-                        if (strcmp(argv[i], "--force") == 0) {
-                                found = 1;
-                                break;
+                        if (strcmp(argv[i], "--version") == 0) {
+                                printf("firejail version %s\n", VERSION);
+                                exit(0);
                         }
+                        
+                        // detect end of firejail params
                         if (strcmp(argv[i], "--") == 0)
                                 break;
                         if (strncmp(argv[i], "--", 2) != 0)
                                 break;
                 }
-                
-                if (found == 0) {
-                        // start the program directly without sandboxing
-                        run_no_sandbox(argc, argv);
-                        // it will never get here!
-                        assert(0);
-                }
-        }
-
-        // check root/suid
-        EUID_ROOT();
-        if (geteuid()) {
-                fprintf(stderr, "Error: the sandbox is not setuid root\n");
                 exit(1);
         }
         EUID_USER();
@@ -670,24 +861,30 @@ int main(int argc, char **argv) {
         // check firejail directories
         EUID_ROOT();
         fs_build_firejail_dir();
-        // todo: deprecate shm functions
-        shm_create_firejail_dir();      
-        bandwidth_shm_del_file(sandbox_pid);
+        bandwidth_del_run_file(sandbox_pid);
+        network_del_run_file(sandbox_pid);
+        delete_name_file(sandbox_pid);
+        delete_x11_file(sandbox_pid);
+        
         EUID_USER();
         
         //check if the parent is sshd daemon
         int parent_sshd = 0;
         {
                 pid_t ppid = getppid();
+                EUID_ROOT();
                 char *comm = pid_proc_comm(ppid);
+                EUID_USER();
                 if (comm) {
-                        if (strcmp(comm, "sshd") == 0)
+                        if (strcmp(comm, "sshd") == 0) {
+                                arg_quiet = 1;
                                 parent_sshd = 1;
+                        }
                         free(comm);
                 }
         }
         
-        // is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
         if (*argv[0] == '-' || parent_sshd) {
                 fullargc = restricted_shell(cfg.username);
                 if (fullargc) {
@@ -703,96 +900,144 @@ int main(int argc, char **argv) {
         else {
                 // check --output option and execute it;
                 check_output(argc, argv); // the function will not return if --output option was found
-                check_user(argc, argv); // the function will not return if --user option was found
         }
         
+        
+        // check for force-nonewprivs in /etc/firejail/firejail.config file
+        if (checkcfg(CFG_FORCE_NONEWPRIVS))
+                arg_nonewprivs = 1;
+        
         // parse arguments
         for (i = 1; i < argc; i++) {
                 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
                 
-                if (strcmp(argv[i], "--debug") == 0)
-                        arg_debug = 1;
+                if (strcmp(argv[i], "--debug") == 0) {
+                        if (!arg_quiet) {
+                                arg_debug = 1;
+                                if (option_force)
+                                        printf("Entering sandbox-in-sandbox mode\n");
+                        }
+                }
                 else if (strcmp(argv[i], "--debug-check-filename") == 0)
                         arg_debug_check_filename = 1;
                 else if (strcmp(argv[i], "--debug-blacklists") == 0)
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
                         arg_debug_whitelists = 1;
-                else if (strcmp(argv[i], "--quiet") == 0)
+                else if (strcmp(argv[i], "--quiet") == 0) {
                         arg_quiet = 1;
+                        arg_debug = 0;
+                }
                 else if (strcmp(argv[i], "--force") == 0)
                         ;
-                
+
                 //*************************************
                 // filtering
                 //*************************************
 #ifdef HAVE_SECCOMP
-                else if (strncmp(argv[i], "--protocol=", 11) == 0) 
-                        protocol_store(argv[i] + 11);
+                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                protocol_store(argv[i] + 11);
+                        }
+                        else {
+                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
                 else if (strcmp(argv[i], "--seccomp") == 0) {
-                        if (arg_seccomp) {
-                                fprintf(stderr, "Error: seccomp already enabled\n");
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp) {
+                                        fprintf(stderr, "Error: seccomp already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp = 1;
+                        }
+                        else {
+                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
                                 exit(1);
                         }
-                        arg_seccomp = 1;
                 }
                 else if (strncmp(argv[i], "--seccomp=", 10) == 0) {
-                        if (arg_seccomp) {
-                                fprintf(stderr, "Error: seccomp already enabled\n");
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp) {
+                                        fprintf(stderr, "Error: seccomp already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp = 1;
+                                cfg.seccomp_list = strdup(argv[i] + 10);
+                                if (!cfg.seccomp_list)
+                                        errExit("strdup");
+                        }
+                        else {
+                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
                                 exit(1);
                         }
-                        arg_seccomp = 1;
-                        cfg.seccomp_list = strdup(argv[i] + 10);
-                        if (!cfg.seccomp_list)
-                                errExit("strdup");
                 }
                 else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
-                        if (arg_seccomp) {
-                                fprintf(stderr, "Error: seccomp already enabled\n");
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp) {
+                                        fprintf(stderr, "Error: seccomp already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp = 1;
+                                cfg.seccomp_list_drop = strdup(argv[i] + 15);
+                                if (!cfg.seccomp_list_drop)
+                                        errExit("strdup");
+                        }
+                        else {
+                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
                                 exit(1);
                         }
-                        arg_seccomp = 1;
-                        cfg.seccomp_list_drop = strdup(argv[i] + 15);
-                        if (!cfg.seccomp_list_drop)
-                                errExit("strdup");
                 }
                 else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
-                        if (arg_seccomp) {
-                                fprintf(stderr, "Error: seccomp already enabled\n");
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp) {
+                                        fprintf(stderr, "Error: seccomp already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp = 1;
+                                cfg.seccomp_list_keep = strdup(argv[i] + 15);
+                                if (!cfg.seccomp_list_keep)
+                                        errExit("strdup");
+                        }
+                        else {
+                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
                                 exit(1);
                         }
-                        arg_seccomp = 1;
-                        cfg.seccomp_list_keep = strdup(argv[i] + 15);
-                        if (!cfg.seccomp_list_keep)
-                                errExit("strdup");
                 }
                 else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
-                        if (arg_seccomp && !cfg.seccomp_list_errno) {
-                                fprintf(stderr, "Error: seccomp already enabled\n");
-                                exit(1);
-                        }
-                        char *eq = strchr(argv[i], '=');
-                        char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
-                        int nr = errno_find_name(errnoname);
-                        if (nr == -1) {
-                                fprintf(stderr, "Error: unknown errno %s\n", errnoname);
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp && !cfg.seccomp_list_errno) {
+                                        fprintf(stderr, "Error: seccomp already enabled\n");
+                                        exit(1);
+                                }
+                                char *eq = strchr(argv[i], '=');
+                                char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
+                                int nr = errno_find_name(errnoname);
+                                if (nr == -1) {
+                                        fprintf(stderr, "Error: unknown errno %s\n", errnoname);
+                                        free(errnoname);
+                                        exit(1);
+                                }
+        
+                                if (!cfg.seccomp_list_errno)
+                                        cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
+        
+                                if (cfg.seccomp_list_errno[nr]) {
+                                        fprintf(stderr, "Error: errno %s already configured\n", errnoname);
+                                        free(errnoname);
+                                        exit(1);
+                                }
+                                arg_seccomp = 1;
+                                cfg.seccomp_list_errno[nr] = strdup(eq+1);
+                                if (!cfg.seccomp_list_errno[nr])
+                                        errExit("strdup");
                                 free(errnoname);
-                                exit(1);
                         }
-
-                        if (!cfg.seccomp_list_errno)
-                                cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
-
-                        if (cfg.seccomp_list_errno[nr]) {
-                                fprintf(stderr, "Error: errno %s already configured\n", errnoname);
-                                free(errnoname);
+                        else {
+                                fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
                                 exit(1);
                         }
-                        arg_seccomp = 1;
-                        cfg.seccomp_list_errno[nr] = strdup(eq+1);
-                        if (!cfg.seccomp_list_errno[nr])
-                                errExit("strdup");
-                        free(errnoname);
                 }
 #endif          
                 else if (strcmp(argv[i], "--caps") == 0)
@@ -861,15 +1106,17 @@ int main(int argc, char **argv) {
                         read_cpu_list(argv[i] + 6);
                 else if (strncmp(argv[i], "--nice=", 7) == 0) {
                         cfg.nice = atoi(argv[i] + 7);
+                        if (getuid() != 0 &&cfg.nice < 0)
+                                cfg.nice = 0;
                         arg_nice = 1;
                 }
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
-                        if (arg_cgroup) {
+                        if (option_cgroup) {
                                 fprintf(stderr, "Error: only a cgroup can be defined\n");
                                 exit(1);
                         }
                         
-                        arg_cgroup = 1;
+                        option_cgroup = 1;
                         cfg.cgroup = strdup(argv[i] + 9);
                         if (!cfg.cgroup)
                                 errExit("strdup");
@@ -881,12 +1128,18 @@ int main(int argc, char **argv) {
                 //*************************************
 #ifdef HAVE_BIND                
                 else if (strncmp(argv[i], "--bind=", 7) == 0) {
-                        char *line;
-                        if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
-                                errExit("asprintf");
-
-                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        profile_add(line);
+                        if (checkcfg(CFG_BIND)) {
+                                char *line;
+                                if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
+                                        errExit("asprintf");
+        
+                                profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                profile_add(line);
+                        }
+                        else {
+                                fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
                 }
 #endif
                 else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
@@ -913,17 +1166,43 @@ int main(int argc, char **argv) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+
+#ifdef HAVE_WHITELIST
                 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
+                        if (checkcfg(CFG_WHITELIST)) {
+                                char *line;
+                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                        errExit("asprintf");
+                                
+                                profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                profile_add(line);
+                        }
+                        else {
+                                fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
+#endif          
+
+                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
                         char *line;
-                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
                                 errExit("asprintf");
                         
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
+                else if (strncmp(argv[i], "--noexec=", 9) == 0) {
                         char *line;
-                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
+                        if (asprintf(&line, "noexec %s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+                        
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--read-write=", 13) == 0) {
+                        char *line;
+                        if (asprintf(&line, "read-write %s", argv[i] + 13) == -1)
                                 errExit("asprintf");
                         
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
@@ -934,6 +1213,11 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                 exit(1);
                         }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);        
+                        }
                         arg_overlay = 1;
                         arg_overlay_keep = 1;
                         
@@ -941,7 +1225,6 @@ int main(int argc, char **argv) {
                         char *dirname;
                         if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                                 errExit("asprintf");
-                        struct stat s;
                         if (stat(dirname, &s) == -1) {
                                 /* coverity[toctou] */
                                 if (mkdir(dirname, 0700))
@@ -972,6 +1255,11 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                 exit(1);
                         }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);        
+                        }
                         arg_overlay = 1;
                 }
                 else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -979,23 +1267,27 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
                                 exit(1);
                         }
-                        invalid_filename(argv[i] + 10);
+                        
+                        char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+                        if (!ppath)
+                                errExit("strdup");
+                        invalid_filename(ppath);
                         
                         // multiple profile files are allowed!
-                        char *ptr = argv[i] + 10;
-                        if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) {
+                        if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
                                 fprintf(stderr, "Error: invalid profile file\n");
                                 exit(1);
                         }
                         
                         // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(argv[i] + 10, R_OK)) {
+                        if (access(ppath, R_OK)) {
                                 fprintf(stderr, "Error: cannot access profile file\n");
                                 return 1;
                         }
 
-                        profile_read(argv[i] + 10);
+                        profile_read(ppath);
                         custom_profile = 1;
+                        free(ppath);
                 }
                 else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
                         if (arg_noprofile) {
@@ -1049,35 +1341,60 @@ int main(int argc, char **argv) {
                 }
 #ifdef HAVE_CHROOT              
                 else if (strncmp(argv[i], "--chroot=", 9) == 0) {
-                        if (arg_overlay) {
-                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
-                                exit(1);
-                        }
-                        invalid_filename(argv[i] + 9);
-                        
-                        // extract chroot dirname
-                        cfg.chrootdir = argv[i] + 9;
-                        // if the directory starts with ~, expand the home directory
-                        if (*cfg.chrootdir == '~') {
-                                char *tmp;
-                                if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1)
-                                        errExit("asprintf");
-                                cfg.chrootdir = tmp;
-                        }
-                        
-                        // check chroot dirname exists
-                        if (strstr(cfg.chrootdir, "..") || !is_dir(cfg.chrootdir) || is_link(cfg.chrootdir)) {
-                                fprintf(stderr, "Error: invalid directory %s\n", cfg.chrootdir);
-                                return 1;
+                        if (checkcfg(CFG_CHROOT)) {
+                                if (arg_overlay) {
+                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+                                        exit(1);
+                                }
+                                
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n");
+                                        exit(1);        
+                                }
+                                
+                                
+                                invalid_filename(argv[i] + 9);
+                                
+                                // extract chroot dirname
+                                cfg.chrootdir = argv[i] + 9;
+                                // if the directory starts with ~, expand the home directory
+                                if (*cfg.chrootdir == '~') {
+                                        char *tmp;
+                                        if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1)
+                                                errExit("asprintf");
+                                        cfg.chrootdir = tmp;
+                                }
+                                
+                                // check chroot dirname exists
+                                if (strstr(cfg.chrootdir, "..") || !is_dir(cfg.chrootdir) || is_link(cfg.chrootdir)) {
+                                        fprintf(stderr, "Error: invalid directory %s\n", cfg.chrootdir);
+                                        return 1;
+                                }
+                                
+                                // check chroot directory structure
+                                if (fs_check_chroot_dir(cfg.chrootdir)) {
+                                        fprintf(stderr, "Error: invalid chroot\n");
+                                        exit(1);
+                                }
                         }
-                        
-                        // check chroot directory structure
-                        if (fs_check_chroot_dir(cfg.chrootdir)) {
-                                fprintf(stderr, "Error: invalid chroot\n");
+                        else {
+                                fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n");
                                 exit(1);
                         }
+
                 }
 #endif
+                else if (strcmp(argv[i], "--writable-etc") == 0) {
+                        if (cfg.etc_private_keep) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        arg_writable_etc = 1;
+                }
+                else if (strcmp(argv[i], "--writable-var") == 0) {
+                        arg_writable_var = 1;
+                }
                 else if (strcmp(argv[i], "--private") == 0)
                         arg_private = 1;
                 else if (strncmp(argv[i], "--private=", 10) == 0) {
@@ -1094,6 +1411,11 @@ int main(int argc, char **argv) {
                         arg_private_dev = 1;
                 }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        
                         // extract private etc list
                         cfg.etc_private_keep = argv[i] + 14;
                         if (*cfg.etc_private_keep == '\0') {
@@ -1101,12 +1423,7 @@ int main(int argc, char **argv) {
                                 exit(1);
                         }
                         fs_check_etc_list();
-                        if (*cfg.etc_private_keep != '\0')
-                                arg_private_etc = 1;
-                        else {
-                                arg_private_etc = 0;
-                                fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-                        }
+                        arg_private_etc = 1;
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                         // extract private bin list
@@ -1115,8 +1432,8 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: invalid private-bin option\n");
                                 exit(1);
                         }
-                        fs_check_bin_list();
                         arg_private_bin = 1;
+                        fs_check_bin_list();
                 }
                 else if (strcmp(argv[i], "--private-tmp") == 0) {
                         arg_private_tmp = 1;
@@ -1143,14 +1460,23 @@ int main(int argc, char **argv) {
                         arg_nogroups = 1;
 #ifdef HAVE_USERNS
                 else if (strcmp(argv[i], "--noroot") == 0) {
-                        check_user_namespace();
+                        if (checkcfg(CFG_USERNS))
+                                check_user_namespace();
+                        else {
+                                fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
                 }
 #endif
+                else if (strcmp(argv[i], "--nonewprivs") == 0) {
+                        arg_nonewprivs = 1;
+                }
                 else if (strncmp(argv[i], "--env=", 6) == 0)
-                        env_store(argv[i] + 6);
-                else if (strncmp(argv[i], "--nosound", 9) == 0) {
+                        env_store(argv[i] + 6, SETENV);
+                else if (strncmp(argv[i], "--rmenv=", 8) == 0)
+                        env_store(argv[i] + 8, RMENV);
+                else if (strcmp(argv[i], "--nosound") == 0) {
                         arg_nosound = 1;
-                        arg_private_dev = 1;
                 }
                                 
                 //*************************************
@@ -1158,204 +1484,278 @@ int main(int argc, char **argv) {
                 //*************************************
 #ifdef HAVE_NETWORK     
                 else if (strncmp(argv[i], "--interface=", 12) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
 #ifdef HAVE_NETWORK_RESTRICTED
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: --interface is allowed only to root user\n");
-                                exit(1);
-                        }
+                                // compile time restricted networking
+                                if (getuid() != 0) {
+                                        fprintf(stderr, "Error: --interface is allowed only to root user\n");
+                                        exit(1);
+                                }
 #endif
-                        // checks
-                        if (arg_nonetwork) {
-                                fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
-                                exit(1);
-                        }
-                        if (strcmp(argv[i] + 12, "lo") == 0) {
-                                fprintf(stderr, "Error: cannot use lo device in --interface command\n");
-                                exit(1);
-                        }
-                        int ifindex = if_nametoindex(argv[i] + 12);
-                        if (ifindex <= 0) {
-                                fprintf(stderr, "Error: cannot find interface %s\n", argv[i] + 12);
-                                exit(1);
+                                // run time restricted networking
+                                if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                        fprintf(stderr, "Error: --interface is allowed only to root user\n");
+                                        exit(1);
+                                }
+                
+                                // checks
+                                if (arg_nonetwork) {
+                                        fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
+                                        exit(1);
+                                }
+                                if (strcmp(argv[i] + 12, "lo") == 0) {
+                                        fprintf(stderr, "Error: cannot use lo device in --interface command\n");
+                                        exit(1);
+                                }
+                                int ifindex = if_nametoindex(argv[i] + 12);
+                                if (ifindex <= 0) {
+                                        fprintf(stderr, "Error: cannot find interface %s\n", argv[i] + 12);
+                                        exit(1);
+                                }
+                                
+                                Interface *intf;
+                                if (cfg.interface0.configured == 0)
+                                        intf = &cfg.interface0;
+                                else if (cfg.interface1.configured == 0)
+                                        intf = &cfg.interface1;
+                                else if (cfg.interface2.configured == 0)
+                                        intf = &cfg.interface2;
+                                else if (cfg.interface3.configured == 0)
+                                        intf = &cfg.interface3;
+                                else {
+                                        fprintf(stderr, "Error: maximum 4 interfaces are allowed\n");
+                                        return 1;
+                                }
+                                
+                                intf->dev = strdup(argv[i] + 12);
+                                if (!intf->dev)
+                                        errExit("strdup");
+                                
+                                if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) {
+                                        fprintf(stderr, "Warning:  interface %s is not configured\n", intf->dev);
+                                }
+                                intf->configured = 1;
                         }
-                        
-                        Interface *intf;
-                        if (cfg.interface0.configured == 0)
-                                intf = &cfg.interface0;
-                        else if (cfg.interface1.configured == 0)
-                                intf = &cfg.interface1;
-                        else if (cfg.interface2.configured == 0)
-                                intf = &cfg.interface2;
-                        else if (cfg.interface3.configured == 0)
-                                intf = &cfg.interface3;
                         else {
-                                fprintf(stderr, "Error: maximum 4 interfaces are allowed\n");
-                                return 1;
-                        }
-                        
-                        intf->dev = strdup(argv[i] + 12);
-                        if (!intf->dev)
-                                errExit("strdup");
-                        
-                        if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) {
-                                fprintf(stderr, "Warning:  interface %s is not configured\n", intf->dev);
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
-                        intf->configured = 1;
                 }
+
                 else if (strncmp(argv[i], "--net=", 6) == 0) {
-                        if (strcmp(argv[i] + 6, "none") == 0) {
-                                arg_nonetwork  = 1;
-                                cfg.bridge0.configured = 0;
-                                cfg.bridge1.configured = 0;
-                                cfg.bridge2.configured = 0;
-                                cfg.bridge3.configured = 0;
-                                cfg.interface0.configured = 0;
-                                cfg.interface1.configured = 0;
-                                cfg.interface2.configured = 0;
-                                cfg.interface3.configured = 0;
-                                continue;
-                        }
+                        if (checkcfg(CFG_NETWORK)) {
+                                if (strcmp(argv[i] + 6, "none") == 0) {
+                                        arg_nonetwork  = 1;
+                                        cfg.bridge0.configured = 0;
+                                        cfg.bridge1.configured = 0;
+                                        cfg.bridge2.configured = 0;
+                                        cfg.bridge3.configured = 0;
+                                        cfg.interface0.configured = 0;
+                                        cfg.interface1.configured = 0;
+                                        cfg.interface2.configured = 0;
+                                        cfg.interface3.configured = 0;
+                                        continue;
+                                }
+
 #ifdef HAVE_NETWORK_RESTRICTED
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-                                exit(1);
-                        }
+                                // compile time restricted networking
+                                if (getuid() != 0) {
+                                        fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
+                                        exit(1);
+                                }
 #endif
-                        if (strcmp(argv[i] + 6, "lo") == 0) {
-                                fprintf(stderr, "Error: cannot attach to lo device\n");
-                                exit(1);
+                                // run time restricted networking
+                                if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                        fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
+                                        exit(1);
+                                }
+                                if (strcmp(argv[i] + 6, "lo") == 0) {
+                                        fprintf(stderr, "Error: cannot attach to lo device\n");
+                                        exit(1);
+                                }
+        
+                                Bridge *br;
+                                if (cfg.bridge0.configured == 0)
+                                        br = &cfg.bridge0;
+                                else if (cfg.bridge1.configured == 0)
+                                        br = &cfg.bridge1;
+                                else if (cfg.bridge2.configured == 0)
+                                        br = &cfg.bridge2;
+                                else if (cfg.bridge3.configured == 0)
+                                        br = &cfg.bridge3;
+                                else {
+                                        fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
+                                        return 1;
+                                }
+                                net_configure_bridge(br, argv[i] + 6);
                         }
-
-                        Bridge *br;
-                        if (cfg.bridge0.configured == 0)
-                                br = &cfg.bridge0;
-                        else if (cfg.bridge1.configured == 0)
-                                br = &cfg.bridge1;
-                        else if (cfg.bridge2.configured == 0)
-                                br = &cfg.bridge2;
-                        else if (cfg.bridge3.configured == 0)
-                                br = &cfg.bridge3;
                         else {
-                                fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
-                                return 1;
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
-                        net_configure_bridge(br, argv[i] + 6);
                 }
+
                 else if (strcmp(argv[i], "--scan") == 0) {
-                        arg_scan = 1;
-                }
-                else if (strncmp(argv[i], "--iprange=", 10) == 0) {
-                        Bridge *br = last_bridge_configured();
-                        if (br == NULL) {
-                                fprintf(stderr, "Error: no network device configured\n");
-                                return 1;
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_scan = 1;
                         }
-                        if (br->iprange_start || br->iprange_end) {
-                                fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n");
-                                return 1;
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
-                        
-                        // parse option arguments
-                        char *firstip = argv[i] + 10;
-                        char *secondip = firstip;
-                        while (*secondip != '\0') {
-                                if (*secondip == ',')
-                                        break;
+                }
+                else if (strncmp(argv[i], "--iprange=", 10) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        return 1;
+                                }
+                                if (br->iprange_start || br->iprange_end) {
+                                        fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n");
+                                        return 1;
+                                }
+                                
+                                // parse option arguments
+                                char *firstip = argv[i] + 10;
+                                char *secondip = firstip;
+                                while (*secondip != '\0') {
+                                        if (*secondip == ',')
+                                                break;
+                                        secondip++;
+                                }
+                                if (*secondip == '\0') {
+                                        fprintf(stderr, "Error: invalid IP range\n");
+                                        return 1;
+                                }
+                                *secondip = '\0';
                                 secondip++;
+                                
+                                // check addresses
+                                if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) ||
+                                    br->iprange_start >= br->iprange_end) {
+                                        fprintf(stderr, "Error: invalid IP range\n");
+                                        return 1;
+                                }
+                                if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) {
+                                        fprintf(stderr, "Error: IP range addresses not in network range\n");
+                                        return 1;
+                                }
                         }
-                        if (*secondip == '\0') {
-                                fprintf(stderr, "Error: invalid IP range\n");
-                                return 1;
-                        }
-                        *secondip = '\0';
-                        secondip++;
-                        
-                        // check addresses
-                        if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) ||
-                            br->iprange_start >= br->iprange_end) {
-                                fprintf(stderr, "Error: invalid IP range\n");
-                                return 1;
-                        }
-                        if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) {
-                                fprintf(stderr, "Error: IP range addresses not in network range\n");
-                                return 1;
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
                 }
+
                 else if (strncmp(argv[i], "--mac=", 6) == 0) {
-                        Bridge *br = last_bridge_configured();
-                        if (br == NULL) {
-                                fprintf(stderr, "Error: no network device configured\n");
-                                return 1;
-                        }
-                        if (mac_not_zero(br->macsandbox)) {
-                                fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
-                                return 1;
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        exit(1);
+                                }
+                                if (mac_not_zero(br->macsandbox)) {
+                                        fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
+                                        exit(1);
+                                }
+        
+                                // read the address
+                                if (atomac(argv[i] + 6, br->macsandbox)) {
+                                        fprintf(stderr, "Error: invalid MAC address\n");
+                                        exit(1);
+                                }
                         }
-
-                        // read the address
-                        if (atomac(argv[i] + 6, br->macsandbox)) {
-                                fprintf(stderr, "Error: invalid MAC address\n");
-                                return 1;
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
                 }
+
                 else if (strncmp(argv[i], "--mtu=", 6) == 0) {
-                        Bridge *br = last_bridge_configured();
-                        if (br == NULL) {
-                                fprintf(stderr, "Error: no network device configured\n");
-                                return 1;
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        exit(1);
+                                }
+        
+                                if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
+                                        fprintf(stderr, "Error: invalid mtu value\n");
+                                        exit(1);
+                                }
                         }
-
-                        if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
-                                fprintf(stderr, "Error: invalid mtu value\n");
-                                return 1;
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
                 }
+
                 else if (strncmp(argv[i], "--ip=", 5) == 0) {
-                        Bridge *br = last_bridge_configured();
-                        if (br == NULL) {
-                                fprintf(stderr, "Error: no network device configured\n");
-                                return 1;
-                        }
-                        if (br->arg_ip_none || br->ipsandbox) {
-                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                return 1;
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        exit(1);
+                                }
+                                if (br->arg_ip_none || br->ipsandbox) {
+                                        fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                        exit(1);
+                                }
+        
+                                // configure this IP address for the last bridge defined
+                                if (strcmp(argv[i] + 5, "none") == 0)
+                                        br->arg_ip_none = 1;
+                                else {
+                                        if (atoip(argv[i] + 5, &br->ipsandbox)) {
+                                                fprintf(stderr, "Error: invalid IP address\n");
+                                                exit(1);
+                                        }
+                                }
                         }
-
-                        // configure this IP address for the last bridge defined
-                        if (strcmp(argv[i] + 5, "none") == 0)
-                                br->arg_ip_none = 1;
                         else {
-                                if (atoip(argv[i] + 5, &br->ipsandbox)) {
-                                        fprintf(stderr, "Error: invalid IP address\n");
-                                        return 1;
-                                }
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
                 }
-                else if (strncmp(argv[i], "--ip6=", 6) == 0) {
-                        Bridge *br = last_bridge_configured();
-                        if (br == NULL) {
-                                fprintf(stderr, "Error: no network device configured\n");
-                                return 1;
-                        }
-                        if (br->arg_ip_none || br->ip6sandbox) {
-                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-                                return 1;
-                        }
 
-                        // configure this IP address for the last bridge defined
-                        // todo: verify ipv6 syntax
-                        br->ip6sandbox = argv[i] + 6;
+                else if (strncmp(argv[i], "--ip6=", 6) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        exit(1);
+                                }
+                                if (br->arg_ip_none || br->ip6sandbox) {
+                                        fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                        exit(1);
+                                }
+        
+                                // configure this IP address for the last bridge defined
+                                // todo: verify ipv6 syntax
+                                br->ip6sandbox = argv[i] + 6;
 //                              if (atoip(argv[i] + 5, &br->ipsandbox)) {
 //                                      fprintf(stderr, "Error: invalid IP address\n");
-//                                      return 1;
+//                                      exit(1);
 //                              }
+                        }
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
                 }
 
 
                 else if (strncmp(argv[i], "--defaultgw=", 12) == 0) {
-                        if (atoip(argv[i] + 12, &cfg.defaultgw)) {
-                                fprintf(stderr, "Error: invalid IP address\n");
-                                return 1;
+                        if (checkcfg(CFG_NETWORK)) {
+                                if (atoip(argv[i] + 12, &cfg.defaultgw)) {
+                                        fprintf(stderr, "Error: invalid IP address\n");
+                                        exit(1);
+                                }
+                        }
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
                         }
                 }
 #endif          
@@ -1377,25 +1777,89 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+
 #ifdef HAVE_NETWORK
-                else if (strcmp(argv[i], "--netfilter") == 0)
-                        arg_netfilter = 1;
+                else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_netfilter = 1;
+                        }
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
+                }
+
                 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
-                        arg_netfilter = 1;
-                        arg_netfilter_file = argv[i] + 12;
-                        check_netfilter_file(arg_netfilter_file);
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_netfilter = 1;
+                                arg_netfilter_file = argv[i] + 12;
+                                check_netfilter_file(arg_netfilter_file);
+                        }
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
                 }
+
                 else if (strncmp(argv[i], "--netfilter6=", 13) == 0) {
-                        arg_netfilter6 = 1;
-                        arg_netfilter6_file = argv[i] + 13;
-                        check_netfilter_file(arg_netfilter6_file);
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_netfilter6 = 1;
+                                arg_netfilter6_file = argv[i] + 13;
+                                check_netfilter_file(arg_netfilter6_file);
+                        }
+                        else {
+                                fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+                                exit(1);
+                        }
                 }
 #endif
                 //*************************************
                 // command
                 //*************************************
+                else if (strcmp(argv[i], "--audit") == 0) {
+                        if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+                                errExit("asprintf");
+                        arg_audit = 1;
+                }
+                else if (strncmp(argv[i], "--audit=", 8) == 0) {
+                        if (strlen(argv[i] + 8) == 0) {
+                                fprintf(stderr, "Error: invalid audit program\n");
+                                exit(1);
+                        }
+                        arg_audit_prog = strdup(argv[i] + 8);
+                        if (!arg_audit_prog)
+                                errExit("strdup");
+                        arg_audit = 1;
+                }
+                else if (strcmp(argv[i], "--appimage") == 0)
+                        arg_appimage = 1;
                 else if (strcmp(argv[i], "--csh") == 0) {
                         if (arg_shell_none) {
+                        
                                 fprintf(stderr, "Error: --shell=none was already specified.\n");
                                 return 1;
                         }
@@ -1474,15 +1938,18 @@ int main(int argc, char **argv) {
                         }
                         
                         // we have a program name coming
-                        extract_command_name(i, argv);
+                        if (arg_appimage) {
+                                cfg.command_name = strdup(argv[i]);
+                                if (!cfg.command_name)
+                                        errExit("strdup");
+                        }
+                        else
+                                extract_command_name(i, argv);
                         prog_index = i;
                         break;
                 }
         }
 
-        // check network configuration options - it will exit if anything went wrong
-        net_check_cfg();
-        
         // check trace configuration
         if (arg_trace && arg_tracelog)
                 fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n");
@@ -1530,13 +1997,46 @@ int main(int argc, char **argv) {
                 cfg.window_title = "/bin/bash";
                 cfg.command_name = "bash";
         }
+        else if (arg_appimage) {
+                if (arg_debug)
+                        printf("Configuring appimage environment\n");
+                appimage_set(cfg.command_name);
+                cfg.window_title = "appimage";
+        }
         else {
                 // calculate the length of the command
                 int i;
                 int len = 0;
                 int argcnt = argc - prog_index;
-                for (i = 0; i < argcnt; i++)
-                        len += strlen(argv[i + prog_index]) + 3; // + ' ' + 2 '"'
+                int j;
+                bool in_quotes = false;
+
+                for (i = 0; i < argcnt; i++) {
+                        in_quotes = false;
+                        for (j = 0; j < strlen(argv[i + prog_index]); j++) {
+                                if (argv[i + prog_index][j] == '\'') {
+                                        if (in_quotes)
+                                                len++;
+                                        if (j > 0 && argv[i + prog_index][j-1] == '\'')
+                                                len++;
+                                        else
+                                                len += 3;
+                                        in_quotes = false;
+                                } else {
+                                        if (!in_quotes)
+                                                len++;
+                                        len++;
+                                        in_quotes = true;
+                                }
+                        }
+                        if (in_quotes) {
+                                len++;
+                        }
+                        if (strlen(argv[i + prog_index]) == 0) {
+                                len += 2;
+                        }
+                        len++;
+                }
 
                 // build the string
                 cfg.command_line = malloc(len + 1); // + '\0'
@@ -1549,26 +2049,70 @@ int main(int argc, char **argv) {
                 char *ptr1 = cfg.command_line;
                 char *ptr2 = cfg.window_title;
                 for (i = 0; i < argcnt; i++) {
-                        // detect bash commands
-                        if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) {
-                                sprintf(ptr1, "%s ", argv[i + prog_index]);
+
+                        // enclose args by single quotes,
+                        // and since single quote can't be represented in single quoted text
+                        // each occurence of it should be enclosed by double quotes
+                        in_quotes = false;
+                        for (j = 0; j < strlen(argv[i + prog_index]); j++) {
+                                // single quote
+                                if (argv[i + prog_index][j] == '\'') {
+                                        if (in_quotes) {
+                                                // close quotes
+                                                ptr1[0] = '\'';
+                                                ptr1++;
+                                        }
+                                        // previous char was single quote too
+                                        if (j > 0 && argv[i + prog_index][j-1] == '\'') {
+                                                ptr1--;
+                                                sprintf(ptr1, "\'\"");
+                                        } 
+                                        // this first in series
+                                        else
+                                        {
+                                                sprintf(ptr1, "\"\'\"");
+                                        }
+                                        ptr1 += strlen(ptr1);
+                                        in_quotes = false;
+                                }
+                                // anything other
+                                else
+                                {
+                                        if (!in_quotes) {
+                                                // open quotes
+                                                ptr1[0] = '\'';
+                                                ptr1++;
+                                        }
+                                        ptr1[0] = argv[i + prog_index][j];
+                                        ptr1++;
+                                        in_quotes = true;
+                                }
                         }
-                        else if (arg_command){
-                                sprintf(ptr1, "%s ", argv[i + prog_index]);
+                        // close quotes
+                        if (in_quotes) {
+                                ptr1[0] = '\'';
+                                ptr1++;
                         }
-                        else {
-                                sprintf(ptr1, "\"%s\" ", argv[i + prog_index]);
+                        // handle empty argument case
+                        if (strlen(argv[i + prog_index]) == 0) {
+                                sprintf(ptr1, "\'\'");
+                                ptr1 += strlen(ptr1);
                         }
-                        sprintf(ptr2, "%s ", argv[i + prog_index]);
-
+                        // add space
+                        sprintf(ptr1, " ");
                         ptr1 += strlen(ptr1);
+
+                        sprintf(ptr2, "%s ", argv[i + prog_index]);
                         ptr2 += strlen(ptr2);
                 }
+
+                assert(len == strlen(cfg.command_line));
         }
         
         assert(cfg.command_name);
         if (arg_debug)
                 printf("Command name #%s#\n", cfg.command_name);
+                
                                 
         // load the profile
         if (!arg_noprofile) {
@@ -1592,14 +2136,12 @@ int main(int argc, char **argv) {
                 }
         }
 
-        // use generic.profile as the default
+        // use default.profile as the default
         if (!custom_profile && !arg_noprofile) {
                 if (cfg.chrootdir)
                         fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
                 else if (arg_overlay)
                         fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-//              else if (cfg.home_private_keep)
-//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
                 else {
                         // try to load a default profile
                         char *profile_name = DEFAULT_USER_PROFILE;
@@ -1622,12 +2164,19 @@ int main(int argc, char **argv) {
                                 else
                                         custom_profile = profile_find(profile_name, SYSCONFDIR);
                         }
+                        if (!custom_profile) {
+                                fprintf(stderr, "Error: no default.profile installed\n");
+                                exit(1);
+                        }
                         
                         if (custom_profile && !arg_quiet)
                                 printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
                 }
         }
 
+        // check network configuration options - it will exit if anything went wrong
+        net_check_cfg();
+        
         // check and assign an IP address - for macvlan it will be done again in the sandbox!
         if (any_bridge_configured()) {
                 EUID_ROOT();
@@ -1644,7 +2193,7 @@ int main(int argc, char **argv) {
                 check_network(&cfg.bridge3);
                         
                 // save network mapping in shared memory
-                network_shm_set_file(sandbox_pid);
+                network_set_run_file(sandbox_pid);
                 EUID_USER();
         }
 
@@ -1706,54 +2255,27 @@ int main(int argc, char **argv) {
                         printf("The new log directory is /proc/%d/root/var/log\n", child);
         }
         
-
-        EUID_ROOT();    
         if (!arg_nonetwork) {
-                // create veth pair or macvlan device
-                if (cfg.bridge0.configured) {
-                        if (cfg.bridge0.macvlan == 0) {
-                                net_configure_veth_pair(&cfg.bridge0, "eth0", child);
-                        }
-                        else
-                                net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
-                }
-                
-                if (cfg.bridge1.configured) {
-                        if (cfg.bridge1.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge1, "eth1", child);
-                        else
-                                net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
-                }
-                
-                if (cfg.bridge2.configured) {
-                        if (cfg.bridge2.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge2, "eth2", child);
-                        else
-                                net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
-                }
-                
-                if (cfg.bridge3.configured) {
-                        if (cfg.bridge3.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge3, "eth3", child);
-                        else
-                                net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
-                }
-        
-                // move interfaces in sandbox
-                if (cfg.interface0.configured) {
-                        net_move_interface(cfg.interface0.dev, child);
-                }
-                if (cfg.interface1.configured) {
-                        net_move_interface(cfg.interface1.dev, child);
-                }
-                if (cfg.interface2.configured) {
-                        net_move_interface(cfg.interface2.dev, child);
-                }
-                if (cfg.interface3.configured) {
-                        net_move_interface(cfg.interface3.dev, child);
+                EUID_ROOT();    
+                pid_t net_child = fork();
+                if (net_child < 0)
+                        errExit("fork");
+                if (net_child == 0) {
+                        // elevate privileges in order to get grsecurity working
+                        if (setreuid(0, 0))
+                                errExit("setreuid");
+                        if (setregid(0, 0))
+                                errExit("setregid");
+                        network_main(child);
+                        if (arg_debug)
+                                printf("Host network configured\n");                    
+                        exit(0);                        
                 }
+
+                // wait for the child to finish
+                waitpid(net_child, NULL, 0);
+                EUID_USER();
         }
-        EUID_USER();
 
         // close each end of the unused pipes
         close(parent_to_child_fds[0]);
@@ -1772,6 +2294,7 @@ int main(int argc, char **argv) {
                 char *map_path;
                 if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1)
                         errExit("asprintf");
+
                 char *map;
                 uid_t uid = getuid();
                 if (asprintf(&map, "%d %d 1", uid, uid) == -1)
@@ -1782,23 +2305,34 @@ int main(int argc, char **argv) {
                 free(map);
                 free(map_path);
          
-                //gid
-                if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
-                        errExit("asprintf");
+                // gid file
+                if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
+                        errExit("asprintf");
+                char gidmap[1024];
+                char *ptr = gidmap;
+                *ptr = '\0';
+
+                // add user group
                 gid_t gid = getgid();
+                sprintf(ptr, "%d %d 1\n", gid, gid);
+                ptr += strlen(ptr);
+                
+                //  add tty group
                 gid_t ttygid = get_tty_gid();
-                if (ttygid == 0)  {
-                        if (asprintf(&map, "%d %d 1", gid, gid) == -1)
-                                errExit("asprintf");
-                }
-                else {
-                        if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1)
-                                errExit("asprintf");
-                }
+                if (ttygid) {
+                        sprintf(ptr, "%d %d 1\n", ttygid, ttygid);
+                        ptr += strlen(ptr);
+                }
+                
+                //  add audio group
+                gid_t audiogid = get_audio_gid();
+                if (ttygid) {
+                        sprintf(ptr, "%d %d 1\n", audiogid, audiogid);
+                }
+                
                 EUID_ROOT();
-                update_map(map, map_path);
+                update_map(gidmap, map_path);
                 EUID_USER();
-                free(map);
                 free(map_path);
         }
         
@@ -1807,8 +2341,10 @@ int main(int argc, char **argv) {
         close(parent_to_child_fds[1]);
  
         EUID_ROOT();
-        if (lockfd != -1)
+        if (lockfd != -1) {
                 flock(lockfd, LOCK_UN);
+                close(lockfd);
+        }
 
         // create name file under /run/firejail
         
@@ -1816,9 +2352,11 @@ int main(int argc, char **argv) {
         // handle CTRL-C in parent
         signal (SIGINT, my_handler);
         signal (SIGTERM, my_handler);
+
         
         // wait for the child to finish
-        int status = NULL;
+        EUID_USER();
+        int status = 0;
         waitpid(child, &status, 0);
 
         // free globals
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 4a5499699..b50d61039 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -66,6 +66,8 @@ void netfilter(const char *fname) {
 
         // custom filter
         int allocated = 0;
+        if (netfilter_default)
+                fname = netfilter_default;
         if (fname) {
                 // buffer the filter
                 struct stat s;
@@ -139,7 +141,6 @@ void netfilter(const char *fname) {
                         exit(1);
                 }
                 dup2(fd,STDIN_FILENO);
-                close(fd);
 
                 // wipe out environment variables
                 environ = NULL;
@@ -155,6 +156,11 @@ void netfilter(const char *fname) {
                 if (child < 0)
                         errExit("fork");
                 if (child == 0) {
+                        // elevate privileges in order to get grsecurity working
+                        if (setreuid(0, 0))
+                                errExit("setreuid");
+                        if (setregid(0, 0))
+                                errExit("setregid");
                         environ = NULL;
                         execl(iptables, iptables, "-vL", NULL);
                         // it will never get here!!!
@@ -246,7 +252,6 @@ void netfilter6(const char *fname) {
                         exit(1);
                 }
                 dup2(fd,STDIN_FILENO);
-                close(fd);
 
                 // wipe out environment variables
                 environ = NULL;
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 3fb79b9f4..396c612b1 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -56,9 +56,12 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
                 }
         }
 
+        // allow unconfigured interfaces
         if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) {
-                fprintf(stderr, "Error: interface %s is not configured\n", br->dev);
-                exit(1);
+                fprintf(stderr, "Warning: the network interface %s is not configured\n", br->dev);
+                br->configured = 1;
+                br->arg_ip_none = 1;
+                return;
         }
         if (arg_debug) {
                 if (br->macvlan == 0)
@@ -212,7 +215,10 @@ void net_check_cfg(void) {
                 // first network is a mac device
                 else {
                         // get the host default gw
+                        EUID_ROOT();    // rise permissions for grsecurity
+                        // Error fopen:network_get_defaultgw(479): Permission denied
                         uint32_t gw = network_get_defaultgw();
+                        EUID_USER();
                         // check the gateway is network range
                         if (in_netrange(gw, cfg.bridge0.ip, cfg.bridge0.mask))
                                 gw = 0;
@@ -244,7 +250,9 @@ void net_dns_print(pid_t pid) {
         // drop privileges - will not be able to read /etc/resolv.conf for --noroot option
 
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
@@ -275,3 +283,49 @@ void net_dns_print(pid_t pid) {
         free(fname);
         exit(0);
 }
+
+void network_main(pid_t child) {
+        // create veth pair or macvlan device
+        if (cfg.bridge0.configured) {
+                if (cfg.bridge0.macvlan == 0) {
+                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
+                }
+                else
+                        net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+        }
+        
+        if (cfg.bridge1.configured) {
+                if (cfg.bridge1.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
+                else
+                        net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+        }
+        
+        if (cfg.bridge2.configured) {
+                if (cfg.bridge2.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
+                else
+                        net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+        }
+        
+        if (cfg.bridge3.configured) {
+                if (cfg.bridge3.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
+                else
+                        net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+        }
+
+        // move interfaces in sandbox
+        if (cfg.interface0.configured) {
+                net_move_interface(cfg.interface0.dev, child);
+        }
+        if (cfg.interface1.configured) {
+                net_move_interface(cfg.interface1.dev, child);
+        }
+        if (cfg.interface2.configured) {
+                net_move_interface(cfg.interface2.dev, child);
+        }
+        if (cfg.interface3.configured) {
+                net_move_interface(cfg.interface3.dev, child);
+        }
+}
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 9f9ace527..f1fd04aec 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -23,11 +23,72 @@
 #include <unistd.h>
 #include <grp.h>
 
+#define MAX_BUF 4096
+
+int is_container(const char *str) {
+        assert(str);
+        if (strcmp(str, "lxc") == 0 ||
+             strcmp(str, "docker") == 0 ||
+             strcmp(str, "lxc-libvirt") == 0 ||
+             strcmp(str, "systemd-nspawn") == 0 ||
+             strcmp(str, "rkt") == 0)
+                return 1;
+        return 0;
+}
+
+// returns 1 if we are running under LXC
+int check_namespace_virt(void) {
+        EUID_ASSERT();
+        
+        // check container environment variable
+        char *str = getenv("container");
+        if (str && is_container(str))
+                return 1;
+        
+        // check PID 1 container environment variable
+        EUID_ROOT();
+        FILE *fp = fopen("/proc/1/environ", "r");
+        if (fp) {
+                int c = 0;
+                while (c != EOF) {
+                        // read one line
+                        char buf[MAX_BUF];
+                        int i = 0;
+                        while ((c = fgetc(fp)) != EOF) {
+                                if (c == 0)
+                                        break;
+                                buf[i] = (char) c;
+                                if (++i == (MAX_BUF - 1))
+                                        break;
+                        }
+                        buf[i] = '\0';
+                        
+                        // check env var name
+                        if (strncmp(buf, "container=", 10) == 0) {
+                                // found it
+                                if (is_container(buf + 10)) {
+                                        fclose(fp);
+                                        EUID_USER();
+                                        return 1;
+                                }
+                        }
+//                      printf("i %d c %d, buf #%s#\n", i, c, buf);
+                }
+                
+                fclose(fp);
+        }
+                
+        EUID_USER();
+        return 0;
+}
+
 // check process space for kernel processes
 // return 1 if found, 0 if not found
 int check_kernel_procs(void) {
-        EUID_ASSERT();
-        
+        // we run this function with EUID set in order to detect grsecurity
+        // only user processes are available in /proc when running grsecurity
+        // EUID_ASSERT();
+
         char *kern_proc[] = {
                 "kthreadd",
                 "ksoftirqd",
@@ -117,7 +178,7 @@ void run_no_sandbox(int argc, char **argv) {
                 }
                 int start_index = i;
                 for (i = start_index; i < argc; i++)
-                        len += strlen(argv[i]) + 1;
+                        len += strlen(argv[i]) + 3;
                 
                 // allocate
                 command = malloc(len + 1);
@@ -128,8 +189,15 @@ void run_no_sandbox(int argc, char **argv) {
                 
                 // copy
                 for (i = start_index; i < argc; i++) {
-                        strcat(command, argv[i]);
-                        strcat(command, " ");
+                        if (strchr(argv[i], '&')) {
+                                strcat(command, "\"");
+                                strcat(command, argv[i]);
+                                strcat(command, "\" ");
+                        }
+                        else {
+                                strcat(command, argv[i]);
+                                strcat(command, " ");
+                        }
                 }
         }
         
diff --git a/src/firejail/output.c b/src/firejail/output.c
index a554b76aa..91fe7f164 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -27,7 +27,6 @@ void check_output(int argc, char **argv) {
         
         int i;
         char *outfile = NULL;
-//      drop_privs(0);
 
         int found = 0;
         for (i = 1; i < argc; i++) {
@@ -76,7 +75,7 @@ void check_output(int argc, char **argv) {
         for (i = 0; i < argc; i++) {
                 len += strlen(argv[i]) + 1; // + ' '
         }
-        len += 50 + strlen(outfile); // tee command
+        len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
         
         char *cmd = malloc(len + 1); // + '\0'
         if (!cmd)
@@ -88,9 +87,10 @@ void check_output(int argc, char **argv) {
                         continue;
                 ptr += sprintf(ptr, "%s ", argv[i]);
         }
-        sprintf(ptr, "| %s/firejail/ftee %s", LIBDIR, outfile);
+        sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
 
         // run command
+        drop_privs(0);
         char *a[4];
         a[0] = "/bin/bash";
         a[1] = "-c";
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 3d4b8cd8e..97a1d5a98 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -75,10 +75,12 @@ char **build_paths(void) {
                 memset(paths, 0, sizeof(char *) * cnt);
 
                 // add default paths
-                add_path("/bin");
-                add_path("/sbin");
+                add_path("/usr/local/bin");
                 add_path("/usr/bin");
+                add_path("/bin");
+                add_path("/usr/local/sbin");
                 add_path("/usr/sbin");
+                add_path("/sbin");
 
                 path2 = strdup(path1);
                 if (!path2)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 461bcb941..46ef0921d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -107,6 +107,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 fs_mkdir(ptr + 6);
                 return 0;
         }
+        // mkfile 
+        if (strncmp(ptr, "mkfile ", 7) == 0) {
+                fs_mkfile(ptr + 7);
+                return 0;
+        }
         // sandbox name
         else if (strncmp(ptr, "name ", 5) == 0) {
                 cfg.name = ptr + 5;
@@ -123,12 +128,25 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         // seccomp, caps, private, user namespace
         else if (strcmp(ptr, "noroot") == 0) {
 #if HAVE_USERNS
-                check_user_namespace();
+                if (checkcfg(CFG_USERNS))
+                        check_user_namespace();
+                else
+                        fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n");
 #endif
+
+                return 0;
+        }
+        else if (strcmp(ptr, "nonewprivs") == 0) {
+                arg_nonewprivs = 1;
                 return 0;
         }
         else if (strcmp(ptr, "seccomp") == 0) {
-                arg_seccomp = 1;
+#ifdef HAVE_SECCOMP
+                if (checkcfg(CFG_SECCOMP))
+                        arg_seccomp = 1;
+                else
+                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif
                 return 0;
         }
         else if (strcmp(ptr, "caps") == 0) {
@@ -165,88 +183,331 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         else if (strcmp(ptr, "nosound") == 0) {
                 arg_nosound = 1;
-                arg_private_dev = 1;
                 return 0;
         }
         else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
-                arg_netfilter = 1;
+                if (checkcfg(CFG_NETWORK))
+                        arg_netfilter = 1;
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
 #endif
                 return 0;
         }
         else if (strncmp(ptr, "netfilter ", 10) == 0) {
 #ifdef HAVE_NETWORK
-                arg_netfilter = 1;
-                arg_netfilter_file = strdup(ptr + 10);
-                if (!arg_netfilter_file)
-                        errExit("strdup");
-                check_netfilter_file(arg_netfilter_file);
+                if (checkcfg(CFG_NETWORK)) {
+                        arg_netfilter = 1;
+                        arg_netfilter_file = strdup(ptr + 10);
+                        if (!arg_netfilter_file)
+                                errExit("strdup");
+                        check_netfilter_file(arg_netfilter_file);
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
 #endif
                 return 0;
         }
         else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
 #ifdef HAVE_NETWORK
-                arg_netfilter6 = 1;
-                arg_netfilter6_file = strdup(ptr + 11);
-                if (!arg_netfilter6_file)
-                        errExit("strdup");
-                check_netfilter_file(arg_netfilter6_file);
+                if (checkcfg(CFG_NETWORK)) {
+                        arg_netfilter6 = 1;
+                        arg_netfilter6_file = strdup(ptr + 11);
+                        if (!arg_netfilter6_file)
+                                errExit("strdup");
+                        check_netfilter_file(arg_netfilter6_file);
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
 #endif
                 return 0;
         }
         else if (strcmp(ptr, "net none") == 0) {
 #ifdef HAVE_NETWORK
-                arg_nonetwork  = 1;
-                cfg.bridge0.configured = 0;
-                cfg.bridge1.configured = 0;
-                cfg.bridge2.configured = 0;
-                cfg.bridge3.configured = 0;
+                if (checkcfg(CFG_NETWORK)) {
+                        arg_nonetwork  = 1;
+                        cfg.bridge0.configured = 0;
+                        cfg.bridge1.configured = 0;
+                        cfg.bridge2.configured = 0;
+                        cfg.bridge3.configured = 0;
+                        cfg.interface0.configured = 0;
+                        cfg.interface1.configured = 0;
+                        cfg.interface2.configured = 0;
+                        cfg.interface3.configured = 0;
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "net ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
+                                exit(1);
+                        }
+                        
+                        if (strcmp(ptr + 4, "lo") == 0) {
+                                fprintf(stderr, "Error: cannot attach to lo device\n");
+                                exit(1);
+                        }
+
+                        Bridge *br;
+                        if (cfg.bridge0.configured == 0)
+                                br = &cfg.bridge0;
+                        else if (cfg.bridge1.configured == 0)
+                                br = &cfg.bridge1;
+                        else if (cfg.bridge2.configured == 0)
+                                br = &cfg.bridge2;
+                        else if (cfg.bridge3.configured == 0)
+                                br = &cfg.bridge3;
+                        else {
+                                fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
+                                exit(1);
+                        }
+                        net_configure_bridge(br, ptr + 4);
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
 #endif
                 return 0;
         }
         
-#ifdef HAVE_SECCOMP
-        if (strncmp(ptr, "protocol ", 9) == 0) {
-                protocol_store(ptr + 9);
+        else if (strncmp(ptr, "iprange ", 8) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->iprange_start || br->iprange_end) {
+                                fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // parse option arguments
+                        char *firstip = ptr + 8;
+                        char *secondip = firstip;
+                        while (*secondip != '\0') {
+                                if (*secondip == ',')
+                                        break;
+                                secondip++;
+                        }
+                        if (*secondip == '\0') {
+                                fprintf(stderr, "Error: invalid IP range\n");
+                                exit(1);
+                        }
+                        *secondip = '\0';
+                        secondip++;
+                        
+                        // check addresses
+                        if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) ||
+                            br->iprange_start >= br->iprange_end) {
+                                fprintf(stderr, "Error: invalid IP range\n");
+                                exit(1);
+                        }
+                        if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) {
+                                fprintf(stderr, "Error: IP range addresses not in network range\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
                 return 0;
         }
+
+
+// from here
+        else if (strncmp(ptr, "mac ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (mac_not_zero(br->macsandbox)) {
+                                fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // read the address
+                        if (atomac(ptr + 4, br->macsandbox)) {
+                                fprintf(stderr, "Error: invalid MAC address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
 #endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "mtu ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        
+                        if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
+                                fprintf(stderr, "Error: invalid mtu value\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "ip ", 3) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ipsandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // configure this IP address for the last bridge defined
+                        if (strcmp(ptr + 3, "none") == 0)
+                                br->arg_ip_none = 1;
+                        else {
+                                if (atoip(ptr + 3, &br->ipsandbox)) {
+                                        fprintf(stderr, "Error: invalid IP address\n");
+                                        exit(1);
+                                }
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "ip6 ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->ip6sandbox) {
+                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // configure this IP address for the last bridge defined
+                        // todo: verify ipv6 syntax
+                        br->ip6sandbox = ptr + 4;
+//                      if (atoip(argv[i] + 5, &br->ipsandbox)) {
+//                              fprintf(stderr, "Error: invalid IP address\n");
+//                              exit(1);
+//                      }
+                        
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        else if (strncmp(ptr, "defaultgw ", 10) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        if (atoip(ptr + 10, &cfg.defaultgw)) {
+                                fprintf(stderr, "Error: invalid IP address\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+
+        if (strncmp(ptr, "protocol ", 9) == 0) {
+#ifdef HAVE_SECCOMP
+                if (checkcfg(CFG_SECCOMP))
+                        protocol_store(ptr + 9);
+                else
+                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
         
         if (strncmp(ptr, "env ", 4) == 0) {
-                env_store(ptr + 4);
+                env_store(ptr + 4, SETENV);
+                return 0;
+        }
+        if (strncmp(ptr, "rmenv ", 6) == 0) {
+                env_store(ptr + 6, RMENV);
                 return 0;
         }
         
         // seccomp drop list on top of default list
         if (strncmp(ptr, "seccomp ", 8) == 0) {
-                arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-                cfg.seccomp_list = strdup(ptr + 8);
-                if (!cfg.seccomp_list)
-                        errExit("strdup");
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp = 1;
+                        cfg.seccomp_list = strdup(ptr + 8);
+                        if (!cfg.seccomp_list)
+                                errExit("strdup");
+                }
+                else
+                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
 #endif
+
                 return 0;
         }
         
         // seccomp drop list without default list
         if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-                arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-                cfg.seccomp_list_drop = strdup(ptr + 13);
-                if (!cfg.seccomp_list_drop)
-                        errExit("strdup");
-#endif
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp = 1;
+                        cfg.seccomp_list_drop = strdup(ptr + 13);
+                        if (!cfg.seccomp_list_drop)
+                                errExit("strdup");
+                }
+                else
+                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif          
                 return 0;
         }
 
         // seccomp keep list
         if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-                arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-                cfg.seccomp_list_keep= strdup(ptr + 13);
-                if (!cfg.seccomp_list_keep)
-                        errExit("strdup");
-#endif
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp = 1;
+                        cfg.seccomp_list_keep= strdup(ptr + 13);
+                        if (!cfg.seccomp_list_keep)
+                                errExit("strdup");
+                }
+                else
+                        fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
+#endif          
                 return 0;
         }
         
@@ -310,6 +571,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         // nice value
         if (strncmp(ptr, "nice ", 4) == 0) {
                 cfg.nice = atoi(ptr + 5);
+                if (getuid() != 0 &&cfg.nice < 0)
+                        cfg.nice = 0;
                 arg_nice = 1;
                 return 0;
         }
@@ -320,6 +583,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         
+        // writable-etc
+        if (strcmp(ptr, "writable-etc") == 0) {
+                if (cfg.etc_private_keep) {
+                        fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
+                arg_writable_etc = 1;
+                return 0;
+        }
+        
+        // writable-var
+        if (strcmp(ptr, "writable-var") == 0) {
+                arg_writable_var = 1;
+                return 0;
+        }
+        
         // private directory
         if (strncmp(ptr, "private ", 8) == 0) {
                 cfg.home_private = ptr + 8;
@@ -330,14 +609,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
+                if (arg_writable_etc) {
+                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
                 cfg.etc_private_keep = ptr + 12;
                 fs_check_etc_list();
-                if (*cfg.etc_private_keep != '\0')
-                        arg_private_etc = 1;
-                else {
-                        arg_private_etc = 0;
-                        fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-                }
+                arg_private_etc = 1;
                 
                 return 0;
         }
@@ -345,41 +623,51 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         // private /bin list of files
         if (strncmp(ptr, "private-bin ", 12) == 0) {
                 cfg.bin_private_keep = ptr + 12;
-                fs_check_bin_list();
                 arg_private_bin = 1;
+                fs_check_bin_list();
                 return 0;
         }
 
         // filesystem bind
         if (strncmp(ptr, "bind ", 5) == 0) {
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: --bind option is available only if running as root\n");
-                        exit(1);
-                }
-
-                // extract two directories
-                char *dname1 = ptr + 5;
-                char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
-                if (dname2 == NULL) {
-                        fprintf(stderr, "Error: missing second directory for bind\n");
-                        exit(1);
-                }
-                
-                // check directories
-                invalid_filename(dname1);
-                invalid_filename(dname2);
-                if (strstr(dname1, "..") || strstr(dname2, "..")) {
-                        fprintf(stderr, "Error: invalid file name.\n");
-                        exit(1);
+#ifdef HAVE_BIND                
+                if (checkcfg(CFG_BIND)) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --bind option is available only if running as root\n");
+                                exit(1);
+                        }
+        
+                        // extract two directories
+                        char *dname1 = ptr + 5;
+                        char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
+                        if (dname2 == NULL) {
+                                fprintf(stderr, "Error: missing second directory for bind\n");
+                                exit(1);
+                        }
+                        
+                        // check directories
+                        invalid_filename(dname1);
+                        invalid_filename(dname2);
+                        if (strstr(dname1, "..") || strstr(dname2, "..")) {
+                                fprintf(stderr, "Error: invalid file name.\n");
+                                exit(1);
+                        }
+                        if (is_link(dname1) || is_link(dname2)) {
+                                fprintf(stderr, "Symbolic links are not allowed for bind command\n");
+                                exit(1);
+                        }
+                        
+                        // insert comma back
+                        *(dname2 - 1) = ',';
+                        return 1;
                 }
-                if (is_link(dname1) || is_link(dname2)) {
-                        fprintf(stderr, "Symbolic links are not allowed for bind command\n");
-                        exit(1);
+                else {
+                        fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n");
+                        return 0;                       
                 }
-                
-                // insert comma back
-                *(dname2 - 1) = ',';
-                return 1;
+#else
+                return 0;
+#endif          
         }
 
         // rlimit
@@ -436,11 +724,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noblacklist ", 12) == 0)
                 ptr += 12;
         else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                arg_whitelist = 1;
-                ptr += 10;
+#ifdef HAVE_WHITELIST           
+                if (checkcfg(CFG_WHITELIST)) {
+                        arg_whitelist = 1;
+                        ptr += 10;
+                }
+                else
+                        return 0;
+#else           
+                return 0;
+#endif
         }
         else if (strncmp(ptr, "read-only ", 10) == 0)
                 ptr += 10;
+        else if (strncmp(ptr, "read-write ", 11) == 0)
+                ptr += 11;
+        else if (strncmp(ptr, "noexec ", 7) == 0)
+                ptr += 7;
         else if (strncmp(ptr, "tmpfs ", 6) == 0) {
                 if (getuid() != 0) {
                         fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 3e81f13dc..7e5ab7dfb 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -122,7 +122,7 @@ void protocol_store(const char *prlist) {
         EUID_ASSERT();
         assert(prlist);
         
-        if (cfg.protocol) {
+        if (cfg.protocol && !arg_quiet) {
                 fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist);
                 return;
         }
@@ -339,7 +339,9 @@ void protocol_print_filter(pid_t pid) {
         (void) pid;
 #ifdef SYS_socket
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 8bf8d8303..908ef1d25 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -56,13 +56,27 @@ void pulseaudio_disable(void) {
         // blacklist user config directory
         disable_file(cfg.homedir, ".config/pulse");
 
+
+        // blacklist pulseaudio socket in XDG_RUNTIME_DIR
+        char *name = getenv("XDG_RUNTIME_DIR");
+        if (name)
+                disable_file(name, "pulse/native");
+
+        // try the default location anyway
+        char *path;
+        if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+                errExit("asprintf");
+        disable_file(path, "pulse/native");
+        free(path);
+                
+
+
         // blacklist any pulse* file in /tmp directory
         DIR *dir;
         if (!(dir = opendir("/tmp"))) {
                 // sleep 2 seconds and try again
                 sleep(2);
                 if (!(dir = opendir("/tmp"))) {
-                        fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets are not disabled\n");
                         return;
                 }
         }
@@ -76,10 +90,6 @@ void pulseaudio_disable(void) {
 
         closedir(dir);
 
-        // blacklist XDG_RUNTIME_DIR
-        char *name = getenv("XDG_RUNTIME_DIR");
-        if (name)
-                disable_file(name, "pulse/native");
 }
 
 
@@ -104,10 +114,6 @@ void pulseaudio_init(void) {
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
-        if (is_link("/etc/pulse/client.conf")) {
-                fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
-                exit(1);
-        }
         if (copy_file("/etc/pulse/client.conf", pulsecfg))
                 errExit("copy_file");
         FILE *fp = fopen(pulsecfg, "a+");
@@ -120,9 +126,49 @@ void pulseaudio_init(void) {
         if (chown(pulsecfg, getuid(), getgid()) == -1)
                 errExit("chown");
 
-        // set environment
-        if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
-                errExit("setenv");
+        // create ~/.config/pulse directory if not present
+        char *dir1;
+        if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (stat(dir1, &s) == -1) {
+                int rv = mkdir(dir1, 0755);
+                if (rv == 0) {
+                        rv = chown(dir1, getuid(), getgid());
+                        (void) rv;
+                        rv = chmod(dir1, 0755);
+                        (void) rv;
+                }
+        }
+        free(dir1);
+        if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (stat(dir1, &s) == -1) {
+                int rv = mkdir(dir1, 0700);
+                if (rv == 0) {
+                        rv = chown(dir1, getuid(), getgid());
+                        (void) rv;
+                        rv = chmod(dir1, 0700);
+                        (void) rv;
+                }
+        }
+        free(dir1);
         
+        
+        // if we have ~/.config/pulse mount the new directory, else set environment variable
+        char *homeusercfg;
+        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (stat(homeusercfg, &s) == 0) {
+                if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0)
+                        errExit("mount pulseaudio");
+                fs_logger2("tmpfs", homeusercfg);
+        }
+        else {
+                // set environment
+                if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
+                        errExit("setenv");
+        }
+                
         free(pulsecfg);
+        free(homeusercfg);
 }
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 5a41c441b..de798037f 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -26,6 +26,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <errno.h>
+#include "../../uids.h"
 
 #define MAXBUF 1024
 
@@ -118,7 +119,7 @@ static void sanitize_passwd(void) {
         if (stat("/etc/passwd", &s) == -1)
                 return;
         if (arg_debug)
-                printf("Sanitizing /etc/passwd\n");
+                printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN);
         if (is_link("/etc/passwd")) {
                 fprintf(stderr, "Error: invalid /etc/passwd\n");
                 exit(1);
@@ -170,7 +171,7 @@ static void sanitize_passwd(void) {
                 int rv = sscanf(ptr, "%d:", &uid);
                 if (rv == 0 || uid < 0)
                         goto errout;
-                if (uid < 1000) { // todo extract UID_MIN from /etc/login.def
+                if (uid < UID_MIN) {
                         fprintf(fpout, "%s", buf);
                         continue;
                 }
@@ -255,7 +256,7 @@ static void sanitize_group(void) {
         if (stat("/etc/group", &s) == -1)
                 return;
         if (arg_debug)
-                printf("Sanitizing /etc/group\n");
+                printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN);
         if (is_link("/etc/group")) {
                 fprintf(stderr, "Error: invalid /etc/group\n");
                 exit(1);
@@ -306,7 +307,7 @@ static void sanitize_group(void) {
                 int rv = sscanf(ptr, "%d:", &gid);
                 if (rv == 0 || gid < 0)
                         goto errout;
-                if (gid < 1000) { // todo extract GID_MIN from /etc/login.def
+                if (gid < GID_MIN) {
                         if (copy_line(fpout, buf, ptr))
                                 goto errout;
                         continue;
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index da4e9d332..ee6e94957 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -61,7 +61,20 @@ int restricted_shell(const char *user) {
                 ptr = strchr(args, '\n');
                 if (ptr)
                         *ptr = '\0';
-                        
+                
+                // if nothing follows, continue
+                char *ptr2 = args;
+                int found = 0;
+                while (*ptr2 != '\0') {
+                        if (*ptr2 != ' ' && *ptr2 != '\t') {
+                                found = 1;
+                                break;
+                        }
+                }
+                if (!found)
+                        continue;
+                
+                // process user
                 if (strcmp(user, usr) == 0) {
                         restricted_user = strdup(user);
                         // extract program arguments
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index d57816e12..020e70b80 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -91,13 +91,20 @@ void run_symlink(int argc, char **argv) {
 
         printf("Redirecting symlink to %s\n", program);
 
+        // drop privileges
+        if (setgid(getgid()) < 0)
+                errExit("setgid/getgid");
+        if (setuid(getuid()) < 0)
+                errExit("setuid/getuid");
+
         // run command
         char *a[3 + argc];
         a[0] = firejail;
         a[1] = program;
         int i;
-        for (i = 0; i < (argc - 1); i++)
+        for (i = 0; i < (argc - 1); i++) {
                 a[i + 2] = argv[i + 1];
+        }
         a[i + 2] = NULL;
         execvp(a[0], a); 
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5bd86019a..0fd81979f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -34,6 +34,55 @@
 #define CLONE_NEWUSER   0x10000000
 #endif
 
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+
+
+static int monitored_pid = 0;
+static void sandbox_handler(int sig){
+        if (!arg_quiet) {
+                printf("\nChild received signal %d, shutting down the sandbox...\n", sig);
+                fflush(0);
+        }
+
+        // broadcast sigterm to all processes in the group
+        kill(-1, SIGTERM);
+        sleep(1);
+
+        if (monitored_pid) {
+                int monsec = 9;
+                char *monfile;
+                if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)
+                        errExit("asprintf");
+                while (monsec) {
+                        FILE *fp = fopen(monfile, "r");
+                        if (!fp)
+                                break;
+                                
+                        char c;
+                        size_t count = fread(&c, 1, 1, fp);
+                        fclose(fp);
+                        if (count == 0)
+                                break;
+
+                        if (arg_debug)
+                                printf("Waiting on PID %d to finish\n", monitored_pid);
+                        sleep(1);
+                        monsec--;
+                }
+                free(monfile);
+                
+        }
+
+        // broadcast a SIGKILL
+        kill(-1, SIGKILL);
+        exit(sig);
+}
+
+
 static void set_caps(void) {
         if (arg_caps_drop_all)
                 caps_drop_all();
@@ -131,9 +180,20 @@ static void chk_chroot(void) {
 }
 
 static int monitor_application(pid_t app_pid) {
-        int status;
-        while (app_pid) {
+        monitored_pid = app_pid;
+        signal (SIGTERM, sandbox_handler);
+        EUID_USER();
+
+        int status = 0;
+        while (monitored_pid) {
                 usleep(20000);
+                char *msg;
+                if (asprintf(&msg, "monitoring pid %d\n", monitored_pid) == -1)
+                        errExit("asprintf");
+                logmsg(msg);
+                if (arg_debug)
+                        printf("%s\n", msg);
+                free(msg);
 
                 pid_t rv;
                 do {
@@ -141,9 +201,9 @@ static int monitor_application(pid_t app_pid) {
                         if (rv == -1)
                                 break;
                 }
-                while(rv != app_pid);
+                while(rv != monitored_pid);
                 if (arg_debug)
-                        printf("Sandbox monitor: waitpid %u retval %d status %d\n", app_pid, rv, status);
+                        printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
 
                 DIR *dir;
                 if (!(dir = opendir("/proc"))) {
@@ -156,20 +216,30 @@ static int monitor_application(pid_t app_pid) {
                 }
 
                 struct dirent *entry;
-                app_pid = 0;
+                monitored_pid = 0;
                 while ((entry = readdir(dir)) != NULL) {
                         unsigned pid;
                         if (sscanf(entry->d_name, "%u", &pid) != 1)
                                 continue;
                         if (pid == 1)
                                 continue;
-                        app_pid = pid;
+                        
+                        // todo: make this generic
+                        // Dillo browser leaves a dpid process running, we need to shut it down
+                        if (strcmp(cfg.command_name, "dillo") == 0) {
+                                char *pidname = pid_proc_comm(pid);
+                                if (pidname && strcmp(pidname, "dpid") == 0)
+                                        break;
+                                free(pidname);
+                        }
+
+                        monitored_pid = pid;
                         break;
                 }
                 closedir(dir);
 
-                if (app_pid != 0 && arg_debug)
-                        printf("Sandbox monitor: monitoring %u\n", app_pid);
+                if (monitored_pid != 0 && arg_debug)
+                        printf("Sandbox monitor: monitoring %u\n", monitored_pid);
         }
 
         // return the latest exit status.
@@ -202,12 +272,32 @@ static int monitor_application(pid_t app_pid) {
 #endif  
 }
 
+void start_audit(void) {
+        char *audit_prog;
+        if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
+                errExit("asprintf");
+        execl(audit_prog, audit_prog, NULL);
+        perror("execl");
+        exit(1);
+}
 
 static void start_application(void) {
         //****************************************
+        // audit
+        //****************************************
+        if (arg_audit) {
+                assert(arg_audit_prog);
+                struct stat s;
+                if (stat(arg_audit_prog, &s) != 0) {
+                        fprintf(stderr, "Error: cannot find the audit program\n");
+                        exit(1);
+                }
+                execl(arg_audit_prog, arg_audit_prog, NULL);
+        }
+        //****************************************
         // start the program without using a shell
         //****************************************
-        if (arg_shell_none) {
+        else if (arg_shell_none) {
                 if (arg_debug) {
                         int i;
                         for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -217,9 +307,16 @@ static void start_application(void) {
                         }
                 }
 
+                if (cfg.original_program_index == 0) {
+                        fprintf(stderr, "Error: --shell=none configured, but no program specified\n");
+                        exit(1);
+                }
+
                 if (!arg_command && !arg_quiet)
                         printf("Child process initialized\n");
+
                 execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+                exit(1);
         }
         //****************************************
         // start the program using a shell
@@ -462,14 +559,20 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // --nosound and fix for pulseaudio 7.0
         //****************************
-        if (arg_nosound)
+        if (arg_nosound) {
+                // disable pulseaudio
                 pulseaudio_disable();
+
+                // disable /dev/snd
+                fs_dev_disable_sound();
+        }
         else
                 pulseaudio_init();
         
         //****************************
         // networking
         //****************************
+        int gw_cfg_failed = 0; // default gw configuration flag
         if (arg_nonetwork) {
                 net_if_up("lo");
                 if (arg_debug)
@@ -495,13 +598,6 @@ int sandbox(void* sandbox_arg) {
                         net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox);
                 sandbox_if_up(&cfg.bridge3);
                 
-                // add a default route
-                if (cfg.defaultgw) {
-                        // set the default route
-                        if (net_add_route(0, 0, cfg.defaultgw))
-                                fprintf(stderr, "Warning: cannot configure default route\n");
-                }
-                
                 // enable interfaces
                 if (cfg.interface0.configured && cfg.interface0.ip) {
                         if (arg_debug)
@@ -528,6 +624,15 @@ int sandbox(void* sandbox_arg) {
                         net_if_up(cfg.interface3.dev);
                 }                       
                         
+                // add a default route
+                if (cfg.defaultgw) {
+                        // set the default route
+                        if (net_add_route(0, 0, cfg.defaultgw)) {
+                                fprintf(stderr, "Warning: cannot configure default route\n");
+                                gw_cfg_failed = 1;
+                        }
+                }
+
                 if (arg_debug)
                         printf("Network namespace enabled\n");
         }
@@ -543,8 +648,12 @@ int sandbox(void* sandbox_arg) {
                         printf("\n");
                         if (any_bridge_configured() || any_interface_configured())
                                 net_ifprint();
-                        if (cfg.defaultgw != 0)
-                                printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
+                        if (cfg.defaultgw != 0) {
+                                if (gw_cfg_failed)
+                                        printf("Default gateway configuration failed\n");
+                                else
+                                        printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
+                        }
                         if (cfg.dns1 != 0)
                                 printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
                         if (cfg.dns2 != 0)
@@ -604,7 +713,7 @@ int sandbox(void* sandbox_arg) {
         // set security filters
         //****************************
         // set capabilities
-        if (!arg_noroot)
+//      if (!arg_noroot)
                 set_caps();
 
         // set rlimits
@@ -646,8 +755,7 @@ int sandbox(void* sandbox_arg) {
         if (arg_noroot) {
                 int rv = unshare(CLONE_NEWUSER);
                 if (rv == -1) {
-                        fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it\n");
-                        perror("unshare");
+                        fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
                         drop_privs(arg_nogroups);
                         arg_noroot = 0;
                 }
@@ -667,11 +775,22 @@ int sandbox(void* sandbox_arg) {
         // somehow, the new user namespace resets capabilities;
         // we need to do them again
         if (arg_noroot) {
-                set_caps();
                 if (arg_debug)
                         printf("noroot user namespace installed\n");
+                set_caps();
         }
+        
+        //****************************************
+        // Set NO_NEW_PRIVS if desired
+        //****************************************
+        if (arg_nonewprivs) {
+                int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
+                if(no_new_privs != 0)
+                        fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                else if (arg_debug)
+                        printf("NO_NEW_PRIVS set\n");
+        }
 
         //****************************************
         // fork the application and monitor it
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index a5a77abab..efe24a211 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -261,7 +261,7 @@ static void filter_end_whitelist(void) {
 }
 
 
-// save seccomp filter in  /tmp/firejail/mnt/seccomp
+// save seccomp filter in  /run/firejail/mnt/seccomp
 static void write_seccomp_file(void) {
         fs_build_mnt_dir();
         assert(sfilter);
@@ -283,15 +283,15 @@ static void write_seccomp_file(void) {
                 errExit("chown");
 }
 
-// read seccomp filter from /tmp/firejail/mnt/seccomp
+// read seccomp filter from /run/firejail/mnt/seccomp
 static void read_seccomp_file(const char *fname) {
         assert(sfilter == NULL && sfilter_index == 0);
 
         // check file
         struct stat s;
         if (stat(fname, &s) == -1) {
-                fprintf(stderr, "Error: seccomp file not found\n");
-                exit(1);
+                fprintf(stderr, "Warning: seccomp file not found\n");
+                return;
         }
         ssize_t sz = s.st_size;
         if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) {
@@ -334,12 +334,15 @@ void seccomp_filter_32(void) {
                 BLACKLIST(52), // umount2
                 BLACKLIST(26), // ptrace
                 BLACKLIST(283), // kexec_load
+                BLACKLIST(341), // name_to_handle_at
                 BLACKLIST(342), // open_by_handle_at
+                BLACKLIST(127), // create_module
                 BLACKLIST(128), // init_module
                 BLACKLIST(350), // finit_module
                 BLACKLIST(129), // delete_module
                 BLACKLIST(110), // iopl
                 BLACKLIST(101), // ioperm
+                BLACKLIST(289), // ioprio_set
                 BLACKLIST(87), // swapon
                 BLACKLIST(115), // swapoff
                 BLACKLIST(103), // syslog
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) {
                 BLACKLIST(88), // reboot
                 BLACKLIST(169), // nfsservctl
                 BLACKLIST(130), // get_kernel_syms
+                
                 RETURN_ALLOW
         };
 
@@ -403,11 +407,14 @@ void seccomp_filter_64(void) {
                 BLACKLIST(101), // ptrace
                 BLACKLIST(246), // kexec_load
                 BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(303), // name_to_handle_at
+                BLACKLIST(174), // create_module
                 BLACKLIST(175), // init_module
                 BLACKLIST(313), // finit_module
                 BLACKLIST(176), // delete_module
                 BLACKLIST(172), // iopl
                 BLACKLIST(173), // ioperm
+                BLACKLIST(251), // ioprio_set
                 BLACKLIST(167), // swapon
                 BLACKLIST(168), // swapoff
                 BLACKLIST(103), // syslog
@@ -445,6 +452,7 @@ void seccomp_filter_64(void) {
                 BLACKLIST(169), // reboot
                 BLACKLIST(180), // nfsservctl
                 BLACKLIST(177), // get_kernel_syms
+                
                 RETURN_ALLOW
         };
 
@@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_open_by_handle_at            
                 filter_add_blacklist(SYS_open_by_handle_at, 0);
 #endif
+#ifdef SYS_name_to_handle_at            
+                filter_add_blacklist(SYS_name_to_handle_at, 0);
+#endif
 #ifdef SYS_init_module          
                 filter_add_blacklist(SYS_init_module, 0);
 #endif
 #ifdef SYS_finit_module // introduced in 2013
                 filter_add_blacklist(SYS_finit_module, 0);
 #endif
+#ifdef SYS_create_module
+                filter_add_blacklist(SYS_create_module, 0);
+#endif
 #ifdef SYS_delete_module                
                 filter_add_blacklist(SYS_delete_module, 0);
 #endif
@@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef  SYS_ioperm      
                 filter_add_blacklist(SYS_ioperm, 0);
 #endif
+#ifdef  SYS_ioprio_set  
+                filter_add_blacklist(SYS_ioprio_set, 0);
+#endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
                 filter_add_blacklist(SYS_ni_syscall, 0);
 #endif
@@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_get_kernel_syms
                 filter_add_blacklist(SYS_get_kernel_syms, 0);
 #endif
+
         }
 
         // default seccomp filter with additional drop list
@@ -816,9 +834,11 @@ void seccomp_print_filter_name(const char *name) {
 
 void seccomp_print_filter(pid_t pid) {
         EUID_ASSERT();
-        
+
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
@@ -839,7 +859,6 @@ void seccomp_print_filter(pid_t pid) {
                 }
         }
 
-
         // find the seccomp filter
         EUID_ROOT();
         char *fname;
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 3671901d0..8d8035bfb 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -44,7 +44,9 @@ void shut(pid_t pid) {
         
         pid_t parent = pid;
         // if the pid is that of a firejail  process, use the pid of a child process inside the sandbox
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
@@ -75,25 +77,47 @@ void shut(pid_t pid) {
         EUID_ROOT();
         printf("Sending SIGTERM to %u\n", pid);
         kill(pid, SIGTERM);
-        sleep(2);
         
-        // if the process is still running, terminate it using SIGKILL
-        // try to open stat file
-        char *file;
-        if (asprintf(&file, "/proc/%u/status", pid) == -1) {
-                perror("asprintf");
-                exit(1);
+        // wait for not more than 10 seconds
+        sleep(2);
+        int monsec = 8;
+        char *monfile;
+        if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
+                errExit("asprintf");
+        int killdone = 0;
+
+        while (monsec) {
+                FILE *fp = fopen(monfile, "r");
+                if (!fp) {
+                        killdone = 1;
+                        break;
+                }
+                
+                char c;
+                size_t count = fread(&c, 1, 1, fp);
+                fclose(fp);
+                if (count == 0) {
+                        // all done
+                        killdone = 1;
+                        break;
+                }
+
+                sleep(1);
+                monsec--;
         }
-        FILE *fp = fopen(file, "r");
-        if (!fp)
-                return;
-        fclose(fp);
-        
-        // kill the process and also the parent
-        printf("Sending SIGKILL to %u\n", pid);
-        kill(pid, SIGKILL);
-        if (parent != pid) {
-                printf("Sending SIGKILL to %u\n", parent);
-                kill(parent, SIGKILL);
+        free(monfile);
+
+
+        // force SIGKILL
+        if (!killdone) {
+                // kill the process and also the parent
+                printf("Sending SIGKILL to %u\n", pid);
+                kill(pid, SIGKILL);
+                if (parent != pid) {
+                        printf("Sending SIGKILL to %u\n", parent);
+                        kill(parent, SIGKILL);
+                }
         }
+        
+        clear_run_files(parent);
 }
diff --git a/src/firejail/syscall.h b/src/firejail/syscall.h
index 5b2cb4915..68d4b5736 100644
--- a/src/firejail/syscall.h
+++ b/src/firejail/syscall.h
@@ -37,6 +37,11 @@
         {"_sysctl", __NR__sysctl},
 #endif
 #endif
+#ifdef SYS_accept4
+#ifdef __NR_accept4
+        {"accept4", __NR_accept4},
+#endif
+#endif
 #ifdef SYS_access
 #ifdef __NR_access
         {"access", __NR_access},
@@ -72,6 +77,11 @@
         {"bdflush", __NR_bdflush},
 #endif
 #endif
+#ifdef SYS_bind
+#ifdef __NR_bind
+        {"bind", __NR_bind},
+#endif
+#endif
 #ifdef SYS_bpf
 #ifdef __NR_bpf
         {"bpf", __NR_bpf},
@@ -157,6 +167,16 @@
         {"close", __NR_close},
 #endif
 #endif
+#ifdef SYS_connect
+#ifdef __NR_connect
+        {"connect", __NR_connect},
+#endif
+#endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
         {"creat", __NR_creat},
@@ -492,6 +512,11 @@
         {"getitimer", __NR_getitimer},
 #endif
 #endif
+#ifdef SYS_getpeername
+#ifdef __NR_getpeername
+        {"getpeername", __NR_getpeername},
+#endif
+#endif
 #ifdef SYS_getpgid
 #ifdef __NR_getpgid
         {"getpgid", __NR_getpgid},
@@ -562,6 +587,16 @@
         {"getsid", __NR_getsid},
 #endif
 #endif
+#ifdef SYS_getsockname
+#ifdef __NR_getsockname
+        {"getsockname", __NR_getsockname},
+#endif
+#endif
+#ifdef SYS_getsockopt
+#ifdef __NR_getsockopt
+        {"getsockopt", __NR_getsockopt},
+#endif
+#endif
 #ifdef SYS_gettid
 #ifdef __NR_gettid
         {"gettid", __NR_gettid},
@@ -722,6 +757,11 @@
         {"linkat", __NR_linkat},
 #endif
 #endif
+#ifdef SYS_listen
+#ifdef __NR_listen
+        {"listen", __NR_listen},
+#endif
+#endif
 #ifdef SYS_listxattr
 #ifdef __NR_listxattr
         {"listxattr", __NR_listxattr},
@@ -777,6 +817,11 @@
         {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
         {"memfd_create", __NR_memfd_create},
@@ -817,6 +862,11 @@
         {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
         {"mlockall", __NR_mlockall},
@@ -1122,11 +1172,21 @@
         {"reboot", __NR_reboot},
 #endif
 #endif
+#ifdef SYS_recvfrom
+#ifdef __NR_recvfrom
+        {"recvfrom", __NR_recvfrom},
+#endif
+#endif
 #ifdef SYS_recvmmsg
 #ifdef __NR_recvmmsg
         {"recvmmsg", __NR_recvmmsg},
 #endif
 #endif
+#ifdef SYS_recvmsg
+#ifdef __NR_recvmsg
+        {"recvmsg", __NR_recvmsg},
+#endif
+#endif
 #ifdef SYS_remap_file_pages
 #ifdef __NR_remap_file_pages
         {"remap_file_pages", __NR_remap_file_pages},
@@ -1292,6 +1352,16 @@
         {"sendmmsg", __NR_sendmmsg},
 #endif
 #endif
+#ifdef SYS_sendmsg
+#ifdef __NR_sendmsg
+        {"sendmsg", __NR_sendmsg},
+#endif
+#endif
+#ifdef SYS_sendto
+#ifdef __NR_sendto
+        {"sendto", __NR_sendto},
+#endif
+#endif
 #ifdef SYS_set_mempolicy
 #ifdef __NR_set_mempolicy
         {"set_mempolicy", __NR_set_mempolicy},
@@ -1432,6 +1502,11 @@
         {"setsid", __NR_setsid},
 #endif
 #endif
+#ifdef SYS_setsockopt
+#ifdef __NR_setsockopt
+        {"setsockopt", __NR_setsockopt},
+#endif
+#endif
 #ifdef SYS_settimeofday
 #ifdef __NR_settimeofday
         {"settimeofday", __NR_settimeofday},
@@ -1457,6 +1532,11 @@
         {"sgetmask", __NR_sgetmask},
 #endif
 #endif
+#ifdef SYS_shutdown
+#ifdef __NR_shutdown
+        {"shutdown", __NR_shutdown},
+#endif
+#endif
 #ifdef SYS_sigaction
 #ifdef __NR_sigaction
         {"sigaction", __NR_sigaction},
@@ -1502,11 +1582,21 @@
         {"sigsuspend", __NR_sigsuspend},
 #endif
 #endif
+#ifdef SYS_socket
+#ifdef __NR_socket
+        {"socket", __NR_socket},
+#endif
+#endif
 #ifdef SYS_socketcall
 #ifdef __NR_socketcall
         {"socketcall", __NR_socketcall},
 #endif
 #endif
+#ifdef SYS_socketpair
+#ifdef __NR_socketpair
+        {"socketpair", __NR_socketpair},
+#endif
+#endif
 #ifdef SYS_splice
 #ifdef __NR_splice
         {"splice", __NR_splice},
@@ -1722,6 +1812,11 @@
         {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
         {"ustat", __NR_ustat},
@@ -1934,6 +2029,11 @@
         {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
         {"creat", __NR_creat},
@@ -2484,6 +2584,11 @@
         {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
         {"memfd_create", __NR_memfd_create},
@@ -2524,6 +2629,11 @@
         {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
         {"mlockall", __NR_mlockall},
@@ -3354,6 +3464,11 @@
         {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
         {"ustat", __NR_ustat},
@@ -3546,6 +3661,11 @@
         {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+        {"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
         {"creat", __NR_creat},
@@ -4071,6 +4191,11 @@
         {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+        {"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
         {"memfd_create", __NR_memfd_create},
@@ -4111,6 +4236,11 @@
         {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+        {"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
         {"mlockall", __NR_mlockall},
@@ -4921,6 +5051,11 @@
         {"unshare", __NR_unshare},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+        {"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
         {"ustat", __NR_ustat},
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 7bc6ea47a..f7a93174f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,9 @@ void usage(void) {
         printf("\n");
         printf("Options:\n\n");
         printf("    -- - signal the end of options and disables further option processing.\n\n");
+        printf("    --appimage - sandbox an AppImage application\n\n");
+        printf("    --audit - audit the sandbox, see Audit section for more details\n\n");
+        printf("    --audit=test-program - audit the sandbox, see Audit section for more details\n\n");
 #ifdef HAVE_NETWORK     
         printf("    --bandwidth=name|pid - set  bandwidth  limits  for  the sandbox identified\n");
         printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
@@ -56,6 +59,8 @@ void usage(void) {
         printf("    --chroot=dirname - chroot into directory.\n\n");
 #endif
         printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
+        printf("    --cpu.print=name|pid - print the cup in use by the sandbox identified\n");
+        printf("\tby name or PID.\n\n");
         printf("    --csh - use /bin/csh as default shell.\n\n");
         
         printf("    --debug - print sandbox debug messages.\n\n");
@@ -69,8 +74,9 @@ void usage(void) {
         printf("\tsoftware build.\n\n");
         printf("    --debug-syscalls - print all recognized system calls in the current Firejail\n");
         printf("\tsoftware build.\n\n");
+#ifdef HAVE_WHITELIST   
         printf("    --debug-whitelists - debug whitelisting.\n\n");
-
+#endif
 
 
 #ifdef HAVE_NETWORK     
@@ -141,9 +147,11 @@ void usage(void) {
         printf("    --nice=value - set nice value\n\n");
         printf("    --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
         printf("\tfile.\n\n");
+        printf("    --noexec=dirname_of_filenam - remount the file or directory noexec\n");
+        printf("\tnosuid and nodev\n\n");
         printf("    --nogroups - disable supplementary groups. Without this option,\n");
         printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
-        printf("\t For root, groups are always disabled.\n\n");
+        printf("\tFor root, groups are always disabled.\n\n");
 
         printf("    --noprofile - do not use a profile.  Profile priority is use the one\n");
         printf("\tspecified on the command line, next try to find one that\n");
@@ -155,10 +163,13 @@ void usage(void) {
         printf("\tuser. root user does not exist in the new namespace. This option\n");
         printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
+        printf("    --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
+        printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
+        printf("\tgaining privileges by calling a suid binary\n\n");
         printf("    --nosound - disable sound system.\n\n");
                 
-        printf("    --output=logfile - stdout logging and log rotation. Copy stdout to\n");
-        printf("\tlogfile, and keep the size of the file under 500KB using log\n");
+        printf("    --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
+        printf("\tto logfile, and keep the size of the file under 500KB using log\n");
         printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
         printf("\trotation.\n\n");
         
@@ -178,11 +189,10 @@ void usage(void) {
         printf("    --private=directory - use directory as user home.\n\n");
 
         printf("    --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
-        printf("\tand copy the programs in the list. The same directory is\n");
-        printf("\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n");
+        printf("\tand copy the programs in the list.\n\n");
 
         printf("    --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
-        printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n");
+        printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n\n");
 
         printf("    --private-etc=file,directory - build a new /etc in a temporary\n");
         printf("\tfilesystem, and copy the files and directories in the list.\n");
@@ -200,6 +210,7 @@ void usage(void) {
         
         printf("    --quiet - turn off Firejail's output.\n\n");
         printf("    --read-only=dirname_or_filename - set directory or file read-only..\n\n");
+        printf("    --read-write=dirname_or_filename - set directory or file read-write..\n\n");
         printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
         printf("\tby a process.\n\n");
         printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
@@ -208,6 +219,7 @@ void usage(void) {
         printf("\tcreated for the real user ID of the calling process.\n\n");
         printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
         printf("\tfor a process.\n\n");
+        printf("    --rmenv=name - remove environment variable in the new sandbox.\n\n");
 #ifdef HAVE_NETWORK     
         printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
         printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
@@ -242,10 +254,17 @@ void usage(void) {
         printf("    --tracelog - add a syslog message for every access to files or\n");
         printf("\tdirectoires blacklisted by the security profile.\n\n");
         printf("    --tree - print a tree of all sandboxed processes.\n\n");
-        printf("    --user=new_user - switch the user before starting the sandbox.\n\n");
         printf("    --version - print program version and exit.\n\n");
+#ifdef HAVE_WHITELIST   
         printf("    --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
-        printf("    --x11 - enable x11 server.\n\n");
+#endif  
+        printf("    --writable-etc - /etc directory is mounted read-write.\n\n");
+        printf("    --writable-var - /var directory is mounted read-write.\n\n");
+        
+        printf("    --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
+        printf("\tthen it checks if Xephyr is installed.\n\n");
+        printf("    --x11=xpra - enable Xpra X11 server.\n\n");
+        printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n");
         printf("    --zsh - use /usr/bin/zsh as default shell.\n\n");
         printf("\n");
         printf("\n");
@@ -283,7 +302,19 @@ void usage(void) {
         printf("\n");
 #endif
 
-
+        printf("Audit\n\n");
+        printf("Audit feature allows the user to point out gaps in security profiles. The\n");
+        printf("implementation replaces the program to be sandboxed with a test program. By\n");
+        printf("default, we use faudit program distributed with Firejail. A custom test program\n");
+        printf("can also be supplied by the user. Examples:\n\n");
+        printf("Running the default audit program:\n");
+        printf("    $ firejail --audit transmission-gtk\n\n");
+        printf("Running a custom audit program:\n");
+        printf("    $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
+        printf("In the examples above, the sandbox configures transmission-gtk profile and\n");
+        printf("starts the test program. The real program, transmission-gtk, will not be\n");
+        printf("started.\n\n\n");
+        
         printf("Monitoring\n\n");
 
         printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
@@ -321,7 +352,7 @@ void usage(void) {
         printf("\n");
         printf("Restricted shell\n\n");
         printf("To  configure a restricted shell, replace /bin/bash with /usr/bin/firejail in\n");
-        printf("/etc/password file for each user that needs to  be  restricted.\n");
+        printf("/etc/passwd file for each user that needs to  be  restricted.\n");
         printf("Alternatively, you can specify /usr/bin/firejail  in adduser command:\n\n");
         printf("   adduser --shell /usr/bin/firejail username\n\n");
         printf("Arguments to be passed to firejail executable upon login are  declared  in\n");
diff --git a/src/firejail/user.c b/src/firejail/user.c
deleted file mode 100644
index a2f34392c..000000000
--- a/src/firejail/user.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#include "firejail.h"
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <grp.h>
-#include <pwd.h>
-
-
-void check_user(int argc, char **argv) {
-        EUID_ASSERT();
-        int i;
-        char *user = NULL;
-
-        int found = 0;
-        for (i = 1; i < argc; i++) {
-                // check options
-                if (strcmp(argv[i], "--") == 0)
-                        break;
-                if (strncmp(argv[i], "--", 2) != 0)
-                        break;
-                
-                // check user option            
-                if (strncmp(argv[i], "--user=", 7) == 0) {
-                        found = 1;
-                        user = argv[i] + 7;
-                        break;
-                }
-        }
-        if (!found)
-                return;
-
-        // check root
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to use --user command line option\n");
-                exit(1);
-        }
-        
-        // switch user
-        struct passwd *pw = getpwnam(user);
-        if (!pw) {
-                fprintf(stderr, "Error: cannot find user %s\n", user);
-                exit(1);
-        }
-
-        printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid);
-        int rv = initgroups(user, pw->pw_gid);
-        if (rv == -1) {
-                perror("initgroups");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-
-        rv = setgid(pw->pw_gid);
-        if (rv == -1) {
-                perror("setgid");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-
-        rv = setuid(pw->pw_uid);
-        if (rv == -1) {
-                perror("setuid");
-                fprintf(stderr, "Error: cannot switch to user %s\n", user);
-        }
-
-        // build the new command line
-        int len = 0;
-        for (i = 0; i < argc; i++) {
-                len += strlen(argv[i]) + 1; // + ' '
-        }
-        
-        char *cmd = malloc(len + 1); // + '\0'
-        if (!cmd)
-                errExit("malloc");
-        
-        char *ptr = cmd;
-        int first = 1;
-        for (i = 0; i < argc; i++) {
-                if (strncmp(argv[i], "--user=", 7) == 0 && first) {
-                        first = 0;
-                        continue;
-                }
-                
-                ptr += sprintf(ptr, "%s ", argv[i]);
-        }
-
-        // run command
-        char *a[4];
-        a[0] = "/bin/bash";
-        a[1] = "-c";
-        a[2] = cmd;
-        a[3] = NULL;
-
-        execvp(a[0], a); 
-
-        perror("execvp");
-        exit(1);
-}
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 04b564370..dc906532f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,6 +29,7 @@
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
+        EUID_ROOT();
         gid_t gid = getgid();
 
         // configure supplementary groups
@@ -346,6 +347,7 @@ int find_child(pid_t parent, pid_t *child) {
         *child = 0;                               // use it to flag a found child
 
         DIR *dir;
+        EUID_ROOT(); // grsecurity fix
         if (!(dir = opendir("/proc"))) {
                 // sleep 2 seconds and try again
                 sleep(2);
@@ -397,7 +399,7 @@ int find_child(pid_t parent, pid_t *child) {
                 free(file);
         }
         closedir(dir);
-
+        EUID_USER();
         return (*child)? 0:1;                     // 0 = found, 1 = not found
 }
 
@@ -547,7 +549,7 @@ char *expand_home(const char *path, const char* homedir) {
                         errExit("asprintf");
                 return new_name;
         }
-        else if (strncmp(path, "~/", 2) == 0) {
+        else if (*path == '~') {
                 if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1)
                         errExit("asprintf");
                 return new_name;
@@ -576,6 +578,7 @@ uid_t pid_get_uid(pid_t pid) {
                 perror("asprintf");
                 exit(1);
         }
+        EUID_ROOT();    // grsecurity fix
         FILE *fp = fopen(file, "r");
         if (!fp) {
                 free(file);
@@ -602,6 +605,7 @@ uid_t pid_get_uid(pid_t pid) {
 
         fclose(fp);
         free(file);
+        EUID_USER();    // grsecurity fix
         
         if (rv == 0) {
                 fprintf(stderr, "Error: cannot read /proc file\n");
@@ -642,3 +646,13 @@ uid_t get_tty_gid(void) {
 
         return ttygid;
 }
+
+uid_t get_audio_gid(void) {
+        // find tty group id
+        gid_t audiogid = 0;
+        struct group *g = getgrnam("audio");
+        if (g)
+                audiogid = g->gr_gid;
+
+        return audiogid;
+}
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 8c781c67a..2accaeb71 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -26,8 +26,9 @@
 #include <dirent.h>
 #include <sys/mount.h>
 
+#ifdef HAVE_X11
 // return 1 if xpra is installed on the system
-int x11_check_xpra(void) {
+static int x11_check_xpra(void) {
         struct stat s;
         
         // check xpra
@@ -37,6 +38,43 @@ int x11_check_xpra(void) {
         return 1;
 }
 
+// return 1 if xephyr is installed on the system
+static int x11_check_xephyr(void) {
+        struct stat s;
+        
+        // check xephyr
+        if (stat("/usr/bin/Xephyr", &s) == -1)
+                return 0;
+
+        return 1;
+}
+
+static int random_display_number(void) {
+        int i;
+        int found = 1;
+        int display;
+        for (i = 0; i < 100; i++) {
+                display = rand() % 1024;
+                if (display < 10)
+                        continue;
+                char *fname;
+                if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
+                        errExit("asprintf");
+                struct stat s;
+                if (stat(fname, &s) == -1) {
+                        found = 1;
+                        break;
+                }
+        }
+        if (!found) {
+                fprintf(stderr, "Error: cannot pick up a random X11 display number, exiting...\n");
+                exit(1);
+        }
+        
+        return display;
+}
+#endif
+
 // return display number, -1 if not configured
 int x11_display(void) {
         // extract display
@@ -120,38 +158,163 @@ void fs_x11(void) {
 
 
 #ifdef HAVE_X11
-void x11_start(int argc, char **argv) {
+//$ Xephyr -ac -br -noreset -screen 800x600 :22 &
+//$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox
+void x11_start_xephyr(int argc, char **argv) {
         EUID_ASSERT();
         int i;
         struct stat s;
         pid_t client = 0;
         pid_t server = 0;
         
-        // check xpra
-        if (x11_check_xpra() == 0) {
-                fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
-                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
+
+        setenv("FIREJAIL_X11", "yes", 1);
+
+        // unfortunately, xephyr does a number of weird things when started by root user!!!
+        if (getuid() == 0) {
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
+                exit(1);
+        }
+        drop_privs(0);
+
+        // check xephyr
+        if (x11_check_xephyr() == 0) {
+                fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n");
+                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
+                fprintf(stderr, "   Arch: sudo pacman -S xorg-server-xephyr\n");
                 exit(0);
         }
         
-        int display;
-        int found = 1;
-        for (i = 0; i < 100; i++) {
-                display = rand() % 1024;
-                if (display < 10)
-                        continue;
-                char *fname;
-                if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
+        int display = random_display_number();
+
+        // start xephyr
+        char *cmd1;
+        if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) {
+                if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1)
                         errExit("asprintf");
-                if (stat(fname, &s) == -1) {
-                        found = 1;
+        }
+        else {
+                if (asprintf(&cmd1, "Xephyr -ac -br  %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1)
+                        errExit("asprintf");
+        }
+
+        int len = 50; // DISPLAY...
+        for (i = 0; i < argc; i++) {
+                len += strlen(argv[i]) + 1; // + ' '
+        }
+        
+        char *cmd2 = malloc(len + 1); // + '\0'
+        if (!cmd2)
+                errExit("malloc");
+        
+        sprintf(cmd2, "DISPLAY=:%d ", display);
+        char *ptr = cmd2 + strlen(cmd2);
+        for (i = 0; i < argc; i++) {
+                if (strcmp(argv[i], "--x11") == 0)
+                        continue;
+                if (strcmp(argv[i], "--x11=xpra") == 0)
+                        continue;
+                if (strcmp(argv[i], "--x11=xephyr") == 0)
+                        continue;
+                ptr += sprintf(ptr, "%s ", argv[i]);
+        }
+        if (arg_debug)
+                printf("xephyr server: %s\n", cmd1);    
+        if (arg_debug)
+                printf("xephyr client: %s\n", cmd2);    
+        
+        signal(SIGHUP,SIG_IGN); // fix sleep(1) below
+        server = fork();
+        if (server < 0)
+                errExit("fork");
+        if (server == 0) {
+                if (arg_debug)
+                        printf("Starting xephyr...\n");
+        
+                char *a[4];
+                a[0] = "/bin/bash";
+                a[1] = "-c";
+                a[2] = cmd1;
+                a[3] = NULL;
+        
+                execvp(a[0], a); 
+                perror("execvp");
+                exit(1);
+        }
+
+        // check X11 socket
+        char *fname;
+        if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1)
+                errExit("asprintf");
+        int n = 0;
+        // wait for x11 server to start
+        while (++n < 10) {
+                sleep(1);
+                if (stat(fname, &s) == 0)
                         break;
-                }
+        };
+        
+        if (n == 10) {
+                fprintf(stderr, "Error: failed to start xephyr\n");
+                exit(1);
         }
-        if (!found) {
-                fprintf(stderr, "Error: cannot pick up a random X11 display number, exiting...\n");
+        free(fname);
+        sleep(1);
+        
+        if (arg_debug) {
+                printf("X11 sockets: "); fflush(0);
+                int rv = system("ls /tmp/.X11-unix");
+                (void) rv;
+        }
+
+        // run attach command
+        client = fork();
+        if (client < 0)
+                errExit("fork");
+        if (client == 0) {
+                printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
+                char *a[4];
+                a[0] = "/bin/bash";
+                a[1] = "-c";
+                a[2] = cmd2;
+                a[3] = NULL;
+        
+                execvp(a[0], a); 
+                perror("execvp");
                 exit(1);
         }
+        sleep(1);
+        
+        if (!arg_quiet)
+                printf("Xephyr server pid %d, client pid %d\n", server, client);
+
+        exit(0);
+}
+
+void x11_start_xpra(int argc, char **argv) {
+        EUID_ASSERT();
+        int i;
+        struct stat s;
+        pid_t client = 0;
+        pid_t server = 0;
+        
+        setenv("FIREJAIL_X11", "yes", 1);
+
+        // unfortunately, xpra does a number of weird things when started by root user!!!
+        if (getuid() == 0) {
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
+                exit(1);
+        }
+        drop_privs(0);
+
+        // check xpra
+        if (x11_check_xpra() == 0) {
+                fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
+                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
+                exit(0);
+        }
+        
+        int display = random_display_number();
 
         // build the start command
         int len = 50; // xpra start...
@@ -168,6 +331,10 @@ void x11_start(int argc, char **argv) {
         for (i = 0; i < argc; i++) {
                 if (strcmp(argv[i], "--x11") == 0)
                         continue;
+                if (strcmp(argv[i], "--x11=xpra") == 0)
+                        continue;
+                if (strcmp(argv[i], "--x11=xephyr") == 0)
+                        continue;
                 ptr += sprintf(ptr, "%s ", argv[i]);
         }
         sprintf(ptr, "\"");
@@ -176,12 +343,12 @@ void x11_start(int argc, char **argv) {
         
         // build the attach command
         char *cmd2;
-        if (asprintf(&cmd2, "xpra attach :%d", display) == -1)
+        if (asprintf(&cmd2, "xpra --title=\"firejail x11 sandbox\" attach :%d", display) == -1)
                 errExit("asprintf");
         if (arg_debug)
                 printf("xpra client: %s\n", cmd2);
 
-        signal(SIGHUP,SIG_IGN); // fix sleep(1`) below
+        signal(SIGHUP,SIG_IGN); // fix sleep(1) below
         server = fork();
         if (server < 0)
                 errExit("fork");
@@ -248,4 +415,27 @@ void x11_start(int argc, char **argv) {
 
         exit(0);
 }
+
+void x11_start(int argc, char **argv) {
+        EUID_ASSERT();
+
+        // unfortunately, xpra does a number of weird things when started by root user!!!
+        if (getuid() == 0) {
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
+                exit(1);
+        }
+
+        // check xpra
+        if (x11_check_xpra() == 1)
+                x11_start_xpra(argc, argv);
+        else if (x11_check_xephyr() == 1)
+                x11_start_xephyr(argc, argv);
+        else {
+                fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n");
+                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
+                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
+                exit(0);
+        }
+}
+
 #endif
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 0e38696ac..3140c5f70 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -23,7 +23,8 @@
 #include <sys/ioctl.h>
 #include <sys/prctl.h>
 #include <grp.h>
-
+#include <sys/stat.h>
+ 
 
 static int arg_route = 0;
 static int arg_arp = 0;
@@ -136,6 +137,12 @@ int main(int argc, char **argv) {
                         return 0;
                 }
                 else if (strcmp(argv[i], "--netstats") == 0) {
+                        struct stat s;
+                        if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n");
+                                exit(1);
+                        }       
+
                         netstats();
                         return 0;
                 }
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 3b6c128ae..0ff0dd33d 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -26,6 +26,10 @@
 
 #define MAXBUF 4096
 
+// ip -s link: device stats
+// ss -s: socket stats
+
+
 static char *get_header(void) {
         char *rv;
         if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
@@ -117,8 +121,14 @@ static void print_proc(int index, int itv, int col) {
         }
         else
                 ptrcmd = cmd;
-        // if the command doesn't have a --net= option, don't print
-        if (strstr(ptrcmd, "--net=") == NULL) {
+        
+        // check network namespace
+        char *name;
+        if (asprintf(&name, "/run/firejail/network/%d-netmap", index) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(name, &s) == -1) {
+                // the sandbox doesn't have a --net= option, don't print
                 if (cmd)
                         free(cmd);
                 return;
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index e2dd5aaa2..7c961adde 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -89,7 +89,8 @@ static int pid_is_firejail(pid_t pid) {
         
                 // list of firejail arguments that don't trigger sandbox creation
                 // the initial -- is not included 
-                char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols";
+                char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols "
+                        "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get ";
                 
                 int i;
                 char *start;
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 926e1c89f..74a2a61f0 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -24,7 +24,8 @@ void usage(void) {
         printf("Usage: firemon [OPTIONS] [PID]\n\n");
         printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n");
         printf("all processes started by Firejail are monitored. Descendants of these processes\n");
-        printf("are also being monitored.\n\n");
+        printf("are also being monitored. On Grsecurity systems only root user\n");
+        printf("can run this program.\n\n");
         printf("Options:\n");
         printf("\t--arp - print ARP table for each sandbox.\n\n");
         printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index f07cf2868..b6d341bf4 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -36,12 +36,12 @@ extern uid_t firejail_uid;
 
 static inline void EUID_ROOT(void) {
         if (seteuid(0) == -1)
-                fprintf(stderr, "Error: cannot switch euid to root\n");
+                fprintf(stderr, "Warning: cannot switch euid to root\n");
 }
 
 static inline void EUID_USER(void) {
         if (seteuid(firejail_uid) == -1)
-                fprintf(stderr, "Error: cannot switch euid to user\n");
+                fprintf(stderr, "Warning: cannot switch euid to user\n");
 }
 
 static inline void EUID_PRINT(void) {
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 07457eefe..836cf417d 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -723,7 +723,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data)
         int len = RTA_LENGTH(4);
         struct rtattr *subrta;
 
-        if (RTA_ALIGN(rta->rta_len) + len > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) {
                 fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen);
                 return -1;
         }
@@ -741,7 +741,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type,
         struct rtattr *subrta;
         int len = RTA_LENGTH(alen);
 
-        if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) {
                 fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen);
                 return -1;
         }
diff --git a/src/lib/pid.c b/src/lib/pid.c
index a89ac434b..d1ade389e 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -310,7 +310,11 @@ void pid_read(pid_t mon_pid) {
                         continue;
                 if (pid == mypid)
                         continue;
-                
+
+                // skip PID 1 just in case we run a sandbox-in-sandbox
+                if (pid == 1)
+                        continue;
+                        
                 // open stat file
                 char *file;
                 if (asprintf(&file, "/proc/%u/status", pid) == -1) {
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index c3fd40a67..3e65587c4 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -91,9 +91,9 @@ static void storage_add(const char *str) {
         storage[h] = ptr;
 }
 
-char* cwd = NULL; // global variable for keeping current working directory
-typedef int (*orig_chdir_t)(const char *pathname);
-static orig_chdir_t orig_chdir = NULL;
+// global variable to keep current working directory
+static char* cwd = NULL;
+
 static char *storage_find(const char *str) {
 #ifdef DEBUG
         printf("storage find %s\n", str);
@@ -107,17 +107,23 @@ static char *storage_find(const char *str) {
         const char *tofind = str;
         int allocated = 0;
 
-        if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0]!='/') {
-                if (!orig_chdir)
-                        orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir");
-                if (!orig_chdir(cwd)) {
-#ifdef DEBUG
-                        printf("chdir failed\n");
-#endif
-                        return NULL;
+        if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0] != '/') {
+                if (cwd != NULL && str[0] != '/') {
+                        char *fullpath=malloc(PATH_MAX);
+                        if (!fullpath) {
+                                fprintf(stderr, "Error: cannot allocate memory\n");
+                                return NULL;
+                        }
+                        if (snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str)<3) {
+                                fprintf(stderr, "Error: snprintf failed\n");
+                                free(fullpath);
+                                return NULL;
+                        }
+                        tofind = realpath(fullpath, NULL);
+                        free(fullpath);
+                } else {
+                        tofind = realpath(str, NULL);
                 }
-
-                tofind = realpath(str, NULL);
                 if (!tofind) {
 #ifdef DEBUG
                         printf("realpath failed\n");
@@ -641,9 +647,8 @@ DIR *opendir(const char *pathname) {
 }
 
 // chdir
-// definition of orig_chdir placed before storage_find function
-//typedef int (*orig_chdir_t)(const char *pathname);
-//static orig_chdir_t orig_chdir = NULL;
+typedef int (*orig_chdir_t)(const char *pathname);
+static orig_chdir_t orig_chdir = NULL;
 int chdir(const char *pathname) {
 #ifdef DEBUG
         printf("%s %s\n", __FUNCTION__, pathname);
@@ -662,3 +667,32 @@ int chdir(const char *pathname) {
         int rv = orig_chdir(pathname);
         return rv;
 }
+
+// fchdir
+typedef int (*orig_fchdir_t)(int fd);
+static orig_fchdir_t orig_fchdir = NULL;
+int fchdir(int fd) {
+#ifdef DEBUG
+        printf("%s %d\n", __FUNCTION__, fd);
+#endif
+        if (!orig_fchdir)
+                orig_fchdir = (orig_fchdir_t)dlsym(RTLD_NEXT, "fchdir");
+
+        free(cwd);
+        char *pathname=malloc(PATH_MAX);
+        if (pathname) {
+                if (snprintf(pathname,PATH_MAX,"/proc/self/fd/%d", fd)>0) {
+                        cwd = realpath(pathname, NULL);
+                } else {
+                        cwd = NULL;
+                        fprintf(stderr, "Error: snprintf failed\n");
+                }
+                free(pathname);
+        } else {
+                fprintf(stderr, "Error: cannot allocate memory\n");
+                cwd = NULL;
+        }
+
+        int rv = orig_fchdir(fd);
+        return rv;
+}
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
new file mode 100644
index 000000000..c12bf7731
--- /dev/null
+++ b/src/man/firecfg.txt
@@ -0,0 +1,70 @@
+.TH FIRECFG 1 "MONTH YEAR" "VERSION" "firecfg man page"
+.SH NAME
+Firecfg \- Desktop configuration program for Firejail software.
+.SH SYNOPSIS
+firecfg [OPTIONS]
+.SH DESCRIPTION
+Firecfg is the desktop configuration utility for Firejail software. The utility
+creates several symbolic links to firejail executable. This allows the user to
+sandbox applications automatically, just by clicking on a regular desktop
+menus and icons.
+
+The symbolic links are placed in /usr/local/bin. For more information, see
+\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+
+.SH OPTIONS
+.TP
+\fB\-\-clean
+Remove all firejail symbolic links.
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options end exit.
+.TP
+\fB\-\-list
+List all firejail symbolic links
+.TP
+\fB\-\-version
+Print program version and exit.
+
+
+.PP
+Example:
+.br
+
+.br
+$ sudo firecfg
+.br
+/usr/local/bin/firefox created
+.br
+/usr/local/bin/vlc created
+.br
+[...]
+.br
+$ firecfg --list
+.br
+/usr/local/bin/firefox
+.br
+/usr/local/bin/vlc
+.br
+[...]
+.br
+$ sudo firecfg --clean
+.br
+/usr/local/bin/firefox removed
+.br
+/usr/local/bin/vlc removed
+.br
+[...]
+
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.wordpress.com
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirejail-profile\fR\|(5),
+\&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
+
+
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
new file mode 100644
index 000000000..386eda976
--- /dev/null
+++ b/src/man/firejail-config.txt
@@ -0,0 +1,109 @@
+.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page"
+.SH NAME
+firejail.config \- Firejail run time configuration file
+
+.SH DESCRIPTION
+/etc/firejail/firejail.config is the system-wide configuration file for Firejail.
+It allows the system administrator to enable or disable a number of
+features and Linux kernel security technologies used by Firejail sandbox.
+The file contains keyword-argument pairs, one per line.
+Use 'yes' or 'no' as configuration values.
+
+Note that some of these features can also be enabled or disabled at compile
+time. Most features are enabled by default both at compile time and
+at run time.
+
+.TP
+\fBbind
+Enable or disable bind support, default enabled.
+
+.TP
+\fBchroot
+Enable or disable chroot support, default enabled.
+
+.TP
+\fBfile-transfer
+Enable or disable file transfer support, default enabled.
+
+.TP
+\fBforce-nonewprivs
+Force use of nonewprivs.  This mitigates the possibility of
+a user abusing firejail's features to trick a privileged (suid
+or file capabilities) process into loading code or configuration
+that is partially under their control.  Default disabled.
+
+.TP
+\fBnetwork
+Enable or disable networking features, default enabled.
+
+.TP
+\fBrestricted-network
+Enable or disable restricted network support, default disabled. If enabled,
+networking features should also be enabled (network yes).
+Restricted networking grants access to --interface, --net=ethXXX and
+\-\-netfilter only to root user. Regular users are only allowed --net=none.
+
+.TP
+\fBsecomp
+Enable or disable seccomp support, default enabled.
+
+.TP
+\fBuserns
+Enable or disable user namespace support, default enabled.
+
+.TP
+\fBwhitelist
+Enable or disable whitelisting support, default enabled.
+
+.TP
+\fBx11
+Enable or disable X11 sandboxing support, default enabled.
+
+.TP
+\fBxephyr-screen
+Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
+a full list of resolutions available on your specific setup. Examples:
+.br
+
+.br
+xephyr-screen 640x480
+.br
+xephyr-screen 800x600
+.br
+xephyr-screen 1024x768
+.br
+xephyr-screen 1280x1024
+
+.TP
+\fBxephyr-window-title
+Firejail window title in Xephyr, default enabled.
+
+.TP
+\fBxephyr-extra-params
+Xephyr command extra parameters. None by default, and the declaration is commented out. Examples:
+.br
+
+.br
+xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+.br
+xephyr-extra-params -grayscale
+
+.SH COMPILE TIME CONFIGURATION
+Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.
+
+.SH FILES
+/etc/firejail/firejail.config
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.wordpress.com
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
+\&\flfirejail-profile\fR\|(5)
+\&\flfirejail-login\fR\|(5)
+
+
+
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index e5bcf9436..464551202 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -11,11 +11,11 @@ a user name followed by the arguments passed to firejail. The format is as follo
 
 Example:
 
-        netblue:--debug --net=none
+        netblue:--net=none --protocol=unix
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/password file for each user that needs to be restricted. Alternatively,
+/etc/passwd file for each user that needs to be restricted. Alternatively,
 you can specify /usr/bin/firejail  using adduser or usermod commands:
 
 adduser \-\-shell /usr/bin/firejail username
@@ -32,7 +32,8 @@ Homepage: http://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-
+\&\flfirejail-config\fR\|(5)
 
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index c5de79118..504842a9e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 
 .TP
-\fBread-only file_or_directory
-Make directory or file read-only.
-.TP
-\fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
-.TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
@@ -135,8 +129,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \fBmkdir directory
-Create a directory in user home. Use this command for whitelisted directories you need to preserve
-when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+Create a directory in user home before the sandbox is started.
+The directory is created if it doesn't already exist.
+.br
+
+.br
+Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Without it, the application will create the directory, and the directory
+will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
 firefox profile:
 .br
 
@@ -153,6 +153,13 @@ mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
 .TP
+\fBmkfile file
+Similar to mkdir, this command creates a file in user home before the sandbox is started.
+The file is created if it doesn't already exist.
+.TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -176,13 +183,28 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory.
 .TP
+\fBread-only file_or_directory
+Make directory or file read-only.
+.TP
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.TP
+\fBtracelog
+Blacklist violations logged to syslog.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
 .TP
-\fBtracelog
-Blacklist violations logged to syslog.
+\fBwritable-etc
+Mount /etc directory read-write.
+.TP
+\fBwritable-var
+Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
 
@@ -205,10 +227,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable default seccomp filter.  The default list is as follows:
-mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
@@ -219,6 +238,12 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
@@ -284,10 +309,88 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+
 .SH Networking
 Networking features available in profile files.
 
 .TP
+\fBdefaultgw address
+Use this address as default gateway in the new network namespace.
+
+.TP
+\fBdns address
+Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+
+.TP
+\fBhostname name
+Set a hostname for the sandbox.
+
+.TP
+\fBip address
+Assign IP addresses to the last network interface defined by a net command. A
+default gateway is assigned by default.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip 10.10.20.56
+
+.TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+
+.TP
+\fBip6 address
+Assign IPv6 addresses to the last network interface defined by a net command.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip6 2001:0db8:0:f101::1/64
+
+.TP
+\fBiprange address,address
+Assign  an  IP address in the provided range to the last network
+interface defined by  a  net command.  A  default  gateway  is assigned by default.
+.br
+
+.br
+Example:
+.br
+
+.br
+net eth0
+.br
+iprange 192.168.1.150,192.168.1.160
+.br
+
+.TP
+\fBmac address
+Assign MAC addresses to the last network interface defined by a net command.
+
+.TP
+\fBmtu number
+Assign a MTU value to the last network interface defined by a net command.
+
+
+
+.TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
 
@@ -296,19 +399,31 @@ If a new network namespace is created, enabled default network filter.
 If a new network namespace is created, enabled the network filter in filename.
 
 .TP
-\fBnet none
-Enable  a new, unconnected network namespace. The only interface
-available in the new namespace is a new loopback interface (lo).
-Use  this  option  to deny network access to programs that don't
-really need network access.
+\fBnet bridge_interface
+Enable a new network namespace and connect it to this bridge interface.
+Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
+automatically to the sandbox. The IP address is verified using ARP before assignment. The address
+configured as default gateway is the bridge device IP address. Up to four \-\-net
+bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
 
 .TP
-\fBdns address
-Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+\fBnet ethernet_interface
+Enable a new network namespace and connect it
+to this ethernet interface using the standard Linux macvlan
+driver. Unless specified with option \-\-ip and \-\-defaultgw, an
+IP address and a default gateway will be assigned automatically
+to the sandbox. The IP address is verified using ARP before
+assignment. The address configured as default gateway is the
+default gateway of the host. Up to four \-\-net devices can
+be defined. Mixing bridge and macvlan devices is allowed.
+Note: wlan devices are not supported for this option.
 
 .TP
-\fBhostname name
-Set a hostname for the sandbox.
+\fBnet none
+Enable a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use this option to deny network access to programs that don't
+really need network access.
 
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
@@ -351,7 +466,9 @@ Homepage: http://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
 
 
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index fead4eaf5..d34cfdb20 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 
 .SH USAGE
-Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
-and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
-The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
-Only /home and /tmp are writable.
+Without any options, the sandbox consists of a filesystem build in a new mount namespace,
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
+command line options. The default Firejail filesystem is based on the host filesystem with the main 
+system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, 
+/libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -74,6 +75,25 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-appimage
+Sandbox an AppImage (http://appimage.org/) application.
+.br
+
+.br
+Example:
+.br
+$ firejail --appimage krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --private krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+.TP
+\fB\-\-audit
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
+\fB\-\-audit=test-program
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -118,7 +138,7 @@ The filter is applied to all processes started in the sandbox.
 .br
 Example:
 .br
-$ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf"
+$ sudo firejail \-\-caps /etc/init.d/nginx start
 
 .TP
 \fB\-\-caps.drop=all
@@ -152,17 +172,10 @@ Example:
 .br
 $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\
 setuid /etc/init.d/nginx start
-.br
 
-.br
-A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
-should be made read-only independently. Making a parent directory read-only, will not
-make the whitelist read-only. Example:
-.br
-$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
-\fB\-\-caps.print=name
-Print the caps filter for the sandbox identified by name.
+\fB\-\-caps.print=name|pid
+Print the caps filter for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -170,13 +183,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-caps.print=mygame
-
-.TP
-\fB\-\-caps.print=pid
-Print the caps filter for a sandbox identified by PID.
 .br
 
 .br
@@ -200,8 +207,10 @@ Example:
 
 .TP
 \fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled.
+Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. If the sandbox is started as a
+regular user, default seccomp and capabilities filters are enabled. This
+option is not available on Grsecurity systems.
 .br
 
 .br
@@ -220,6 +229,28 @@ Example:
 $ firejail \-\-cpu=0,1 handbrake
 
 .TP
+\fB\-\-cpu.print=name|pid
+Print the CPU cores in use by the sandbox identified by name or by PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+$ firejail \-\-cpu.print=mygame
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-cpu.print=3272
+
+.TP
 \fB\-\-csh
 Use /bin/csh as default user shell.
 .br
@@ -326,8 +357,8 @@ Example:
 $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
 
 .TP
-\fB\-\-dns.print=name
-Print DNS configuration for a sandbox identified by name.
+\fB\-\-dns.print=name|pid
+Print DNS configuration for a sandbox identified by name or by PID.
 .br
 
 .br
@@ -335,13 +366,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-dns.print=mygame
-
-.TP
-\fB\-\-dns.print=pid
-Print DNS configuration for a sandbox identified by PID.
 .br
 
 .br
@@ -371,8 +396,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb
 admin capabilities, SUID binaries, or if it runs seccomp.
 
 .TP
-\fB\-\-fs.print=name
-Print the filesystem log for the sandbox identified by name.
+\fB\-\-fs.print=name|print
+Print the filesystem log for the sandbox identified by name or by PID.
 .br
 
 .br
@@ -380,13 +405,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-fs.print=mygame
-
-.TP
-\fB\-\-fs.print=pid
-Print the filesystem log for a sandbox identified by PID.
 .br
 
 .br
@@ -460,6 +479,11 @@ in case you intend to start an external DHCP client in the sandbox.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-\ip=none
+.br
+
+.br
+If the corresponding interface doesn't have an IP address configured, this
+option is enabled by default.
 
 .TP
 \fB\-\-ip6=address
@@ -495,13 +519,12 @@ Example:
 .br
 $ firejail \-\-ipc-namespace firefox
 .TP
-\fB\-\-join=name
-Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join=name|pid
+Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
 all security filters are configured for the new process the same they are configured in the sandbox.
 If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
 to the process joining the sandbox.
-
 .br
 
 .br
@@ -509,18 +532,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-join=mygame
-
-
-.TP
-\fB\-\-join=pid
-Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
-all security filters are configured for the new process the same they are configured in the sandbox.
-If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
-to the process joining the sandbox.
 .br
 
 .br
@@ -533,37 +545,71 @@ $ firejail \-\-list
 $ firejail \-\-join=3272
 
 .TP
-\fB\-\-join-filesystem=name
-Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+\fB\-\-join-filesystem=name|pid
+Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
 
 .TP
-\fB\-\-join-filesystem=pid
-Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
-.TP
-\fB\-\-join-network=name
+\fB\-\-join-network=name|PID
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
+Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
+.br
 
-.TP
-\fB\-\-join-network=pid
-Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
+.br
+# start firefox
+.br
+$ firejail --net=eth0 --name=browser firefox &
+.br
 
+.br
+# change netfilter configuration
+.br
+$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
+.br
 
+.br
+# verify netfilter configuration
+.br
+$ sudo firejail --join-network=browser "/sbin/iptables -vL"
+.br
+
+.br
+# verify  IP addresses
+.br
+$ sudo firejail --join-network=browser "ip addr"
+.br
+Switching to pid 1932, the first child process inside the sandbox
+.br
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
+.br
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+.br
+    inet 127.0.0.1/8 scope host lo
+.br
+       valid_lft forever preferred_lft forever
+.br
+    inet6 ::1/128 scope host 
+.br
+       valid_lft forever preferred_lft forever
+.br
+2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
+.br
+    link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
+.br
+    inet 192.168.1.158/24 brd 192.168.1.255 scope global eth0-1931
+.br
+       valid_lft forever preferred_lft forever
+.br
+    inet6 fe80::7458:14ff:fe42:78e4/64 scope link 
+.br
+       valid_lft forever preferred_lft forever
 
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
 
-\fB
-
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -771,12 +817,13 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
+Only root may specify a negative value.
 .br
 
 .br
 Example:
 .br
-$ firejail --nice=-5 firefox
+$ firejail --nice=2 firefox
 
 
 .TP
@@ -804,6 +851,21 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noexec=/tmp
+.br
+
+.br
+/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation
+on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+
+.TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
 sandbox. For root user supplementary groups are always disabled.
@@ -838,7 +900,7 @@ Example:
 .br
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -881,6 +943,14 @@ ping: icmp open socket: Operation not permitted
 $
 
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege. This option
+is enabled by default if seccomp filter is activated.
+
+.TP
 \fB\-\-nosound
 Disable sound system.
 .br
@@ -892,7 +962,7 @@ $ firejail \-\-nosound firefox
 
 .TP
 \fB\-\-output=logfile
-stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
+stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log
 rotation. Five files with prefixes .1 to .5 are used in rotation.
 .br
 
@@ -919,8 +989,9 @@ $ ls -l sandboxlog*
 
 .TP
 \fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail directory.
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -936,7 +1007,7 @@ $ firejail \-\-overlay firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed.
+and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -973,7 +1044,9 @@ $ firejail \-\-private=/home/netblue/firefox-home firefox
 .TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
-The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
+If no listed file is found, /bin directory will be empty.
+The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
+All modifications are discarded when the sandbox is closed. 
 .br
 
 .br
@@ -991,7 +1064,7 @@ bash  cat  ls  sed
 
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available.
 .br
 
 .br
@@ -1005,14 +1078,15 @@ Child process initialized
 .br
 $ ls /dev
 .br
-dri  full  log  null  ptmx  pts  random  shm  tty  urandom  zero
+dri  full  log  null  ptmx  pts  random  shm  snd  tty  urandom  zero
 .br
 $
 .TP
 \fB\-\-private-etc=file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
+If no listed file is found, /etc directory will be empty.
+All modifications are discarded when the sandbox is closed. 
 .br
 
 .br
@@ -1068,8 +1142,8 @@ Example:
 .br
 $ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
-\fB\-\-protocol.print=name
-Print the protocol filter for the sandbox identified by name.
+\fB\-\-protocol.print=name|pid
+Print the protocol filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1077,15 +1151,9 @@ Example:
 .br
 $ firejail \-\-name=mybrowser firefox &
 .br
-[...]
-.br
 $ firejail \-\-protocol.print=mybrowser
 .br
 unix,inet,inet6,netlink
-
-.TP
-\fB\-\-protocol.print=pid
-Print the protocol filter for a sandbox identified by PID.
 .br
 
 .br
@@ -1110,6 +1178,31 @@ Set directory or file read-only.
 Example:
 .br
 $ firejail \-\-read-only=~/.mozilla firefox
+.br
+
+.br
+A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
+should be made read-only independently. Making a parent directory read-only, will not
+make the whitelist read-only. Example:
+.br
+
+.br
+$ firejail --whitelist=~/work --read-only=~ --read-only=~/work
+
+.TP
+\fB\-\-read-write=dirname_or_filename
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
+this operation. Example:
+.br
+
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
+
+
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
@@ -1122,6 +1215,17 @@ Set the maximum number of processes that can be created for the real user ID of
 .TP
 \fB\-\-rlimit-sigpending=number
 Set the maximum number of pending signals for a process.
+
+.TP
+\fB\-\-rmenv=name
+Remove environment variable in the new sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
+
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -1135,13 +1239,13 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
 
@@ -1205,8 +1309,8 @@ $ rm testfile
 rm: cannot remove `testfile': Operation not permitted
 
 .TP
-\fB\-\-seccomp.print=name
-Print the seccomp filter for the sandbox started using \-\-name option.
+\fB\-\-seccomp.print=name|PID
+Print the seccomp filter for the sandbox identified by name or PID.
 .br
 
 .br
@@ -1270,72 +1374,6 @@ SECCOMP Filter:
 .br
 $ 
 .TP
-\fB\-\-seccomp.print=pid
-Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-list
-.br
-10786:netblue:firejail \-\-name=browser firefox 
-$ firejail \-\-seccomp.print=10786
-.br
-SECCOMP Filter:
-.br
-  VALIDATE_ARCHITECTURE
-.br
-  EXAMINE_SYSCAL
-.br
-  BLACKLIST 165 mount
-.br
-  BLACKLIST 166 umount2
-.br
-  BLACKLIST 101 ptrace
-.br
-  BLACKLIST 246 kexec_load
-.br
-  BLACKLIST 304 open_by_handle_at
-.br
-  BLACKLIST 175 init_module
-.br
-  BLACKLIST 176 delete_module
-.br
-  BLACKLIST 172 iopl
-.br
-  BLACKLIST 173 ioperm
-.br
-  BLACKLIST 167 swapon
-.br
-  BLACKLIST 168 swapoff
-.br
-  BLACKLIST 103 syslog
-.br
-  BLACKLIST 310 process_vm_readv
-.br
-  BLACKLIST 311 process_vm_writev
-.br
-  BLACKLIST 133 mknod
-.br
-  BLACKLIST 139 sysfs
-.br
-  BLACKLIST 156 _sysctl
-.br
-  BLACKLIST 159 adjtimex
-.br
-  BLACKLIST 305 clock_adjtime
-.br
-  BLACKLIST 212 lookup_dcookie
-.br
-  BLACKLIST 298 perf_event_open
-.br
-  BLACKLIST 300 fanotify_init
-.br
-  RETURN_ALLOW
-.br
-$ 
-.TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
 .br
@@ -1356,8 +1394,8 @@ shell.
 Example:
 $firejail \-\-shell=/bin/dash script.sh
 .TP
-\fB\-\-shutdown=name
-Shutdown the sandbox started using \-\-name option.
+\fB\-\-shutdown=name|PID
+Shutdown the sandbox identified by name or PID.
 .br
 
 .br
@@ -1365,12 +1403,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-shutdown=mygame
-.TP
-\fB\-\-shutdown=pid
-Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
 .br
 
 .br
@@ -1475,15 +1508,7 @@ $ firejail \-\-tree
 11969:netblue:firejail \-\-net=eth0 transmission-gtk 
 .br
   11970:netblue:transmission-gtk 
-.TP
-\fB\-\-user=new-user
-Switch the user before starting the sandbox. This command should be run as root.
-.br
 
-.br
-Example:
-.br
-# firejail \-\-user=www-data
 .TP
 \fB\-\-version
 Print program version and exit.
@@ -1498,25 +1523,51 @@ firejail version 0.9.27
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
-When whitlisting symbolic links, both the link and the real file should be in the same top directory
-(home user, /media, /var etc.)
+With the exception of user home, both the link and the real file should be in
+the same top directory. For /home, both the link and the real file should be owned by the user.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 
 .TP
+\fB\-\-writable-etc
+Mount /etc directory read-write.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-etc
+
+.TP
+\fB\-\-writable-var
+Mount /var directory read-write.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var
+
+
+.TP
 \fB\-\-x11
-Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
-Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
 The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
-applications started in the sandbox from accessing display 0.
+applications started in the sandbox from accessing other X11 displays.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+
+.br
+Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+This feature is not available when running as root. 
 .br
 
 .br
@@ -1525,6 +1576,40 @@ Example:
 $ firejail \-\-x11 --net=eth0 firefox
 
 .TP
+\fB\-\-x11=xpra
+Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+This feature is not available when running as root.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-x11=xpra --net=eth0 firefox
+
+.TP
+\fB\-\-x11=xephyr
+Start a new X11 server using Xephyr and attach the sandbox to this server.
+Xephyr is a display server implementing the X11 display server protocol.
+It runs in a window just like other X applications, but it is an X server itself in which you can run other software.
+The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file,
+see \fBman 5 firejail-config\fR for more details.
+.br
+
+.br
+The recommended way to use this feature is to run a window manager inside the sandbox.
+A security profile for OpenBox is provided.
+On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
+This feature is not available when running as root. 
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-x11=xephyr --net=eth0 openbox
+
+.TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.
 .br
@@ -1534,30 +1619,71 @@ Example:
 .br
 $ firejail \-\-zsh
 
-.SH FILE TRANSFER
-These features allow the user to inspect the file system container of an existing sandbox
-and transfer files from the container to the host file system.
+.SH DESKTOP INTEGRATION
+A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
+The symbolic link should be placed in the first $PATH position. On most systems, a good place
+is /usr/local/bin directory. Example:
+.PP
+.RS
+.br
 
-.TP
-\fB\-\-get=name filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is spececified by name (\-\-name option). Full path is needed for filename.
+.br
+Make a firefox symlink to /usr/bin/firejail:
+.br
 
-.TP
-\fB\-\-get=pid filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is spececified by process ID. Full path is needed for filename.
+.br
+$ ln -s /usr/bin/firejail /usr/local/bin/firefox
+.br
+
+.br
+Verify $PATH
+.br
+
+.br
+$ which -a firefox
+.br
+/usr/local/bin/firefox
+.br
+/usr/bin/firefox
+.br
+
+.br
+Starting firefox in this moment, automatically invokes “firejail firefox”.
+.RE
+.br
+
+.br
+This works for clicking on desktop environment icons, menus etc. Use "firejail --tree"
+to verify the program is sandboxed.
+.PP
+.RS
+.br
+
+.br
+.br
+$ firejail --tree
+.br
+1189:netblue:firejail firefox
+.br
+  1190:netblue:firejail firefox
+.br
+    1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"  
+.br
+      1221:netblue:/usr/lib/firefox/firefox
+.RE
+
+.SH FILE TRANSFER
+These features allow the user to inspect the filesystem container of an existing sandbox
+and transfer files from the container to the host filesystem.
 
 .TP
-\fB\-\-ls=name dir_or_filename
-List container files.
-The container is spececified by name (\-\-name option).
-Full path is needed for dir_or_filename.
+\fB\-\-get=name|pid filename
+Retrieve the container file and store it on the host in the current working directory.
+The container is specified by name or PID. Full path is needed for filename.
 
 .TP
-\fB\-\-ls=pid dir_or_filename
-List container files.
-The container is spececified by process ID.
+\fB\-\-ls=name|pid dir_or_filename
+List container files. The container is specified by name or PID.
 Full path is needed for dir_or_filename.
 
 .TP
@@ -1596,15 +1722,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 
 Set rate-limits:
 
-        firejail --bandwidth={name|pid} set network download upload
+        $ firejail --bandwidth=name|pid set network download upload
 
 Clear rate-limits:
 
-        firejail --bandwidth={name|pid} clear network
+        $ firejail --bandwidth=name|pid clear network
 
 Status:
 
-        firejail --bandwidth={name|pid} status
+        $ firejail --bandwidth=name|pid status
 
 where:
 .br
@@ -1628,6 +1754,26 @@ Example:
 .br
         $ firejail \-\-bandwidth=mybrowser clear eth0
 
+.SH AUDIT
+Audit feature allows the user to point out gaps in security profiles. The
+implementation replaces the program to be sandboxed with a test program. By
+default, we use faudit program distributed with Firejail. A custom test program
+can also be supplied by the user. Examples:
+
+Running the default audit program:
+.br
+        $ firejail --audit transmission-gtk
+
+Running a custom audit program:
+.br
+        $ firejail --audit=~/sandbox-test transmission-gtk
+
+In the examples above, the sandbox configures transmission-gtk profile and
+starts the test program. The real program, transmission-gtk, will not be
+started.
+
+Limitations: audit feature is not implemented for --x11 commands.
+
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -1721,7 +1867,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -1744,7 +1890,7 @@ See man 5 firejail-profile for profile file syntax information.
         
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/password file for each user that needs to be restricted. Alternatively,
+/etc/passwd file for each user that needs to be restricted. Alternatively,
 you can specify /usr/bin/firejail  in adduser command:
 
 adduser \-\-shell /usr/bin/firejail username
@@ -1785,8 +1931,10 @@ This program is free software; you can redistribute it and/or modify it under th
 Homepage: http://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
 
 
 
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 88b2ce59f..ef99b0927 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -6,7 +6,8 @@ firemon [OPTIONS] [PID]
 .SH DESCRIPTION
 Firemon monitors programs started in a Firejail sandbox.
 Without a PID specified, all processes started by Firejail are monitored. Descendants of
-these processes are also being monitored.
+these processes are also being monitored. On Grsecurity systems only root user
+can run this program.
 .SH OPTIONS
 .TP
 \fB\-\-arp
@@ -105,7 +106,9 @@ This program is free software; you can redistribute it and/or modify it under th
 Homepage: http://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfirejail\fR\|(1),
+\&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
 
 
diff --git a/src/tools/config-4.4.0-1-grsec-amd64 b/src/tools/config-4.4.0-1-grsec-amd64
new file mode 100644
index 000000000..82215c460
--- /dev/null
+++ b/src/tools/config-4.4.0-1-grsec-amd64
@@ -0,0 +1,7430 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.4.6 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_HAVE_INTEL_TXT=y
+CONFIG_X86_64_SMP=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+# CONFIG_KERNEL_GZIP is not set
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+CONFIG_KERNEL_XZ=y
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_FHANDLE=y
+CONFIG_AUDIT=y
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_PENDING_IRQ=y
+CONFIG_GENERIC_IRQ_CHIP=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+# CONFIG_NO_HZ_FULL is not set
+# CONFIG_NO_HZ is not set
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+CONFIG_BSD_PROCESS_ACCT_V3=y
+CONFIG_TASKSTATS=y
+CONFIG_TASK_DELAY_ACCT=y
+CONFIG_TASK_XACCT=y
+CONFIG_TASK_IO_ACCOUNTING=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TREE_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+# CONFIG_TASKS_RCU is not set
+CONFIG_RCU_STALL_COMMON=y
+# CONFIG_RCU_EXPEDITE_BOOT is not set
+CONFIG_BUILD_BIN2C=y
+# CONFIG_IKCONFIG is not set
+CONFIG_LOG_BUF_SHIFT=17
+CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
+CONFIG_NUMA_BALANCING=y
+# CONFIG_NUMA_BALANCING_DEFAULT_ENABLED is not set
+CONFIG_CGROUPS=y
+# CONFIG_CGROUP_DEBUG is not set
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_DISABLED=y
+CONFIG_MEMCG_SWAP=y
+# CONFIG_MEMCG_SWAP_ENABLED is not set
+# CONFIG_MEMCG_KMEM is not set
+# CONFIG_CGROUP_HUGETLB is not set
+CONFIG_CGROUP_PERF=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_NAMESPACES=y
+CONFIG_UTS_NS=y
+CONFIG_IPC_NS=y
+CONFIG_USER_NS=y
+CONFIG_PID_NS=y
+CONFIG_NET_NS=y
+CONFIG_SCHED_AUTOGROUP=y
+# CONFIG_SYSFS_DEPRECATED is not set
+CONFIG_RELAY=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_INITRAMFS_SOURCE=""
+CONFIG_RD_GZIP=y
+CONFIG_RD_BZIP2=y
+CONFIG_RD_LZMA=y
+CONFIG_RD_XZ=y
+CONFIG_RD_LZO=y
+CONFIG_RD_LZ4=y
+# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_HAVE_UID16=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+CONFIG_EXPERT=y
+CONFIG_UID16=y
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+CONFIG_KALLSYMS_ALL=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+# CONFIG_USERFAULTFD is not set
+CONFIG_PCI_QUIRKS=y
+CONFIG_MEMBARRIER=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_SLOB is not set
+# CONFIG_SYSTEM_DATA_VERIFICATION is not set
+CONFIG_PROFILING=y
+CONFIG_OPROFILE=m
+# CONFIG_OPROFILE_EVENT_MULTIPLEX is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+CONFIG_KPROBES=y
+CONFIG_JUMP_LABEL=y
+# CONFIG_STATIC_KEYS_SELFTEST is not set
+CONFIG_OPTPROBES=y
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_KRETPROBES=y
+CONFIG_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_CLK=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
+CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
+CONFIG_CC_STACKPROTECTOR_STRONG=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_OLD_SIGSUSPEND3=y
+CONFIG_COMPAT_OLD_SIGACTION=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+CONFIG_MODULES=y
+CONFIG_MODULE_FORCE_LOAD=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+CONFIG_MODVERSIONS=y
+# CONFIG_MODULE_SRCVERSION_ALL is not set
+# CONFIG_MODULE_SIG is not set
+# CONFIG_MODULE_COMPRESS is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+CONFIG_BLK_DEV_BSG=y
+CONFIG_BLK_DEV_BSGLIB=y
+CONFIG_BLK_DEV_INTEGRITY=y
+CONFIG_BLK_DEV_THROTTLING=y
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+CONFIG_PARTITION_ADVANCED=y
+CONFIG_ACORN_PARTITION=y
+# CONFIG_ACORN_PARTITION_CUMANA is not set
+# CONFIG_ACORN_PARTITION_EESOX is not set
+CONFIG_ACORN_PARTITION_ICS=y
+# CONFIG_ACORN_PARTITION_ADFS is not set
+# CONFIG_ACORN_PARTITION_POWERTEC is not set
+CONFIG_ACORN_PARTITION_RISCIX=y
+# CONFIG_AIX_PARTITION is not set
+CONFIG_OSF_PARTITION=y
+CONFIG_AMIGA_PARTITION=y
+CONFIG_ATARI_PARTITION=y
+CONFIG_MAC_PARTITION=y
+CONFIG_MSDOS_PARTITION=y
+CONFIG_BSD_DISKLABEL=y
+CONFIG_MINIX_SUBPARTITION=y
+CONFIG_SOLARIS_X86_PARTITION=y
+CONFIG_UNIXWARE_DISKLABEL=y
+CONFIG_LDM_PARTITION=y
+# CONFIG_LDM_DEBUG is not set
+CONFIG_SGI_PARTITION=y
+CONFIG_ULTRIX_PARTITION=y
+CONFIG_SUN_PARTITION=y
+CONFIG_KARMA_PARTITION=y
+CONFIG_EFI_PARTITION=y
+# CONFIG_SYSV68_PARTITION is not set
+# CONFIG_CMDLINE_PARTITION is not set
+CONFIG_BLOCK_COMPAT=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+CONFIG_CFQ_GROUP_IOSCHED=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_PREEMPT_NOTIFIERS=y
+CONFIG_PADATA=y
+CONFIG_ASN1=m
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_MUTEX_SPIN_ON_OWNER=y
+CONFIG_RWSEM_SPIN_ON_OWNER=y
+CONFIG_LOCK_SPIN_ON_OWNER=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_QUEUED_RWLOCKS=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+# CONFIG_ZONE_DMA is not set
+CONFIG_SMP=y
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_X2APIC=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+CONFIG_X86_INTEL_LPSS=y
+CONFIG_X86_AMD_PLATFORM_DEVICE=y
+CONFIG_IOSF_MBI=m
+CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_PARAVIRT=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_PARAVIRT_SPINLOCKS=y
+# CONFIG_XEN is not set
+CONFIG_KVM_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+CONFIG_PARAVIRT_CLOCK=y
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+# CONFIG_MCORE2 is not set
+# CONFIG_MATOM is not set
+CONFIG_GENERIC_CPU=y
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+# CONFIG_PROCESSOR_SELECT is not set
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_HPET_EMULATE_RTC=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+CONFIG_CALGARY_IOMMU=y
+CONFIG_CALGARY_IOMMU_ENABLED_BY_DEFAULT=y
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+# CONFIG_MAXSMP is not set
+CONFIG_NR_CPUS=512
+CONFIG_SCHED_SMT=y
+CONFIG_SCHED_MC=y
+# CONFIG_PREEMPT_NONE is not set
+CONFIG_PREEMPT_VOLUNTARY=y
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+CONFIG_X86_MCE=y
+CONFIG_X86_MCE_INTEL=y
+CONFIG_X86_MCE_AMD=y
+CONFIG_X86_MCE_THRESHOLD=y
+CONFIG_X86_MCE_INJECT=m
+CONFIG_X86_THERMAL_VECTOR=y
+# CONFIG_VM86 is not set
+CONFIG_X86_VSYSCALL_EMULATION=y
+CONFIG_I8K=m
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+CONFIG_MICROCODE_AMD=y
+CONFIG_MICROCODE_OLD_INTERFACE=y
+CONFIG_X86_MSR=m
+CONFIG_X86_CPUID=m
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_NUMA=y
+CONFIG_AMD_NUMA=y
+CONFIG_X86_64_ACPI_NUMA=y
+CONFIG_NODES_SPAN_OTHER_NODES=y
+CONFIG_NUMA_EMU=y
+CONFIG_NODES_SHIFT=6
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+# CONFIG_ARCH_MEMORY_PROBE is not set
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_NEED_MULTIPLE_NODES=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+# CONFIG_MOVABLE_NODE is not set
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+CONFIG_BALLOON_COMPACTION=y
+CONFIG_COMPACTION=y
+CONFIG_MIGRATION=y
+CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=0
+CONFIG_VIRT_TO_BUS=y
+CONFIG_MMU_NOTIFIER=y
+CONFIG_KSM=y
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
+CONFIG_MEMORY_FAILURE=y
+CONFIG_TRANSPARENT_HUGEPAGE=y
+# CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS is not set
+CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
+# CONFIG_CLEANCACHE is not set
+CONFIG_FRONTSWAP=y
+# CONFIG_CMA is not set
+CONFIG_ZSWAP=y
+CONFIG_ZPOOL=y
+CONFIG_ZBUD=y
+CONFIG_ZSMALLOC=m
+# CONFIG_PGTABLE_MAPPING is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
+# CONFIG_IDLE_PAGE_TRACKING is not set
+CONFIG_ZONE_DEVICE=y
+CONFIG_FRAME_VECTOR=y
+CONFIG_X86_PMEM_LEGACY_DEVICE=y
+CONFIG_X86_PMEM_LEGACY=m
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+CONFIG_X86_INTEL_MPX=y
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+CONFIG_EFI_MIXED=y
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC_FILE is not set
+CONFIG_CRASH_DUMP=y
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000
+CONFIG_X86_NEED_RELOCS=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_HOTPLUG_CPU=y
+# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
+# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_DEFAULT_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_USE_PERCPU_NUMA_NODE_ID=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_SUSPEND_SKIP_SYNC is not set
+CONFIG_PM_SLEEP=y
+CONFIG_PM_SLEEP_SMP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+CONFIG_PM_DEBUG=y
+CONFIG_PM_ADVANCED_DEBUG=y
+# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_SLEEP_DEBUG=y
+# CONFIG_DPM_WATCHDOG is not set
+# CONFIG_PM_TRACE_RTC is not set
+CONFIG_PM_CLK=y
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=m
+CONFIG_ACPI_BATTERY=m
+CONFIG_ACPI_BUTTON=m
+CONFIG_ACPI_VIDEO=m
+CONFIG_ACPI_FAN=m
+CONFIG_ACPI_DOCK=y
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=m
+CONFIG_ACPI_IPMI=m
+CONFIG_ACPI_HOTPLUG_CPU=y
+CONFIG_ACPI_PROCESSOR_AGGREGATOR=m
+CONFIG_ACPI_THERMAL=m
+CONFIG_ACPI_NUMA=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_INITRD_TABLE_OVERRIDE=y
+# CONFIG_ACPI_DEBUG is not set
+CONFIG_ACPI_PCI_SLOT=y
+CONFIG_X86_PM_TIMER=y
+CONFIG_ACPI_CONTAINER=y
+CONFIG_ACPI_HOTPLUG_MEMORY=y
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+CONFIG_ACPI_SBS=m
+CONFIG_ACPI_HED=y
+CONFIG_ACPI_BGRT=y
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+CONFIG_ACPI_NFIT=m
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+CONFIG_ACPI_APEI=y
+CONFIG_ACPI_APEI_GHES=y
+CONFIG_ACPI_APEI_PCIEAER=y
+CONFIG_ACPI_APEI_MEMORY_FAILURE=y
+# CONFIG_ACPI_APEI_ERST_DEBUG is not set
+CONFIG_ACPI_EXTLOG=y
+# CONFIG_PMIC_OPREGION is not set
+CONFIG_SFI=y
+
+#
+# CPU Frequency scaling
+#
+CONFIG_CPU_FREQ=y
+CONFIG_CPU_FREQ_GOV_COMMON=y
+CONFIG_CPU_FREQ_STAT=m
+# CONFIG_CPU_FREQ_STAT_DETAILS is not set
+# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set
+# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set
+# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set
+CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
+# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set
+CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
+CONFIG_CPU_FREQ_GOV_POWERSAVE=m
+CONFIG_CPU_FREQ_GOV_USERSPACE=m
+CONFIG_CPU_FREQ_GOV_ONDEMAND=y
+CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m
+
+#
+# CPU frequency scaling drivers
+#
+CONFIG_X86_INTEL_PSTATE=y
+CONFIG_X86_PCC_CPUFREQ=m
+CONFIG_X86_ACPI_CPUFREQ=m
+CONFIG_X86_ACPI_CPUFREQ_CPB=y
+CONFIG_X86_POWERNOW_K8=m
+CONFIG_X86_AMD_FREQ_SENSITIVITY=m
+CONFIG_X86_SPEEDSTEP_CENTRINO=m
+CONFIG_X86_P4_CLOCKMOD=m
+
+#
+# shared options
+#
+CONFIG_X86_SPEEDSTEP_LIB=m
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+CONFIG_INTEL_IDLE=y
+
+#
+# Memory power savings
+#
+CONFIG_I7300_IDLE_IOAT_CHANNEL=y
+CONFIG_I7300_IDLE=m
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+CONFIG_PCI_MMCONFIG=y
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+CONFIG_PCIEPORTBUS=y
+CONFIG_HOTPLUG_PCI_PCIE=y
+CONFIG_PCIEAER=y
+# CONFIG_PCIE_ECRC is not set
+CONFIG_PCIEAER_INJECT=m
+CONFIG_PCIEASPM=y
+# CONFIG_PCIEASPM_DEBUG is not set
+CONFIG_PCIEASPM_DEFAULT=y
+# CONFIG_PCIEASPM_POWERSAVE is not set
+# CONFIG_PCIEASPM_PERFORMANCE is not set
+CONFIG_PCIE_PME=y
+CONFIG_PCI_BUS_ADDR_T_64BIT=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+# CONFIG_PCI_DEBUG is not set
+CONFIG_PCI_REALLOC_ENABLE_AUTO=y
+CONFIG_PCI_STUB=m
+CONFIG_HT_IRQ=y
+CONFIG_PCI_ATS=y
+CONFIG_PCI_IOV=y
+CONFIG_PCI_PRI=y
+CONFIG_PCI_PASID=y
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+CONFIG_PCCARD=m
+CONFIG_PCMCIA=m
+CONFIG_PCMCIA_LOAD_CIS=y
+CONFIG_CARDBUS=y
+
+#
+# PC-card bridges
+#
+CONFIG_YENTA=m
+CONFIG_YENTA_O2=y
+CONFIG_YENTA_RICOH=y
+CONFIG_YENTA_TI=y
+CONFIG_YENTA_ENE_TUNE=y
+CONFIG_YENTA_TOSHIBA=y
+CONFIG_PD6729=m
+CONFIG_I82092=m
+CONFIG_PCCARD_NONSTATIC=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HOTPLUG_PCI_ACPI=y
+CONFIG_HOTPLUG_PCI_ACPI_IBM=m
+CONFIG_HOTPLUG_PCI_CPCI=y
+CONFIG_HOTPLUG_PCI_CPCI_ZT5550=m
+CONFIG_HOTPLUG_PCI_CPCI_GENERIC=m
+CONFIG_HOTPLUG_PCI_SHPC=m
+# CONFIG_RAPIDIO is not set
+CONFIG_X86_SYSFB=y
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_COMPAT_BINFMT_ELF=y
+CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+CONFIG_BINFMT_MISC=m
+CONFIG_COREDUMP=y
+CONFIG_IA32_EMULATION=y
+CONFIG_IA32_AOUT=y
+# CONFIG_X86_X32 is not set
+CONFIG_COMPAT=y
+CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
+CONFIG_SYSVIPC_COMPAT=y
+CONFIG_KEYS_COMPAT=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+CONFIG_COMPAT_NETLINK_MESSAGES=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=m
+CONFIG_UNIX=y
+CONFIG_UNIX_DIAG=m
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=m
+CONFIG_XFRM_USER=m
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+# CONFIG_XFRM_STATISTICS is not set
+CONFIG_XFRM_IPCOMP=m
+CONFIG_NET_KEY=m
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_FIB_TRIE_STATS=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+CONFIG_NET_IPIP=m
+CONFIG_NET_IPGRE_DEMUX=m
+CONFIG_NET_IP_TUNNEL=m
+CONFIG_NET_IPGRE=m
+CONFIG_NET_IPGRE_BROADCAST=y
+CONFIG_IP_MROUTE=y
+CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
+CONFIG_IP_PIMSM_V1=y
+CONFIG_IP_PIMSM_V2=y
+CONFIG_SYN_COOKIES=y
+CONFIG_NET_IPVTI=m
+CONFIG_NET_UDP_TUNNEL=m
+CONFIG_NET_FOU=m
+CONFIG_NET_FOU_IP_TUNNELS=y
+CONFIG_INET_AH=m
+CONFIG_INET_ESP=m
+CONFIG_INET_IPCOMP=m
+CONFIG_INET_XFRM_TUNNEL=m
+CONFIG_INET_TUNNEL=m
+CONFIG_INET_XFRM_MODE_TRANSPORT=m
+CONFIG_INET_XFRM_MODE_TUNNEL=m
+CONFIG_INET_XFRM_MODE_BEET=m
+CONFIG_INET_LRO=m
+CONFIG_INET_DIAG=m
+CONFIG_INET_TCP_DIAG=m
+CONFIG_INET_UDP_DIAG=m
+CONFIG_TCP_CONG_ADVANCED=y
+CONFIG_TCP_CONG_BIC=m
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_TCP_CONG_WESTWOOD=m
+CONFIG_TCP_CONG_HTCP=m
+CONFIG_TCP_CONG_HSTCP=m
+CONFIG_TCP_CONG_HYBLA=m
+CONFIG_TCP_CONG_VEGAS=m
+CONFIG_TCP_CONG_SCALABLE=m
+CONFIG_TCP_CONG_LP=m
+CONFIG_TCP_CONG_VENO=m
+CONFIG_TCP_CONG_YEAH=m
+CONFIG_TCP_CONG_ILLINOIS=m
+CONFIG_TCP_CONG_DCTCP=m
+CONFIG_TCP_CONG_CDG=m
+CONFIG_DEFAULT_CUBIC=y
+# CONFIG_DEFAULT_RENO is not set
+CONFIG_DEFAULT_TCP_CONG="cubic"
+CONFIG_TCP_MD5SIG=y
+CONFIG_IPV6=y
+CONFIG_IPV6_ROUTER_PREF=y
+CONFIG_IPV6_ROUTE_INFO=y
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=m
+CONFIG_INET6_ESP=m
+CONFIG_INET6_IPCOMP=m
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=m
+CONFIG_INET6_TUNNEL=m
+CONFIG_INET6_XFRM_MODE_TRANSPORT=m
+CONFIG_INET6_XFRM_MODE_TUNNEL=m
+CONFIG_INET6_XFRM_MODE_BEET=m
+CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
+CONFIG_IPV6_VTI=m
+CONFIG_IPV6_SIT=m
+CONFIG_IPV6_SIT_6RD=y
+CONFIG_IPV6_NDISC_NODETYPE=y
+CONFIG_IPV6_TUNNEL=m
+CONFIG_IPV6_GRE=m
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+CONFIG_IPV6_MROUTE=y
+CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
+CONFIG_IPV6_PIMSM_V2=y
+# CONFIG_NETLABEL is not set
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NET_PTP_CLASSIFY=y
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_BRIDGE_NETFILTER=m
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=m
+CONFIG_NETFILTER_NETLINK_ACCT=m
+CONFIG_NETFILTER_NETLINK_QUEUE=m
+CONFIG_NETFILTER_NETLINK_LOG=m
+CONFIG_NF_CONNTRACK=m
+CONFIG_NF_LOG_COMMON=m
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NF_CONNTRACK_ZONES=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_CONNTRACK_TIMESTAMP=y
+CONFIG_NF_CONNTRACK_LABELS=y
+CONFIG_NF_CT_PROTO_DCCP=m
+CONFIG_NF_CT_PROTO_GRE=m
+CONFIG_NF_CT_PROTO_SCTP=m
+CONFIG_NF_CT_PROTO_UDPLITE=m
+CONFIG_NF_CONNTRACK_AMANDA=m
+CONFIG_NF_CONNTRACK_FTP=m
+CONFIG_NF_CONNTRACK_H323=m
+CONFIG_NF_CONNTRACK_IRC=m
+CONFIG_NF_CONNTRACK_BROADCAST=m
+CONFIG_NF_CONNTRACK_NETBIOS_NS=m
+CONFIG_NF_CONNTRACK_SNMP=m
+CONFIG_NF_CONNTRACK_PPTP=m
+CONFIG_NF_CONNTRACK_SANE=m
+CONFIG_NF_CONNTRACK_SIP=m
+CONFIG_NF_CONNTRACK_TFTP=m
+CONFIG_NF_CT_NETLINK=m
+CONFIG_NF_CT_NETLINK_TIMEOUT=m
+CONFIG_NF_CT_NETLINK_HELPER=m
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y
+CONFIG_NF_NAT=m
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_DCCP=m
+CONFIG_NF_NAT_PROTO_UDPLITE=m
+CONFIG_NF_NAT_PROTO_SCTP=m
+CONFIG_NF_NAT_AMANDA=m
+CONFIG_NF_NAT_FTP=m
+CONFIG_NF_NAT_IRC=m
+CONFIG_NF_NAT_SIP=m
+CONFIG_NF_NAT_TFTP=m
+CONFIG_NF_NAT_REDIRECT=m
+CONFIG_NETFILTER_SYNPROXY=m
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=m
+CONFIG_NF_TABLES_NETDEV=m
+CONFIG_NFT_EXTHDR=m
+CONFIG_NFT_META=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_RBTREE=m
+CONFIG_NFT_HASH=m
+CONFIG_NFT_COUNTER=m
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_QUEUE=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_COMPAT=m
+CONFIG_NETFILTER_XTABLES=m
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=m
+CONFIG_NETFILTER_XT_CONNMARK=m
+CONFIG_NETFILTER_XT_SET=m
+
+#
+# Xtables targets
+#
+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
+CONFIG_NETFILTER_XT_TARGET_CT=m
+CONFIG_NETFILTER_XT_TARGET_DSCP=m
+CONFIG_NETFILTER_XT_TARGET_HL=m
+CONFIG_NETFILTER_XT_TARGET_HMARK=m
+CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
+CONFIG_NETFILTER_XT_TARGET_LED=m
+CONFIG_NETFILTER_XT_TARGET_LOG=m
+CONFIG_NETFILTER_XT_TARGET_MARK=m
+CONFIG_NETFILTER_XT_NAT=m
+CONFIG_NETFILTER_XT_TARGET_NETMAP=m
+CONFIG_NETFILTER_XT_TARGET_NFLOG=m
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
+# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
+CONFIG_NETFILTER_XT_TARGET_RATEEST=m
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
+CONFIG_NETFILTER_XT_TARGET_TEE=m
+CONFIG_NETFILTER_XT_TARGET_TPROXY=m
+CONFIG_NETFILTER_XT_TARGET_TRACE=m
+CONFIG_NETFILTER_XT_TARGET_SECMARK=m
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
+CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
+CONFIG_NETFILTER_XT_MATCH_BPF=m
+CONFIG_NETFILTER_XT_MATCH_CGROUP=m
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
+CONFIG_NETFILTER_XT_MATCH_COMMENT=m
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
+CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
+CONFIG_NETFILTER_XT_MATCH_CPU=m
+CONFIG_NETFILTER_XT_MATCH_DCCP=m
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
+CONFIG_NETFILTER_XT_MATCH_DSCP=m
+CONFIG_NETFILTER_XT_MATCH_ECN=m
+CONFIG_NETFILTER_XT_MATCH_ESP=m
+# CONFIG_NETFILTER_XT_MATCH_GRADM is not set
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_HELPER=m
+CONFIG_NETFILTER_XT_MATCH_HL=m
+CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
+CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
+CONFIG_NETFILTER_XT_MATCH_IPVS=m
+CONFIG_NETFILTER_XT_MATCH_L2TP=m
+CONFIG_NETFILTER_XT_MATCH_LENGTH=m
+CONFIG_NETFILTER_XT_MATCH_LIMIT=m
+CONFIG_NETFILTER_XT_MATCH_MAC=m
+CONFIG_NETFILTER_XT_MATCH_MARK=m
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
+CONFIG_NETFILTER_XT_MATCH_NFACCT=m
+CONFIG_NETFILTER_XT_MATCH_OSF=m
+CONFIG_NETFILTER_XT_MATCH_OWNER=m
+CONFIG_NETFILTER_XT_MATCH_POLICY=m
+CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
+CONFIG_NETFILTER_XT_MATCH_QUOTA=m
+CONFIG_NETFILTER_XT_MATCH_RATEEST=m
+CONFIG_NETFILTER_XT_MATCH_REALM=m
+CONFIG_NETFILTER_XT_MATCH_RECENT=m
+CONFIG_NETFILTER_XT_MATCH_SCTP=m
+CONFIG_NETFILTER_XT_MATCH_SOCKET=m
+CONFIG_NETFILTER_XT_MATCH_STATE=m
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
+CONFIG_NETFILTER_XT_MATCH_STRING=m
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
+CONFIG_NETFILTER_XT_MATCH_TIME=m
+CONFIG_NETFILTER_XT_MATCH_U32=m
+CONFIG_IP_SET=m
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=m
+CONFIG_IP_SET_BITMAP_IPMAC=m
+CONFIG_IP_SET_BITMAP_PORT=m
+CONFIG_IP_SET_HASH_IP=m
+CONFIG_IP_SET_HASH_IPMARK=m
+CONFIG_IP_SET_HASH_IPPORT=m
+CONFIG_IP_SET_HASH_IPPORTIP=m
+CONFIG_IP_SET_HASH_IPPORTNET=m
+CONFIG_IP_SET_HASH_MAC=m
+CONFIG_IP_SET_HASH_NETPORTNET=m
+CONFIG_IP_SET_HASH_NET=m
+CONFIG_IP_SET_HASH_NETNET=m
+CONFIG_IP_SET_HASH_NETPORT=m
+CONFIG_IP_SET_HASH_NETIFACE=m
+CONFIG_IP_SET_LIST_SET=m
+CONFIG_IP_VS=m
+CONFIG_IP_VS_IPV6=y
+# CONFIG_IP_VS_DEBUG is not set
+CONFIG_IP_VS_TAB_BITS=12
+
+#
+# IPVS transport protocol load balancing support
+#
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_IP_VS_PROTO_UDP=y
+CONFIG_IP_VS_PROTO_AH_ESP=y
+CONFIG_IP_VS_PROTO_ESP=y
+CONFIG_IP_VS_PROTO_AH=y
+CONFIG_IP_VS_PROTO_SCTP=y
+
+#
+# IPVS scheduler
+#
+CONFIG_IP_VS_RR=m
+CONFIG_IP_VS_WRR=m
+CONFIG_IP_VS_LC=m
+CONFIG_IP_VS_WLC=m
+CONFIG_IP_VS_FO=m
+CONFIG_IP_VS_OVF=m
+CONFIG_IP_VS_LBLC=m
+CONFIG_IP_VS_LBLCR=m
+CONFIG_IP_VS_DH=m
+CONFIG_IP_VS_SH=m
+CONFIG_IP_VS_SED=m
+CONFIG_IP_VS_NQ=m
+
+#
+# IPVS SH scheduler
+#
+CONFIG_IP_VS_SH_TAB_BITS=8
+
+#
+# IPVS application helper
+#
+CONFIG_IP_VS_FTP=m
+CONFIG_IP_VS_NFCT=y
+CONFIG_IP_VS_PE_SIP=m
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=m
+CONFIG_NF_CONNTRACK_IPV4=m
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_NF_TABLES_IPV4=m
+CONFIG_NFT_CHAIN_ROUTE_IPV4=m
+CONFIG_NFT_REJECT_IPV4=m
+CONFIG_NFT_DUP_IPV4=m
+CONFIG_NF_TABLES_ARP=m
+CONFIG_NF_DUP_IPV4=m
+CONFIG_NF_LOG_ARP=m
+CONFIG_NF_LOG_IPV4=m
+CONFIG_NF_REJECT_IPV4=m
+CONFIG_NF_NAT_IPV4=m
+CONFIG_NFT_CHAIN_NAT_IPV4=m
+CONFIG_NF_NAT_MASQUERADE_IPV4=m
+CONFIG_NFT_MASQ_IPV4=m
+CONFIG_NFT_REDIR_IPV4=m
+CONFIG_NF_NAT_SNMP_BASIC=m
+CONFIG_NF_NAT_PROTO_GRE=m
+CONFIG_NF_NAT_PPTP=m
+CONFIG_NF_NAT_H323=m
+CONFIG_IP_NF_IPTABLES=m
+CONFIG_IP_NF_MATCH_AH=m
+CONFIG_IP_NF_MATCH_ECN=m
+CONFIG_IP_NF_MATCH_RPFILTER=m
+CONFIG_IP_NF_MATCH_TTL=m
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_TARGET_REJECT=m
+CONFIG_IP_NF_TARGET_SYNPROXY=m
+CONFIG_IP_NF_NAT=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+CONFIG_IP_NF_TARGET_NETMAP=m
+CONFIG_IP_NF_TARGET_REDIRECT=m
+CONFIG_IP_NF_MANGLE=m
+CONFIG_IP_NF_TARGET_CLUSTERIP=m
+CONFIG_IP_NF_TARGET_ECN=m
+CONFIG_IP_NF_TARGET_TTL=m
+CONFIG_IP_NF_RAW=m
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP_NF_ARPTABLES=m
+CONFIG_IP_NF_ARPFILTER=m
+CONFIG_IP_NF_ARP_MANGLE=m
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=m
+CONFIG_NF_CONNTRACK_IPV6=m
+CONFIG_NF_TABLES_IPV6=m
+CONFIG_NFT_CHAIN_ROUTE_IPV6=m
+CONFIG_NFT_REJECT_IPV6=m
+CONFIG_NFT_DUP_IPV6=m
+CONFIG_NF_DUP_IPV6=m
+CONFIG_NF_REJECT_IPV6=m
+CONFIG_NF_LOG_IPV6=m
+CONFIG_NF_NAT_IPV6=m
+CONFIG_NFT_CHAIN_NAT_IPV6=m
+CONFIG_NF_NAT_MASQUERADE_IPV6=m
+CONFIG_NFT_MASQ_IPV6=m
+CONFIG_NFT_REDIR_IPV6=m
+CONFIG_IP6_NF_IPTABLES=m
+CONFIG_IP6_NF_MATCH_AH=m
+CONFIG_IP6_NF_MATCH_EUI64=m
+CONFIG_IP6_NF_MATCH_FRAG=m
+CONFIG_IP6_NF_MATCH_OPTS=m
+CONFIG_IP6_NF_MATCH_HL=m
+CONFIG_IP6_NF_MATCH_IPV6HEADER=m
+CONFIG_IP6_NF_MATCH_MH=m
+CONFIG_IP6_NF_MATCH_RPFILTER=m
+CONFIG_IP6_NF_MATCH_RT=m
+CONFIG_IP6_NF_TARGET_HL=m
+CONFIG_IP6_NF_FILTER=m
+CONFIG_IP6_NF_TARGET_REJECT=m
+CONFIG_IP6_NF_TARGET_SYNPROXY=m
+CONFIG_IP6_NF_MANGLE=m
+CONFIG_IP6_NF_RAW=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_IP6_NF_NAT=m
+CONFIG_IP6_NF_TARGET_MASQUERADE=m
+CONFIG_IP6_NF_TARGET_NPT=m
+
+#
+# DECnet: Netfilter Configuration
+#
+CONFIG_DECNET_NF_GRABULATOR=m
+CONFIG_NF_TABLES_BRIDGE=m
+CONFIG_NFT_BRIDGE_META=m
+CONFIG_NFT_BRIDGE_REJECT=m
+CONFIG_NF_LOG_BRIDGE=m
+CONFIG_BRIDGE_NF_EBTABLES=m
+CONFIG_BRIDGE_EBT_BROUTE=m
+CONFIG_BRIDGE_EBT_T_FILTER=m
+CONFIG_BRIDGE_EBT_T_NAT=m
+CONFIG_BRIDGE_EBT_802_3=m
+CONFIG_BRIDGE_EBT_AMONG=m
+CONFIG_BRIDGE_EBT_ARP=m
+CONFIG_BRIDGE_EBT_IP=m
+CONFIG_BRIDGE_EBT_IP6=m
+CONFIG_BRIDGE_EBT_LIMIT=m
+CONFIG_BRIDGE_EBT_MARK=m
+CONFIG_BRIDGE_EBT_PKTTYPE=m
+CONFIG_BRIDGE_EBT_STP=m
+CONFIG_BRIDGE_EBT_VLAN=m
+CONFIG_BRIDGE_EBT_ARPREPLY=m
+CONFIG_BRIDGE_EBT_DNAT=m
+CONFIG_BRIDGE_EBT_MARK_T=m
+CONFIG_BRIDGE_EBT_REDIRECT=m
+CONFIG_BRIDGE_EBT_SNAT=m
+CONFIG_BRIDGE_EBT_LOG=m
+CONFIG_BRIDGE_EBT_NFLOG=m
+CONFIG_IP_DCCP=m
+CONFIG_INET_DCCP_DIAG=m
+
+#
+# DCCP CCIDs Configuration
+#
+# CONFIG_IP_DCCP_CCID2_DEBUG is not set
+CONFIG_IP_DCCP_CCID3=y
+# CONFIG_IP_DCCP_CCID3_DEBUG is not set
+CONFIG_IP_DCCP_TFRC_LIB=y
+
+#
+# DCCP Kernel Hacking
+#
+# CONFIG_IP_DCCP_DEBUG is not set
+CONFIG_NET_DCCPPROBE=m
+CONFIG_IP_SCTP=m
+CONFIG_NET_SCTPPROBE=m
+# CONFIG_SCTP_DBG_OBJCNT is not set
+CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
+CONFIG_SCTP_COOKIE_HMAC_MD5=y
+CONFIG_SCTP_COOKIE_HMAC_SHA1=y
+CONFIG_RDS=m
+CONFIG_RDS_RDMA=m
+CONFIG_RDS_TCP=m
+# CONFIG_RDS_DEBUG is not set
+CONFIG_TIPC=m
+CONFIG_TIPC_MEDIA_IB=y
+CONFIG_TIPC_MEDIA_UDP=y
+CONFIG_ATM=m
+CONFIG_ATM_CLIP=m
+# CONFIG_ATM_CLIP_NO_ICMP is not set
+CONFIG_ATM_LANE=m
+CONFIG_ATM_MPOA=m
+CONFIG_ATM_BR2684=m
+# CONFIG_ATM_BR2684_IPFILTER is not set
+CONFIG_L2TP=m
+CONFIG_L2TP_V3=y
+CONFIG_L2TP_IP=m
+CONFIG_L2TP_ETH=m
+CONFIG_STP=m
+CONFIG_GARP=m
+CONFIG_MRP=m
+CONFIG_BRIDGE=m
+CONFIG_BRIDGE_IGMP_SNOOPING=y
+CONFIG_BRIDGE_VLAN_FILTERING=y
+CONFIG_HAVE_NET_DSA=y
+CONFIG_VLAN_8021Q=m
+CONFIG_VLAN_8021Q_GVRP=y
+CONFIG_VLAN_8021Q_MVRP=y
+CONFIG_DECNET=m
+# CONFIG_DECNET_ROUTER is not set
+CONFIG_LLC=m
+CONFIG_LLC2=m
+CONFIG_IPX=m
+# CONFIG_IPX_INTERN is not set
+CONFIG_ATALK=m
+CONFIG_DEV_APPLETALK=m
+CONFIG_IPDDP=m
+CONFIG_IPDDP_ENCAP=y
+# CONFIG_X25 is not set
+CONFIG_LAPB=m
+CONFIG_PHONET=m
+CONFIG_6LOWPAN=m
+CONFIG_6LOWPAN_NHC=m
+CONFIG_6LOWPAN_NHC_DEST=m
+CONFIG_6LOWPAN_NHC_FRAGMENT=m
+CONFIG_6LOWPAN_NHC_HOP=m
+CONFIG_6LOWPAN_NHC_IPV6=m
+CONFIG_6LOWPAN_NHC_MOBILITY=m
+CONFIG_6LOWPAN_NHC_ROUTING=m
+CONFIG_6LOWPAN_NHC_UDP=m
+CONFIG_IEEE802154=m
+# CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set
+CONFIG_IEEE802154_SOCKET=m
+CONFIG_IEEE802154_6LOWPAN=m
+# CONFIG_MAC802154 is not set
+CONFIG_NET_SCHED=y
+
+#
+# Queueing/Scheduling
+#
+CONFIG_NET_SCH_CBQ=m
+CONFIG_NET_SCH_HTB=m
+CONFIG_NET_SCH_HFSC=m
+CONFIG_NET_SCH_ATM=m
+CONFIG_NET_SCH_PRIO=m
+CONFIG_NET_SCH_MULTIQ=m
+CONFIG_NET_SCH_RED=m
+CONFIG_NET_SCH_SFB=m
+CONFIG_NET_SCH_SFQ=m
+CONFIG_NET_SCH_TEQL=m
+CONFIG_NET_SCH_TBF=m
+CONFIG_NET_SCH_GRED=m
+CONFIG_NET_SCH_DSMARK=m
+CONFIG_NET_SCH_NETEM=m
+CONFIG_NET_SCH_DRR=m
+CONFIG_NET_SCH_MQPRIO=m
+CONFIG_NET_SCH_CHOKE=m
+CONFIG_NET_SCH_QFQ=m
+CONFIG_NET_SCH_CODEL=m
+CONFIG_NET_SCH_FQ_CODEL=m
+CONFIG_NET_SCH_FQ=m
+CONFIG_NET_SCH_HHF=m
+CONFIG_NET_SCH_PIE=m
+CONFIG_NET_SCH_INGRESS=m
+CONFIG_NET_SCH_PLUG=m
+
+#
+# Classification
+#
+CONFIG_NET_CLS=y
+CONFIG_NET_CLS_BASIC=m
+CONFIG_NET_CLS_TCINDEX=m
+CONFIG_NET_CLS_ROUTE4=m
+CONFIG_NET_CLS_FW=m
+CONFIG_NET_CLS_U32=m
+CONFIG_CLS_U32_PERF=y
+CONFIG_CLS_U32_MARK=y
+CONFIG_NET_CLS_RSVP=m
+CONFIG_NET_CLS_RSVP6=m
+CONFIG_NET_CLS_FLOW=m
+CONFIG_NET_CLS_CGROUP=m
+CONFIG_NET_CLS_BPF=m
+CONFIG_NET_CLS_FLOWER=m
+CONFIG_NET_EMATCH=y
+CONFIG_NET_EMATCH_STACK=32
+CONFIG_NET_EMATCH_CMP=m
+CONFIG_NET_EMATCH_NBYTE=m
+CONFIG_NET_EMATCH_U32=m
+CONFIG_NET_EMATCH_META=m
+CONFIG_NET_EMATCH_TEXT=m
+CONFIG_NET_EMATCH_CANID=m
+CONFIG_NET_EMATCH_IPSET=m
+CONFIG_NET_CLS_ACT=y
+CONFIG_NET_ACT_POLICE=m
+CONFIG_NET_ACT_GACT=m
+CONFIG_GACT_PROB=y
+CONFIG_NET_ACT_MIRRED=m
+CONFIG_NET_ACT_IPT=m
+CONFIG_NET_ACT_NAT=m
+CONFIG_NET_ACT_PEDIT=m
+CONFIG_NET_ACT_SIMP=m
+CONFIG_NET_ACT_SKBEDIT=m
+CONFIG_NET_ACT_CSUM=m
+CONFIG_NET_ACT_VLAN=m
+CONFIG_NET_ACT_BPF=m
+CONFIG_NET_ACT_CONNMARK=m
+CONFIG_NET_CLS_IND=y
+CONFIG_NET_SCH_FIFO=y
+CONFIG_DCB=y
+CONFIG_DNS_RESOLVER=m
+CONFIG_BATMAN_ADV=m
+CONFIG_BATMAN_ADV_BLA=y
+CONFIG_BATMAN_ADV_DAT=y
+CONFIG_BATMAN_ADV_NC=y
+CONFIG_BATMAN_ADV_MCAST=y
+CONFIG_OPENVSWITCH=m
+CONFIG_OPENVSWITCH_GRE=m
+CONFIG_OPENVSWITCH_VXLAN=m
+CONFIG_OPENVSWITCH_GENEVE=m
+CONFIG_VSOCKETS=m
+CONFIG_VMWARE_VMCI_VSOCKETS=m
+CONFIG_NETLINK_MMAP=y
+CONFIG_NETLINK_DIAG=m
+CONFIG_MPLS=y
+CONFIG_NET_MPLS_GSO=y
+CONFIG_MPLS_ROUTING=m
+CONFIG_MPLS_IPTUNNEL=m
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+CONFIG_NET_L3_MASTER_DEV=y
+CONFIG_RPS=y
+CONFIG_RFS_ACCEL=y
+CONFIG_XPS=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+CONFIG_BPF_JIT=y
+CONFIG_NET_FLOW_LIMIT=y
+
+#
+# Network testing
+#
+CONFIG_NET_PKTGEN=m
+# CONFIG_NET_TCPPROBE is not set
+CONFIG_HAMRADIO=y
+
+#
+# Packet Radio protocols
+#
+CONFIG_AX25=m
+# CONFIG_AX25_DAMA_SLAVE is not set
+CONFIG_NETROM=m
+CONFIG_ROSE=m
+
+#
+# AX.25 network device drivers
+#
+CONFIG_MKISS=m
+CONFIG_6PACK=m
+CONFIG_BPQETHER=m
+CONFIG_BAYCOM_SER_FDX=m
+CONFIG_BAYCOM_SER_HDX=m
+CONFIG_BAYCOM_PAR=m
+CONFIG_YAM=m
+CONFIG_CAN=m
+CONFIG_CAN_RAW=m
+CONFIG_CAN_BCM=m
+CONFIG_CAN_GW=m
+
+#
+# CAN Device Drivers
+#
+CONFIG_CAN_VCAN=m
+CONFIG_CAN_SLCAN=m
+CONFIG_CAN_DEV=m
+CONFIG_CAN_CALC_BITTIMING=y
+# CONFIG_CAN_LEDS is not set
+CONFIG_CAN_SJA1000=m
+CONFIG_CAN_SJA1000_ISA=m
+# CONFIG_CAN_SJA1000_PLATFORM is not set
+CONFIG_CAN_EMS_PCMCIA=m
+CONFIG_CAN_EMS_PCI=m
+CONFIG_CAN_PEAK_PCMCIA=m
+CONFIG_CAN_PEAK_PCI=m
+CONFIG_CAN_PEAK_PCIEC=y
+CONFIG_CAN_KVASER_PCI=m
+CONFIG_CAN_PLX_PCI=m
+# CONFIG_CAN_C_CAN is not set
+# CONFIG_CAN_M_CAN is not set
+# CONFIG_CAN_CC770 is not set
+
+#
+# CAN SPI interfaces
+#
+# CONFIG_CAN_MCP251X is not set
+
+#
+# CAN USB interfaces
+#
+CONFIG_CAN_EMS_USB=m
+CONFIG_CAN_ESD_USB2=m
+CONFIG_CAN_GS_USB=m
+CONFIG_CAN_KVASER_USB=m
+CONFIG_CAN_PEAK_USB=m
+CONFIG_CAN_8DEV_USB=m
+CONFIG_CAN_SOFTING=m
+CONFIG_CAN_SOFTING_CS=m
+# CONFIG_CAN_DEBUG_DEVICES is not set
+CONFIG_IRDA=m
+
+#
+# IrDA protocols
+#
+CONFIG_IRLAN=m
+CONFIG_IRNET=m
+CONFIG_IRCOMM=m
+# CONFIG_IRDA_ULTRA is not set
+
+#
+# IrDA options
+#
+CONFIG_IRDA_CACHE_LAST_LSAP=y
+CONFIG_IRDA_FAST_RR=y
+# CONFIG_IRDA_DEBUG is not set
+
+#
+# Infrared-port device drivers
+#
+
+#
+# SIR device drivers
+#
+CONFIG_IRTTY_SIR=m
+
+#
+# Dongle support
+#
+CONFIG_DONGLE=y
+CONFIG_ESI_DONGLE=m
+CONFIG_ACTISYS_DONGLE=m
+CONFIG_TEKRAM_DONGLE=m
+CONFIG_TOIM3232_DONGLE=m
+CONFIG_LITELINK_DONGLE=m
+CONFIG_MA600_DONGLE=m
+CONFIG_GIRBIL_DONGLE=m
+CONFIG_MCP2120_DONGLE=m
+CONFIG_OLD_BELKIN_DONGLE=m
+CONFIG_ACT200L_DONGLE=m
+CONFIG_KINGSUN_DONGLE=m
+CONFIG_KSDAZZLE_DONGLE=m
+CONFIG_KS959_DONGLE=m
+
+#
+# FIR device drivers
+#
+CONFIG_USB_IRDA=m
+CONFIG_SIGMATEL_FIR=m
+CONFIG_NSC_FIR=m
+CONFIG_WINBOND_FIR=m
+CONFIG_SMC_IRCC_FIR=m
+CONFIG_ALI_FIR=m
+CONFIG_VLSI_FIR=m
+CONFIG_VIA_FIR=m
+CONFIG_MCS_FIR=m
+CONFIG_BT=m
+CONFIG_BT_BREDR=y
+CONFIG_BT_RFCOMM=m
+CONFIG_BT_RFCOMM_TTY=y
+CONFIG_BT_BNEP=m
+CONFIG_BT_BNEP_MC_FILTER=y
+CONFIG_BT_BNEP_PROTO_FILTER=y
+CONFIG_BT_CMTP=m
+CONFIG_BT_HIDP=m
+CONFIG_BT_HS=y
+CONFIG_BT_LE=y
+CONFIG_BT_6LOWPAN=m
+# CONFIG_BT_SELFTEST is not set
+
+#
+# Bluetooth device drivers
+#
+CONFIG_BT_INTEL=m
+CONFIG_BT_BCM=m
+CONFIG_BT_RTL=m
+CONFIG_BT_QCA=m
+CONFIG_BT_HCIBTUSB=m
+CONFIG_BT_HCIBTUSB_BCM=y
+CONFIG_BT_HCIBTUSB_RTL=y
+CONFIG_BT_HCIBTSDIO=m
+CONFIG_BT_HCIUART=m
+CONFIG_BT_HCIUART_H4=y
+CONFIG_BT_HCIUART_BCSP=y
+CONFIG_BT_HCIUART_ATH3K=y
+CONFIG_BT_HCIUART_LL=y
+CONFIG_BT_HCIUART_3WIRE=y
+CONFIG_BT_HCIUART_INTEL=y
+CONFIG_BT_HCIUART_BCM=y
+CONFIG_BT_HCIUART_QCA=y
+CONFIG_BT_HCIBCM203X=m
+CONFIG_BT_HCIBPA10X=m
+CONFIG_BT_HCIBFUSB=m
+CONFIG_BT_HCIDTL1=m
+CONFIG_BT_HCIBT3C=m
+CONFIG_BT_HCIBLUECARD=m
+# CONFIG_BT_HCIBTUART is not set
+CONFIG_BT_HCIVHCI=m
+CONFIG_BT_MRVL=m
+CONFIG_BT_MRVL_SDIO=m
+CONFIG_BT_ATH3K=m
+CONFIG_AF_RXRPC=m
+# CONFIG_AF_RXRPC_DEBUG is not set
+CONFIG_RXKAD=m
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+CONFIG_WIRELESS_EXT=y
+CONFIG_WEXT_CORE=y
+CONFIG_WEXT_PROC=y
+CONFIG_WEXT_SPY=y
+CONFIG_WEXT_PRIV=y
+CONFIG_CFG80211=m
+# CONFIG_NL80211_TESTMODE is not set
+# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
+# CONFIG_CFG80211_REG_DEBUG is not set
+# CONFIG_CFG80211_CERTIFICATION_ONUS is not set
+CONFIG_CFG80211_DEFAULT_PS=y
+# CONFIG_CFG80211_INTERNAL_REGDB is not set
+CONFIG_CFG80211_CRDA_SUPPORT=y
+CONFIG_CFG80211_WEXT=y
+CONFIG_CFG80211_WEXT_EXPORT=y
+CONFIG_LIB80211=m
+CONFIG_LIB80211_CRYPT_WEP=m
+CONFIG_LIB80211_CRYPT_CCMP=m
+CONFIG_LIB80211_CRYPT_TKIP=m
+# CONFIG_LIB80211_DEBUG is not set
+CONFIG_MAC80211=m
+CONFIG_MAC80211_HAS_RC=y
+CONFIG_MAC80211_RC_MINSTREL=y
+CONFIG_MAC80211_RC_MINSTREL_HT=y
+# CONFIG_MAC80211_RC_MINSTREL_VHT is not set
+CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
+CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
+CONFIG_MAC80211_MESH=y
+CONFIG_MAC80211_LEDS=y
+# CONFIG_MAC80211_MESSAGE_TRACING is not set
+# CONFIG_MAC80211_DEBUG_MENU is not set
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+CONFIG_WIMAX=m
+CONFIG_WIMAX_DEBUG_LEVEL=8
+CONFIG_RFKILL=m
+CONFIG_RFKILL_LEDS=y
+CONFIG_RFKILL_INPUT=y
+# CONFIG_RFKILL_GPIO is not set
+CONFIG_NET_9P=m
+CONFIG_NET_9P_VIRTIO=m
+CONFIG_NET_9P_RDMA=m
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+CONFIG_CEPH_LIB=m
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set
+CONFIG_NFC=m
+CONFIG_NFC_DIGITAL=m
+# CONFIG_NFC_NCI is not set
+CONFIG_NFC_HCI=m
+# CONFIG_NFC_SHDLC is not set
+
+#
+# Near Field Communication (NFC) devices
+#
+CONFIG_NFC_PN533=m
+# CONFIG_NFC_TRF7970A is not set
+CONFIG_NFC_MEI_PHY=m
+CONFIG_NFC_SIM=m
+CONFIG_NFC_PORT100=m
+CONFIG_NFC_PN544=m
+CONFIG_NFC_PN544_MEI=m
+# CONFIG_NFC_MICROREAD_MEI is not set
+# CONFIG_NFC_ST21NFCA is not set
+CONFIG_LWTUNNEL=y
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+# CONFIG_UEVENT_HELPER is not set
+CONFIG_DEVTMPFS=y
+# CONFIG_DEVTMPFS_MOUNT is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+# CONFIG_FIRMWARE_IN_KERNEL is not set
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_WANT_DEV_COREDUMP=y
+CONFIG_ALLOW_DEV_COREDUMP=y
+CONFIG_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_REGMAP=y
+CONFIG_REGMAP_I2C=m
+CONFIG_REGMAP_SPI=m
+CONFIG_DMA_SHARED_BUFFER=y
+# CONFIG_FENCE_TRACE is not set
+
+#
+# Bus devices
+#
+CONFIG_CONNECTOR=y
+CONFIG_PROC_EVENTS=y
+CONFIG_MTD=m
+# CONFIG_MTD_TESTS is not set
+CONFIG_MTD_REDBOOT_PARTS=m
+CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK=-1
+# CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED is not set
+# CONFIG_MTD_REDBOOT_PARTS_READONLY is not set
+# CONFIG_MTD_CMDLINE_PARTS is not set
+CONFIG_MTD_AR7_PARTS=m
+
+#
+# User Modules And Translation Layers
+#
+CONFIG_MTD_BLKDEVS=m
+CONFIG_MTD_BLOCK=m
+CONFIG_MTD_BLOCK_RO=m
+CONFIG_FTL=m
+CONFIG_NFTL=m
+CONFIG_NFTL_RW=y
+CONFIG_INFTL=m
+CONFIG_RFD_FTL=m
+CONFIG_SSFDC=m
+# CONFIG_SM_FTL is not set
+CONFIG_MTD_OOPS=m
+CONFIG_MTD_SWAP=m
+# CONFIG_MTD_PARTITIONED_MASTER is not set
+
+#
+# RAM/ROM/Flash chip drivers
+#
+CONFIG_MTD_CFI=m
+CONFIG_MTD_JEDECPROBE=m
+CONFIG_MTD_GEN_PROBE=m
+# CONFIG_MTD_CFI_ADV_OPTIONS is not set
+CONFIG_MTD_MAP_BANK_WIDTH_1=y
+CONFIG_MTD_MAP_BANK_WIDTH_2=y
+CONFIG_MTD_MAP_BANK_WIDTH_4=y
+# CONFIG_MTD_MAP_BANK_WIDTH_8 is not set
+# CONFIG_MTD_MAP_BANK_WIDTH_16 is not set
+# CONFIG_MTD_MAP_BANK_WIDTH_32 is not set
+CONFIG_MTD_CFI_I1=y
+CONFIG_MTD_CFI_I2=y
+# CONFIG_MTD_CFI_I4 is not set
+# CONFIG_MTD_CFI_I8 is not set
+CONFIG_MTD_CFI_INTELEXT=m
+CONFIG_MTD_CFI_AMDSTD=m
+CONFIG_MTD_CFI_STAA=m
+CONFIG_MTD_CFI_UTIL=m
+CONFIG_MTD_RAM=m
+CONFIG_MTD_ROM=m
+CONFIG_MTD_ABSENT=m
+
+#
+# Mapping drivers for chip access
+#
+CONFIG_MTD_COMPLEX_MAPPINGS=y
+CONFIG_MTD_PHYSMAP=m
+# CONFIG_MTD_PHYSMAP_COMPAT is not set
+CONFIG_MTD_SBC_GXX=m
+# CONFIG_MTD_AMD76XROM is not set
+# CONFIG_MTD_ICHXROM is not set
+# CONFIG_MTD_ESB2ROM is not set
+# CONFIG_MTD_CK804XROM is not set
+# CONFIG_MTD_SCB2_FLASH is not set
+CONFIG_MTD_NETtel=m
+# CONFIG_MTD_L440GX is not set
+CONFIG_MTD_PCI=m
+CONFIG_MTD_PCMCIA=m
+# CONFIG_MTD_PCMCIA_ANONYMOUS is not set
+# CONFIG_MTD_GPIO_ADDR is not set
+CONFIG_MTD_INTEL_VR_NOR=m
+CONFIG_MTD_PLATRAM=m
+# CONFIG_MTD_LATCH_ADDR is not set
+
+#
+# Self-contained MTD device drivers
+#
+# CONFIG_MTD_PMC551 is not set
+CONFIG_MTD_DATAFLASH=m
+# CONFIG_MTD_DATAFLASH_WRITE_VERIFY is not set
+# CONFIG_MTD_DATAFLASH_OTP is not set
+CONFIG_MTD_M25P80=m
+CONFIG_MTD_SST25L=m
+CONFIG_MTD_SLRAM=m
+CONFIG_MTD_PHRAM=m
+CONFIG_MTD_MTDRAM=m
+CONFIG_MTDRAM_TOTAL_SIZE=4096
+CONFIG_MTDRAM_ERASE_SIZE=128
+CONFIG_MTD_BLOCK2MTD=m
+
+#
+# Disk-On-Chip Device Drivers
+#
+# CONFIG_MTD_DOCG3 is not set
+CONFIG_MTD_NAND_ECC=m
+# CONFIG_MTD_NAND_ECC_SMC is not set
+CONFIG_MTD_NAND=m
+CONFIG_MTD_NAND_BCH=m
+CONFIG_MTD_NAND_ECC_BCH=y
+CONFIG_MTD_SM_COMMON=m
+# CONFIG_MTD_NAND_DENALI_PCI is not set
+# CONFIG_MTD_NAND_DENALI_DT is not set
+# CONFIG_MTD_NAND_GPIO is not set
+# CONFIG_MTD_NAND_OMAP_BCH_BUILD is not set
+CONFIG_MTD_NAND_IDS=m
+CONFIG_MTD_NAND_RICOH=m
+CONFIG_MTD_NAND_DISKONCHIP=m
+# CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADVANCED is not set
+CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADDRESS=0
+# CONFIG_MTD_NAND_DISKONCHIP_BBTWRITE is not set
+# CONFIG_MTD_NAND_DOCG4 is not set
+CONFIG_MTD_NAND_CAFE=m
+CONFIG_MTD_NAND_NANDSIM=m
+# CONFIG_MTD_NAND_PLATFORM is not set
+# CONFIG_MTD_NAND_HISI504 is not set
+CONFIG_MTD_ONENAND=m
+CONFIG_MTD_ONENAND_VERIFY_WRITE=y
+# CONFIG_MTD_ONENAND_GENERIC is not set
+# CONFIG_MTD_ONENAND_OTP is not set
+CONFIG_MTD_ONENAND_2X_PROGRAM=y
+
+#
+# LPDDR & LPDDR2 PCM memory drivers
+#
+CONFIG_MTD_LPDDR=m
+CONFIG_MTD_QINFO_PROBE=m
+CONFIG_MTD_SPI_NOR=m
+CONFIG_MTD_SPI_NOR_USE_4K_SECTORS=y
+CONFIG_MTD_UBI=m
+CONFIG_MTD_UBI_WL_THRESHOLD=4096
+CONFIG_MTD_UBI_BEB_LIMIT=20
+# CONFIG_MTD_UBI_FASTMAP is not set
+# CONFIG_MTD_UBI_GLUEBI is not set
+CONFIG_MTD_UBI_BLOCK=y
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+CONFIG_PARPORT=m
+CONFIG_PARPORT_PC=m
+CONFIG_PARPORT_SERIAL=m
+# CONFIG_PARPORT_PC_FIFO is not set
+# CONFIG_PARPORT_PC_SUPERIO is not set
+CONFIG_PARPORT_PC_PCMCIA=m
+# CONFIG_PARPORT_GSC is not set
+# CONFIG_PARPORT_AX88796 is not set
+CONFIG_PARPORT_1284=y
+CONFIG_PARPORT_NOT_PC=y
+CONFIG_PNP=y
+# CONFIG_PNP_DEBUG_MESSAGES is not set
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+CONFIG_BLK_DEV_NULL_BLK=m
+CONFIG_BLK_DEV_FD=m
+# CONFIG_PARIDE is not set
+CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
+CONFIG_ZRAM=m
+CONFIG_ZRAM_LZ4_COMPRESS=y
+CONFIG_BLK_CPQ_CISS_DA=m
+CONFIG_CISS_SCSI_TAPE=y
+CONFIG_BLK_DEV_DAC960=m
+CONFIG_BLK_DEV_UMEM=m
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=m
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_BLK_DEV_NBD=m
+CONFIG_BLK_DEV_SKD=m
+CONFIG_BLK_DEV_OSD=m
+CONFIG_BLK_DEV_SX8=m
+CONFIG_BLK_DEV_RAM=m
+CONFIG_BLK_DEV_RAM_COUNT=16
+CONFIG_BLK_DEV_RAM_SIZE=16384
+# CONFIG_BLK_DEV_RAM_DAX is not set
+CONFIG_CDROM_PKTCDVD=m
+CONFIG_CDROM_PKTCDVD_BUFFERS=8
+# CONFIG_CDROM_PKTCDVD_WCACHE is not set
+CONFIG_ATA_OVER_ETH=m
+CONFIG_VIRTIO_BLK=m
+# CONFIG_BLK_DEV_HD is not set
+CONFIG_BLK_DEV_RBD=m
+CONFIG_BLK_DEV_RSXX=m
+CONFIG_BLK_DEV_NVME=m
+
+#
+# Misc devices
+#
+CONFIG_SENSORS_LIS3LV02D=m
+CONFIG_AD525X_DPOT=m
+CONFIG_AD525X_DPOT_I2C=m
+CONFIG_AD525X_DPOT_SPI=m
+# CONFIG_DUMMY_IRQ is not set
+CONFIG_IBM_ASM=m
+CONFIG_PHANTOM=m
+CONFIG_SGI_IOC4=m
+CONFIG_TIFM_CORE=m
+CONFIG_TIFM_7XX1=m
+CONFIG_ICS932S401=m
+CONFIG_ENCLOSURE_SERVICES=m
+CONFIG_HP_ILO=m
+CONFIG_APDS9802ALS=m
+CONFIG_ISL29003=m
+CONFIG_ISL29020=m
+CONFIG_SENSORS_TSL2550=m
+CONFIG_SENSORS_BH1780=m
+CONFIG_SENSORS_BH1770=m
+CONFIG_SENSORS_APDS990X=m
+CONFIG_HMC6352=m
+CONFIG_DS1682=m
+CONFIG_TI_DAC7512=m
+CONFIG_VMWARE_BALLOON=m
+# CONFIG_BMP085_I2C is not set
+# CONFIG_BMP085_SPI is not set
+# CONFIG_USB_SWITCH_FSA9480 is not set
+# CONFIG_LATTICE_ECP3_CONFIG is not set
+# CONFIG_SRAM is not set
+CONFIG_C2PORT=m
+CONFIG_C2PORT_DURAMAR_2150=m
+
+#
+# EEPROM support
+#
+CONFIG_EEPROM_AT24=m
+CONFIG_EEPROM_AT25=m
+CONFIG_EEPROM_LEGACY=m
+CONFIG_EEPROM_MAX6875=m
+CONFIG_EEPROM_93CX6=m
+# CONFIG_EEPROM_93XX46 is not set
+CONFIG_CB710_CORE=m
+# CONFIG_CB710_DEBUG is not set
+CONFIG_CB710_DEBUG_ASSUMPTIONS=y
+
+#
+# Texas Instruments shared transport line discipline
+#
+# CONFIG_TI_ST is not set
+CONFIG_SENSORS_LIS3_I2C=m
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_ALTERA_STAPL=m
+CONFIG_INTEL_MEI=m
+CONFIG_INTEL_MEI_ME=m
+# CONFIG_INTEL_MEI_TXE is not set
+CONFIG_VMWARE_VMCI=m
+
+#
+# Intel MIC Bus Driver
+#
+CONFIG_INTEL_MIC_BUS=m
+
+#
+# SCIF Bus Driver
+#
+CONFIG_SCIF_BUS=m
+
+#
+# Intel MIC Host Driver
+#
+CONFIG_INTEL_MIC_HOST=m
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_INTEL_MIC_CARD is not set
+
+#
+# SCIF Driver
+#
+CONFIG_SCIF=m
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+CONFIG_MIC_COSM=m
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+# CONFIG_CXL_KERNEL_API is not set
+# CONFIG_CXL_EEH is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=m
+CONFIG_RAID_ATTRS=m
+CONFIG_SCSI=m
+CONFIG_SCSI_DMA=y
+CONFIG_SCSI_NETLINK=y
+# CONFIG_SCSI_MQ_DEFAULT is not set
+# CONFIG_SCSI_PROC_FS is not set
+
+#
+# SCSI support type (disk, tape, CD-ROM)
+#
+CONFIG_BLK_DEV_SD=m
+CONFIG_CHR_DEV_ST=m
+CONFIG_CHR_DEV_OSST=m
+CONFIG_BLK_DEV_SR=m
+CONFIG_BLK_DEV_SR_VENDOR=y
+CONFIG_CHR_DEV_SG=m
+CONFIG_CHR_DEV_SCH=m
+CONFIG_SCSI_ENCLOSURE=m
+CONFIG_SCSI_CONSTANTS=y
+CONFIG_SCSI_LOGGING=y
+CONFIG_SCSI_SCAN_ASYNC=y
+
+#
+# SCSI Transports
+#
+CONFIG_SCSI_SPI_ATTRS=m
+CONFIG_SCSI_FC_ATTRS=m
+CONFIG_SCSI_ISCSI_ATTRS=m
+CONFIG_SCSI_SAS_ATTRS=m
+CONFIG_SCSI_SAS_LIBSAS=m
+CONFIG_SCSI_SAS_ATA=y
+CONFIG_SCSI_SAS_HOST_SMP=y
+CONFIG_SCSI_SRP_ATTRS=m
+CONFIG_SCSI_LOWLEVEL=y
+CONFIG_ISCSI_TCP=m
+CONFIG_ISCSI_BOOT_SYSFS=m
+CONFIG_SCSI_CXGB3_ISCSI=m
+CONFIG_SCSI_CXGB4_ISCSI=m
+CONFIG_SCSI_BNX2_ISCSI=m
+CONFIG_SCSI_BNX2X_FCOE=m
+CONFIG_BE2ISCSI=m
+CONFIG_BLK_DEV_3W_XXXX_RAID=m
+CONFIG_SCSI_HPSA=m
+CONFIG_SCSI_3W_9XXX=m
+CONFIG_SCSI_3W_SAS=m
+CONFIG_SCSI_ACARD=m
+CONFIG_SCSI_AACRAID=m
+CONFIG_SCSI_AIC7XXX=m
+CONFIG_AIC7XXX_CMDS_PER_DEVICE=8
+CONFIG_AIC7XXX_RESET_DELAY_MS=15000
+CONFIG_AIC7XXX_DEBUG_ENABLE=y
+CONFIG_AIC7XXX_DEBUG_MASK=0
+CONFIG_AIC7XXX_REG_PRETTY_PRINT=y
+CONFIG_SCSI_AIC79XX=m
+CONFIG_AIC79XX_CMDS_PER_DEVICE=32
+CONFIG_AIC79XX_RESET_DELAY_MS=15000
+CONFIG_AIC79XX_DEBUG_ENABLE=y
+CONFIG_AIC79XX_DEBUG_MASK=0
+CONFIG_AIC79XX_REG_PRETTY_PRINT=y
+CONFIG_SCSI_AIC94XX=m
+# CONFIG_AIC94XX_DEBUG is not set
+CONFIG_SCSI_MVSAS=m
+# CONFIG_SCSI_MVSAS_DEBUG is not set
+# CONFIG_SCSI_MVSAS_TASKLET is not set
+CONFIG_SCSI_MVUMI=m
+CONFIG_SCSI_DPT_I2O=m
+CONFIG_SCSI_ADVANSYS=m
+CONFIG_SCSI_ARCMSR=m
+CONFIG_SCSI_ESAS2R=m
+CONFIG_MEGARAID_NEWGEN=y
+CONFIG_MEGARAID_MM=m
+CONFIG_MEGARAID_MAILBOX=m
+CONFIG_MEGARAID_LEGACY=m
+CONFIG_MEGARAID_SAS=m
+CONFIG_SCSI_MPT3SAS=m
+CONFIG_SCSI_MPT2SAS_MAX_SGE=128
+CONFIG_SCSI_MPT3SAS_MAX_SGE=128
+CONFIG_SCSI_MPT2SAS=m
+CONFIG_SCSI_UFSHCD=m
+CONFIG_SCSI_UFSHCD_PCI=m
+# CONFIG_SCSI_UFSHCD_PLATFORM is not set
+CONFIG_SCSI_HPTIOP=m
+CONFIG_SCSI_BUSLOGIC=m
+# CONFIG_SCSI_FLASHPOINT is not set
+CONFIG_VMWARE_PVSCSI=m
+CONFIG_HYPERV_STORAGE=m
+CONFIG_LIBFC=m
+CONFIG_LIBFCOE=m
+CONFIG_FCOE=m
+CONFIG_FCOE_FNIC=m
+CONFIG_SCSI_SNIC=m
+CONFIG_SCSI_DMX3191D=m
+CONFIG_SCSI_EATA=m
+CONFIG_SCSI_EATA_TAGGED_QUEUE=y
+CONFIG_SCSI_EATA_LINKED_COMMANDS=y
+CONFIG_SCSI_EATA_MAX_TAGS=16
+CONFIG_SCSI_FUTURE_DOMAIN=m
+CONFIG_SCSI_GDTH=m
+CONFIG_SCSI_ISCI=m
+CONFIG_SCSI_IPS=m
+CONFIG_SCSI_INITIO=m
+CONFIG_SCSI_INIA100=m
+# CONFIG_SCSI_PPA is not set
+# CONFIG_SCSI_IMM is not set
+CONFIG_SCSI_STEX=m
+CONFIG_SCSI_SYM53C8XX_2=m
+CONFIG_SCSI_SYM53C8XX_DMA_ADDRESSING_MODE=1
+CONFIG_SCSI_SYM53C8XX_DEFAULT_TAGS=16
+CONFIG_SCSI_SYM53C8XX_MAX_TAGS=64
+CONFIG_SCSI_SYM53C8XX_MMIO=y
+CONFIG_SCSI_IPR=m
+# CONFIG_SCSI_IPR_TRACE is not set
+# CONFIG_SCSI_IPR_DUMP is not set
+CONFIG_SCSI_QLOGIC_1280=m
+CONFIG_SCSI_QLA_FC=m
+CONFIG_TCM_QLA2XXX=m
+CONFIG_SCSI_QLA_ISCSI=m
+CONFIG_SCSI_LPFC=m
+CONFIG_SCSI_DC395x=m
+CONFIG_SCSI_AM53C974=m
+CONFIG_SCSI_WD719X=m
+CONFIG_SCSI_DEBUG=m
+CONFIG_SCSI_PMCRAID=m
+CONFIG_SCSI_PM8001=m
+CONFIG_SCSI_BFA_FC=m
+CONFIG_SCSI_VIRTIO=m
+CONFIG_SCSI_CHELSIO_FCOE=m
+CONFIG_SCSI_LOWLEVEL_PCMCIA=y
+CONFIG_PCMCIA_AHA152X=m
+CONFIG_PCMCIA_FDOMAIN=m
+CONFIG_PCMCIA_QLOGIC=m
+CONFIG_PCMCIA_SYM53C500=m
+CONFIG_SCSI_DH=y
+CONFIG_SCSI_DH_RDAC=m
+CONFIG_SCSI_DH_HP_SW=m
+CONFIG_SCSI_DH_EMC=m
+CONFIG_SCSI_DH_ALUA=m
+CONFIG_SCSI_OSD_INITIATOR=m
+CONFIG_SCSI_OSD_ULD=m
+CONFIG_SCSI_OSD_DPRINT_SENSE=1
+# CONFIG_SCSI_OSD_DEBUG is not set
+CONFIG_ATA=m
+# CONFIG_ATA_NONSTANDARD is not set
+CONFIG_ATA_VERBOSE_ERROR=y
+CONFIG_ATA_ACPI=y
+CONFIG_SATA_ZPODD=y
+CONFIG_SATA_PMP=y
+
+#
+# Controllers with non-SFF native interface
+#
+CONFIG_SATA_AHCI=m
+# CONFIG_SATA_AHCI_PLATFORM is not set
+# CONFIG_SATA_INIC162X is not set
+CONFIG_SATA_ACARD_AHCI=m
+CONFIG_SATA_SIL24=m
+CONFIG_ATA_SFF=y
+
+#
+# SFF controllers with custom DMA interface
+#
+CONFIG_PDC_ADMA=m
+CONFIG_SATA_QSTOR=m
+CONFIG_SATA_SX4=m
+CONFIG_ATA_BMDMA=y
+
+#
+# SATA SFF controllers with BMDMA
+#
+CONFIG_ATA_PIIX=m
+CONFIG_SATA_MV=m
+CONFIG_SATA_NV=m
+CONFIG_SATA_PROMISE=m
+CONFIG_SATA_SIL=m
+CONFIG_SATA_SIS=m
+CONFIG_SATA_SVW=m
+CONFIG_SATA_ULI=m
+CONFIG_SATA_VIA=m
+CONFIG_SATA_VITESSE=m
+
+#
+# PATA SFF controllers with BMDMA
+#
+CONFIG_PATA_ALI=m
+CONFIG_PATA_AMD=m
+CONFIG_PATA_ARTOP=m
+CONFIG_PATA_ATIIXP=m
+CONFIG_PATA_ATP867X=m
+CONFIG_PATA_CMD64X=m
+# CONFIG_PATA_CYPRESS is not set
+CONFIG_PATA_EFAR=m
+CONFIG_PATA_HPT366=m
+CONFIG_PATA_HPT37X=m
+# CONFIG_PATA_HPT3X2N is not set
+# CONFIG_PATA_HPT3X3 is not set
+CONFIG_PATA_IT8213=m
+CONFIG_PATA_IT821X=m
+CONFIG_PATA_JMICRON=m
+CONFIG_PATA_MARVELL=m
+CONFIG_PATA_NETCELL=m
+CONFIG_PATA_NINJA32=m
+CONFIG_PATA_NS87415=m
+CONFIG_PATA_OLDPIIX=m
+# CONFIG_PATA_OPTIDMA is not set
+CONFIG_PATA_PDC2027X=m
+CONFIG_PATA_PDC_OLD=m
+# CONFIG_PATA_RADISYS is not set
+CONFIG_PATA_RDC=m
+CONFIG_PATA_SCH=m
+CONFIG_PATA_SERVERWORKS=m
+CONFIG_PATA_SIL680=m
+CONFIG_PATA_SIS=m
+CONFIG_PATA_TOSHIBA=m
+CONFIG_PATA_TRIFLEX=m
+CONFIG_PATA_VIA=m
+# CONFIG_PATA_WINBOND is not set
+
+#
+# PIO-only SFF controllers
+#
+# CONFIG_PATA_CMD640_PCI is not set
+CONFIG_PATA_MPIIX=m
+CONFIG_PATA_NS87410=m
+# CONFIG_PATA_OPTI is not set
+CONFIG_PATA_PCMCIA=m
+# CONFIG_PATA_PLATFORM is not set
+CONFIG_PATA_RZ1000=m
+
+#
+# Generic fallback / legacy drivers
+#
+# CONFIG_PATA_ACPI is not set
+CONFIG_ATA_GENERIC=m
+# CONFIG_PATA_LEGACY is not set
+CONFIG_MD=y
+CONFIG_BLK_DEV_MD=m
+CONFIG_MD_LINEAR=m
+CONFIG_MD_RAID0=m
+CONFIG_MD_RAID1=m
+CONFIG_MD_RAID10=m
+CONFIG_MD_RAID456=m
+CONFIG_MD_MULTIPATH=m
+CONFIG_MD_FAULTY=m
+# CONFIG_MD_CLUSTER is not set
+CONFIG_BCACHE=m
+# CONFIG_BCACHE_DEBUG is not set
+CONFIG_BLK_DEV_DM_BUILTIN=y
+CONFIG_BLK_DEV_DM=m
+# CONFIG_DM_MQ_DEFAULT is not set
+# CONFIG_DM_DEBUG is not set
+CONFIG_DM_BUFIO=m
+CONFIG_DM_BIO_PRISON=m
+CONFIG_DM_PERSISTENT_DATA=m
+# CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set
+CONFIG_DM_CRYPT=m
+CONFIG_DM_SNAPSHOT=m
+CONFIG_DM_THIN_PROVISIONING=m
+CONFIG_DM_CACHE=m
+CONFIG_DM_CACHE_MQ=m
+CONFIG_DM_CACHE_SMQ=m
+CONFIG_DM_CACHE_CLEANER=m
+CONFIG_DM_ERA=m
+CONFIG_DM_MIRROR=m
+CONFIG_DM_LOG_USERSPACE=m
+CONFIG_DM_RAID=m
+CONFIG_DM_ZERO=m
+CONFIG_DM_MULTIPATH=m
+CONFIG_DM_MULTIPATH_QL=m
+CONFIG_DM_MULTIPATH_ST=m
+CONFIG_DM_DELAY=m
+CONFIG_DM_UEVENT=y
+CONFIG_DM_FLAKEY=m
+CONFIG_DM_VERITY=m
+CONFIG_DM_SWITCH=m
+CONFIG_DM_LOG_WRITES=m
+CONFIG_TARGET_CORE=m
+CONFIG_TCM_IBLOCK=m
+CONFIG_TCM_FILEIO=m
+CONFIG_TCM_PSCSI=m
+CONFIG_TCM_USER2=m
+CONFIG_LOOPBACK_TARGET=m
+CONFIG_TCM_FC=m
+CONFIG_ISCSI_TARGET=m
+CONFIG_SBP_TARGET=m
+CONFIG_FUSION=y
+CONFIG_FUSION_SPI=m
+CONFIG_FUSION_FC=m
+CONFIG_FUSION_SAS=m
+CONFIG_FUSION_MAX_SGE=128
+CONFIG_FUSION_CTL=m
+CONFIG_FUSION_LAN=m
+# CONFIG_FUSION_LOGGING is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+CONFIG_FIREWIRE=m
+CONFIG_FIREWIRE_OHCI=m
+CONFIG_FIREWIRE_SBP2=m
+CONFIG_FIREWIRE_NET=m
+CONFIG_FIREWIRE_NOSY=m
+CONFIG_MACINTOSH_DRIVERS=y
+CONFIG_MAC_EMUMOUSEBTN=y
+CONFIG_NETDEVICES=y
+CONFIG_MII=m
+CONFIG_NET_CORE=y
+CONFIG_BONDING=m
+CONFIG_DUMMY=m
+CONFIG_EQUALIZER=m
+CONFIG_NET_FC=y
+CONFIG_IFB=m
+CONFIG_NET_TEAM=m
+CONFIG_NET_TEAM_MODE_BROADCAST=m
+CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
+CONFIG_NET_TEAM_MODE_RANDOM=m
+CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m
+CONFIG_NET_TEAM_MODE_LOADBALANCE=m
+CONFIG_MACVLAN=m
+CONFIG_MACVTAP=m
+CONFIG_IPVLAN=m
+CONFIG_VXLAN=m
+CONFIG_GENEVE=m
+CONFIG_NETCONSOLE=m
+CONFIG_NETCONSOLE_DYNAMIC=y
+CONFIG_NETPOLL=y
+CONFIG_NET_POLL_CONTROLLER=y
+CONFIG_TUN=m
+# CONFIG_TUN_VNET_CROSS_LE is not set
+CONFIG_VETH=m
+CONFIG_VIRTIO_NET=m
+CONFIG_NLMON=m
+CONFIG_NET_VRF=m
+CONFIG_SUNGEM_PHY=m
+CONFIG_ARCNET=m
+CONFIG_ARCNET_1201=m
+CONFIG_ARCNET_1051=m
+CONFIG_ARCNET_RAW=m
+CONFIG_ARCNET_CAP=m
+CONFIG_ARCNET_COM90xx=m
+CONFIG_ARCNET_COM90xxIO=m
+CONFIG_ARCNET_RIM_I=m
+CONFIG_ARCNET_COM20020=m
+CONFIG_ARCNET_COM20020_PCI=m
+CONFIG_ARCNET_COM20020_CS=m
+CONFIG_ATM_DRIVERS=y
+CONFIG_ATM_DUMMY=m
+CONFIG_ATM_TCP=m
+CONFIG_ATM_LANAI=m
+CONFIG_ATM_ENI=m
+# CONFIG_ATM_ENI_DEBUG is not set
+# CONFIG_ATM_ENI_TUNE_BURST is not set
+CONFIG_ATM_FIRESTREAM=m
+CONFIG_ATM_ZATM=m
+# CONFIG_ATM_ZATM_DEBUG is not set
+CONFIG_ATM_NICSTAR=m
+CONFIG_ATM_NICSTAR_USE_SUNI=y
+CONFIG_ATM_NICSTAR_USE_IDT77105=y
+CONFIG_ATM_IDT77252=m
+# CONFIG_ATM_IDT77252_DEBUG is not set
+# CONFIG_ATM_IDT77252_RCV_ALL is not set
+CONFIG_ATM_IDT77252_USE_SUNI=y
+CONFIG_ATM_AMBASSADOR=m
+# CONFIG_ATM_AMBASSADOR_DEBUG is not set
+CONFIG_ATM_HORIZON=m
+# CONFIG_ATM_HORIZON_DEBUG is not set
+CONFIG_ATM_IA=m
+# CONFIG_ATM_IA_DEBUG is not set
+CONFIG_ATM_FORE200E=m
+# CONFIG_ATM_FORE200E_USE_TASKLET is not set
+CONFIG_ATM_FORE200E_TX_RETRY=16
+CONFIG_ATM_FORE200E_DEBUG=0
+CONFIG_ATM_HE=m
+CONFIG_ATM_HE_USE_SUNI=y
+CONFIG_ATM_SOLOS=m
+
+#
+# CAIF transport drivers
+#
+CONFIG_VHOST_NET=m
+CONFIG_VHOST_SCSI=m
+CONFIG_VHOST_RING=m
+CONFIG_VHOST=m
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+CONFIG_ETHERNET=y
+CONFIG_MDIO=m
+CONFIG_NET_VENDOR_3COM=y
+CONFIG_PCMCIA_3C574=m
+CONFIG_PCMCIA_3C589=m
+CONFIG_VORTEX=m
+CONFIG_TYPHOON=m
+CONFIG_NET_VENDOR_ADAPTEC=y
+CONFIG_ADAPTEC_STARFIRE=m
+CONFIG_NET_VENDOR_AGERE=y
+CONFIG_ET131X=m
+CONFIG_NET_VENDOR_ALTEON=y
+CONFIG_ACENIC=m
+# CONFIG_ACENIC_OMIT_TIGON_I is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+CONFIG_AMD8111_ETH=m
+CONFIG_PCNET32=m
+CONFIG_PCMCIA_NMCLAN=m
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+CONFIG_ATL2=m
+CONFIG_ATL1=m
+CONFIG_ATL1E=m
+CONFIG_ATL1C=m
+CONFIG_ALX=m
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+CONFIG_B44=m
+CONFIG_B44_PCI_AUTOSELECT=y
+CONFIG_B44_PCICORE_AUTOSELECT=y
+CONFIG_B44_PCI=y
+# CONFIG_BCMGENET is not set
+CONFIG_BNX2=m
+CONFIG_CNIC=m
+CONFIG_TIGON3=m
+CONFIG_BNX2X=m
+CONFIG_BNX2X_SRIOV=y
+CONFIG_BNX2X_VXLAN=y
+CONFIG_BNXT=m
+CONFIG_BNXT_SRIOV=y
+CONFIG_NET_VENDOR_BROCADE=y
+CONFIG_BNA=m
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+CONFIG_LIQUIDIO=m
+CONFIG_NET_VENDOR_CHELSIO=y
+CONFIG_CHELSIO_T1=m
+CONFIG_CHELSIO_T1_1G=y
+CONFIG_CHELSIO_T3=m
+CONFIG_CHELSIO_T4=m
+CONFIG_CHELSIO_T4_DCB=y
+# CONFIG_CHELSIO_T4_FCOE is not set
+CONFIG_CHELSIO_T4VF=m
+CONFIG_NET_VENDOR_CISCO=y
+CONFIG_ENIC=m
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+CONFIG_NET_TULIP=y
+CONFIG_DE2104X=m
+CONFIG_DE2104X_DSL=0
+CONFIG_TULIP=m
+# CONFIG_TULIP_MWI is not set
+# CONFIG_TULIP_MMIO is not set
+CONFIG_TULIP_NAPI=y
+CONFIG_TULIP_NAPI_HW_MITIGATION=y
+# CONFIG_DE4X5 is not set
+CONFIG_WINBOND_840=m
+CONFIG_DM9102=m
+CONFIG_ULI526X=m
+CONFIG_PCMCIA_XIRCOM=m
+CONFIG_NET_VENDOR_DLINK=y
+CONFIG_DL2K=m
+CONFIG_SUNDANCE=m
+# CONFIG_SUNDANCE_MMIO is not set
+CONFIG_NET_VENDOR_EMULEX=y
+CONFIG_BE2NET=m
+CONFIG_BE2NET_HWMON=y
+CONFIG_BE2NET_VXLAN=y
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_EXAR=y
+CONFIG_S2IO=m
+CONFIG_VXGE=m
+# CONFIG_VXGE_DEBUG_TRACE_ALL is not set
+CONFIG_NET_VENDOR_FUJITSU=y
+CONFIG_PCMCIA_FMVJ18X=m
+CONFIG_NET_VENDOR_HP=y
+CONFIG_HP100=m
+CONFIG_NET_VENDOR_INTEL=y
+CONFIG_E100=m
+CONFIG_E1000=m
+CONFIG_E1000E=m
+CONFIG_IGB=m
+CONFIG_IGB_HWMON=y
+CONFIG_IGB_DCA=y
+CONFIG_IGBVF=m
+CONFIG_IXGB=m
+CONFIG_IXGBE=m
+CONFIG_IXGBE_VXLAN=y
+CONFIG_IXGBE_HWMON=y
+CONFIG_IXGBE_DCA=y
+CONFIG_IXGBE_DCB=y
+CONFIG_IXGBEVF=m
+CONFIG_I40E=m
+CONFIG_I40E_VXLAN=y
+CONFIG_I40E_DCB=y
+CONFIG_I40E_FCOE=y
+CONFIG_I40EVF=m
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+CONFIG_JME=m
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+CONFIG_SKGE=m
+CONFIG_SKGE_GENESIS=y
+CONFIG_SKY2=m
+CONFIG_NET_VENDOR_MELLANOX=y
+CONFIG_MLX4_EN=m
+CONFIG_MLX4_EN_DCB=y
+CONFIG_MLX4_EN_VXLAN=y
+CONFIG_MLX4_CORE=m
+CONFIG_MLX4_DEBUG=y
+CONFIG_MLX5_CORE=m
+CONFIG_MLX5_CORE_EN=y
+# CONFIG_MLXSW_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8842 is not set
+# CONFIG_KS8851 is not set
+# CONFIG_KS8851_MLL is not set
+CONFIG_KSZ884X_PCI=m
+CONFIG_NET_VENDOR_MICROCHIP=y
+# CONFIG_ENC28J60 is not set
+# CONFIG_ENCX24J600 is not set
+CONFIG_NET_VENDOR_MYRI=y
+CONFIG_MYRI10GE=m
+CONFIG_MYRI10GE_DCA=y
+CONFIG_FEALNX=m
+CONFIG_NET_VENDOR_NATSEMI=y
+CONFIG_NATSEMI=m
+CONFIG_NS83820=m
+CONFIG_NET_VENDOR_8390=y
+CONFIG_PCMCIA_AXNET=m
+CONFIG_NE2K_PCI=m
+CONFIG_PCMCIA_PCNET=m
+CONFIG_NET_VENDOR_NVIDIA=y
+CONFIG_FORCEDETH=m
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+CONFIG_HAMACHI=m
+CONFIG_YELLOWFIN=m
+CONFIG_NET_VENDOR_QLOGIC=y
+CONFIG_QLA3XXX=m
+CONFIG_QLCNIC=m
+CONFIG_QLCNIC_SRIOV=y
+CONFIG_QLCNIC_DCB=y
+CONFIG_QLCNIC_VXLAN=y
+CONFIG_QLCNIC_HWMON=y
+CONFIG_QLGE=m
+CONFIG_NETXEN_NIC=m
+CONFIG_QED=m
+CONFIG_QEDE=m
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_ATP is not set
+CONFIG_8139CP=m
+CONFIG_8139TOO=m
+# CONFIG_8139TOO_PIO is not set
+CONFIG_8139TOO_TUNE_TWISTER=y
+CONFIG_8139TOO_8129=y
+# CONFIG_8139_OLD_RX_RESET is not set
+CONFIG_R8169=m
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_RDC=y
+CONFIG_R6040=m
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+# CONFIG_NET_VENDOR_SEEQ is not set
+CONFIG_NET_VENDOR_SILAN=y
+CONFIG_SC92031=m
+CONFIG_NET_VENDOR_SIS=y
+CONFIG_SIS900=m
+CONFIG_SIS190=m
+CONFIG_SFC=m
+CONFIG_SFC_MTD=y
+CONFIG_SFC_MCDI_MON=y
+CONFIG_SFC_SRIOV=y
+CONFIG_SFC_MCDI_LOGGING=y
+CONFIG_NET_VENDOR_SMSC=y
+CONFIG_PCMCIA_SMC91C92=m
+CONFIG_EPIC100=m
+# CONFIG_SMSC911X is not set
+CONFIG_SMSC9420=m
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+CONFIG_HAPPYMEAL=m
+CONFIG_SUNGEM=m
+CONFIG_CASSINI=m
+CONFIG_NIU=m
+CONFIG_NET_VENDOR_SYNOPSYS=y
+CONFIG_NET_VENDOR_TEHUTI=y
+CONFIG_TEHUTI=m
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+CONFIG_TLAN=m
+CONFIG_NET_VENDOR_VIA=y
+CONFIG_VIA_RHINE=m
+# CONFIG_VIA_RHINE_MMIO is not set
+CONFIG_VIA_VELOCITY=m
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+CONFIG_NET_VENDOR_XIRCOM=y
+CONFIG_PCMCIA_XIRC2PS=m
+CONFIG_FDDI=y
+CONFIG_DEFXX=m
+# CONFIG_DEFXX_MMIO is not set
+CONFIG_SKFP=m
+CONFIG_HIPPI=y
+CONFIG_ROADRUNNER=m
+# CONFIG_ROADRUNNER_LARGE_RINGS is not set
+CONFIG_NET_SB1000=m
+CONFIG_PHYLIB=m
+
+#
+# MII PHY device drivers
+#
+CONFIG_AQUANTIA_PHY=m
+CONFIG_AT803X_PHY=m
+CONFIG_AMD_PHY=m
+CONFIG_MARVELL_PHY=m
+CONFIG_DAVICOM_PHY=m
+CONFIG_QSEMI_PHY=m
+CONFIG_LXT_PHY=m
+CONFIG_CICADA_PHY=m
+CONFIG_VITESSE_PHY=m
+CONFIG_TERANETICS_PHY=m
+CONFIG_SMSC_PHY=m
+CONFIG_BCM_NET_PHYLIB=m
+CONFIG_BROADCOM_PHY=m
+# CONFIG_BCM7XXX_PHY is not set
+CONFIG_BCM87XX_PHY=m
+CONFIG_ICPLUS_PHY=m
+CONFIG_REALTEK_PHY=m
+CONFIG_NATIONAL_PHY=m
+CONFIG_STE10XP=m
+CONFIG_LSI_ET1011C_PHY=m
+CONFIG_MICREL_PHY=m
+CONFIG_DP83848_PHY=m
+CONFIG_DP83867_PHY=m
+CONFIG_MICROCHIP_PHY=m
+# CONFIG_FIXED_PHY is not set
+# CONFIG_MDIO_BITBANG is not set
+# CONFIG_MDIO_OCTEON is not set
+# CONFIG_MDIO_BCM_UNIMAC is not set
+# CONFIG_MICREL_KS8995MA is not set
+CONFIG_PLIP=m
+CONFIG_PPP=m
+CONFIG_PPP_BSDCOMP=m
+CONFIG_PPP_DEFLATE=m
+CONFIG_PPP_FILTER=y
+CONFIG_PPP_MPPE=m
+CONFIG_PPP_MULTILINK=y
+CONFIG_PPPOATM=m
+CONFIG_PPPOE=m
+CONFIG_PPTP=m
+CONFIG_PPPOL2TP=m
+CONFIG_PPP_ASYNC=m
+CONFIG_PPP_SYNC_TTY=m
+CONFIG_SLIP=m
+CONFIG_SLHC=m
+CONFIG_SLIP_COMPRESSED=y
+CONFIG_SLIP_SMART=y
+CONFIG_SLIP_MODE_SLIP6=y
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_USB_NET_DRIVERS=m
+CONFIG_USB_CATC=m
+CONFIG_USB_KAWETH=m
+CONFIG_USB_PEGASUS=m
+CONFIG_USB_RTL8150=m
+CONFIG_USB_RTL8152=m
+CONFIG_USB_LAN78XX=m
+CONFIG_USB_USBNET=m
+CONFIG_USB_NET_AX8817X=m
+CONFIG_USB_NET_AX88179_178A=m
+CONFIG_USB_NET_CDCETHER=m
+CONFIG_USB_NET_CDC_EEM=m
+CONFIG_USB_NET_CDC_NCM=m
+CONFIG_USB_NET_HUAWEI_CDC_NCM=m
+CONFIG_USB_NET_CDC_MBIM=m
+CONFIG_USB_NET_DM9601=m
+CONFIG_USB_NET_SR9700=m
+CONFIG_USB_NET_SR9800=m
+CONFIG_USB_NET_SMSC75XX=m
+CONFIG_USB_NET_SMSC95XX=m
+CONFIG_USB_NET_GL620A=m
+CONFIG_USB_NET_NET1080=m
+CONFIG_USB_NET_PLUSB=m
+CONFIG_USB_NET_MCS7830=m
+CONFIG_USB_NET_RNDIS_HOST=m
+CONFIG_USB_NET_CDC_SUBSET=m
+CONFIG_USB_ALI_M5632=y
+CONFIG_USB_AN2720=y
+CONFIG_USB_BELKIN=y
+CONFIG_USB_ARMLINUX=y
+CONFIG_USB_EPSON2888=y
+CONFIG_USB_KC2190=y
+CONFIG_USB_NET_ZAURUS=m
+CONFIG_USB_NET_CX82310_ETH=m
+CONFIG_USB_NET_KALMIA=m
+CONFIG_USB_NET_QMI_WWAN=m
+CONFIG_USB_HSO=m
+CONFIG_USB_NET_INT51X1=m
+CONFIG_USB_CDC_PHONET=m
+CONFIG_USB_IPHETH=m
+CONFIG_USB_SIERRA_NET=m
+CONFIG_USB_VL600=m
+CONFIG_USB_NET_CH9200=m
+CONFIG_WLAN=y
+CONFIG_PCMCIA_RAYCS=m
+CONFIG_LIBERTAS_THINFIRM=m
+# CONFIG_LIBERTAS_THINFIRM_DEBUG is not set
+CONFIG_LIBERTAS_THINFIRM_USB=m
+CONFIG_AIRO=m
+CONFIG_ATMEL=m
+CONFIG_PCI_ATMEL=m
+CONFIG_PCMCIA_ATMEL=m
+CONFIG_AT76C50X_USB=m
+CONFIG_AIRO_CS=m
+CONFIG_PCMCIA_WL3501=m
+# CONFIG_PRISM54 is not set
+CONFIG_USB_ZD1201=m
+CONFIG_USB_NET_RNDIS_WLAN=m
+CONFIG_ADM8211=m
+CONFIG_RTL8180=m
+CONFIG_RTL8187=m
+CONFIG_RTL8187_LEDS=y
+CONFIG_MAC80211_HWSIM=m
+CONFIG_MWL8K=m
+CONFIG_ATH_COMMON=m
+CONFIG_ATH_CARDS=m
+# CONFIG_ATH_DEBUG is not set
+CONFIG_ATH5K=m
+# CONFIG_ATH5K_DEBUG is not set
+CONFIG_ATH5K_PCI=y
+CONFIG_ATH9K_HW=m
+CONFIG_ATH9K_COMMON=m
+CONFIG_ATH9K_BTCOEX_SUPPORT=y
+CONFIG_ATH9K=m
+CONFIG_ATH9K_PCI=y
+# CONFIG_ATH9K_AHB is not set
+# CONFIG_ATH9K_DYNACK is not set
+# CONFIG_ATH9K_WOW is not set
+CONFIG_ATH9K_RFKILL=y
+# CONFIG_ATH9K_CHANNEL_CONTEXT is not set
+CONFIG_ATH9K_PCOEM=y
+CONFIG_ATH9K_HTC=m
+CONFIG_CARL9170=m
+CONFIG_CARL9170_LEDS=y
+CONFIG_CARL9170_WPC=y
+# CONFIG_CARL9170_HWRNG is not set
+CONFIG_ATH6KL=m
+CONFIG_ATH6KL_SDIO=m
+CONFIG_ATH6KL_USB=m
+# CONFIG_ATH6KL_DEBUG is not set
+CONFIG_AR5523=m
+CONFIG_WIL6210=m
+CONFIG_WIL6210_ISR_COR=y
+CONFIG_ATH10K=m
+CONFIG_ATH10K_PCI=m
+# CONFIG_ATH10K_DEBUG is not set
+# CONFIG_WCN36XX is not set
+CONFIG_B43=m
+CONFIG_B43_BCMA=y
+CONFIG_B43_SSB=y
+CONFIG_B43_BUSES_BCMA_AND_SSB=y
+# CONFIG_B43_BUSES_BCMA is not set
+# CONFIG_B43_BUSES_SSB is not set
+CONFIG_B43_PCI_AUTOSELECT=y
+CONFIG_B43_PCICORE_AUTOSELECT=y
+CONFIG_B43_SDIO=y
+CONFIG_B43_BCMA_PIO=y
+CONFIG_B43_PIO=y
+CONFIG_B43_PHY_G=y
+CONFIG_B43_PHY_N=y
+CONFIG_B43_PHY_LP=y
+CONFIG_B43_PHY_HT=y
+CONFIG_B43_LEDS=y
+CONFIG_B43_HWRNG=y
+# CONFIG_B43_DEBUG is not set
+CONFIG_B43LEGACY=m
+CONFIG_B43LEGACY_PCI_AUTOSELECT=y
+CONFIG_B43LEGACY_PCICORE_AUTOSELECT=y
+CONFIG_B43LEGACY_LEDS=y
+CONFIG_B43LEGACY_HWRNG=y
+CONFIG_B43LEGACY_DEBUG=y
+CONFIG_B43LEGACY_DMA=y
+CONFIG_B43LEGACY_PIO=y
+CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
+# CONFIG_B43LEGACY_DMA_MODE is not set
+# CONFIG_B43LEGACY_PIO_MODE is not set
+CONFIG_BRCMUTIL=m
+CONFIG_BRCMSMAC=m
+CONFIG_BRCMFMAC=m
+CONFIG_BRCMFMAC_PROTO_BCDC=y
+CONFIG_BRCMFMAC_PROTO_MSGBUF=y
+CONFIG_BRCMFMAC_SDIO=y
+CONFIG_BRCMFMAC_USB=y
+CONFIG_BRCMFMAC_PCIE=y
+# CONFIG_BRCM_TRACING is not set
+# CONFIG_BRCMDBG is not set
+CONFIG_HOSTAP=m
+CONFIG_HOSTAP_FIRMWARE=y
+# CONFIG_HOSTAP_FIRMWARE_NVRAM is not set
+CONFIG_HOSTAP_PLX=m
+CONFIG_HOSTAP_PCI=m
+CONFIG_HOSTAP_CS=m
+# CONFIG_IPW2100 is not set
+CONFIG_IPW2200=m
+CONFIG_IPW2200_MONITOR=y
+CONFIG_IPW2200_RADIOTAP=y
+CONFIG_IPW2200_PROMISCUOUS=y
+CONFIG_IPW2200_QOS=y
+# CONFIG_IPW2200_DEBUG is not set
+CONFIG_LIBIPW=m
+# CONFIG_LIBIPW_DEBUG is not set
+CONFIG_IWLWIFI=m
+CONFIG_IWLWIFI_LEDS=y
+CONFIG_IWLDVM=m
+CONFIG_IWLMVM=m
+CONFIG_IWLWIFI_OPMODE_MODULAR=y
+# CONFIG_IWLWIFI_BCAST_FILTERING is not set
+# CONFIG_IWLWIFI_UAPSD is not set
+
+#
+# Debugging Options
+#
+# CONFIG_IWLWIFI_DEBUG is not set
+CONFIG_IWLEGACY=m
+CONFIG_IWL4965=m
+CONFIG_IWL3945=m
+
+#
+# iwl3945 / iwl4965 Debugging Options
+#
+# CONFIG_IWLEGACY_DEBUG is not set
+CONFIG_LIBERTAS=m
+CONFIG_LIBERTAS_USB=m
+CONFIG_LIBERTAS_CS=m
+CONFIG_LIBERTAS_SDIO=m
+# CONFIG_LIBERTAS_SPI is not set
+# CONFIG_LIBERTAS_DEBUG is not set
+CONFIG_LIBERTAS_MESH=y
+CONFIG_HERMES=m
+# CONFIG_HERMES_PRISM is not set
+CONFIG_HERMES_CACHE_FW_ON_INIT=y
+CONFIG_PLX_HERMES=m
+CONFIG_TMD_HERMES=m
+CONFIG_NORTEL_HERMES=m
+CONFIG_PCMCIA_HERMES=m
+CONFIG_PCMCIA_SPECTRUM=m
+CONFIG_ORINOCO_USB=m
+CONFIG_P54_COMMON=m
+CONFIG_P54_USB=m
+CONFIG_P54_PCI=m
+# CONFIG_P54_SPI is not set
+CONFIG_P54_LEDS=y
+CONFIG_RT2X00=m
+CONFIG_RT2400PCI=m
+CONFIG_RT2500PCI=m
+CONFIG_RT61PCI=m
+CONFIG_RT2800PCI=m
+CONFIG_RT2800PCI_RT33XX=y
+CONFIG_RT2800PCI_RT35XX=y
+CONFIG_RT2800PCI_RT53XX=y
+CONFIG_RT2800PCI_RT3290=y
+CONFIG_RT2500USB=m
+CONFIG_RT73USB=m
+CONFIG_RT2800USB=m
+CONFIG_RT2800USB_RT33XX=y
+CONFIG_RT2800USB_RT35XX=y
+CONFIG_RT2800USB_RT3573=y
+CONFIG_RT2800USB_RT53XX=y
+CONFIG_RT2800USB_RT55XX=y
+# CONFIG_RT2800USB_UNKNOWN is not set
+CONFIG_RT2800_LIB=m
+CONFIG_RT2800_LIB_MMIO=m
+CONFIG_RT2X00_LIB_MMIO=m
+CONFIG_RT2X00_LIB_PCI=m
+CONFIG_RT2X00_LIB_USB=m
+CONFIG_RT2X00_LIB=m
+CONFIG_RT2X00_LIB_FIRMWARE=y
+CONFIG_RT2X00_LIB_CRYPTO=y
+CONFIG_RT2X00_LIB_LEDS=y
+# CONFIG_RT2X00_DEBUG is not set
+CONFIG_WL_MEDIATEK=y
+CONFIG_MT7601U=m
+CONFIG_RTL_CARDS=m
+CONFIG_RTL8192CE=m
+CONFIG_RTL8192SE=m
+CONFIG_RTL8192DE=m
+CONFIG_RTL8723AE=m
+CONFIG_RTL8723BE=m
+CONFIG_RTL8188EE=m
+CONFIG_RTL8192EE=m
+CONFIG_RTL8821AE=m
+CONFIG_RTL8192CU=m
+CONFIG_RTLWIFI=m
+CONFIG_RTLWIFI_PCI=m
+CONFIG_RTLWIFI_USB=m
+# CONFIG_RTLWIFI_DEBUG is not set
+CONFIG_RTL8192C_COMMON=m
+CONFIG_RTL8723_COMMON=m
+CONFIG_RTLBTCOEXIST=m
+# CONFIG_RTL8XXXU is not set
+# CONFIG_WL_TI is not set
+CONFIG_ZD1211RW=m
+# CONFIG_ZD1211RW_DEBUG is not set
+CONFIG_MWIFIEX=m
+CONFIG_MWIFIEX_SDIO=m
+CONFIG_MWIFIEX_PCIE=m
+CONFIG_MWIFIEX_USB=m
+# CONFIG_CW1200 is not set
+CONFIG_RSI_91X=m
+CONFIG_RSI_DEBUGFS=y
+# CONFIG_RSI_SDIO is not set
+CONFIG_RSI_USB=m
+
+#
+# WiMAX Wireless Broadband devices
+#
+CONFIG_WIMAX_I2400M=m
+CONFIG_WIMAX_I2400M_USB=m
+CONFIG_WIMAX_I2400M_DEBUG_LEVEL=8
+CONFIG_WAN=y
+CONFIG_LANMEDIA=m
+CONFIG_HDLC=m
+CONFIG_HDLC_RAW=m
+CONFIG_HDLC_RAW_ETH=m
+CONFIG_HDLC_CISCO=m
+CONFIG_HDLC_FR=m
+CONFIG_HDLC_PPP=m
+# CONFIG_HDLC_X25 is not set
+CONFIG_PCI200SYN=m
+CONFIG_WANXL=m
+# CONFIG_PC300TOO is not set
+CONFIG_FARSYNC=m
+CONFIG_DSCC4=m
+CONFIG_DSCC4_PCISYNC=y
+CONFIG_DSCC4_PCI_RST=y
+CONFIG_DLCI=m
+CONFIG_DLCI_MAX=8
+# CONFIG_SBNI is not set
+CONFIG_IEEE802154_DRIVERS=m
+CONFIG_VMXNET3=m
+CONFIG_FUJITSU_ES=m
+CONFIG_HYPERV_NET=m
+CONFIG_ISDN=y
+# CONFIG_ISDN_I4L is not set
+CONFIG_ISDN_CAPI=m
+CONFIG_CAPI_TRACE=y
+CONFIG_ISDN_CAPI_CAPI20=m
+CONFIG_ISDN_CAPI_MIDDLEWARE=y
+
+#
+# CAPI hardware drivers
+#
+CONFIG_CAPI_AVM=y
+CONFIG_ISDN_DRV_AVMB1_B1PCI=m
+CONFIG_ISDN_DRV_AVMB1_B1PCIV4=y
+CONFIG_ISDN_DRV_AVMB1_B1PCMCIA=m
+CONFIG_ISDN_DRV_AVMB1_AVM_CS=m
+CONFIG_ISDN_DRV_AVMB1_T1PCI=m
+CONFIG_ISDN_DRV_AVMB1_C4=m
+CONFIG_CAPI_EICON=y
+CONFIG_ISDN_DIVAS=m
+CONFIG_ISDN_DIVAS_BRIPCI=y
+CONFIG_ISDN_DIVAS_PRIPCI=y
+CONFIG_ISDN_DIVAS_DIVACAPI=m
+CONFIG_ISDN_DIVAS_USERIDI=m
+CONFIG_ISDN_DIVAS_MAINT=m
+CONFIG_ISDN_DRV_GIGASET=m
+CONFIG_GIGASET_CAPI=y
+# CONFIG_GIGASET_DUMMYLL is not set
+CONFIG_GIGASET_BASE=m
+CONFIG_GIGASET_M105=m
+CONFIG_GIGASET_M101=m
+# CONFIG_GIGASET_DEBUG is not set
+CONFIG_HYSDN=m
+CONFIG_HYSDN_CAPI=y
+CONFIG_MISDN=m
+CONFIG_MISDN_DSP=m
+CONFIG_MISDN_L1OIP=m
+
+#
+# mISDN hardware drivers
+#
+CONFIG_MISDN_HFCPCI=m
+CONFIG_MISDN_HFCMULTI=m
+CONFIG_MISDN_HFCUSB=m
+CONFIG_MISDN_AVMFRITZ=m
+CONFIG_MISDN_SPEEDFAX=m
+CONFIG_MISDN_INFINEON=m
+CONFIG_MISDN_W6692=m
+# CONFIG_MISDN_NETJET is not set
+CONFIG_MISDN_IPAC=m
+CONFIG_MISDN_ISAR=m
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+CONFIG_INPUT_LEDS=y
+CONFIG_INPUT_FF_MEMLESS=m
+CONFIG_INPUT_POLLDEV=m
+CONFIG_INPUT_SPARSEKMAP=m
+CONFIG_INPUT_MATRIXKMAP=m
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+CONFIG_INPUT_JOYDEV=m
+CONFIG_INPUT_EVDEV=m
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ADP5588=m
+# CONFIG_KEYBOARD_ADP5589 is not set
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_QT1070 is not set
+CONFIG_KEYBOARD_QT2160=m
+CONFIG_KEYBOARD_LKKBD=m
+CONFIG_KEYBOARD_GPIO=m
+# CONFIG_KEYBOARD_GPIO_POLLED is not set
+# CONFIG_KEYBOARD_TCA6416 is not set
+# CONFIG_KEYBOARD_TCA8418 is not set
+# CONFIG_KEYBOARD_MATRIX is not set
+CONFIG_KEYBOARD_LM8323=m
+# CONFIG_KEYBOARD_LM8333 is not set
+CONFIG_KEYBOARD_MAX7359=m
+# CONFIG_KEYBOARD_MCS is not set
+# CONFIG_KEYBOARD_MPR121 is not set
+CONFIG_KEYBOARD_NEWTON=m
+CONFIG_KEYBOARD_OPENCORES=m
+# CONFIG_KEYBOARD_SAMSUNG is not set
+CONFIG_KEYBOARD_STOWAWAY=m
+CONFIG_KEYBOARD_SUNKBD=m
+CONFIG_KEYBOARD_XTKBD=m
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=m
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+CONFIG_MOUSE_PS2_ELANTECH=y
+CONFIG_MOUSE_PS2_SENTELIC=y
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+CONFIG_MOUSE_PS2_VMMOUSE=y
+CONFIG_MOUSE_SERIAL=m
+CONFIG_MOUSE_APPLETOUCH=m
+CONFIG_MOUSE_BCM5974=m
+CONFIG_MOUSE_CYAPA=m
+CONFIG_MOUSE_ELAN_I2C=m
+CONFIG_MOUSE_ELAN_I2C_I2C=y
+CONFIG_MOUSE_ELAN_I2C_SMBUS=y
+CONFIG_MOUSE_VSXXXAA=m
+# CONFIG_MOUSE_GPIO is not set
+CONFIG_MOUSE_SYNAPTICS_I2C=m
+CONFIG_MOUSE_SYNAPTICS_USB=m
+CONFIG_INPUT_JOYSTICK=y
+CONFIG_JOYSTICK_ANALOG=m
+CONFIG_JOYSTICK_A3D=m
+CONFIG_JOYSTICK_ADI=m
+CONFIG_JOYSTICK_COBRA=m
+CONFIG_JOYSTICK_GF2K=m
+CONFIG_JOYSTICK_GRIP=m
+CONFIG_JOYSTICK_GRIP_MP=m
+CONFIG_JOYSTICK_GUILLEMOT=m
+CONFIG_JOYSTICK_INTERACT=m
+CONFIG_JOYSTICK_SIDEWINDER=m
+CONFIG_JOYSTICK_TMDC=m
+CONFIG_JOYSTICK_IFORCE=m
+CONFIG_JOYSTICK_IFORCE_USB=y
+CONFIG_JOYSTICK_IFORCE_232=y
+CONFIG_JOYSTICK_WARRIOR=m
+CONFIG_JOYSTICK_MAGELLAN=m
+CONFIG_JOYSTICK_SPACEORB=m
+CONFIG_JOYSTICK_SPACEBALL=m
+CONFIG_JOYSTICK_STINGER=m
+CONFIG_JOYSTICK_TWIDJOY=m
+CONFIG_JOYSTICK_ZHENHUA=m
+CONFIG_JOYSTICK_DB9=m
+CONFIG_JOYSTICK_GAMECON=m
+CONFIG_JOYSTICK_TURBOGRAFX=m
+# CONFIG_JOYSTICK_AS5011 is not set
+CONFIG_JOYSTICK_JOYDUMP=m
+CONFIG_JOYSTICK_XPAD=m
+CONFIG_JOYSTICK_XPAD_FF=y
+CONFIG_JOYSTICK_XPAD_LEDS=y
+CONFIG_JOYSTICK_WALKERA0701=m
+CONFIG_INPUT_TABLET=y
+CONFIG_TABLET_USB_ACECAD=m
+CONFIG_TABLET_USB_AIPTEK=m
+CONFIG_TABLET_USB_GTCO=m
+CONFIG_TABLET_USB_HANWANG=m
+CONFIG_TABLET_USB_KBTAB=m
+CONFIG_TABLET_SERIAL_WACOM4=m
+CONFIG_INPUT_TOUCHSCREEN=y
+CONFIG_TOUCHSCREEN_PROPERTIES=y
+CONFIG_TOUCHSCREEN_ADS7846=m
+CONFIG_TOUCHSCREEN_AD7877=m
+CONFIG_TOUCHSCREEN_AD7879=m
+CONFIG_TOUCHSCREEN_AD7879_I2C=m
+# CONFIG_TOUCHSCREEN_AD7879_SPI is not set
+CONFIG_TOUCHSCREEN_ATMEL_MXT=m
+# CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set
+# CONFIG_TOUCHSCREEN_BU21013 is not set
+# CONFIG_TOUCHSCREEN_CY8CTMG110 is not set
+# CONFIG_TOUCHSCREEN_CYTTSP_CORE is not set
+# CONFIG_TOUCHSCREEN_CYTTSP4_CORE is not set
+CONFIG_TOUCHSCREEN_DYNAPRO=m
+CONFIG_TOUCHSCREEN_HAMPSHIRE=m
+CONFIG_TOUCHSCREEN_EETI=m
+# CONFIG_TOUCHSCREEN_FT6236 is not set
+CONFIG_TOUCHSCREEN_FUJITSU=m
+# CONFIG_TOUCHSCREEN_GOODIX is not set
+# CONFIG_TOUCHSCREEN_ILI210X is not set
+CONFIG_TOUCHSCREEN_GUNZE=m
+# CONFIG_TOUCHSCREEN_ELAN is not set
+CONFIG_TOUCHSCREEN_ELO=m
+CONFIG_TOUCHSCREEN_WACOM_W8001=m
+# CONFIG_TOUCHSCREEN_WACOM_I2C is not set
+# CONFIG_TOUCHSCREEN_MAX11801 is not set
+CONFIG_TOUCHSCREEN_MCS5000=m
+# CONFIG_TOUCHSCREEN_MMS114 is not set
+CONFIG_TOUCHSCREEN_MTOUCH=m
+CONFIG_TOUCHSCREEN_INEXIO=m
+CONFIG_TOUCHSCREEN_MK712=m
+CONFIG_TOUCHSCREEN_PENMOUNT=m
+# CONFIG_TOUCHSCREEN_EDT_FT5X06 is not set
+CONFIG_TOUCHSCREEN_TOUCHRIGHT=m
+CONFIG_TOUCHSCREEN_TOUCHWIN=m
+# CONFIG_TOUCHSCREEN_PIXCIR is not set
+# CONFIG_TOUCHSCREEN_WDT87XX_I2C is not set
+CONFIG_TOUCHSCREEN_WM97XX=m
+CONFIG_TOUCHSCREEN_WM9705=y
+CONFIG_TOUCHSCREEN_WM9712=y
+CONFIG_TOUCHSCREEN_WM9713=y
+CONFIG_TOUCHSCREEN_USB_COMPOSITE=m
+CONFIG_TOUCHSCREEN_USB_EGALAX=y
+CONFIG_TOUCHSCREEN_USB_PANJIT=y
+CONFIG_TOUCHSCREEN_USB_3M=y
+CONFIG_TOUCHSCREEN_USB_ITM=y
+CONFIG_TOUCHSCREEN_USB_ETURBO=y
+CONFIG_TOUCHSCREEN_USB_GUNZE=y
+CONFIG_TOUCHSCREEN_USB_DMC_TSC10=y
+CONFIG_TOUCHSCREEN_USB_IRTOUCH=y
+CONFIG_TOUCHSCREEN_USB_IDEALTEK=y
+CONFIG_TOUCHSCREEN_USB_GENERAL_TOUCH=y
+CONFIG_TOUCHSCREEN_USB_GOTOP=y
+CONFIG_TOUCHSCREEN_USB_JASTEC=y
+CONFIG_TOUCHSCREEN_USB_ELO=y
+CONFIG_TOUCHSCREEN_USB_E2I=y
+CONFIG_TOUCHSCREEN_USB_ZYTRONIC=y
+CONFIG_TOUCHSCREEN_USB_ETT_TC45USB=y
+CONFIG_TOUCHSCREEN_USB_NEXIO=y
+CONFIG_TOUCHSCREEN_USB_EASYTOUCH=y
+CONFIG_TOUCHSCREEN_TOUCHIT213=m
+CONFIG_TOUCHSCREEN_TSC_SERIO=m
+# CONFIG_TOUCHSCREEN_TSC2004 is not set
+# CONFIG_TOUCHSCREEN_TSC2005 is not set
+CONFIG_TOUCHSCREEN_TSC2007=m
+# CONFIG_TOUCHSCREEN_ST1232 is not set
+CONFIG_TOUCHSCREEN_SUR40=m
+# CONFIG_TOUCHSCREEN_SX8654 is not set
+CONFIG_TOUCHSCREEN_TPS6507X=m
+# CONFIG_TOUCHSCREEN_ZFORCE is not set
+# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
+CONFIG_INPUT_MISC=y
+# CONFIG_INPUT_AD714X is not set
+# CONFIG_INPUT_BMA150 is not set
+# CONFIG_INPUT_E3X0_BUTTON is not set
+CONFIG_INPUT_PCSPKR=m
+# CONFIG_INPUT_MMA8450 is not set
+# CONFIG_INPUT_MPU3050 is not set
+CONFIG_INPUT_APANEL=m
+# CONFIG_INPUT_GP2A is not set
+# CONFIG_INPUT_GPIO_BEEPER is not set
+# CONFIG_INPUT_GPIO_TILT_POLLED is not set
+CONFIG_INPUT_ATLAS_BTNS=m
+CONFIG_INPUT_ATI_REMOTE2=m
+CONFIG_INPUT_KEYSPAN_REMOTE=m
+# CONFIG_INPUT_KXTJ9 is not set
+CONFIG_INPUT_POWERMATE=m
+CONFIG_INPUT_YEALINK=m
+CONFIG_INPUT_CM109=m
+CONFIG_INPUT_UINPUT=m
+# CONFIG_INPUT_PCF8574 is not set
+# CONFIG_INPUT_GPIO_ROTARY_ENCODER is not set
+# CONFIG_INPUT_ADXL34X is not set
+# CONFIG_INPUT_IMS_PCU is not set
+# CONFIG_INPUT_CMA3000 is not set
+CONFIG_INPUT_IDEAPAD_SLIDEBAR=m
+CONFIG_INPUT_SOC_BUTTON_ARRAY=m
+# CONFIG_INPUT_DRV260X_HAPTICS is not set
+# CONFIG_INPUT_DRV2665_HAPTICS is not set
+# CONFIG_INPUT_DRV2667_HAPTICS is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=m
+CONFIG_SERIO_CT82C710=m
+CONFIG_SERIO_PARKBD=m
+CONFIG_SERIO_PCIPS2=m
+CONFIG_SERIO_LIBPS2=y
+CONFIG_SERIO_RAW=m
+CONFIG_SERIO_ALTERA_PS2=m
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+CONFIG_HYPERV_KEYBOARD=m
+# CONFIG_USERIO is not set
+CONFIG_GAMEPORT=m
+CONFIG_GAMEPORT_NS558=m
+CONFIG_GAMEPORT_L4=m
+CONFIG_GAMEPORT_EMU10K1=m
+CONFIG_GAMEPORT_FM801=m
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+CONFIG_VT_HW_CONSOLE_BINDING=y
+CONFIG_UNIX98_PTYS=y
+CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_SERIAL_NONSTANDARD=y
+CONFIG_ROCKETPORT=m
+CONFIG_CYCLADES=m
+# CONFIG_CYZ_INTR is not set
+CONFIG_MOXA_INTELLIO=m
+CONFIG_MOXA_SMARTIO=m
+CONFIG_SYNCLINK=m
+CONFIG_SYNCLINKMP=m
+CONFIG_SYNCLINK_GT=m
+CONFIG_NOZOMI=m
+CONFIG_ISI=m
+CONFIG_N_HDLC=m
+CONFIG_N_GSM=m
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+
+#
+# Serial drivers
+#
+CONFIG_SERIAL_EARLYCON=y
+CONFIG_SERIAL_8250=y
+# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set
+CONFIG_SERIAL_8250_PNP=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_DMA=y
+CONFIG_SERIAL_8250_PCI=y
+CONFIG_SERIAL_8250_CS=m
+CONFIG_SERIAL_8250_NR_UARTS=32
+CONFIG_SERIAL_8250_RUNTIME_UARTS=4
+CONFIG_SERIAL_8250_EXTENDED=y
+CONFIG_SERIAL_8250_MANY_PORTS=y
+CONFIG_SERIAL_8250_SHARE_IRQ=y
+# CONFIG_SERIAL_8250_DETECT_IRQ is not set
+CONFIG_SERIAL_8250_RSA=y
+# CONFIG_SERIAL_8250_FSL is not set
+CONFIG_SERIAL_8250_DW=y
+# CONFIG_SERIAL_8250_RT288X is not set
+CONFIG_SERIAL_8250_FINTEK=m
+# CONFIG_SERIAL_8250_MID is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MAX3100 is not set
+# CONFIG_SERIAL_MAX310X is not set
+# CONFIG_SERIAL_UARTLITE is not set
+CONFIG_SERIAL_CORE=y
+CONFIG_SERIAL_CORE_CONSOLE=y
+CONFIG_SERIAL_JSM=m
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_SC16IS7XX is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_IFX6X60 is not set
+# CONFIG_SERIAL_ARC is not set
+CONFIG_SERIAL_RP2=m
+CONFIG_SERIAL_RP2_NR_UARTS=32
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_TTY_PRINTK=m
+CONFIG_PRINTER=m
+# CONFIG_LP_CONSOLE is not set
+CONFIG_PPDEV=m
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=m
+CONFIG_IPMI_HANDLER=m
+# CONFIG_IPMI_PANIC_EVENT is not set
+CONFIG_IPMI_DEVICE_INTERFACE=m
+CONFIG_IPMI_SI=m
+# CONFIG_IPMI_SI_PROBE_DEFAULTS is not set
+# CONFIG_IPMI_SSIF is not set
+CONFIG_IPMI_WATCHDOG=m
+CONFIG_IPMI_POWEROFF=m
+CONFIG_HW_RANDOM=m
+# CONFIG_HW_RANDOM_TIMERIOMEM is not set
+CONFIG_HW_RANDOM_INTEL=m
+CONFIG_HW_RANDOM_AMD=m
+CONFIG_HW_RANDOM_VIA=m
+CONFIG_HW_RANDOM_VIRTIO=m
+CONFIG_HW_RANDOM_TPM=m
+CONFIG_NVRAM=m
+CONFIG_R3964=m
+CONFIG_APPLICOM=m
+
+#
+# PCMCIA character devices
+#
+CONFIG_SYNCLINK_CS=m
+CONFIG_CARDMAN_4000=m
+CONFIG_CARDMAN_4040=m
+CONFIG_IPWIRELESS=m
+CONFIG_MWAVE=m
+CONFIG_RAW_DRIVER=m
+CONFIG_MAX_RAW_DEVS=256
+CONFIG_HPET=y
+CONFIG_HPET_MMAP=y
+CONFIG_HPET_MMAP_DEFAULT=y
+CONFIG_HANGCHECK_TIMER=m
+CONFIG_TCG_TPM=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_CRB=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
+# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
+CONFIG_TELCLOCK=m
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+CONFIG_I2C=y
+CONFIG_ACPI_I2C_OPREGION=y
+CONFIG_I2C_BOARDINFO=y
+CONFIG_I2C_COMPAT=y
+CONFIG_I2C_CHARDEV=m
+CONFIG_I2C_MUX=m
+
+#
+# Multiplexer I2C Chip support
+#
+# CONFIG_I2C_MUX_GPIO is not set
+# CONFIG_I2C_MUX_PCA9541 is not set
+# CONFIG_I2C_MUX_PCA954x is not set
+# CONFIG_I2C_MUX_PINCTRL is not set
+# CONFIG_I2C_MUX_REG is not set
+CONFIG_I2C_HELPER_AUTO=y
+CONFIG_I2C_SMBUS=m
+CONFIG_I2C_ALGOBIT=m
+CONFIG_I2C_ALGOPCA=m
+
+#
+# I2C Hardware Bus support
+#
+
+#
+# PC SMBus host controller drivers
+#
+CONFIG_I2C_ALI1535=m
+CONFIG_I2C_ALI1563=m
+CONFIG_I2C_ALI15X3=m
+CONFIG_I2C_AMD756=m
+CONFIG_I2C_AMD756_S4882=m
+CONFIG_I2C_AMD8111=m
+CONFIG_I2C_I801=m
+CONFIG_I2C_ISCH=m
+CONFIG_I2C_ISMT=m
+CONFIG_I2C_PIIX4=m
+CONFIG_I2C_NFORCE2=m
+CONFIG_I2C_NFORCE2_S4985=m
+CONFIG_I2C_SIS5595=m
+CONFIG_I2C_SIS630=m
+CONFIG_I2C_SIS96X=m
+CONFIG_I2C_VIA=m
+CONFIG_I2C_VIAPRO=m
+
+#
+# ACPI drivers
+#
+CONFIG_I2C_SCMI=m
+
+#
+# I2C system bus drivers (mostly embedded / system-on-chip)
+#
+# CONFIG_I2C_CBUS_GPIO is not set
+CONFIG_I2C_DESIGNWARE_CORE=m
+CONFIG_I2C_DESIGNWARE_PLATFORM=m
+CONFIG_I2C_DESIGNWARE_PCI=m
+# CONFIG_I2C_EMEV2 is not set
+# CONFIG_I2C_GPIO is not set
+CONFIG_I2C_KEMPLD=m
+CONFIG_I2C_OCORES=m
+CONFIG_I2C_PCA_PLATFORM=m
+# CONFIG_I2C_PXA_PCI is not set
+CONFIG_I2C_SIMTEC=m
+# CONFIG_I2C_XILINX is not set
+
+#
+# External I2C/SMBus adapter drivers
+#
+CONFIG_I2C_DIOLAN_U2C=m
+CONFIG_I2C_PARPORT=m
+CONFIG_I2C_PARPORT_LIGHT=m
+CONFIG_I2C_ROBOTFUZZ_OSIF=m
+CONFIG_I2C_TAOS_EVM=m
+CONFIG_I2C_TINY_USB=m
+CONFIG_I2C_VIPERBOARD=m
+
+#
+# Other I2C/SMBus bus drivers
+#
+CONFIG_I2C_STUB=m
+# CONFIG_I2C_SLAVE is not set
+# CONFIG_I2C_DEBUG_CORE is not set
+# CONFIG_I2C_DEBUG_ALGO is not set
+# CONFIG_I2C_DEBUG_BUS is not set
+CONFIG_SPI=y
+# CONFIG_SPI_DEBUG is not set
+CONFIG_SPI_MASTER=y
+
+#
+# SPI Master Controller Drivers
+#
+# CONFIG_SPI_ALTERA is not set
+CONFIG_SPI_BITBANG=m
+CONFIG_SPI_BUTTERFLY=m
+# CONFIG_SPI_CADENCE is not set
+# CONFIG_SPI_GPIO is not set
+CONFIG_SPI_LM70_LLP=m
+# CONFIG_SPI_OC_TINY is not set
+# CONFIG_SPI_PXA2XX is not set
+# CONFIG_SPI_PXA2XX_PCI is not set
+# CONFIG_SPI_SC18IS602 is not set
+# CONFIG_SPI_XCOMM is not set
+# CONFIG_SPI_XILINX is not set
+# CONFIG_SPI_ZYNQMP_GQSPI is not set
+# CONFIG_SPI_DESIGNWARE is not set
+
+#
+# SPI Protocol Masters
+#
+# CONFIG_SPI_SPIDEV is not set
+# CONFIG_SPI_TLE62X0 is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+CONFIG_PPS=m
+# CONFIG_PPS_DEBUG is not set
+# CONFIG_NTP_PPS is not set
+
+#
+# PPS clients support
+#
+# CONFIG_PPS_CLIENT_KTIMER is not set
+CONFIG_PPS_CLIENT_LDISC=m
+CONFIG_PPS_CLIENT_PARPORT=m
+# CONFIG_PPS_CLIENT_GPIO is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+CONFIG_PTP_1588_CLOCK=m
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_PINCTRL=y
+
+#
+# Pin controllers
+#
+CONFIG_PINMUX=y
+CONFIG_PINCONF=y
+CONFIG_GENERIC_PINCONF=y
+# CONFIG_DEBUG_PINCTRL is not set
+# CONFIG_PINCTRL_AMD is not set
+CONFIG_PINCTRL_BAYTRAIL=y
+CONFIG_PINCTRL_CHERRYVIEW=y
+CONFIG_PINCTRL_INTEL=y
+CONFIG_PINCTRL_BROXTON=y
+CONFIG_PINCTRL_SUNRISEPOINT=y
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_GPIOLIB=y
+CONFIG_GPIO_DEVRES=y
+CONFIG_GPIO_ACPI=y
+CONFIG_GPIOLIB_IRQCHIP=y
+# CONFIG_DEBUG_GPIO is not set
+CONFIG_GPIO_SYSFS=y
+
+#
+# Memory mapped GPIO drivers
+#
+# CONFIG_GPIO_AMDPT is not set
+# CONFIG_GPIO_DWAPB is not set
+# CONFIG_GPIO_GENERIC_PLATFORM is not set
+# CONFIG_GPIO_ICH is not set
+# CONFIG_GPIO_LYNXPOINT is not set
+# CONFIG_GPIO_VX855 is not set
+# CONFIG_GPIO_ZX is not set
+
+#
+# Port-mapped I/O GPIO drivers
+#
+# CONFIG_GPIO_104_IDIO_16 is not set
+# CONFIG_GPIO_F7188X is not set
+# CONFIG_GPIO_IT87 is not set
+# CONFIG_GPIO_SCH is not set
+# CONFIG_GPIO_SCH311X is not set
+
+#
+# I2C GPIO expanders
+#
+# CONFIG_GPIO_ADP5588 is not set
+# CONFIG_GPIO_MAX7300 is not set
+# CONFIG_GPIO_MAX732X is not set
+# CONFIG_GPIO_PCA953X is not set
+# CONFIG_GPIO_PCF857X is not set
+# CONFIG_GPIO_SX150X is not set
+
+#
+# MFD GPIO expanders
+#
+CONFIG_GPIO_KEMPLD=m
+
+#
+# PCI GPIO expanders
+#
+# CONFIG_GPIO_AMD8111 is not set
+# CONFIG_GPIO_INTEL_MID is not set
+CONFIG_GPIO_ML_IOH=m
+# CONFIG_GPIO_RDC321X is not set
+
+#
+# SPI GPIO expanders
+#
+# CONFIG_GPIO_MAX7301 is not set
+# CONFIG_GPIO_MC33880 is not set
+
+#
+# SPI or I2C GPIO expanders
+#
+# CONFIG_GPIO_MCP23S08 is not set
+
+#
+# USB GPIO expanders
+#
+CONFIG_GPIO_VIPERBOARD=m
+CONFIG_W1=m
+CONFIG_W1_CON=y
+
+#
+# 1-wire Bus Masters
+#
+CONFIG_W1_MASTER_MATROX=m
+CONFIG_W1_MASTER_DS2490=m
+CONFIG_W1_MASTER_DS2482=m
+# CONFIG_W1_MASTER_DS1WM is not set
+# CONFIG_W1_MASTER_GPIO is not set
+
+#
+# 1-wire Slaves
+#
+CONFIG_W1_SLAVE_THERM=m
+CONFIG_W1_SLAVE_SMEM=m
+# CONFIG_W1_SLAVE_DS2408 is not set
+# CONFIG_W1_SLAVE_DS2413 is not set
+# CONFIG_W1_SLAVE_DS2406 is not set
+# CONFIG_W1_SLAVE_DS2423 is not set
+CONFIG_W1_SLAVE_DS2431=m
+CONFIG_W1_SLAVE_DS2433=m
+# CONFIG_W1_SLAVE_DS2433_CRC is not set
+# CONFIG_W1_SLAVE_DS2760 is not set
+# CONFIG_W1_SLAVE_DS2780 is not set
+# CONFIG_W1_SLAVE_DS2781 is not set
+# CONFIG_W1_SLAVE_DS28E04 is not set
+CONFIG_W1_SLAVE_BQ27000=m
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_GENERIC_ADC_BATTERY is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_DS2782 is not set
+CONFIG_BATTERY_SBS=m
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_BATTERY_MAX17040 is not set
+# CONFIG_BATTERY_MAX17042 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_CHARGER_LP8727 is not set
+# CONFIG_CHARGER_GPIO is not set
+# CONFIG_CHARGER_BQ2415X is not set
+# CONFIG_CHARGER_BQ24190 is not set
+# CONFIG_CHARGER_BQ24257 is not set
+# CONFIG_CHARGER_BQ24735 is not set
+# CONFIG_CHARGER_BQ25890 is not set
+# CONFIG_CHARGER_SMB347 is not set
+# CONFIG_BATTERY_GAUGE_LTC2941 is not set
+# CONFIG_CHARGER_RT9455 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+CONFIG_HWMON_VID=m
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+CONFIG_SENSORS_ABITUGURU=m
+CONFIG_SENSORS_ABITUGURU3=m
+# CONFIG_SENSORS_AD7314 is not set
+CONFIG_SENSORS_AD7414=m
+CONFIG_SENSORS_AD7418=m
+CONFIG_SENSORS_ADM1021=m
+CONFIG_SENSORS_ADM1025=m
+CONFIG_SENSORS_ADM1026=m
+CONFIG_SENSORS_ADM1029=m
+CONFIG_SENSORS_ADM1031=m
+CONFIG_SENSORS_ADM9240=m
+# CONFIG_SENSORS_ADT7310 is not set
+# CONFIG_SENSORS_ADT7410 is not set
+CONFIG_SENSORS_ADT7411=m
+CONFIG_SENSORS_ADT7462=m
+CONFIG_SENSORS_ADT7470=m
+CONFIG_SENSORS_ADT7475=m
+CONFIG_SENSORS_ASC7621=m
+CONFIG_SENSORS_K8TEMP=m
+CONFIG_SENSORS_K10TEMP=m
+CONFIG_SENSORS_FAM15H_POWER=m
+CONFIG_SENSORS_APPLESMC=m
+CONFIG_SENSORS_ASB100=m
+CONFIG_SENSORS_ATXP1=m
+CONFIG_SENSORS_DS620=m
+CONFIG_SENSORS_DS1621=m
+CONFIG_SENSORS_DELL_SMM=m
+CONFIG_SENSORS_I5K_AMB=m
+CONFIG_SENSORS_F71805F=m
+CONFIG_SENSORS_F71882FG=m
+CONFIG_SENSORS_F75375S=m
+CONFIG_SENSORS_FSCHMD=m
+CONFIG_SENSORS_GL518SM=m
+CONFIG_SENSORS_GL520SM=m
+CONFIG_SENSORS_G760A=m
+# CONFIG_SENSORS_G762 is not set
+# CONFIG_SENSORS_GPIO_FAN is not set
+# CONFIG_SENSORS_HIH6130 is not set
+CONFIG_SENSORS_IBMAEM=m
+CONFIG_SENSORS_IBMPEX=m
+# CONFIG_SENSORS_IIO_HWMON is not set
+CONFIG_SENSORS_I5500=m
+CONFIG_SENSORS_CORETEMP=m
+CONFIG_SENSORS_IT87=m
+CONFIG_SENSORS_JC42=m
+# CONFIG_SENSORS_POWR1220 is not set
+CONFIG_SENSORS_LINEAGE=m
+# CONFIG_SENSORS_LTC2945 is not set
+CONFIG_SENSORS_LTC4151=m
+CONFIG_SENSORS_LTC4215=m
+# CONFIG_SENSORS_LTC4222 is not set
+CONFIG_SENSORS_LTC4245=m
+# CONFIG_SENSORS_LTC4260 is not set
+CONFIG_SENSORS_LTC4261=m
+CONFIG_SENSORS_MAX1111=m
+CONFIG_SENSORS_MAX16065=m
+CONFIG_SENSORS_MAX1619=m
+CONFIG_SENSORS_MAX1668=m
+# CONFIG_SENSORS_MAX197 is not set
+CONFIG_SENSORS_MAX6639=m
+CONFIG_SENSORS_MAX6642=m
+CONFIG_SENSORS_MAX6650=m
+# CONFIG_SENSORS_MAX6697 is not set
+# CONFIG_SENSORS_MAX31790 is not set
+# CONFIG_SENSORS_HTU21 is not set
+# CONFIG_SENSORS_MCP3021 is not set
+CONFIG_SENSORS_MENF21BMC_HWMON=m
+CONFIG_SENSORS_ADCXX=m
+CONFIG_SENSORS_LM63=m
+CONFIG_SENSORS_LM70=m
+CONFIG_SENSORS_LM73=m
+CONFIG_SENSORS_LM75=m
+CONFIG_SENSORS_LM77=m
+CONFIG_SENSORS_LM78=m
+CONFIG_SENSORS_LM80=m
+CONFIG_SENSORS_LM83=m
+CONFIG_SENSORS_LM85=m
+CONFIG_SENSORS_LM87=m
+CONFIG_SENSORS_LM90=m
+CONFIG_SENSORS_LM92=m
+CONFIG_SENSORS_LM93=m
+# CONFIG_SENSORS_LM95234 is not set
+CONFIG_SENSORS_LM95241=m
+CONFIG_SENSORS_LM95245=m
+CONFIG_SENSORS_PC87360=m
+CONFIG_SENSORS_PC87427=m
+CONFIG_SENSORS_NTC_THERMISTOR=m
+CONFIG_SENSORS_NCT6683=m
+CONFIG_SENSORS_NCT6775=m
+# CONFIG_SENSORS_NCT7802 is not set
+# CONFIG_SENSORS_NCT7904 is not set
+CONFIG_SENSORS_PCF8591=m
+# CONFIG_PMBUS is not set
+# CONFIG_SENSORS_SHT15 is not set
+CONFIG_SENSORS_SHT21=m
+# CONFIG_SENSORS_SHTC1 is not set
+CONFIG_SENSORS_SIS5595=m
+CONFIG_SENSORS_DME1737=m
+CONFIG_SENSORS_EMC1403=m
+CONFIG_SENSORS_EMC2103=m
+CONFIG_SENSORS_EMC6W201=m
+CONFIG_SENSORS_SMSC47M1=m
+CONFIG_SENSORS_SMSC47M192=m
+CONFIG_SENSORS_SMSC47B397=m
+CONFIG_SENSORS_SCH56XX_COMMON=m
+CONFIG_SENSORS_SCH5627=m
+CONFIG_SENSORS_SCH5636=m
+CONFIG_SENSORS_SMM665=m
+# CONFIG_SENSORS_ADC128D818 is not set
+CONFIG_SENSORS_ADS1015=m
+CONFIG_SENSORS_ADS7828=m
+CONFIG_SENSORS_ADS7871=m
+CONFIG_SENSORS_AMC6821=m
+# CONFIG_SENSORS_INA209 is not set
+# CONFIG_SENSORS_INA2XX is not set
+# CONFIG_SENSORS_TC74 is not set
+CONFIG_SENSORS_THMC50=m
+CONFIG_SENSORS_TMP102=m
+# CONFIG_SENSORS_TMP103 is not set
+CONFIG_SENSORS_TMP401=m
+CONFIG_SENSORS_TMP421=m
+CONFIG_SENSORS_VIA_CPUTEMP=m
+CONFIG_SENSORS_VIA686A=m
+CONFIG_SENSORS_VT1211=m
+CONFIG_SENSORS_VT8231=m
+CONFIG_SENSORS_W83781D=m
+CONFIG_SENSORS_W83791D=m
+CONFIG_SENSORS_W83792D=m
+CONFIG_SENSORS_W83793=m
+CONFIG_SENSORS_W83795=m
+# CONFIG_SENSORS_W83795_FANCTRL is not set
+CONFIG_SENSORS_W83L785TS=m
+CONFIG_SENSORS_W83L786NG=m
+CONFIG_SENSORS_W83627HF=m
+CONFIG_SENSORS_W83627EHF=m
+
+#
+# ACPI drivers
+#
+CONFIG_SENSORS_ACPI_POWER=m
+CONFIG_SENSORS_ATK0110=m
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_WRITABLE_TRIPS=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+CONFIG_THERMAL_GOV_FAIR_SHARE=y
+CONFIG_THERMAL_GOV_STEP_WISE=y
+CONFIG_THERMAL_GOV_BANG_BANG=y
+CONFIG_THERMAL_GOV_USER_SPACE=y
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+CONFIG_INTEL_POWERCLAMP=m
+CONFIG_X86_PKG_TEMP_THERMAL=m
+CONFIG_INTEL_SOC_DTS_IOSF_CORE=m
+CONFIG_INTEL_SOC_DTS_THERMAL=m
+CONFIG_INT340X_THERMAL=m
+CONFIG_ACPI_THERMAL_REL=m
+CONFIG_INTEL_PCH_THERMAL=m
+CONFIG_WATCHDOG=y
+CONFIG_WATCHDOG_CORE=y
+# CONFIG_WATCHDOG_NOWAYOUT is not set
+
+#
+# Watchdog Device Drivers
+#
+CONFIG_SOFT_WATCHDOG=m
+CONFIG_MENF21BMC_WATCHDOG=m
+# CONFIG_XILINX_WATCHDOG is not set
+# CONFIG_CADENCE_WATCHDOG is not set
+# CONFIG_DW_WATCHDOG is not set
+# CONFIG_MAX63XX_WATCHDOG is not set
+CONFIG_ACQUIRE_WDT=m
+CONFIG_ADVANTECH_WDT=m
+CONFIG_ALIM1535_WDT=m
+CONFIG_ALIM7101_WDT=m
+CONFIG_F71808E_WDT=m
+CONFIG_SP5100_TCO=m
+CONFIG_SBC_FITPC2_WATCHDOG=m
+CONFIG_EUROTECH_WDT=m
+CONFIG_IB700_WDT=m
+CONFIG_IBMASR=m
+CONFIG_WAFER_WDT=m
+CONFIG_I6300ESB_WDT=m
+CONFIG_IE6XX_WDT=m
+CONFIG_ITCO_WDT=m
+CONFIG_ITCO_VENDOR_SUPPORT=y
+CONFIG_IT8712F_WDT=m
+CONFIG_IT87_WDT=m
+CONFIG_HP_WATCHDOG=m
+CONFIG_KEMPLD_WDT=m
+CONFIG_HPWDT_NMI_DECODING=y
+CONFIG_SC1200_WDT=m
+CONFIG_PC87413_WDT=m
+CONFIG_NV_TCO=m
+CONFIG_60XX_WDT=m
+CONFIG_CPU5_WDT=m
+CONFIG_SMSC_SCH311X_WDT=m
+CONFIG_SMSC37B787_WDT=m
+CONFIG_VIA_WDT=m
+CONFIG_W83627HF_WDT=m
+CONFIG_W83877F_WDT=m
+CONFIG_W83977F_WDT=m
+CONFIG_MACHZ_WDT=m
+CONFIG_SBC_EPX_C3_WATCHDOG=m
+# CONFIG_BCM7038_WDT is not set
+# CONFIG_MEN_A21_WDT is not set
+
+#
+# PCI-based Watchdog Cards
+#
+CONFIG_PCIPCWATCHDOG=m
+CONFIG_WDTPCI=m
+
+#
+# USB-based Watchdog Cards
+#
+CONFIG_USBPCWATCHDOG=m
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+CONFIG_SSB=m
+CONFIG_SSB_SPROM=y
+CONFIG_SSB_BLOCKIO=y
+CONFIG_SSB_PCIHOST_POSSIBLE=y
+CONFIG_SSB_PCIHOST=y
+CONFIG_SSB_B43_PCI_BRIDGE=y
+CONFIG_SSB_PCMCIAHOST_POSSIBLE=y
+CONFIG_SSB_PCMCIAHOST=y
+CONFIG_SSB_SDIOHOST_POSSIBLE=y
+CONFIG_SSB_SDIOHOST=y
+# CONFIG_SSB_HOST_SOC is not set
+# CONFIG_SSB_SILENT is not set
+# CONFIG_SSB_DEBUG is not set
+CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y
+CONFIG_SSB_DRIVER_PCICORE=y
+# CONFIG_SSB_DRIVER_GPIO is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+CONFIG_BCMA=m
+CONFIG_BCMA_BLOCKIO=y
+CONFIG_BCMA_HOST_PCI_POSSIBLE=y
+CONFIG_BCMA_HOST_PCI=y
+# CONFIG_BCMA_HOST_SOC is not set
+CONFIG_BCMA_DRIVER_PCI=y
+# CONFIG_BCMA_DRIVER_GMAC_CMN is not set
+# CONFIG_BCMA_DRIVER_GPIO is not set
+# CONFIG_BCMA_DEBUG is not set
+
+#
+# Multifunction device drivers
+#
+CONFIG_MFD_CORE=m
+# CONFIG_MFD_AS3711 is not set
+# CONFIG_PMIC_ADP5520 is not set
+# CONFIG_MFD_AAT2870_CORE is not set
+# CONFIG_MFD_BCM590XX is not set
+# CONFIG_MFD_AXP20X is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_PMIC_DA903X is not set
+# CONFIG_MFD_DA9052_SPI is not set
+# CONFIG_MFD_DA9052_I2C is not set
+# CONFIG_MFD_DA9055 is not set
+# CONFIG_MFD_DA9062 is not set
+# CONFIG_MFD_DA9063 is not set
+# CONFIG_MFD_DA9150 is not set
+# CONFIG_MFD_DLN2 is not set
+# CONFIG_MFD_MC13XXX_SPI is not set
+# CONFIG_MFD_MC13XXX_I2C is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_HTC_I2CPLD is not set
+# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
+CONFIG_LPC_ICH=m
+CONFIG_LPC_SCH=m
+# CONFIG_INTEL_SOC_PMIC is not set
+CONFIG_MFD_INTEL_LPSS=m
+CONFIG_MFD_INTEL_LPSS_ACPI=m
+CONFIG_MFD_INTEL_LPSS_PCI=m
+# CONFIG_MFD_JANZ_CMODIO is not set
+CONFIG_MFD_KEMPLD=m
+# CONFIG_MFD_88PM800 is not set
+# CONFIG_MFD_88PM805 is not set
+# CONFIG_MFD_88PM860X is not set
+# CONFIG_MFD_MAX14577 is not set
+# CONFIG_MFD_MAX77693 is not set
+# CONFIG_MFD_MAX77843 is not set
+# CONFIG_MFD_MAX8907 is not set
+# CONFIG_MFD_MAX8925 is not set
+# CONFIG_MFD_MAX8997 is not set
+# CONFIG_MFD_MAX8998 is not set
+# CONFIG_MFD_MT6397 is not set
+CONFIG_MFD_MENF21BMC=m
+# CONFIG_EZX_PCAP is not set
+CONFIG_MFD_VIPERBOARD=m
+# CONFIG_MFD_RETU is not set
+# CONFIG_MFD_PCF50633 is not set
+# CONFIG_UCB1400_CORE is not set
+# CONFIG_MFD_RDC321X is not set
+CONFIG_MFD_RTSX_PCI=m
+# CONFIG_MFD_RT5033 is not set
+CONFIG_MFD_RTSX_USB=m
+# CONFIG_MFD_RC5T583 is not set
+# CONFIG_MFD_RN5T618 is not set
+# CONFIG_MFD_SEC_CORE is not set
+# CONFIG_MFD_SI476X_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_MFD_SKY81452 is not set
+# CONFIG_MFD_SMSC is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_LP3943 is not set
+# CONFIG_MFD_LP8788 is not set
+# CONFIG_MFD_PALMAS is not set
+# CONFIG_TPS6105X is not set
+# CONFIG_TPS65010 is not set
+# CONFIG_TPS6507X is not set
+# CONFIG_MFD_TPS65090 is not set
+# CONFIG_MFD_TPS65217 is not set
+# CONFIG_MFD_TPS65218 is not set
+# CONFIG_MFD_TPS6586X is not set
+# CONFIG_MFD_TPS65910 is not set
+# CONFIG_MFD_TPS65912 is not set
+# CONFIG_MFD_TPS65912_I2C is not set
+# CONFIG_MFD_TPS65912_SPI is not set
+# CONFIG_MFD_TPS80031 is not set
+# CONFIG_TWL4030_CORE is not set
+# CONFIG_TWL6040_CORE is not set
+# CONFIG_MFD_WL1273_CORE is not set
+# CONFIG_MFD_LM3533 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_MFD_ARIZONA_I2C is not set
+# CONFIG_MFD_ARIZONA_SPI is not set
+# CONFIG_MFD_WM8400 is not set
+# CONFIG_MFD_WM831X_I2C is not set
+# CONFIG_MFD_WM831X_SPI is not set
+# CONFIG_MFD_WM8350_I2C is not set
+# CONFIG_MFD_WM8994 is not set
+# CONFIG_REGULATOR is not set
+CONFIG_MEDIA_SUPPORT=m
+
+#
+# Multimedia core support
+#
+CONFIG_MEDIA_CAMERA_SUPPORT=y
+CONFIG_MEDIA_ANALOG_TV_SUPPORT=y
+CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
+CONFIG_MEDIA_RADIO_SUPPORT=y
+CONFIG_MEDIA_SDR_SUPPORT=y
+CONFIG_MEDIA_RC_SUPPORT=y
+CONFIG_MEDIA_CONTROLLER=y
+CONFIG_VIDEO_DEV=m
+# CONFIG_VIDEO_V4L2_SUBDEV_API is not set
+CONFIG_VIDEO_V4L2=m
+# CONFIG_VIDEO_ADV_DEBUG is not set
+# CONFIG_VIDEO_FIXED_MINOR_RANGES is not set
+CONFIG_VIDEO_TUNER=m
+CONFIG_VIDEOBUF_GEN=m
+CONFIG_VIDEOBUF_DMA_SG=m
+CONFIG_VIDEOBUF_VMALLOC=m
+CONFIG_VIDEOBUF_DVB=m
+CONFIG_VIDEOBUF2_CORE=m
+CONFIG_VIDEOBUF2_MEMOPS=m
+CONFIG_VIDEOBUF2_DMA_CONTIG=m
+CONFIG_VIDEOBUF2_VMALLOC=m
+CONFIG_VIDEOBUF2_DMA_SG=m
+CONFIG_VIDEOBUF2_DVB=m
+CONFIG_DVB_CORE=m
+CONFIG_DVB_NET=y
+CONFIG_TTPCI_EEPROM=m
+CONFIG_DVB_MAX_ADAPTERS=8
+CONFIG_DVB_DYNAMIC_MINORS=y
+
+#
+# Media drivers
+#
+CONFIG_RC_CORE=m
+CONFIG_RC_MAP=m
+CONFIG_RC_DECODERS=y
+CONFIG_LIRC=m
+CONFIG_IR_LIRC_CODEC=m
+CONFIG_IR_NEC_DECODER=m
+CONFIG_IR_RC5_DECODER=m
+CONFIG_IR_RC6_DECODER=m
+CONFIG_IR_JVC_DECODER=m
+CONFIG_IR_SONY_DECODER=m
+CONFIG_IR_SANYO_DECODER=m
+CONFIG_IR_SHARP_DECODER=m
+CONFIG_IR_MCE_KBD_DECODER=m
+CONFIG_IR_XMP_DECODER=m
+CONFIG_RC_DEVICES=y
+CONFIG_RC_ATI_REMOTE=m
+CONFIG_IR_ENE=m
+# CONFIG_IR_HIX5HD2 is not set
+CONFIG_IR_IMON=m
+CONFIG_IR_MCEUSB=m
+CONFIG_IR_ITE_CIR=m
+CONFIG_IR_FINTEK=m
+CONFIG_IR_NUVOTON=m
+CONFIG_IR_REDRAT3=m
+CONFIG_IR_STREAMZAP=m
+CONFIG_IR_WINBOND_CIR=m
+CONFIG_IR_IGORPLUGUSB=m
+CONFIG_IR_IGUANA=m
+CONFIG_IR_TTUSBIR=m
+CONFIG_RC_LOOPBACK=m
+# CONFIG_IR_GPIO_CIR is not set
+CONFIG_MEDIA_USB_SUPPORT=y
+
+#
+# Webcam devices
+#
+CONFIG_USB_VIDEO_CLASS=m
+CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y
+CONFIG_USB_GSPCA=m
+CONFIG_USB_M5602=m
+CONFIG_USB_STV06XX=m
+CONFIG_USB_GL860=m
+CONFIG_USB_GSPCA_BENQ=m
+CONFIG_USB_GSPCA_CONEX=m
+CONFIG_USB_GSPCA_CPIA1=m
+CONFIG_USB_GSPCA_DTCS033=m
+CONFIG_USB_GSPCA_ETOMS=m
+CONFIG_USB_GSPCA_FINEPIX=m
+CONFIG_USB_GSPCA_JEILINJ=m
+CONFIG_USB_GSPCA_JL2005BCD=m
+CONFIG_USB_GSPCA_KINECT=m
+CONFIG_USB_GSPCA_KONICA=m
+CONFIG_USB_GSPCA_MARS=m
+CONFIG_USB_GSPCA_MR97310A=m
+CONFIG_USB_GSPCA_NW80X=m
+CONFIG_USB_GSPCA_OV519=m
+CONFIG_USB_GSPCA_OV534=m
+CONFIG_USB_GSPCA_OV534_9=m
+CONFIG_USB_GSPCA_PAC207=m
+CONFIG_USB_GSPCA_PAC7302=m
+CONFIG_USB_GSPCA_PAC7311=m
+CONFIG_USB_GSPCA_SE401=m
+CONFIG_USB_GSPCA_SN9C2028=m
+CONFIG_USB_GSPCA_SN9C20X=m
+CONFIG_USB_GSPCA_SONIXB=m
+CONFIG_USB_GSPCA_SONIXJ=m
+CONFIG_USB_GSPCA_SPCA500=m
+CONFIG_USB_GSPCA_SPCA501=m
+CONFIG_USB_GSPCA_SPCA505=m
+CONFIG_USB_GSPCA_SPCA506=m
+CONFIG_USB_GSPCA_SPCA508=m
+CONFIG_USB_GSPCA_SPCA561=m
+CONFIG_USB_GSPCA_SPCA1528=m
+CONFIG_USB_GSPCA_SQ905=m
+CONFIG_USB_GSPCA_SQ905C=m
+CONFIG_USB_GSPCA_SQ930X=m
+CONFIG_USB_GSPCA_STK014=m
+CONFIG_USB_GSPCA_STK1135=m
+CONFIG_USB_GSPCA_STV0680=m
+CONFIG_USB_GSPCA_SUNPLUS=m
+CONFIG_USB_GSPCA_T613=m
+CONFIG_USB_GSPCA_TOPRO=m
+CONFIG_USB_GSPCA_TOUPTEK=m
+CONFIG_USB_GSPCA_TV8532=m
+CONFIG_USB_GSPCA_VC032X=m
+CONFIG_USB_GSPCA_VICAM=m
+CONFIG_USB_GSPCA_XIRLINK_CIT=m
+CONFIG_USB_GSPCA_ZC3XX=m
+CONFIG_USB_PWC=m
+# CONFIG_USB_PWC_DEBUG is not set
+CONFIG_USB_PWC_INPUT_EVDEV=y
+CONFIG_VIDEO_CPIA2=m
+CONFIG_USB_ZR364XX=m
+CONFIG_USB_STKWEBCAM=m
+CONFIG_USB_S2255=m
+CONFIG_VIDEO_USBTV=m
+
+#
+# Analog TV USB devices
+#
+CONFIG_VIDEO_PVRUSB2=m
+CONFIG_VIDEO_PVRUSB2_SYSFS=y
+CONFIG_VIDEO_PVRUSB2_DVB=y
+# CONFIG_VIDEO_PVRUSB2_DEBUGIFC is not set
+CONFIG_VIDEO_HDPVR=m
+CONFIG_VIDEO_USBVISION=m
+CONFIG_VIDEO_STK1160_COMMON=m
+CONFIG_VIDEO_STK1160_AC97=y
+CONFIG_VIDEO_STK1160=m
+# CONFIG_VIDEO_GO7007 is not set
+
+#
+# Analog/digital TV USB devices
+#
+CONFIG_VIDEO_AU0828=m
+CONFIG_VIDEO_AU0828_V4L2=y
+CONFIG_VIDEO_AU0828_RC=y
+CONFIG_VIDEO_CX231XX=m
+CONFIG_VIDEO_CX231XX_RC=y
+CONFIG_VIDEO_CX231XX_ALSA=m
+CONFIG_VIDEO_CX231XX_DVB=m
+CONFIG_VIDEO_TM6000=m
+CONFIG_VIDEO_TM6000_ALSA=m
+CONFIG_VIDEO_TM6000_DVB=m
+
+#
+# Digital TV USB devices
+#
+CONFIG_DVB_USB=m
+# CONFIG_DVB_USB_DEBUG is not set
+CONFIG_DVB_USB_A800=m
+CONFIG_DVB_USB_DIBUSB_MB=m
+CONFIG_DVB_USB_DIBUSB_MB_FAULTY=y
+CONFIG_DVB_USB_DIBUSB_MC=m
+CONFIG_DVB_USB_DIB0700=m
+CONFIG_DVB_USB_UMT_010=m
+CONFIG_DVB_USB_CXUSB=m
+CONFIG_DVB_USB_M920X=m
+CONFIG_DVB_USB_DIGITV=m
+CONFIG_DVB_USB_VP7045=m
+CONFIG_DVB_USB_VP702X=m
+CONFIG_DVB_USB_GP8PSK=m
+CONFIG_DVB_USB_NOVA_T_USB2=m
+CONFIG_DVB_USB_TTUSB2=m
+CONFIG_DVB_USB_DTT200U=m
+CONFIG_DVB_USB_OPERA1=m
+CONFIG_DVB_USB_AF9005=m
+CONFIG_DVB_USB_AF9005_REMOTE=m
+CONFIG_DVB_USB_PCTV452E=m
+CONFIG_DVB_USB_DW2102=m
+CONFIG_DVB_USB_CINERGY_T2=m
+CONFIG_DVB_USB_DTV5100=m
+CONFIG_DVB_USB_FRIIO=m
+CONFIG_DVB_USB_AZ6027=m
+CONFIG_DVB_USB_TECHNISAT_USB2=m
+CONFIG_DVB_USB_V2=m
+CONFIG_DVB_USB_AF9015=m
+CONFIG_DVB_USB_AF9035=m
+CONFIG_DVB_USB_ANYSEE=m
+CONFIG_DVB_USB_AU6610=m
+CONFIG_DVB_USB_AZ6007=m
+CONFIG_DVB_USB_CE6230=m
+CONFIG_DVB_USB_EC168=m
+CONFIG_DVB_USB_GL861=m
+CONFIG_DVB_USB_LME2510=m
+CONFIG_DVB_USB_MXL111SF=m
+CONFIG_DVB_USB_RTL28XXU=m
+CONFIG_DVB_USB_DVBSKY=m
+CONFIG_DVB_TTUSB_BUDGET=m
+CONFIG_DVB_TTUSB_DEC=m
+CONFIG_SMS_USB_DRV=m
+CONFIG_DVB_B2C2_FLEXCOP_USB=m
+# CONFIG_DVB_B2C2_FLEXCOP_USB_DEBUG is not set
+CONFIG_DVB_AS102=m
+
+#
+# Webcam, TV (analog/digital) USB devices
+#
+CONFIG_VIDEO_EM28XX=m
+CONFIG_VIDEO_EM28XX_V4L2=m
+CONFIG_VIDEO_EM28XX_ALSA=m
+CONFIG_VIDEO_EM28XX_DVB=m
+CONFIG_VIDEO_EM28XX_RC=m
+
+#
+# Software defined radio USB devices
+#
+CONFIG_USB_AIRSPY=m
+CONFIG_USB_HACKRF=m
+CONFIG_USB_MSI2500=m
+CONFIG_MEDIA_PCI_SUPPORT=y
+
+#
+# Media capture support
+#
+CONFIG_VIDEO_MEYE=m
+CONFIG_VIDEO_SOLO6X10=m
+CONFIG_VIDEO_TW68=m
+CONFIG_VIDEO_ZORAN=m
+CONFIG_VIDEO_ZORAN_DC30=m
+CONFIG_VIDEO_ZORAN_ZR36060=m
+CONFIG_VIDEO_ZORAN_BUZ=m
+CONFIG_VIDEO_ZORAN_DC10=m
+CONFIG_VIDEO_ZORAN_LML33=m
+CONFIG_VIDEO_ZORAN_LML33R10=m
+CONFIG_VIDEO_ZORAN_AVS6EYES=m
+
+#
+# Media capture/analog TV support
+#
+CONFIG_VIDEO_IVTV=m
+CONFIG_VIDEO_IVTV_ALSA=m
+CONFIG_VIDEO_FB_IVTV=m
+CONFIG_VIDEO_HEXIUM_GEMINI=m
+CONFIG_VIDEO_HEXIUM_ORION=m
+CONFIG_VIDEO_MXB=m
+CONFIG_VIDEO_DT3155=m
+
+#
+# Media capture/analog/hybrid TV support
+#
+CONFIG_VIDEO_CX18=m
+CONFIG_VIDEO_CX18_ALSA=m
+CONFIG_VIDEO_CX23885=m
+CONFIG_MEDIA_ALTERA_CI=m
+# CONFIG_VIDEO_CX25821 is not set
+CONFIG_VIDEO_CX88=m
+CONFIG_VIDEO_CX88_ALSA=m
+CONFIG_VIDEO_CX88_BLACKBIRD=m
+CONFIG_VIDEO_CX88_DVB=m
+CONFIG_VIDEO_CX88_ENABLE_VP3054=y
+CONFIG_VIDEO_CX88_VP3054=m
+CONFIG_VIDEO_CX88_MPEG=m
+CONFIG_VIDEO_BT848=m
+CONFIG_DVB_BT8XX=m
+CONFIG_VIDEO_SAA7134=m
+CONFIG_VIDEO_SAA7134_ALSA=m
+CONFIG_VIDEO_SAA7134_RC=y
+CONFIG_VIDEO_SAA7134_DVB=m
+CONFIG_VIDEO_SAA7164=m
+
+#
+# Media digital TV PCI Adapters
+#
+CONFIG_DVB_AV7110_IR=y
+CONFIG_DVB_AV7110=m
+CONFIG_DVB_AV7110_OSD=y
+CONFIG_DVB_BUDGET_CORE=m
+CONFIG_DVB_BUDGET=m
+CONFIG_DVB_BUDGET_CI=m
+CONFIG_DVB_BUDGET_AV=m
+CONFIG_DVB_BUDGET_PATCH=m
+CONFIG_DVB_B2C2_FLEXCOP_PCI=m
+# CONFIG_DVB_B2C2_FLEXCOP_PCI_DEBUG is not set
+CONFIG_DVB_PLUTO2=m
+CONFIG_DVB_DM1105=m
+CONFIG_DVB_PT1=m
+CONFIG_DVB_PT3=m
+CONFIG_MANTIS_CORE=m
+CONFIG_DVB_MANTIS=m
+CONFIG_DVB_HOPPER=m
+CONFIG_DVB_NGENE=m
+CONFIG_DVB_DDBRIDGE=m
+CONFIG_DVB_SMIPCIE=m
+CONFIG_DVB_NETUP_UNIDVB=m
+CONFIG_V4L_PLATFORM_DRIVERS=y
+CONFIG_VIDEO_CAFE_CCIC=m
+CONFIG_VIDEO_VIA_CAMERA=m
+# CONFIG_SOC_CAMERA is not set
+CONFIG_V4L_MEM2MEM_DRIVERS=y
+# CONFIG_VIDEO_MEM2MEM_DEINTERLACE is not set
+# CONFIG_VIDEO_SH_VEU is not set
+CONFIG_V4L_TEST_DRIVERS=y
+CONFIG_VIDEO_VIVID=m
+CONFIG_VIDEO_VIVID_MAX_DEVS=64
+# CONFIG_VIDEO_VIM2M is not set
+# CONFIG_DVB_PLATFORM_DRIVERS is not set
+
+#
+# Supported MMC/SDIO adapters
+#
+CONFIG_SMS_SDIO_DRV=m
+CONFIG_RADIO_ADAPTERS=y
+CONFIG_RADIO_TEA575X=m
+CONFIG_RADIO_SI470X=y
+CONFIG_USB_SI470X=m
+# CONFIG_I2C_SI470X is not set
+# CONFIG_RADIO_SI4713 is not set
+CONFIG_USB_MR800=m
+CONFIG_USB_DSBR=m
+CONFIG_RADIO_MAXIRADIO=m
+CONFIG_RADIO_SHARK=m
+CONFIG_RADIO_SHARK2=m
+CONFIG_USB_KEENE=m
+CONFIG_USB_RAREMONO=m
+CONFIG_USB_MA901=m
+# CONFIG_RADIO_TEA5764 is not set
+# CONFIG_RADIO_SAA7706H is not set
+# CONFIG_RADIO_TEF6862 is not set
+# CONFIG_RADIO_WL1273 is not set
+
+#
+# Texas Instruments WL128x FM driver (ST based)
+#
+
+#
+# Supported FireWire (IEEE 1394) Adapters
+#
+CONFIG_DVB_FIREDTV=m
+CONFIG_DVB_FIREDTV_INPUT=y
+CONFIG_MEDIA_COMMON_OPTIONS=y
+
+#
+# common driver options
+#
+CONFIG_VIDEO_CX2341X=m
+CONFIG_VIDEO_TVEEPROM=m
+CONFIG_CYPRESS_FIRMWARE=m
+CONFIG_DVB_B2C2_FLEXCOP=m
+CONFIG_VIDEO_SAA7146=m
+CONFIG_VIDEO_SAA7146_VV=m
+CONFIG_SMS_SIANO_MDTV=m
+CONFIG_SMS_SIANO_RC=y
+
+#
+# Media ancillary drivers (tuners, sensors, i2c, frontends)
+#
+CONFIG_MEDIA_SUBDRV_AUTOSELECT=y
+CONFIG_MEDIA_ATTACH=y
+CONFIG_VIDEO_IR_I2C=m
+
+#
+# Audio decoders, processors and mixers
+#
+CONFIG_VIDEO_TVAUDIO=m
+CONFIG_VIDEO_TDA7432=m
+CONFIG_VIDEO_TDA9840=m
+CONFIG_VIDEO_TEA6415C=m
+CONFIG_VIDEO_TEA6420=m
+CONFIG_VIDEO_MSP3400=m
+CONFIG_VIDEO_CS5345=m
+CONFIG_VIDEO_CS53L32A=m
+CONFIG_VIDEO_WM8775=m
+CONFIG_VIDEO_WM8739=m
+CONFIG_VIDEO_VP27SMPX=m
+
+#
+# RDS decoders
+#
+CONFIG_VIDEO_SAA6588=m
+
+#
+# Video decoders
+#
+CONFIG_VIDEO_BT819=m
+CONFIG_VIDEO_BT856=m
+CONFIG_VIDEO_BT866=m
+CONFIG_VIDEO_KS0127=m
+CONFIG_VIDEO_SAA7110=m
+CONFIG_VIDEO_SAA711X=m
+CONFIG_VIDEO_TVP5150=m
+CONFIG_VIDEO_VPX3220=m
+
+#
+# Video and audio decoders
+#
+CONFIG_VIDEO_SAA717X=m
+CONFIG_VIDEO_CX25840=m
+
+#
+# Video encoders
+#
+CONFIG_VIDEO_SAA7127=m
+CONFIG_VIDEO_SAA7185=m
+CONFIG_VIDEO_ADV7170=m
+CONFIG_VIDEO_ADV7175=m
+
+#
+# Camera sensor devices
+#
+CONFIG_VIDEO_OV7670=m
+CONFIG_VIDEO_MT9V011=m
+
+#
+# Flash devices
+#
+
+#
+# Video improvement chips
+#
+CONFIG_VIDEO_UPD64031A=m
+CONFIG_VIDEO_UPD64083=m
+
+#
+# Audio/Video compression chips
+#
+CONFIG_VIDEO_SAA6752HS=m
+
+#
+# Miscellaneous helper chips
+#
+CONFIG_VIDEO_M52790=m
+
+#
+# Sensors used on soc_camera driver
+#
+CONFIG_MEDIA_TUNER=m
+CONFIG_MEDIA_TUNER_SIMPLE=m
+CONFIG_MEDIA_TUNER_TDA8290=m
+CONFIG_MEDIA_TUNER_TDA827X=m
+CONFIG_MEDIA_TUNER_TDA18271=m
+CONFIG_MEDIA_TUNER_TDA9887=m
+CONFIG_MEDIA_TUNER_TEA5761=m
+CONFIG_MEDIA_TUNER_TEA5767=m
+CONFIG_MEDIA_TUNER_MSI001=m
+CONFIG_MEDIA_TUNER_MT20XX=m
+CONFIG_MEDIA_TUNER_MT2060=m
+CONFIG_MEDIA_TUNER_MT2063=m
+CONFIG_MEDIA_TUNER_MT2266=m
+CONFIG_MEDIA_TUNER_MT2131=m
+CONFIG_MEDIA_TUNER_QT1010=m
+CONFIG_MEDIA_TUNER_XC2028=m
+CONFIG_MEDIA_TUNER_XC5000=m
+CONFIG_MEDIA_TUNER_XC4000=m
+CONFIG_MEDIA_TUNER_MXL5005S=m
+CONFIG_MEDIA_TUNER_MXL5007T=m
+CONFIG_MEDIA_TUNER_MC44S803=m
+CONFIG_MEDIA_TUNER_MAX2165=m
+CONFIG_MEDIA_TUNER_TDA18218=m
+CONFIG_MEDIA_TUNER_FC0011=m
+CONFIG_MEDIA_TUNER_FC0012=m
+CONFIG_MEDIA_TUNER_FC0013=m
+CONFIG_MEDIA_TUNER_TDA18212=m
+CONFIG_MEDIA_TUNER_E4000=m
+CONFIG_MEDIA_TUNER_FC2580=m
+CONFIG_MEDIA_TUNER_M88RS6000T=m
+CONFIG_MEDIA_TUNER_TUA9001=m
+CONFIG_MEDIA_TUNER_SI2157=m
+CONFIG_MEDIA_TUNER_IT913X=m
+CONFIG_MEDIA_TUNER_R820T=m
+CONFIG_MEDIA_TUNER_MXL301RF=m
+CONFIG_MEDIA_TUNER_QM1D1C0042=m
+
+#
+# Multistandard (satellite) frontends
+#
+CONFIG_DVB_STB0899=m
+CONFIG_DVB_STB6100=m
+CONFIG_DVB_STV090x=m
+CONFIG_DVB_STV6110x=m
+CONFIG_DVB_M88DS3103=m
+
+#
+# Multistandard (cable + terrestrial) frontends
+#
+CONFIG_DVB_DRXK=m
+CONFIG_DVB_TDA18271C2DD=m
+CONFIG_DVB_SI2165=m
+
+#
+# DVB-S (satellite) frontends
+#
+CONFIG_DVB_CX24110=m
+CONFIG_DVB_CX24123=m
+CONFIG_DVB_MT312=m
+CONFIG_DVB_ZL10036=m
+CONFIG_DVB_ZL10039=m
+CONFIG_DVB_S5H1420=m
+CONFIG_DVB_STV0288=m
+CONFIG_DVB_STB6000=m
+CONFIG_DVB_STV0299=m
+CONFIG_DVB_STV6110=m
+CONFIG_DVB_STV0900=m
+CONFIG_DVB_TDA8083=m
+CONFIG_DVB_TDA10086=m
+CONFIG_DVB_TDA8261=m
+CONFIG_DVB_VES1X93=m
+CONFIG_DVB_TUNER_ITD1000=m
+CONFIG_DVB_TUNER_CX24113=m
+CONFIG_DVB_TDA826X=m
+CONFIG_DVB_TUA6100=m
+CONFIG_DVB_CX24116=m
+CONFIG_DVB_CX24117=m
+CONFIG_DVB_CX24120=m
+CONFIG_DVB_SI21XX=m
+CONFIG_DVB_TS2020=m
+CONFIG_DVB_DS3000=m
+CONFIG_DVB_MB86A16=m
+CONFIG_DVB_TDA10071=m
+
+#
+# DVB-T (terrestrial) frontends
+#
+CONFIG_DVB_SP8870=m
+CONFIG_DVB_SP887X=m
+CONFIG_DVB_CX22700=m
+CONFIG_DVB_CX22702=m
+CONFIG_DVB_DRXD=m
+CONFIG_DVB_L64781=m
+CONFIG_DVB_TDA1004X=m
+CONFIG_DVB_NXT6000=m
+CONFIG_DVB_MT352=m
+CONFIG_DVB_ZL10353=m
+CONFIG_DVB_DIB3000MB=m
+CONFIG_DVB_DIB3000MC=m
+CONFIG_DVB_DIB7000M=m
+CONFIG_DVB_DIB7000P=m
+CONFIG_DVB_TDA10048=m
+CONFIG_DVB_AF9013=m
+CONFIG_DVB_EC100=m
+CONFIG_DVB_STV0367=m
+CONFIG_DVB_CXD2820R=m
+CONFIG_DVB_CXD2841ER=m
+CONFIG_DVB_RTL2830=m
+CONFIG_DVB_RTL2832=m
+CONFIG_DVB_RTL2832_SDR=m
+CONFIG_DVB_SI2168=m
+CONFIG_DVB_AS102_FE=m
+
+#
+# DVB-C (cable) frontends
+#
+CONFIG_DVB_VES1820=m
+CONFIG_DVB_TDA10021=m
+CONFIG_DVB_TDA10023=m
+CONFIG_DVB_STV0297=m
+
+#
+# ATSC (North American/Korean Terrestrial/Cable DTV) frontends
+#
+CONFIG_DVB_NXT200X=m
+CONFIG_DVB_OR51211=m
+CONFIG_DVB_OR51132=m
+CONFIG_DVB_BCM3510=m
+CONFIG_DVB_LGDT330X=m
+CONFIG_DVB_LGDT3305=m
+CONFIG_DVB_LGDT3306A=m
+CONFIG_DVB_LG2160=m
+CONFIG_DVB_S5H1409=m
+CONFIG_DVB_AU8522=m
+CONFIG_DVB_AU8522_DTV=m
+CONFIG_DVB_AU8522_V4L=m
+CONFIG_DVB_S5H1411=m
+
+#
+# ISDB-T (terrestrial) frontends
+#
+CONFIG_DVB_S921=m
+CONFIG_DVB_DIB8000=m
+CONFIG_DVB_MB86A20S=m
+
+#
+# ISDB-S (satellite) & ISDB-T (terrestrial) frontends
+#
+CONFIG_DVB_TC90522=m
+
+#
+# Digital terrestrial only tuners/PLL
+#
+CONFIG_DVB_PLL=m
+CONFIG_DVB_TUNER_DIB0070=m
+CONFIG_DVB_TUNER_DIB0090=m
+
+#
+# SEC control devices for DVB-S
+#
+CONFIG_DVB_DRX39XYJ=m
+CONFIG_DVB_LNBH25=m
+CONFIG_DVB_LNBP21=m
+CONFIG_DVB_LNBP22=m
+CONFIG_DVB_ISL6405=m
+CONFIG_DVB_ISL6421=m
+CONFIG_DVB_ISL6423=m
+CONFIG_DVB_A8293=m
+CONFIG_DVB_SP2=m
+CONFIG_DVB_LGS8GXX=m
+CONFIG_DVB_ATBM8830=m
+CONFIG_DVB_TDA665x=m
+CONFIG_DVB_IX2505V=m
+CONFIG_DVB_M88RS2000=m
+CONFIG_DVB_AF9033=m
+CONFIG_DVB_HORUS3A=m
+CONFIG_DVB_ASCOT2E=m
+
+#
+# Tools to develop new frontends
+#
+# CONFIG_DVB_DUMMY_FE is not set
+
+#
+# Graphics support
+#
+CONFIG_AGP=y
+CONFIG_AGP_AMD64=y
+CONFIG_AGP_INTEL=y
+CONFIG_AGP_SIS=y
+CONFIG_AGP_VIA=y
+CONFIG_INTEL_GTT=y
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+CONFIG_VGA_SWITCHEROO=y
+CONFIG_DRM=m
+CONFIG_DRM_MIPI_DSI=y
+CONFIG_DRM_KMS_HELPER=m
+CONFIG_DRM_KMS_FB_HELPER=y
+CONFIG_DRM_FBDEV_EMULATION=y
+CONFIG_DRM_LOAD_EDID_FIRMWARE=y
+CONFIG_DRM_TTM=m
+
+#
+# I2C encoder or helper chips
+#
+# CONFIG_DRM_I2C_ADV7511 is not set
+CONFIG_DRM_I2C_CH7006=m
+CONFIG_DRM_I2C_SIL164=m
+# CONFIG_DRM_I2C_NXP_TDA998X is not set
+CONFIG_DRM_TDFX=m
+CONFIG_DRM_R128=m
+CONFIG_DRM_RADEON=m
+# CONFIG_DRM_RADEON_USERPTR is not set
+# CONFIG_DRM_RADEON_UMS is not set
+CONFIG_DRM_AMDGPU=m
+# CONFIG_DRM_AMDGPU_CIK is not set
+CONFIG_DRM_AMDGPU_USERPTR=y
+CONFIG_DRM_NOUVEAU=m
+CONFIG_NOUVEAU_DEBUG=5
+CONFIG_NOUVEAU_DEBUG_DEFAULT=3
+CONFIG_DRM_NOUVEAU_BACKLIGHT=y
+# CONFIG_DRM_I810 is not set
+CONFIG_DRM_I915=m
+# CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT is not set
+CONFIG_DRM_MGA=m
+CONFIG_DRM_SIS=m
+CONFIG_DRM_VIA=m
+CONFIG_DRM_SAVAGE=m
+CONFIG_DRM_VGEM=m
+CONFIG_DRM_VMWGFX=m
+CONFIG_DRM_VMWGFX_FBCON=y
+CONFIG_DRM_GMA500=m
+CONFIG_DRM_GMA600=y
+CONFIG_DRM_GMA3600=y
+CONFIG_DRM_UDL=m
+CONFIG_DRM_AST=m
+CONFIG_DRM_MGAG200=m
+CONFIG_DRM_CIRRUS_QEMU=m
+CONFIG_DRM_QXL=m
+CONFIG_DRM_BOCHS=m
+CONFIG_DRM_VIRTIO_GPU=m
+CONFIG_DRM_PANEL=y
+
+#
+# Display Panels
+#
+CONFIG_DRM_BRIDGE=y
+
+#
+# Display Interface Bridges
+#
+CONFIG_HSA_AMD=m
+
+#
+# Frame buffer Devices
+#
+CONFIG_FB=y
+CONFIG_FIRMWARE_EDID=y
+CONFIG_FB_CMDLINE=y
+CONFIG_FB_DDC=m
+CONFIG_FB_BOOT_VESA_SUPPORT=y
+CONFIG_FB_CFB_FILLRECT=y
+CONFIG_FB_CFB_COPYAREA=y
+CONFIG_FB_CFB_IMAGEBLIT=y
+# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set
+CONFIG_FB_SYS_FILLRECT=m
+CONFIG_FB_SYS_COPYAREA=m
+CONFIG_FB_SYS_IMAGEBLIT=m
+# CONFIG_FB_FOREIGN_ENDIAN is not set
+CONFIG_FB_SYS_FOPS=m
+CONFIG_FB_DEFERRED_IO=y
+CONFIG_FB_HECUBA=m
+CONFIG_FB_SVGALIB=m
+# CONFIG_FB_MACMODES is not set
+CONFIG_FB_BACKLIGHT=y
+CONFIG_FB_MODE_HELPERS=y
+CONFIG_FB_TILEBLITTING=y
+
+#
+# Frame buffer hardware drivers
+#
+CONFIG_FB_CIRRUS=m
+CONFIG_FB_PM2=m
+CONFIG_FB_PM2_FIFO_DISCONNECT=y
+CONFIG_FB_CYBER2000=m
+CONFIG_FB_CYBER2000_DDC=y
+CONFIG_FB_ARC=m
+# CONFIG_FB_ASILIANT is not set
+# CONFIG_FB_IMSTT is not set
+CONFIG_FB_VGA16=m
+CONFIG_FB_UVESA=m
+CONFIG_FB_VESA=y
+CONFIG_FB_EFI=y
+CONFIG_FB_N411=m
+CONFIG_FB_HGA=m
+# CONFIG_FB_OPENCORES is not set
+# CONFIG_FB_S1D13XXX is not set
+# CONFIG_FB_I740 is not set
+CONFIG_FB_LE80578=m
+CONFIG_FB_CARILLO_RANCH=m
+# CONFIG_FB_INTEL is not set
+CONFIG_FB_MATROX=m
+CONFIG_FB_MATROX_MILLENIUM=y
+CONFIG_FB_MATROX_MYSTIQUE=y
+CONFIG_FB_MATROX_G=y
+CONFIG_FB_MATROX_I2C=m
+CONFIG_FB_MATROX_MAVEN=m
+CONFIG_FB_RADEON=m
+CONFIG_FB_RADEON_I2C=y
+CONFIG_FB_RADEON_BACKLIGHT=y
+# CONFIG_FB_RADEON_DEBUG is not set
+CONFIG_FB_ATY128=m
+CONFIG_FB_ATY128_BACKLIGHT=y
+CONFIG_FB_ATY=m
+CONFIG_FB_ATY_CT=y
+# CONFIG_FB_ATY_GENERIC_LCD is not set
+CONFIG_FB_ATY_GX=y
+CONFIG_FB_ATY_BACKLIGHT=y
+CONFIG_FB_S3=m
+CONFIG_FB_S3_DDC=y
+CONFIG_FB_SAVAGE=m
+# CONFIG_FB_SAVAGE_I2C is not set
+# CONFIG_FB_SAVAGE_ACCEL is not set
+CONFIG_FB_SIS=m
+CONFIG_FB_SIS_300=y
+CONFIG_FB_SIS_315=y
+CONFIG_FB_VIA=m
+# CONFIG_FB_VIA_DIRECT_PROCFS is not set
+CONFIG_FB_VIA_X_COMPATIBILITY=y
+CONFIG_FB_NEOMAGIC=m
+CONFIG_FB_KYRO=m
+CONFIG_FB_3DFX=m
+# CONFIG_FB_3DFX_ACCEL is not set
+CONFIG_FB_3DFX_I2C=y
+CONFIG_FB_VOODOO1=m
+CONFIG_FB_VT8623=m
+CONFIG_FB_TRIDENT=m
+CONFIG_FB_ARK=m
+CONFIG_FB_PM3=m
+# CONFIG_FB_CARMINE is not set
+CONFIG_FB_SMSCUFX=m
+CONFIG_FB_UDL=m
+# CONFIG_FB_IBM_GXT4500 is not set
+CONFIG_FB_VIRTUAL=m
+# CONFIG_FB_METRONOME is not set
+CONFIG_FB_MB862XX=m
+CONFIG_FB_MB862XX_PCI_GDC=y
+CONFIG_FB_MB862XX_I2C=y
+# CONFIG_FB_BROADSHEET is not set
+# CONFIG_FB_AUO_K190X is not set
+CONFIG_FB_HYPERV=m
+CONFIG_FB_SIMPLE=y
+# CONFIG_FB_SM712 is not set
+CONFIG_BACKLIGHT_LCD_SUPPORT=y
+# CONFIG_LCD_CLASS_DEVICE is not set
+CONFIG_BACKLIGHT_CLASS_DEVICE=y
+# CONFIG_BACKLIGHT_GENERIC is not set
+CONFIG_BACKLIGHT_APPLE=m
+# CONFIG_BACKLIGHT_PM8941_WLED is not set
+# CONFIG_BACKLIGHT_SAHARA is not set
+# CONFIG_BACKLIGHT_ADP8860 is not set
+# CONFIG_BACKLIGHT_ADP8870 is not set
+# CONFIG_BACKLIGHT_LM3639 is not set
+# CONFIG_BACKLIGHT_GPIO is not set
+# CONFIG_BACKLIGHT_LV5207LP is not set
+# CONFIG_BACKLIGHT_BD6107 is not set
+CONFIG_VGASTATE=m
+CONFIG_HDMI=y
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_FRAMEBUFFER_CONSOLE=y
+CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
+CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
+# CONFIG_LOGO is not set
+CONFIG_SOUND=m
+CONFIG_SOUND_OSS_CORE=y
+# CONFIG_SOUND_OSS_CORE_PRECLAIM is not set
+CONFIG_SND=m
+CONFIG_SND_TIMER=m
+CONFIG_SND_PCM=m
+CONFIG_SND_HWDEP=m
+CONFIG_SND_RAWMIDI=m
+CONFIG_SND_JACK=y
+CONFIG_SND_SEQUENCER=m
+CONFIG_SND_SEQ_DUMMY=m
+CONFIG_SND_OSSEMUL=y
+CONFIG_SND_MIXER_OSS=m
+CONFIG_SND_PCM_OSS=m
+CONFIG_SND_PCM_OSS_PLUGINS=y
+CONFIG_SND_PCM_TIMER=y
+# CONFIG_SND_SEQUENCER_OSS is not set
+CONFIG_SND_HRTIMER=m
+CONFIG_SND_SEQ_HRTIMER_DEFAULT=y
+CONFIG_SND_DYNAMIC_MINORS=y
+CONFIG_SND_MAX_CARDS=32
+CONFIG_SND_SUPPORT_OLD_API=y
+CONFIG_SND_PROC_FS=y
+CONFIG_SND_VERBOSE_PROCFS=y
+# CONFIG_SND_VERBOSE_PRINTK is not set
+# CONFIG_SND_DEBUG is not set
+CONFIG_SND_VMASTER=y
+CONFIG_SND_DMA_SGBUF=y
+CONFIG_SND_RAWMIDI_SEQ=m
+CONFIG_SND_OPL3_LIB_SEQ=m
+# CONFIG_SND_OPL4_LIB_SEQ is not set
+# CONFIG_SND_SBAWE_SEQ is not set
+# CONFIG_SND_EMU10K1_SEQ is not set
+CONFIG_SND_MPU401_UART=m
+CONFIG_SND_OPL3_LIB=m
+CONFIG_SND_VX_LIB=m
+CONFIG_SND_AC97_CODEC=m
+CONFIG_SND_DRIVERS=y
+CONFIG_SND_PCSP=m
+CONFIG_SND_DUMMY=m
+CONFIG_SND_ALOOP=m
+CONFIG_SND_VIRMIDI=m
+CONFIG_SND_MTPAV=m
+CONFIG_SND_MTS64=m
+CONFIG_SND_SERIAL_U16550=m
+CONFIG_SND_MPU401=m
+CONFIG_SND_PORTMAN2X4=m
+CONFIG_SND_AC97_POWER_SAVE=y
+CONFIG_SND_AC97_POWER_SAVE_DEFAULT=0
+CONFIG_SND_SB_COMMON=m
+CONFIG_SND_PCI=y
+CONFIG_SND_AD1889=m
+CONFIG_SND_ALS4000=m
+CONFIG_SND_ASIHPI=m
+CONFIG_SND_ATIIXP=m
+CONFIG_SND_ATIIXP_MODEM=m
+CONFIG_SND_AU8810=m
+CONFIG_SND_AU8820=m
+CONFIG_SND_AU8830=m
+# CONFIG_SND_AW2 is not set
+CONFIG_SND_BT87X=m
+# CONFIG_SND_BT87X_OVERCLOCK is not set
+CONFIG_SND_CA0106=m
+CONFIG_SND_CMIPCI=m
+CONFIG_SND_OXYGEN_LIB=m
+CONFIG_SND_OXYGEN=m
+CONFIG_SND_CS4281=m
+CONFIG_SND_CS46XX=m
+CONFIG_SND_CS46XX_NEW_DSP=y
+CONFIG_SND_CTXFI=m
+CONFIG_SND_DARLA20=m
+CONFIG_SND_GINA20=m
+CONFIG_SND_LAYLA20=m
+CONFIG_SND_DARLA24=m
+CONFIG_SND_GINA24=m
+CONFIG_SND_LAYLA24=m
+CONFIG_SND_MONA=m
+CONFIG_SND_MIA=m
+CONFIG_SND_ECHO3G=m
+CONFIG_SND_INDIGO=m
+CONFIG_SND_INDIGOIO=m
+CONFIG_SND_INDIGODJ=m
+CONFIG_SND_INDIGOIOX=m
+CONFIG_SND_INDIGODJX=m
+CONFIG_SND_ENS1370=m
+CONFIG_SND_ENS1371=m
+CONFIG_SND_FM801=m
+CONFIG_SND_FM801_TEA575X_BOOL=y
+CONFIG_SND_HDSP=m
+CONFIG_SND_HDSPM=m
+CONFIG_SND_ICE1724=m
+CONFIG_SND_INTEL8X0=m
+CONFIG_SND_INTEL8X0M=m
+CONFIG_SND_KORG1212=m
+CONFIG_SND_LOLA=m
+CONFIG_SND_LX6464ES=m
+CONFIG_SND_MIXART=m
+CONFIG_SND_NM256=m
+CONFIG_SND_PCXHR=m
+CONFIG_SND_RIPTIDE=m
+CONFIG_SND_RME32=m
+CONFIG_SND_RME96=m
+CONFIG_SND_RME9652=m
+CONFIG_SND_VIA82XX=m
+CONFIG_SND_VIA82XX_MODEM=m
+CONFIG_SND_VIRTUOSO=m
+CONFIG_SND_VX222=m
+CONFIG_SND_YMFPCI=m
+
+#
+# HD-Audio
+#
+CONFIG_SND_HDA=m
+CONFIG_SND_HDA_INTEL=m
+CONFIG_SND_HDA_HWDEP=y
+CONFIG_SND_HDA_RECONFIG=y
+CONFIG_SND_HDA_INPUT_BEEP=y
+CONFIG_SND_HDA_INPUT_BEEP_MODE=1
+CONFIG_SND_HDA_PATCH_LOADER=y
+CONFIG_SND_HDA_CODEC_REALTEK=m
+CONFIG_SND_HDA_CODEC_ANALOG=m
+CONFIG_SND_HDA_CODEC_SIGMATEL=m
+CONFIG_SND_HDA_CODEC_VIA=m
+CONFIG_SND_HDA_CODEC_HDMI=m
+CONFIG_SND_HDA_CODEC_CIRRUS=m
+CONFIG_SND_HDA_CODEC_CONEXANT=m
+CONFIG_SND_HDA_CODEC_CA0110=m
+CONFIG_SND_HDA_CODEC_CA0132=m
+CONFIG_SND_HDA_CODEC_CA0132_DSP=y
+CONFIG_SND_HDA_CODEC_CMEDIA=m
+CONFIG_SND_HDA_CODEC_SI3054=m
+CONFIG_SND_HDA_GENERIC=m
+CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
+CONFIG_SND_HDA_CORE=m
+CONFIG_SND_HDA_DSP_LOADER=y
+CONFIG_SND_HDA_I915=y
+CONFIG_SND_HDA_PREALLOC_SIZE=64
+CONFIG_SND_SPI=y
+CONFIG_SND_USB=y
+CONFIG_SND_USB_AUDIO=m
+CONFIG_SND_USB_UA101=m
+CONFIG_SND_USB_USX2Y=m
+CONFIG_SND_USB_CAIAQ=m
+CONFIG_SND_USB_CAIAQ_INPUT=y
+CONFIG_SND_USB_US122L=m
+CONFIG_SND_USB_6FIRE=m
+CONFIG_SND_USB_HIFACE=m
+CONFIG_SND_BCD2000=m
+CONFIG_SND_USB_LINE6=m
+CONFIG_SND_USB_POD=m
+CONFIG_SND_USB_PODHD=m
+CONFIG_SND_USB_TONEPORT=m
+CONFIG_SND_USB_VARIAX=m
+CONFIG_SND_FIREWIRE=y
+CONFIG_SND_FIREWIRE_LIB=m
+CONFIG_SND_DICE=m
+CONFIG_SND_OXFW=m
+CONFIG_SND_ISIGHT=m
+CONFIG_SND_SCS1X=m
+CONFIG_SND_FIREWORKS=m
+CONFIG_SND_BEBOB=m
+CONFIG_SND_FIREWIRE_DIGI00X=m
+CONFIG_SND_FIREWIRE_TASCAM=m
+CONFIG_SND_PCMCIA=y
+CONFIG_SND_VXPOCKET=m
+CONFIG_SND_PDAUDIOCF=m
+CONFIG_SND_SOC=m
+# CONFIG_SND_ATMEL_SOC is not set
+# CONFIG_SND_DESIGNWARE_I2S is not set
+
+#
+# SoC Audio for Freescale CPUs
+#
+
+#
+# Common SoC Audio options for Freescale CPUs:
+#
+# CONFIG_SND_SOC_FSL_ASRC is not set
+# CONFIG_SND_SOC_FSL_SAI is not set
+# CONFIG_SND_SOC_FSL_SSI is not set
+# CONFIG_SND_SOC_FSL_SPDIF is not set
+# CONFIG_SND_SOC_FSL_ESAI is not set
+# CONFIG_SND_SOC_IMX_AUDMUX is not set
+CONFIG_SND_SOC_INTEL_SST=m
+CONFIG_SND_SOC_INTEL_SST_ACPI=m
+CONFIG_SND_SOC_INTEL_HASWELL=m
+CONFIG_SND_SOC_INTEL_BAYTRAIL=m
+CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
+CONFIG_SND_SOC_INTEL_BYT_RT5640_MACH=m
+CONFIG_SND_SOC_INTEL_BYT_MAX98090_MACH=m
+CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
+# CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH is not set
+# CONFIG_SND_SOC_INTEL_CHT_BSW_RT5672_MACH is not set
+# CONFIG_SND_SOC_INTEL_CHT_BSW_RT5645_MACH is not set
+# CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH is not set
+# CONFIG_SND_SOC_INTEL_SKL_RT286_MACH is not set
+
+#
+# Allwinner SoC Audio support
+#
+# CONFIG_SND_SUN4I_CODEC is not set
+# CONFIG_SND_SOC_XTFPGA_I2S is not set
+CONFIG_SND_SOC_I2C_AND_SPI=m
+
+#
+# CODEC drivers
+#
+# CONFIG_SND_SOC_AC97_CODEC is not set
+# CONFIG_SND_SOC_ADAU1701 is not set
+# CONFIG_SND_SOC_AK4104 is not set
+# CONFIG_SND_SOC_AK4554 is not set
+# CONFIG_SND_SOC_AK4613 is not set
+# CONFIG_SND_SOC_AK4642 is not set
+# CONFIG_SND_SOC_AK5386 is not set
+# CONFIG_SND_SOC_ALC5623 is not set
+# CONFIG_SND_SOC_CS35L32 is not set
+# CONFIG_SND_SOC_CS42L51_I2C is not set
+# CONFIG_SND_SOC_CS42L52 is not set
+# CONFIG_SND_SOC_CS42L56 is not set
+# CONFIG_SND_SOC_CS42L73 is not set
+# CONFIG_SND_SOC_CS4265 is not set
+# CONFIG_SND_SOC_CS4270 is not set
+# CONFIG_SND_SOC_CS4271_I2C is not set
+# CONFIG_SND_SOC_CS4271_SPI is not set
+# CONFIG_SND_SOC_CS42XX8_I2C is not set
+# CONFIG_SND_SOC_CS4349 is not set
+# CONFIG_SND_SOC_ES8328 is not set
+# CONFIG_SND_SOC_GTM601 is not set
+CONFIG_SND_SOC_MAX98090=m
+# CONFIG_SND_SOC_PCM1681 is not set
+# CONFIG_SND_SOC_PCM1792A is not set
+# CONFIG_SND_SOC_PCM512x_I2C is not set
+# CONFIG_SND_SOC_PCM512x_SPI is not set
+CONFIG_SND_SOC_RL6231=m
+CONFIG_SND_SOC_RL6347A=m
+CONFIG_SND_SOC_RT286=m
+# CONFIG_SND_SOC_RT5631 is not set
+CONFIG_SND_SOC_RT5640=m
+# CONFIG_SND_SOC_RT5677_SPI is not set
+# CONFIG_SND_SOC_SGTL5000 is not set
+# CONFIG_SND_SOC_SIRF_AUDIO_CODEC is not set
+# CONFIG_SND_SOC_SPDIF is not set
+# CONFIG_SND_SOC_SSM2602_SPI is not set
+# CONFIG_SND_SOC_SSM2602_I2C is not set
+# CONFIG_SND_SOC_SSM4567 is not set
+# CONFIG_SND_SOC_STA32X is not set
+# CONFIG_SND_SOC_STA350 is not set
+# CONFIG_SND_SOC_STI_SAS is not set
+# CONFIG_SND_SOC_TAS2552 is not set
+# CONFIG_SND_SOC_TAS5086 is not set
+# CONFIG_SND_SOC_TAS571X is not set
+# CONFIG_SND_SOC_TFA9879 is not set
+# CONFIG_SND_SOC_TLV320AIC23_I2C is not set
+# CONFIG_SND_SOC_TLV320AIC23_SPI is not set
+# CONFIG_SND_SOC_TLV320AIC31XX is not set
+# CONFIG_SND_SOC_TLV320AIC3X is not set
+# CONFIG_SND_SOC_TS3A227E is not set
+# CONFIG_SND_SOC_WM8510 is not set
+# CONFIG_SND_SOC_WM8523 is not set
+# CONFIG_SND_SOC_WM8580 is not set
+# CONFIG_SND_SOC_WM8711 is not set
+# CONFIG_SND_SOC_WM8728 is not set
+# CONFIG_SND_SOC_WM8731 is not set
+# CONFIG_SND_SOC_WM8737 is not set
+# CONFIG_SND_SOC_WM8741 is not set
+# CONFIG_SND_SOC_WM8750 is not set
+# CONFIG_SND_SOC_WM8753 is not set
+# CONFIG_SND_SOC_WM8770 is not set
+# CONFIG_SND_SOC_WM8776 is not set
+# CONFIG_SND_SOC_WM8804_I2C is not set
+# CONFIG_SND_SOC_WM8804_SPI is not set
+# CONFIG_SND_SOC_WM8903 is not set
+# CONFIG_SND_SOC_WM8962 is not set
+# CONFIG_SND_SOC_WM8978 is not set
+# CONFIG_SND_SOC_TPA6130A2 is not set
+# CONFIG_SND_SIMPLE_CARD is not set
+# CONFIG_SOUND_PRIME is not set
+CONFIG_AC97_BUS=m
+
+#
+# HID support
+#
+CONFIG_HID=m
+CONFIG_HID_BATTERY_STRENGTH=y
+CONFIG_HIDRAW=y
+CONFIG_UHID=m
+CONFIG_HID_GENERIC=m
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=m
+CONFIG_HID_ACRUX=m
+CONFIG_HID_ACRUX_FF=y
+CONFIG_HID_APPLE=m
+CONFIG_HID_APPLEIR=m
+CONFIG_HID_AUREAL=m
+CONFIG_HID_BELKIN=m
+CONFIG_HID_BETOP_FF=m
+CONFIG_HID_CHERRY=m
+CONFIG_HID_CHICONY=m
+CONFIG_HID_CORSAIR=m
+CONFIG_HID_PRODIKEYS=m
+CONFIG_HID_CP2112=m
+CONFIG_HID_CYPRESS=m
+CONFIG_HID_DRAGONRISE=m
+CONFIG_DRAGONRISE_FF=y
+CONFIG_HID_EMS_FF=m
+CONFIG_HID_ELECOM=m
+CONFIG_HID_ELO=m
+CONFIG_HID_EZKEY=m
+CONFIG_HID_GEMBIRD=m
+# CONFIG_HID_GFRM is not set
+CONFIG_HID_HOLTEK=m
+CONFIG_HOLTEK_FF=y
+# CONFIG_HID_GT683R is not set
+CONFIG_HID_KEYTOUCH=m
+CONFIG_HID_KYE=m
+CONFIG_HID_UCLOGIC=m
+CONFIG_HID_WALTOP=m
+CONFIG_HID_GYRATION=m
+CONFIG_HID_ICADE=m
+CONFIG_HID_TWINHAN=m
+CONFIG_HID_KENSINGTON=m
+CONFIG_HID_LCPOWER=m
+CONFIG_HID_LENOVO=m
+CONFIG_HID_LOGITECH=m
+CONFIG_HID_LOGITECH_DJ=m
+CONFIG_HID_LOGITECH_HIDPP=m
+CONFIG_LOGITECH_FF=y
+CONFIG_LOGIRUMBLEPAD2_FF=y
+CONFIG_LOGIG940_FF=y
+CONFIG_LOGIWHEELS_FF=y
+CONFIG_HID_MAGICMOUSE=m
+CONFIG_HID_MICROSOFT=m
+CONFIG_HID_MONTEREY=m
+CONFIG_HID_MULTITOUCH=m
+CONFIG_HID_NTRIG=m
+CONFIG_HID_ORTEK=m
+CONFIG_HID_PANTHERLORD=m
+CONFIG_PANTHERLORD_FF=y
+CONFIG_HID_PENMOUNT=m
+CONFIG_HID_PETALYNX=m
+CONFIG_HID_PICOLCD=m
+CONFIG_HID_PICOLCD_FB=y
+CONFIG_HID_PICOLCD_BACKLIGHT=y
+CONFIG_HID_PICOLCD_LEDS=y
+CONFIG_HID_PICOLCD_CIR=y
+CONFIG_HID_PLANTRONICS=m
+CONFIG_HID_PRIMAX=m
+CONFIG_HID_ROCCAT=m
+CONFIG_HID_SAITEK=m
+CONFIG_HID_SAMSUNG=m
+CONFIG_HID_SONY=m
+CONFIG_SONY_FF=y
+CONFIG_HID_SPEEDLINK=m
+CONFIG_HID_STEELSERIES=m
+CONFIG_HID_SUNPLUS=m
+CONFIG_HID_RMI=m
+CONFIG_HID_GREENASIA=m
+CONFIG_GREENASIA_FF=y
+CONFIG_HID_HYPERV_MOUSE=m
+CONFIG_HID_SMARTJOYPLUS=m
+CONFIG_SMARTJOYPLUS_FF=y
+CONFIG_HID_TIVO=m
+CONFIG_HID_TOPSEED=m
+CONFIG_HID_THINGM=m
+CONFIG_HID_THRUSTMASTER=m
+CONFIG_THRUSTMASTER_FF=y
+CONFIG_HID_WACOM=m
+CONFIG_HID_WIIMOTE=m
+CONFIG_HID_XINMO=m
+CONFIG_HID_ZEROPLUS=m
+CONFIG_ZEROPLUS_FF=y
+CONFIG_HID_ZYDACRON=m
+CONFIG_HID_SENSOR_HUB=m
+# CONFIG_HID_SENSOR_CUSTOM_SENSOR is not set
+
+#
+# USB HID support
+#
+CONFIG_USB_HID=m
+CONFIG_HID_PID=y
+CONFIG_USB_HIDDEV=y
+
+#
+# USB HID Boot Protocol drivers
+#
+# CONFIG_USB_KBD is not set
+# CONFIG_USB_MOUSE is not set
+
+#
+# I2C HID support
+#
+CONFIG_I2C_HID=m
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_COMMON=m
+CONFIG_USB_ARCH_HAS_HCD=y
+CONFIG_USB=m
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+
+#
+# Miscellaneous USB options
+#
+CONFIG_USB_DEFAULT_PERSIST=y
+CONFIG_USB_DYNAMIC_MINORS=y
+# CONFIG_USB_OTG is not set
+# CONFIG_USB_OTG_WHITELIST is not set
+# CONFIG_USB_OTG_BLACKLIST_HUB is not set
+# CONFIG_USB_ULPI_BUS is not set
+CONFIG_USB_MON=m
+CONFIG_USB_WUSB=m
+CONFIG_USB_WUSB_CBAF=m
+# CONFIG_USB_WUSB_CBAF_DEBUG is not set
+
+#
+# USB Host Controller Drivers
+#
+# CONFIG_USB_C67X00_HCD is not set
+CONFIG_USB_XHCI_HCD=m
+CONFIG_USB_XHCI_PCI=m
+# CONFIG_USB_XHCI_PLATFORM is not set
+CONFIG_USB_EHCI_HCD=m
+CONFIG_USB_EHCI_ROOT_HUB_TT=y
+CONFIG_USB_EHCI_TT_NEWSCHED=y
+CONFIG_USB_EHCI_PCI=m
+# CONFIG_USB_EHCI_HCD_PLATFORM is not set
+# CONFIG_USB_OXU210HP_HCD is not set
+# CONFIG_USB_ISP116X_HCD is not set
+# CONFIG_USB_ISP1362_HCD is not set
+# CONFIG_USB_FOTG210_HCD is not set
+# CONFIG_USB_MAX3421_HCD is not set
+CONFIG_USB_OHCI_HCD=m
+CONFIG_USB_OHCI_HCD_PCI=m
+# CONFIG_USB_OHCI_HCD_SSB is not set
+# CONFIG_USB_OHCI_HCD_PLATFORM is not set
+CONFIG_USB_UHCI_HCD=m
+CONFIG_USB_U132_HCD=m
+CONFIG_USB_SL811_HCD=m
+# CONFIG_USB_SL811_HCD_ISO is not set
+CONFIG_USB_SL811_CS=m
+# CONFIG_USB_R8A66597_HCD is not set
+CONFIG_USB_WHCI_HCD=m
+CONFIG_USB_HWA_HCD=m
+# CONFIG_USB_HCD_BCMA is not set
+# CONFIG_USB_HCD_SSB is not set
+# CONFIG_USB_HCD_TEST_MODE is not set
+
+#
+# USB Device Class drivers
+#
+CONFIG_USB_ACM=m
+CONFIG_USB_PRINTER=m
+CONFIG_USB_WDM=m
+CONFIG_USB_TMC=m
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+
+#
+# also be needed; see USB_STORAGE Help for more info
+#
+CONFIG_USB_STORAGE=m
+# CONFIG_USB_STORAGE_DEBUG is not set
+CONFIG_USB_STORAGE_REALTEK=m
+CONFIG_REALTEK_AUTOPM=y
+CONFIG_USB_STORAGE_DATAFAB=m
+CONFIG_USB_STORAGE_FREECOM=m
+CONFIG_USB_STORAGE_ISD200=m
+CONFIG_USB_STORAGE_USBAT=m
+CONFIG_USB_STORAGE_SDDR09=m
+CONFIG_USB_STORAGE_SDDR55=m
+CONFIG_USB_STORAGE_JUMPSHOT=m
+CONFIG_USB_STORAGE_ALAUDA=m
+CONFIG_USB_STORAGE_ONETOUCH=m
+CONFIG_USB_STORAGE_KARMA=m
+CONFIG_USB_STORAGE_CYPRESS_ATACB=m
+CONFIG_USB_STORAGE_ENE_UB6250=m
+CONFIG_USB_UAS=m
+
+#
+# USB Imaging devices
+#
+CONFIG_USB_MDC800=m
+CONFIG_USB_MICROTEK=m
+CONFIG_USBIP_CORE=m
+CONFIG_USBIP_VHCI_HCD=m
+CONFIG_USBIP_HOST=m
+# CONFIG_USBIP_DEBUG is not set
+# CONFIG_USB_MUSB_HDRC is not set
+# CONFIG_USB_DWC3 is not set
+# CONFIG_USB_DWC2 is not set
+# CONFIG_USB_CHIPIDEA is not set
+# CONFIG_USB_ISP1760 is not set
+
+#
+# USB port drivers
+#
+CONFIG_USB_USS720=m
+CONFIG_USB_SERIAL=m
+CONFIG_USB_SERIAL_GENERIC=y
+CONFIG_USB_SERIAL_SIMPLE=m
+CONFIG_USB_SERIAL_AIRCABLE=m
+CONFIG_USB_SERIAL_ARK3116=m
+CONFIG_USB_SERIAL_BELKIN=m
+CONFIG_USB_SERIAL_CH341=m
+CONFIG_USB_SERIAL_WHITEHEAT=m
+CONFIG_USB_SERIAL_DIGI_ACCELEPORT=m
+CONFIG_USB_SERIAL_CP210X=m
+CONFIG_USB_SERIAL_CYPRESS_M8=m
+CONFIG_USB_SERIAL_EMPEG=m
+CONFIG_USB_SERIAL_FTDI_SIO=m
+CONFIG_USB_SERIAL_VISOR=m
+CONFIG_USB_SERIAL_IPAQ=m
+CONFIG_USB_SERIAL_IR=m
+CONFIG_USB_SERIAL_EDGEPORT=m
+CONFIG_USB_SERIAL_EDGEPORT_TI=m
+CONFIG_USB_SERIAL_F81232=m
+CONFIG_USB_SERIAL_GARMIN=m
+CONFIG_USB_SERIAL_IPW=m
+CONFIG_USB_SERIAL_IUU=m
+CONFIG_USB_SERIAL_KEYSPAN_PDA=m
+CONFIG_USB_SERIAL_KEYSPAN=m
+CONFIG_USB_SERIAL_KLSI=m
+CONFIG_USB_SERIAL_KOBIL_SCT=m
+CONFIG_USB_SERIAL_MCT_U232=m
+CONFIG_USB_SERIAL_METRO=m
+CONFIG_USB_SERIAL_MOS7720=m
+CONFIG_USB_SERIAL_MOS7715_PARPORT=y
+CONFIG_USB_SERIAL_MOS7840=m
+CONFIG_USB_SERIAL_MXUPORT=m
+CONFIG_USB_SERIAL_NAVMAN=m
+CONFIG_USB_SERIAL_PL2303=m
+CONFIG_USB_SERIAL_OTI6858=m
+CONFIG_USB_SERIAL_QCAUX=m
+CONFIG_USB_SERIAL_QUALCOMM=m
+CONFIG_USB_SERIAL_SPCP8X5=m
+CONFIG_USB_SERIAL_SAFE=m
+# CONFIG_USB_SERIAL_SAFE_PADDED is not set
+CONFIG_USB_SERIAL_SIERRAWIRELESS=m
+CONFIG_USB_SERIAL_SYMBOL=m
+CONFIG_USB_SERIAL_TI=m
+CONFIG_USB_SERIAL_CYBERJACK=m
+CONFIG_USB_SERIAL_XIRCOM=m
+CONFIG_USB_SERIAL_WWAN=m
+CONFIG_USB_SERIAL_OPTION=m
+CONFIG_USB_SERIAL_OMNINET=m
+CONFIG_USB_SERIAL_OPTICON=m
+CONFIG_USB_SERIAL_XSENS_MT=m
+CONFIG_USB_SERIAL_WISHBONE=m
+CONFIG_USB_SERIAL_SSU100=m
+CONFIG_USB_SERIAL_QT2=m
+CONFIG_USB_SERIAL_DEBUG=m
+
+#
+# USB Miscellaneous drivers
+#
+CONFIG_USB_EMI62=m
+CONFIG_USB_EMI26=m
+CONFIG_USB_ADUTUX=m
+CONFIG_USB_SEVSEG=m
+CONFIG_USB_RIO500=m
+CONFIG_USB_LEGOTOWER=m
+CONFIG_USB_LCD=m
+CONFIG_USB_LED=m
+CONFIG_USB_CYPRESS_CY7C63=m
+CONFIG_USB_CYTHERM=m
+CONFIG_USB_IDMOUSE=m
+CONFIG_USB_FTDI_ELAN=m
+CONFIG_USB_APPLEDISPLAY=m
+CONFIG_USB_SISUSBVGA=m
+CONFIG_USB_SISUSBVGA_CON=y
+CONFIG_USB_LD=m
+CONFIG_USB_TRANCEVIBRATOR=m
+CONFIG_USB_IOWARRIOR=m
+CONFIG_USB_TEST=m
+CONFIG_USB_EHSET_TEST_FIXTURE=m
+CONFIG_USB_ISIGHTFW=m
+CONFIG_USB_YUREX=m
+CONFIG_USB_EZUSB_FX2=m
+# CONFIG_USB_HSIC_USB3503 is not set
+# CONFIG_USB_LINK_LAYER_TEST is not set
+CONFIG_USB_CHAOSKEY=m
+CONFIG_USB_ATM=m
+CONFIG_USB_SPEEDTOUCH=m
+CONFIG_USB_CXACRU=m
+CONFIG_USB_UEAGLEATM=m
+CONFIG_USB_XUSBATM=m
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GPIO_VBUS is not set
+# CONFIG_USB_ISP1301 is not set
+CONFIG_USB_GADGET=m
+# CONFIG_USB_GADGET_DEBUG is not set
+# CONFIG_USB_GADGET_DEBUG_FILES is not set
+CONFIG_USB_GADGET_VBUS_DRAW=2
+CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2
+
+#
+# USB Peripheral Controller
+#
+# CONFIG_USB_FOTG210_UDC is not set
+# CONFIG_USB_GR_UDC is not set
+# CONFIG_USB_R8A66597 is not set
+# CONFIG_USB_PXA27X is not set
+# CONFIG_USB_MV_UDC is not set
+# CONFIG_USB_MV_U3D is not set
+# CONFIG_USB_M66592 is not set
+# CONFIG_USB_BDC_UDC is not set
+# CONFIG_USB_AMD5536UDC is not set
+# CONFIG_USB_NET2272 is not set
+CONFIG_USB_NET2280=m
+# CONFIG_USB_GOKU is not set
+CONFIG_USB_EG20T=m
+# CONFIG_USB_DUMMY_HCD is not set
+# CONFIG_USB_CONFIGFS is not set
+# CONFIG_USB_ZERO is not set
+# CONFIG_USB_AUDIO is not set
+# CONFIG_USB_ETH is not set
+# CONFIG_USB_G_NCM is not set
+# CONFIG_USB_GADGETFS is not set
+# CONFIG_USB_FUNCTIONFS is not set
+# CONFIG_USB_MASS_STORAGE is not set
+# CONFIG_USB_GADGET_TARGET is not set
+# CONFIG_USB_G_SERIAL is not set
+# CONFIG_USB_MIDI_GADGET is not set
+# CONFIG_USB_G_PRINTER is not set
+# CONFIG_USB_CDC_COMPOSITE is not set
+# CONFIG_USB_G_NOKIA is not set
+# CONFIG_USB_G_ACM_MS is not set
+# CONFIG_USB_G_MULTI is not set
+# CONFIG_USB_G_HID is not set
+# CONFIG_USB_G_DBGP is not set
+# CONFIG_USB_G_WEBCAM is not set
+CONFIG_USB_LED_TRIG=y
+CONFIG_UWB=m
+CONFIG_UWB_HWA=m
+CONFIG_UWB_WHCI=m
+CONFIG_UWB_I1480U=m
+CONFIG_MMC=m
+# CONFIG_MMC_DEBUG is not set
+
+#
+# MMC/SD/SDIO Card Drivers
+#
+CONFIG_MMC_BLOCK=m
+CONFIG_MMC_BLOCK_MINORS=256
+CONFIG_MMC_BLOCK_BOUNCE=y
+CONFIG_SDIO_UART=m
+# CONFIG_MMC_TEST is not set
+
+#
+# MMC/SD/SDIO Host Controller Drivers
+#
+CONFIG_MMC_SDHCI=m
+CONFIG_MMC_SDHCI_PCI=m
+CONFIG_MMC_RICOH_MMC=y
+CONFIG_MMC_SDHCI_ACPI=m
+# CONFIG_MMC_SDHCI_PLTFM is not set
+CONFIG_MMC_WBSD=m
+CONFIG_MMC_TIFM_SD=m
+# CONFIG_MMC_SPI is not set
+CONFIG_MMC_SDRICOH_CS=m
+CONFIG_MMC_CB710=m
+CONFIG_MMC_VIA_SDMMC=m
+CONFIG_MMC_VUB300=m
+CONFIG_MMC_USHC=m
+# CONFIG_MMC_USDHI6ROL0 is not set
+CONFIG_MMC_REALTEK_PCI=m
+CONFIG_MMC_REALTEK_USB=m
+CONFIG_MMC_TOSHIBA_PCI=m
+# CONFIG_MMC_MTK is not set
+CONFIG_MEMSTICK=m
+# CONFIG_MEMSTICK_DEBUG is not set
+
+#
+# MemoryStick drivers
+#
+# CONFIG_MEMSTICK_UNSAFE_RESUME is not set
+CONFIG_MSPRO_BLOCK=m
+# CONFIG_MS_BLOCK is not set
+
+#
+# MemoryStick Host Controller Drivers
+#
+CONFIG_MEMSTICK_TIFM_MS=m
+CONFIG_MEMSTICK_JMICRON_38X=m
+CONFIG_MEMSTICK_R592=m
+CONFIG_MEMSTICK_REALTEK_PCI=m
+CONFIG_MEMSTICK_REALTEK_USB=m
+CONFIG_NEW_LEDS=y
+CONFIG_LEDS_CLASS=y
+# CONFIG_LEDS_CLASS_FLASH is not set
+
+#
+# LED drivers
+#
+# CONFIG_LEDS_LM3530 is not set
+# CONFIG_LEDS_LM3642 is not set
+# CONFIG_LEDS_PCA9532 is not set
+# CONFIG_LEDS_GPIO is not set
+CONFIG_LEDS_LP3944=m
+# CONFIG_LEDS_LP5521 is not set
+# CONFIG_LEDS_LP5523 is not set
+# CONFIG_LEDS_LP5562 is not set
+# CONFIG_LEDS_LP8501 is not set
+# CONFIG_LEDS_LP8860 is not set
+CONFIG_LEDS_CLEVO_MAIL=m
+CONFIG_LEDS_PCA955X=m
+# CONFIG_LEDS_PCA963X is not set
+CONFIG_LEDS_DAC124S085=m
+CONFIG_LEDS_BD2802=m
+CONFIG_LEDS_INTEL_SS4200=m
+CONFIG_LEDS_LT3593=m
+CONFIG_LEDS_DELL_NETBOOKS=m
+# CONFIG_LEDS_TCA6507 is not set
+# CONFIG_LEDS_TLC591XX is not set
+# CONFIG_LEDS_LM355x is not set
+CONFIG_LEDS_MENF21BMC=m
+
+#
+# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM)
+#
+# CONFIG_LEDS_BLINKM is not set
+
+#
+# LED Triggers
+#
+CONFIG_LEDS_TRIGGERS=y
+CONFIG_LEDS_TRIGGER_TIMER=m
+CONFIG_LEDS_TRIGGER_ONESHOT=m
+CONFIG_LEDS_TRIGGER_HEARTBEAT=m
+CONFIG_LEDS_TRIGGER_BACKLIGHT=m
+CONFIG_LEDS_TRIGGER_CPU=y
+CONFIG_LEDS_TRIGGER_GPIO=m
+CONFIG_LEDS_TRIGGER_DEFAULT_ON=m
+
+#
+# iptables trigger is under Netfilter config (LED target)
+#
+CONFIG_LEDS_TRIGGER_TRANSIENT=m
+CONFIG_LEDS_TRIGGER_CAMERA=m
+CONFIG_ACCESSIBILITY=y
+CONFIG_A11Y_BRAILLE_CONSOLE=y
+CONFIG_INFINIBAND=m
+CONFIG_INFINIBAND_USER_MAD=m
+CONFIG_INFINIBAND_USER_ACCESS=m
+CONFIG_INFINIBAND_USER_MEM=y
+CONFIG_INFINIBAND_ON_DEMAND_PAGING=y
+CONFIG_INFINIBAND_ADDR_TRANS=y
+CONFIG_INFINIBAND_MTHCA=m
+CONFIG_INFINIBAND_MTHCA_DEBUG=y
+CONFIG_INFINIBAND_QIB=m
+CONFIG_INFINIBAND_QIB_DCA=y
+CONFIG_INFINIBAND_CXGB3=m
+# CONFIG_INFINIBAND_CXGB3_DEBUG is not set
+CONFIG_INFINIBAND_CXGB4=m
+CONFIG_MLX4_INFINIBAND=m
+CONFIG_MLX5_INFINIBAND=m
+CONFIG_INFINIBAND_NES=m
+# CONFIG_INFINIBAND_NES_DEBUG is not set
+CONFIG_INFINIBAND_OCRDMA=m
+CONFIG_INFINIBAND_USNIC=m
+CONFIG_INFINIBAND_IPOIB=m
+CONFIG_INFINIBAND_IPOIB_CM=y
+CONFIG_INFINIBAND_IPOIB_DEBUG=y
+# CONFIG_INFINIBAND_IPOIB_DEBUG_DATA is not set
+CONFIG_INFINIBAND_SRP=m
+CONFIG_INFINIBAND_SRPT=m
+CONFIG_INFINIBAND_ISER=m
+CONFIG_INFINIBAND_ISERT=m
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+CONFIG_EDAC=y
+CONFIG_EDAC_LEGACY_SYSFS=y
+# CONFIG_EDAC_DEBUG is not set
+CONFIG_EDAC_DECODE_MCE=m
+CONFIG_EDAC_MM_EDAC=m
+CONFIG_EDAC_AMD64=m
+# CONFIG_EDAC_AMD64_ERROR_INJECTION is not set
+CONFIG_EDAC_E752X=m
+CONFIG_EDAC_I82975X=m
+CONFIG_EDAC_I3000=m
+CONFIG_EDAC_I3200=m
+CONFIG_EDAC_IE31200=m
+CONFIG_EDAC_X38=m
+CONFIG_EDAC_I5400=m
+CONFIG_EDAC_I7CORE=m
+CONFIG_EDAC_I5000=m
+CONFIG_EDAC_I5100=m
+CONFIG_EDAC_I7300=m
+CONFIG_EDAC_SBRIDGE=m
+CONFIG_RTC_LIB=y
+CONFIG_RTC_CLASS=y
+CONFIG_RTC_HCTOSYS=y
+CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
+CONFIG_RTC_SYSTOHC=y
+CONFIG_RTC_SYSTOHC_DEVICE="rtc0"
+# CONFIG_RTC_DEBUG is not set
+
+#
+# RTC interfaces
+#
+CONFIG_RTC_INTF_SYSFS=y
+CONFIG_RTC_INTF_PROC=y
+CONFIG_RTC_INTF_DEV=y
+# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set
+# CONFIG_RTC_DRV_TEST is not set
+
+#
+# I2C RTC drivers
+#
+# CONFIG_RTC_DRV_ABB5ZES3 is not set
+# CONFIG_RTC_DRV_ABX80X is not set
+# CONFIG_RTC_DRV_DS1307 is not set
+# CONFIG_RTC_DRV_DS1374 is not set
+# CONFIG_RTC_DRV_DS1672 is not set
+# CONFIG_RTC_DRV_DS3232 is not set
+# CONFIG_RTC_DRV_MAX6900 is not set
+# CONFIG_RTC_DRV_RS5C372 is not set
+# CONFIG_RTC_DRV_ISL1208 is not set
+# CONFIG_RTC_DRV_ISL12022 is not set
+# CONFIG_RTC_DRV_ISL12057 is not set
+# CONFIG_RTC_DRV_X1205 is not set
+# CONFIG_RTC_DRV_PCF2127 is not set
+# CONFIG_RTC_DRV_PCF8523 is not set
+# CONFIG_RTC_DRV_PCF8563 is not set
+# CONFIG_RTC_DRV_PCF85063 is not set
+# CONFIG_RTC_DRV_PCF8583 is not set
+# CONFIG_RTC_DRV_M41T80 is not set
+# CONFIG_RTC_DRV_BQ32K is not set
+# CONFIG_RTC_DRV_S35390A is not set
+# CONFIG_RTC_DRV_FM3130 is not set
+# CONFIG_RTC_DRV_RX8581 is not set
+# CONFIG_RTC_DRV_RX8025 is not set
+# CONFIG_RTC_DRV_EM3027 is not set
+# CONFIG_RTC_DRV_RV3029C2 is not set
+# CONFIG_RTC_DRV_RV8803 is not set
+
+#
+# SPI RTC drivers
+#
+# CONFIG_RTC_DRV_M41T93 is not set
+# CONFIG_RTC_DRV_M41T94 is not set
+# CONFIG_RTC_DRV_DS1305 is not set
+# CONFIG_RTC_DRV_DS1343 is not set
+# CONFIG_RTC_DRV_DS1347 is not set
+# CONFIG_RTC_DRV_DS1390 is not set
+# CONFIG_RTC_DRV_MAX6902 is not set
+# CONFIG_RTC_DRV_R9701 is not set
+# CONFIG_RTC_DRV_RS5C348 is not set
+# CONFIG_RTC_DRV_DS3234 is not set
+# CONFIG_RTC_DRV_PCF2123 is not set
+# CONFIG_RTC_DRV_RX4581 is not set
+# CONFIG_RTC_DRV_MCP795 is not set
+
+#
+# Platform RTC drivers
+#
+CONFIG_RTC_DRV_CMOS=y
+# CONFIG_RTC_DRV_DS1286 is not set
+# CONFIG_RTC_DRV_DS1511 is not set
+# CONFIG_RTC_DRV_DS1553 is not set
+# CONFIG_RTC_DRV_DS1685_FAMILY is not set
+# CONFIG_RTC_DRV_DS1742 is not set
+# CONFIG_RTC_DRV_DS2404 is not set
+# CONFIG_RTC_DRV_STK17TA8 is not set
+# CONFIG_RTC_DRV_M48T86 is not set
+# CONFIG_RTC_DRV_M48T35 is not set
+# CONFIG_RTC_DRV_M48T59 is not set
+# CONFIG_RTC_DRV_MSM6242 is not set
+# CONFIG_RTC_DRV_BQ4802 is not set
+# CONFIG_RTC_DRV_RP5C01 is not set
+# CONFIG_RTC_DRV_V3020 is not set
+
+#
+# on-CPU RTC drivers
+#
+
+#
+# HID Sensor RTC drivers
+#
+# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set
+CONFIG_DMADEVICES=y
+# CONFIG_DMADEVICES_DEBUG is not set
+
+#
+# DMA Devices
+#
+CONFIG_DMA_ENGINE=y
+CONFIG_DMA_VIRTUAL_CHANNELS=m
+CONFIG_DMA_ACPI=y
+CONFIG_INTEL_IDMA64=m
+CONFIG_INTEL_IOATDMA=m
+CONFIG_INTEL_MIC_X100_DMA=m
+CONFIG_DW_DMAC_CORE=m
+CONFIG_DW_DMAC=m
+# CONFIG_DW_DMAC_PCI is not set
+
+#
+# DMA Clients
+#
+CONFIG_ASYNC_TX_DMA=y
+# CONFIG_DMATEST is not set
+CONFIG_DMA_ENGINE_RAID=y
+CONFIG_DCA=m
+# CONFIG_AUXDISPLAY is not set
+CONFIG_UIO=m
+CONFIG_UIO_CIF=m
+# CONFIG_UIO_PDRV_GENIRQ is not set
+# CONFIG_UIO_DMEM_GENIRQ is not set
+CONFIG_UIO_AEC=m
+CONFIG_UIO_SERCOS3=m
+CONFIG_UIO_PCI_GENERIC=m
+CONFIG_UIO_NETX=m
+# CONFIG_UIO_PRUSS is not set
+CONFIG_UIO_MF624=m
+CONFIG_VFIO_IOMMU_TYPE1=m
+CONFIG_VFIO_VIRQFD=m
+CONFIG_VFIO=m
+CONFIG_VFIO_PCI=m
+CONFIG_VFIO_PCI_VGA=y
+CONFIG_VFIO_PCI_MMAP=y
+CONFIG_VFIO_PCI_INTX=y
+CONFIG_IRQ_BYPASS_MANAGER=m
+CONFIG_VIRT_DRIVERS=y
+CONFIG_VIRTIO=m
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=m
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=m
+CONFIG_VIRTIO_INPUT=m
+# CONFIG_VIRTIO_MMIO is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+CONFIG_HYPERV=m
+CONFIG_HYPERV_UTILS=m
+CONFIG_HYPERV_BALLOON=m
+CONFIG_STAGING=y
+# CONFIG_SLICOSS is not set
+CONFIG_PRISM2_USB=m
+CONFIG_COMEDI=m
+# CONFIG_COMEDI_DEBUG is not set
+CONFIG_COMEDI_DEFAULT_BUF_SIZE_KB=2048
+CONFIG_COMEDI_DEFAULT_BUF_MAXSIZE_KB=20480
+CONFIG_COMEDI_MISC_DRIVERS=y
+CONFIG_COMEDI_BOND=m
+CONFIG_COMEDI_TEST=m
+CONFIG_COMEDI_PARPORT=m
+CONFIG_COMEDI_SERIAL2002=m
+# CONFIG_COMEDI_ISA_DRIVERS is not set
+CONFIG_COMEDI_PCI_DRIVERS=m
+CONFIG_COMEDI_8255_PCI=m
+CONFIG_COMEDI_ADDI_WATCHDOG=m
+CONFIG_COMEDI_ADDI_APCI_1032=m
+CONFIG_COMEDI_ADDI_APCI_1500=m
+CONFIG_COMEDI_ADDI_APCI_1516=m
+CONFIG_COMEDI_ADDI_APCI_1564=m
+CONFIG_COMEDI_ADDI_APCI_16XX=m
+CONFIG_COMEDI_ADDI_APCI_2032=m
+CONFIG_COMEDI_ADDI_APCI_2200=m
+CONFIG_COMEDI_ADDI_APCI_3120=m
+CONFIG_COMEDI_ADDI_APCI_3501=m
+CONFIG_COMEDI_ADDI_APCI_3XXX=m
+CONFIG_COMEDI_ADL_PCI6208=m
+CONFIG_COMEDI_ADL_PCI7X3X=m
+CONFIG_COMEDI_ADL_PCI8164=m
+CONFIG_COMEDI_ADL_PCI9111=m
+CONFIG_COMEDI_ADL_PCI9118=m
+CONFIG_COMEDI_ADV_PCI1710=m
+CONFIG_COMEDI_ADV_PCI1723=m
+CONFIG_COMEDI_ADV_PCI1724=m
+CONFIG_COMEDI_ADV_PCI_DIO=m
+CONFIG_COMEDI_AMPLC_DIO200_PCI=m
+CONFIG_COMEDI_AMPLC_PC236_PCI=m
+CONFIG_COMEDI_AMPLC_PC263_PCI=m
+CONFIG_COMEDI_AMPLC_PCI224=m
+CONFIG_COMEDI_AMPLC_PCI230=m
+CONFIG_COMEDI_CONTEC_PCI_DIO=m
+CONFIG_COMEDI_DAS08_PCI=m
+CONFIG_COMEDI_DT3000=m
+CONFIG_COMEDI_DYNA_PCI10XX=m
+CONFIG_COMEDI_GSC_HPDI=m
+CONFIG_COMEDI_MF6X4=m
+CONFIG_COMEDI_ICP_MULTI=m
+CONFIG_COMEDI_DAQBOARD2000=m
+CONFIG_COMEDI_JR3_PCI=m
+CONFIG_COMEDI_KE_COUNTER=m
+CONFIG_COMEDI_CB_PCIDAS64=m
+CONFIG_COMEDI_CB_PCIDAS=m
+CONFIG_COMEDI_CB_PCIDDA=m
+CONFIG_COMEDI_CB_PCIMDAS=m
+CONFIG_COMEDI_CB_PCIMDDA=m
+CONFIG_COMEDI_ME4000=m
+CONFIG_COMEDI_ME_DAQ=m
+CONFIG_COMEDI_NI_6527=m
+CONFIG_COMEDI_NI_65XX=m
+CONFIG_COMEDI_NI_660X=m
+CONFIG_COMEDI_NI_670X=m
+CONFIG_COMEDI_NI_LABPC_PCI=m
+CONFIG_COMEDI_NI_PCIDIO=m
+CONFIG_COMEDI_NI_PCIMIO=m
+CONFIG_COMEDI_RTD520=m
+CONFIG_COMEDI_S626=m
+CONFIG_COMEDI_MITE=m
+CONFIG_COMEDI_NI_TIOCMD=m
+CONFIG_COMEDI_PCMCIA_DRIVERS=m
+CONFIG_COMEDI_CB_DAS16_CS=m
+CONFIG_COMEDI_DAS08_CS=m
+CONFIG_COMEDI_NI_DAQ_700_CS=m
+CONFIG_COMEDI_NI_DAQ_DIO24_CS=m
+CONFIG_COMEDI_NI_LABPC_CS=m
+CONFIG_COMEDI_NI_MIO_CS=m
+CONFIG_COMEDI_QUATECH_DAQP_CS=m
+CONFIG_COMEDI_USB_DRIVERS=m
+CONFIG_COMEDI_DT9812=m
+CONFIG_COMEDI_NI_USB6501=m
+CONFIG_COMEDI_USBDUX=m
+CONFIG_COMEDI_USBDUXFAST=m
+CONFIG_COMEDI_USBDUXSIGMA=m
+CONFIG_COMEDI_VMK80XX=m
+CONFIG_COMEDI_8254=m
+CONFIG_COMEDI_8255=m
+CONFIG_COMEDI_8255_SA=m
+CONFIG_COMEDI_KCOMEDILIB=m
+CONFIG_COMEDI_AMPLC_DIO200=m
+CONFIG_COMEDI_AMPLC_PC236=m
+CONFIG_COMEDI_DAS08=m
+CONFIG_COMEDI_NI_LABPC=m
+CONFIG_COMEDI_NI_TIO=m
+# CONFIG_PANEL is not set
+CONFIG_RTL8192U=m
+CONFIG_RTLLIB=m
+CONFIG_RTLLIB_CRYPTO_CCMP=m
+CONFIG_RTLLIB_CRYPTO_TKIP=m
+CONFIG_RTLLIB_CRYPTO_WEP=m
+CONFIG_RTL8192E=m
+CONFIG_R8712U=m
+CONFIG_R8188EU=m
+CONFIG_88EU_AP_MODE=y
+CONFIG_R8723AU=m
+CONFIG_8723AU_AP_MODE=y
+CONFIG_8723AU_BT_COEXIST=y
+CONFIG_RTS5208=m
+# CONFIG_VT6655 is not set
+CONFIG_VT6656=m
+
+#
+# IIO staging drivers
+#
+
+#
+# Accelerometers
+#
+# CONFIG_ADIS16201 is not set
+# CONFIG_ADIS16203 is not set
+# CONFIG_ADIS16204 is not set
+# CONFIG_ADIS16209 is not set
+# CONFIG_ADIS16220 is not set
+# CONFIG_ADIS16240 is not set
+# CONFIG_LIS3L02DQ is not set
+# CONFIG_SCA3000 is not set
+
+#
+# Analog to digital converters
+#
+# CONFIG_AD7606 is not set
+# CONFIG_AD7780 is not set
+# CONFIG_AD7816 is not set
+# CONFIG_AD7192 is not set
+# CONFIG_AD7280 is not set
+
+#
+# Analog digital bi-direction converters
+#
+# CONFIG_ADT7316 is not set
+
+#
+# Capacitance to digital converters
+#
+# CONFIG_AD7150 is not set
+# CONFIG_AD7152 is not set
+# CONFIG_AD7746 is not set
+
+#
+# Direct Digital Synthesis
+#
+# CONFIG_AD9832 is not set
+# CONFIG_AD9834 is not set
+
+#
+# Digital gyroscope sensors
+#
+# CONFIG_ADIS16060 is not set
+
+#
+# Network Analyzer, Impedance Converters
+#
+# CONFIG_AD5933 is not set
+
+#
+# Light sensors
+#
+CONFIG_SENSORS_ISL29018=m
+# CONFIG_SENSORS_ISL29028 is not set
+CONFIG_TSL2583=m
+# CONFIG_TSL2x7x is not set
+
+#
+# Magnetometer sensors
+#
+# CONFIG_SENSORS_HMC5843_I2C is not set
+# CONFIG_SENSORS_HMC5843_SPI is not set
+
+#
+# Active energy metering IC
+#
+# CONFIG_ADE7753 is not set
+# CONFIG_ADE7754 is not set
+# CONFIG_ADE7758 is not set
+# CONFIG_ADE7759 is not set
+# CONFIG_ADE7854 is not set
+
+#
+# Resolver to digital converters
+#
+# CONFIG_AD2S90 is not set
+# CONFIG_AD2S1200 is not set
+# CONFIG_AD2S1210 is not set
+
+#
+# Triggers - standalone
+#
+# CONFIG_IIO_PERIODIC_RTC_TRIGGER is not set
+# CONFIG_IIO_SIMPLE_DUMMY is not set
+# CONFIG_FB_SM750 is not set
+# CONFIG_FB_XGI is not set
+
+#
+# Speakup console speech
+#
+CONFIG_SPEAKUP=m
+CONFIG_SPEAKUP_SYNTH_ACNTSA=m
+CONFIG_SPEAKUP_SYNTH_APOLLO=m
+CONFIG_SPEAKUP_SYNTH_AUDPTR=m
+CONFIG_SPEAKUP_SYNTH_BNS=m
+CONFIG_SPEAKUP_SYNTH_DECTLK=m
+CONFIG_SPEAKUP_SYNTH_DECEXT=m
+CONFIG_SPEAKUP_SYNTH_LTLK=m
+CONFIG_SPEAKUP_SYNTH_SOFT=m
+CONFIG_SPEAKUP_SYNTH_SPKOUT=m
+CONFIG_SPEAKUP_SYNTH_TXPRT=m
+CONFIG_SPEAKUP_SYNTH_DUMMY=m
+# CONFIG_TOUCHSCREEN_SYNAPTICS_I2C_RMI4 is not set
+CONFIG_STAGING_MEDIA=y
+# CONFIG_I2C_BCM2048 is not set
+# CONFIG_DVB_CXD2099 is not set
+# CONFIG_DVB_MN88472 is not set
+# CONFIG_DVB_MN88473 is not set
+CONFIG_LIRC_STAGING=y
+CONFIG_LIRC_BT829=m
+CONFIG_LIRC_IMON=m
+# CONFIG_LIRC_PARALLEL is not set
+CONFIG_LIRC_SASEM=m
+CONFIG_LIRC_SERIAL=m
+CONFIG_LIRC_SERIAL_TRANSMITTER=y
+CONFIG_LIRC_SIR=m
+CONFIG_LIRC_ZILOG=m
+# CONFIG_STAGING_RDMA is not set
+
+#
+# Android
+#
+CONFIG_WIMAX_GDM72XX=m
+# CONFIG_WIMAX_GDM72XX_QOS is not set
+# CONFIG_WIMAX_GDM72XX_K_MODE is not set
+# CONFIG_WIMAX_GDM72XX_WIMAX2 is not set
+CONFIG_WIMAX_GDM72XX_USB=y
+# CONFIG_WIMAX_GDM72XX_SDIO is not set
+CONFIG_WIMAX_GDM72XX_USB_PM=y
+# CONFIG_LTE_GDM724X is not set
+# CONFIG_FIREWIRE_SERIAL is not set
+# CONFIG_MTD_SPINAND_MT29F is not set
+CONFIG_LUSTRE_FS=m
+CONFIG_LUSTRE_OBD_MAX_IOCTL_BUFFER=8192
+# CONFIG_LUSTRE_DEBUG_EXPENSIVE_CHECK is not set
+CONFIG_LUSTRE_LLITE_LLOOP=m
+CONFIG_LNET=m
+CONFIG_LNET_MAX_PAYLOAD=1048576
+# CONFIG_LNET_SELFTEST is not set
+CONFIG_LNET_XPRT_IB=m
+# CONFIG_DGNC is not set
+# CONFIG_DGAP is not set
+# CONFIG_GS_FPGABOOT is not set
+# CONFIG_CRYPTO_SKEIN is not set
+# CONFIG_UNISYSSPAR is not set
+# CONFIG_FB_TFT is not set
+# CONFIG_WILC1000_DRIVER is not set
+# CONFIG_MOST is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+CONFIG_ACER_WMI=m
+CONFIG_ACERHDF=m
+CONFIG_ALIENWARE_WMI=m
+CONFIG_ASUS_LAPTOP=m
+CONFIG_DELL_LAPTOP=m
+CONFIG_DELL_WMI=m
+CONFIG_DELL_WMI_AIO=m
+CONFIG_DELL_SMO8800=m
+CONFIG_DELL_RBTN=m
+CONFIG_FUJITSU_LAPTOP=m
+# CONFIG_FUJITSU_LAPTOP_DEBUG is not set
+CONFIG_FUJITSU_TABLET=m
+CONFIG_AMILO_RFKILL=m
+CONFIG_HP_ACCEL=m
+CONFIG_HP_WIRELESS=m
+CONFIG_HP_WMI=m
+CONFIG_MSI_LAPTOP=m
+CONFIG_PANASONIC_LAPTOP=m
+CONFIG_COMPAL_LAPTOP=m
+CONFIG_SONY_LAPTOP=m
+CONFIG_SONYPI_COMPAT=y
+CONFIG_IDEAPAD_LAPTOP=m
+CONFIG_THINKPAD_ACPI=m
+CONFIG_THINKPAD_ACPI_ALSA_SUPPORT=y
+# CONFIG_THINKPAD_ACPI_DEBUGFACILITIES is not set
+# CONFIG_THINKPAD_ACPI_DEBUG is not set
+# CONFIG_THINKPAD_ACPI_UNSAFE_LEDS is not set
+CONFIG_THINKPAD_ACPI_VIDEO=y
+CONFIG_THINKPAD_ACPI_HOTKEY_POLL=y
+CONFIG_SENSORS_HDAPS=m
+# CONFIG_INTEL_MENLOW is not set
+CONFIG_EEEPC_LAPTOP=m
+CONFIG_ASUS_WMI=m
+CONFIG_ASUS_NB_WMI=m
+CONFIG_EEEPC_WMI=m
+CONFIG_ACPI_WMI=m
+CONFIG_MSI_WMI=m
+CONFIG_TOPSTAR_LAPTOP=m
+CONFIG_ACPI_TOSHIBA=m
+CONFIG_TOSHIBA_BT_RFKILL=m
+CONFIG_TOSHIBA_HAPS=m
+# CONFIG_TOSHIBA_WMI is not set
+CONFIG_ACPI_CMPC=m
+CONFIG_INTEL_IPS=m
+CONFIG_IBM_RTL=m
+CONFIG_SAMSUNG_LAPTOP=m
+CONFIG_MXM_WMI=m
+CONFIG_INTEL_OAKTRAIL=m
+CONFIG_SAMSUNG_Q10=m
+CONFIG_APPLE_GMUX=m
+CONFIG_INTEL_RST=m
+CONFIG_INTEL_SMARTCONNECT=m
+CONFIG_PVPANIC=m
+CONFIG_INTEL_PMC_IPC=m
+CONFIG_SURFACE_PRO3_BUTTON=m
+CONFIG_CHROME_PLATFORMS=y
+CONFIG_CHROMEOS_LAPTOP=m
+CONFIG_CHROMEOS_PSTORE=m
+CONFIG_CLKDEV_LOOKUP=y
+CONFIG_HAVE_CLK_PREPARE=y
+CONFIG_COMMON_CLK=y
+
+#
+# Common Clock Framework
+#
+# CONFIG_COMMON_CLK_SI5351 is not set
+# CONFIG_COMMON_CLK_PXA is not set
+# CONFIG_COMMON_CLK_CDCE706 is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_API=y
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+CONFIG_IOMMU_IOVA=y
+CONFIG_AMD_IOMMU=y
+CONFIG_AMD_IOMMU_V2=y
+CONFIG_DMAR_TABLE=y
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_SVM=y
+# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
+CONFIG_INTEL_IOMMU_FLOPPY_WA=y
+CONFIG_IRQ_REMAP=y
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SUNXI_SRAM is not set
+# CONFIG_SOC_TI is not set
+CONFIG_PM_DEVFREQ=y
+
+#
+# DEVFREQ Governors
+#
+CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=m
+# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set
+# CONFIG_DEVFREQ_GOV_POWERSAVE is not set
+# CONFIG_DEVFREQ_GOV_USERSPACE is not set
+
+#
+# DEVFREQ Drivers
+#
+# CONFIG_PM_DEVFREQ_EVENT is not set
+# CONFIG_EXTCON is not set
+CONFIG_MEMORY=y
+CONFIG_IIO=m
+CONFIG_IIO_BUFFER=y
+# CONFIG_IIO_BUFFER_CB is not set
+CONFIG_IIO_KFIFO_BUF=m
+CONFIG_IIO_TRIGGERED_BUFFER=m
+CONFIG_IIO_TRIGGER=y
+CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
+
+#
+# Accelerometers
+#
+# CONFIG_BMA180 is not set
+CONFIG_BMC150_ACCEL=m
+CONFIG_BMC150_ACCEL_I2C=m
+CONFIG_BMC150_ACCEL_SPI=m
+CONFIG_HID_SENSOR_ACCEL_3D=m
+# CONFIG_IIO_ST_ACCEL_3AXIS is not set
+# CONFIG_KXSD9 is not set
+CONFIG_KXCJK1013=m
+# CONFIG_MMA8452 is not set
+CONFIG_MMA9551_CORE=m
+CONFIG_MMA9551=m
+CONFIG_MMA9553=m
+# CONFIG_MXC4005 is not set
+# CONFIG_STK8312 is not set
+# CONFIG_STK8BA50 is not set
+
+#
+# Analog to digital converters
+#
+# CONFIG_AD7266 is not set
+# CONFIG_AD7291 is not set
+# CONFIG_AD7298 is not set
+# CONFIG_AD7476 is not set
+# CONFIG_AD7791 is not set
+# CONFIG_AD7793 is not set
+# CONFIG_AD7887 is not set
+# CONFIG_AD7923 is not set
+# CONFIG_AD799X is not set
+# CONFIG_HI8435 is not set
+# CONFIG_MAX1027 is not set
+# CONFIG_MAX1363 is not set
+# CONFIG_MCP320X is not set
+# CONFIG_MCP3422 is not set
+# CONFIG_NAU7802 is not set
+# CONFIG_TI_ADC081C is not set
+# CONFIG_TI_ADC128S052 is not set
+CONFIG_VIPERBOARD_ADC=m
+
+#
+# Amplifiers
+#
+# CONFIG_AD8366 is not set
+
+#
+# Chemical Sensors
+#
+# CONFIG_VZ89X is not set
+
+#
+# Hid Sensor IIO Common
+#
+CONFIG_HID_SENSOR_IIO_COMMON=m
+CONFIG_HID_SENSOR_IIO_TRIGGER=m
+
+#
+# SSP Sensor Common
+#
+# CONFIG_IIO_SSP_SENSORHUB is not set
+
+#
+# Digital to analog converters
+#
+# CONFIG_AD5064 is not set
+# CONFIG_AD5360 is not set
+# CONFIG_AD5380 is not set
+# CONFIG_AD5421 is not set
+# CONFIG_AD5446 is not set
+# CONFIG_AD5449 is not set
+# CONFIG_AD5504 is not set
+# CONFIG_AD5624R_SPI is not set
+# CONFIG_AD5686 is not set
+# CONFIG_AD5755 is not set
+# CONFIG_AD5764 is not set
+# CONFIG_AD5791 is not set
+# CONFIG_AD7303 is not set
+# CONFIG_M62332 is not set
+# CONFIG_MAX517 is not set
+# CONFIG_MCP4725 is not set
+# CONFIG_MCP4922 is not set
+
+#
+# Frequency Synthesizers DDS/PLL
+#
+
+#
+# Clock Generator/Distribution
+#
+# CONFIG_AD9523 is not set
+
+#
+# Phase-Locked Loop (PLL) frequency synthesizers
+#
+# CONFIG_ADF4350 is not set
+
+#
+# Digital gyroscope sensors
+#
+# CONFIG_ADIS16080 is not set
+# CONFIG_ADIS16130 is not set
+# CONFIG_ADIS16136 is not set
+# CONFIG_ADIS16260 is not set
+# CONFIG_ADXRS450 is not set
+CONFIG_BMG160=m
+CONFIG_BMG160_I2C=m
+CONFIG_BMG160_SPI=m
+CONFIG_HID_SENSOR_GYRO_3D=m
+# CONFIG_IIO_ST_GYRO_3AXIS is not set
+# CONFIG_ITG3200 is not set
+
+#
+# Humidity sensors
+#
+# CONFIG_DHT11 is not set
+# CONFIG_HDC100X is not set
+# CONFIG_HTU21 is not set
+# CONFIG_SI7005 is not set
+# CONFIG_SI7020 is not set
+
+#
+# Inertial measurement units
+#
+# CONFIG_ADIS16400 is not set
+# CONFIG_ADIS16480 is not set
+CONFIG_KMX61=m
+CONFIG_INV_MPU6050_IIO=m
+
+#
+# Light sensors
+#
+CONFIG_ACPI_ALS=m
+# CONFIG_ADJD_S311 is not set
+# CONFIG_AL3320A is not set
+# CONFIG_APDS9300 is not set
+# CONFIG_APDS9960 is not set
+# CONFIG_BH1750 is not set
+# CONFIG_CM32181 is not set
+# CONFIG_CM3232 is not set
+# CONFIG_CM3323 is not set
+# CONFIG_CM36651 is not set
+# CONFIG_GP2AP020A00F is not set
+# CONFIG_ISL29125 is not set
+CONFIG_HID_SENSOR_ALS=m
+CONFIG_HID_SENSOR_PROX=m
+CONFIG_JSA1212=m
+# CONFIG_RPR0521 is not set
+# CONFIG_LTR501 is not set
+# CONFIG_OPT3001 is not set
+# CONFIG_PA12203001 is not set
+# CONFIG_STK3310 is not set
+# CONFIG_TCS3414 is not set
+# CONFIG_TCS3472 is not set
+CONFIG_SENSORS_TSL2563=m
+# CONFIG_TSL4531 is not set
+# CONFIG_US5182D is not set
+# CONFIG_VCNL4000 is not set
+
+#
+# Magnetometer sensors
+#
+CONFIG_AK8975=m
+# CONFIG_AK09911 is not set
+# CONFIG_BMC150_MAGN is not set
+# CONFIG_MAG3110 is not set
+CONFIG_HID_SENSOR_MAGNETOMETER_3D=m
+# CONFIG_MMC35240 is not set
+# CONFIG_IIO_ST_MAGN_3AXIS is not set
+
+#
+# Inclinometer sensors
+#
+CONFIG_HID_SENSOR_INCLINOMETER_3D=m
+CONFIG_HID_SENSOR_DEVICE_ROTATION=m
+
+#
+# Triggers - standalone
+#
+# CONFIG_IIO_INTERRUPT_TRIGGER is not set
+# CONFIG_IIO_SYSFS_TRIGGER is not set
+
+#
+# Digital potentiometers
+#
+# CONFIG_MCP4531 is not set
+
+#
+# Pressure sensors
+#
+CONFIG_BMP280=m
+CONFIG_HID_SENSOR_PRESS=m
+# CONFIG_MPL115 is not set
+# CONFIG_MPL3115 is not set
+# CONFIG_MS5611 is not set
+# CONFIG_MS5637 is not set
+# CONFIG_IIO_ST_PRESS is not set
+# CONFIG_T5403 is not set
+
+#
+# Lightning sensors
+#
+# CONFIG_AS3935 is not set
+
+#
+# Proximity sensors
+#
+# CONFIG_LIDAR_LITE_V2 is not set
+CONFIG_SX9500=m
+
+#
+# Temperature sensors
+#
+# CONFIG_MLX90614 is not set
+# CONFIG_TMP006 is not set
+# CONFIG_TSYS01 is not set
+# CONFIG_TSYS02D is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+CONFIG_GENERIC_PHY=y
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+CONFIG_POWERCAP=y
+CONFIG_INTEL_RAPL=m
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+CONFIG_RAS=y
+CONFIG_THUNDERBOLT=m
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+CONFIG_LIBNVDIMM=m
+CONFIG_BLK_DEV_PMEM=m
+CONFIG_ND_BLK=m
+CONFIG_ND_CLAIM=y
+CONFIG_ND_BTT=m
+CONFIG_BTT=y
+CONFIG_ND_PFN=m
+CONFIG_NVDIMM_PFN=y
+# CONFIG_NVMEM is not set
+# CONFIG_STM is not set
+# CONFIG_STM_DUMMY is not set
+# CONFIG_STM_SOURCE_CONSOLE is not set
+# CONFIG_INTEL_TH is not set
+
+#
+# FPGA Configuration Support
+#
+# CONFIG_FPGA is not set
+
+#
+# Firmware Drivers
+#
+CONFIG_EDD=m
+# CONFIG_EDD_OFF is not set
+CONFIG_FIRMWARE_MEMMAP=y
+CONFIG_DELL_RBU=m
+CONFIG_DCDBAS=m
+CONFIG_DMIID=y
+CONFIG_DMI_SYSFS=y
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+CONFIG_ISCSI_IBFT_FIND=y
+CONFIG_ISCSI_IBFT=m
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# EFI (Extensible Firmware Interface) Support
+#
+CONFIG_EFI_VARS=m
+CONFIG_EFI_ESRT=y
+CONFIG_EFI_VARS_PSTORE=m
+# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
+# CONFIG_EFI_FAKE_MEMMAP is not set
+CONFIG_EFI_RUNTIME_WRAPPERS=y
+CONFIG_UEFI_CPER=y
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+# CONFIG_EXT2_FS is not set
+# CONFIG_EXT3_FS is not set
+CONFIG_EXT4_FS=m
+CONFIG_EXT4_USE_FOR_EXT2=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_EXT4_ENCRYPTION=m
+CONFIG_EXT4_FS_ENCRYPTION=y
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=m
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=m
+CONFIG_REISERFS_FS=m
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+CONFIG_REISERFS_FS_XATTR=y
+CONFIG_REISERFS_FS_POSIX_ACL=y
+CONFIG_REISERFS_FS_SECURITY=y
+CONFIG_JFS_FS=m
+CONFIG_JFS_POSIX_ACL=y
+CONFIG_JFS_SECURITY=y
+# CONFIG_JFS_DEBUG is not set
+# CONFIG_JFS_STATISTICS is not set
+CONFIG_XFS_FS=m
+CONFIG_XFS_QUOTA=y
+CONFIG_XFS_POSIX_ACL=y
+CONFIG_XFS_RT=y
+# CONFIG_XFS_WARN is not set
+# CONFIG_XFS_DEBUG is not set
+CONFIG_GFS2_FS=m
+CONFIG_GFS2_FS_LOCKING_DLM=y
+CONFIG_OCFS2_FS=m
+CONFIG_OCFS2_FS_O2CB=m
+CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m
+CONFIG_OCFS2_DEBUG_MASKLOG=y
+# CONFIG_OCFS2_DEBUG_FS is not set
+CONFIG_BTRFS_FS=m
+CONFIG_BTRFS_FS_POSIX_ACL=y
+# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set
+# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
+# CONFIG_BTRFS_DEBUG is not set
+# CONFIG_BTRFS_ASSERT is not set
+CONFIG_NILFS2_FS=m
+CONFIG_F2FS_FS=m
+CONFIG_F2FS_FS_XATTR=y
+CONFIG_F2FS_FS_POSIX_ACL=y
+CONFIG_F2FS_FS_SECURITY=y
+# CONFIG_F2FS_CHECK_FS is not set
+CONFIG_F2FS_FS_ENCRYPTION=y
+CONFIG_FS_DAX=y
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+CONFIG_FANOTIFY=y
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
+CONFIG_QUOTA=y
+CONFIG_QUOTA_NETLINK_INTERFACE=y
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+CONFIG_QUOTA_TREE=m
+CONFIG_QFMT_V1=m
+CONFIG_QFMT_V2=m
+CONFIG_QUOTACTL=y
+CONFIG_QUOTACTL_COMPAT=y
+CONFIG_AUTOFS4_FS=m
+CONFIG_FUSE_FS=m
+CONFIG_CUSE=m
+CONFIG_OVERLAY_FS=m
+
+#
+# Caches
+#
+CONFIG_FSCACHE=m
+CONFIG_FSCACHE_STATS=y
+# CONFIG_FSCACHE_HISTOGRAM is not set
+# CONFIG_FSCACHE_DEBUG is not set
+# CONFIG_FSCACHE_OBJECT_LIST is not set
+CONFIG_CACHEFILES=m
+# CONFIG_CACHEFILES_DEBUG is not set
+# CONFIG_CACHEFILES_HISTOGRAM is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=m
+CONFIG_JOLIET=y
+CONFIG_ZISOFS=y
+CONFIG_UDF_FS=m
+CONFIG_UDF_NLS=y
+
+#
+# DOS/FAT/NT Filesystems
+#
+CONFIG_FAT_FS=m
+CONFIG_MSDOS_FS=m
+CONFIG_VFAT_FS=m
+CONFIG_FAT_DEFAULT_CODEPAGE=437
+CONFIG_FAT_DEFAULT_IOCHARSET="utf8"
+CONFIG_NTFS_FS=m
+# CONFIG_NTFS_DEBUG is not set
+CONFIG_NTFS_RW=y
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_SYSCTL=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_HUGETLBFS=y
+CONFIG_HUGETLB_PAGE=y
+CONFIG_CONFIGFS_FS=m
+CONFIG_EFIVAR_FS=m
+CONFIG_MISC_FILESYSTEMS=y
+CONFIG_ADFS_FS=m
+# CONFIG_ADFS_FS_RW is not set
+CONFIG_AFFS_FS=m
+CONFIG_ECRYPT_FS=m
+CONFIG_ECRYPT_FS_MESSAGING=y
+CONFIG_HFS_FS=m
+CONFIG_HFSPLUS_FS=m
+# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
+CONFIG_BEFS_FS=m
+# CONFIG_BEFS_DEBUG is not set
+CONFIG_BFS_FS=m
+CONFIG_EFS_FS=m
+CONFIG_JFFS2_FS=m
+CONFIG_JFFS2_FS_DEBUG=0
+CONFIG_JFFS2_FS_WRITEBUFFER=y
+# CONFIG_JFFS2_FS_WBUF_VERIFY is not set
+CONFIG_JFFS2_SUMMARY=y
+CONFIG_JFFS2_FS_XATTR=y
+CONFIG_JFFS2_FS_POSIX_ACL=y
+CONFIG_JFFS2_FS_SECURITY=y
+CONFIG_JFFS2_COMPRESSION_OPTIONS=y
+CONFIG_JFFS2_ZLIB=y
+CONFIG_JFFS2_LZO=y
+CONFIG_JFFS2_RTIME=y
+# CONFIG_JFFS2_RUBIN is not set
+# CONFIG_JFFS2_CMODE_NONE is not set
+CONFIG_JFFS2_CMODE_PRIORITY=y
+# CONFIG_JFFS2_CMODE_SIZE is not set
+# CONFIG_JFFS2_CMODE_FAVOURLZO is not set
+CONFIG_UBIFS_FS=m
+CONFIG_UBIFS_FS_ADVANCED_COMPR=y
+CONFIG_UBIFS_FS_LZO=y
+CONFIG_UBIFS_FS_ZLIB=y
+# CONFIG_UBIFS_ATIME_SUPPORT is not set
+CONFIG_LOGFS=m
+# CONFIG_CRAMFS is not set
+CONFIG_SQUASHFS=m
+CONFIG_SQUASHFS_FILE_CACHE=y
+# CONFIG_SQUASHFS_FILE_DIRECT is not set
+CONFIG_SQUASHFS_DECOMP_SINGLE=y
+# CONFIG_SQUASHFS_DECOMP_MULTI is not set
+# CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set
+CONFIG_SQUASHFS_XATTR=y
+CONFIG_SQUASHFS_ZLIB=y
+# CONFIG_SQUASHFS_LZ4 is not set
+CONFIG_SQUASHFS_LZO=y
+CONFIG_SQUASHFS_XZ=y
+# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
+# CONFIG_SQUASHFS_EMBEDDED is not set
+CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
+CONFIG_VXFS_FS=m
+CONFIG_MINIX_FS=m
+CONFIG_OMFS_FS=m
+# CONFIG_HPFS_FS is not set
+CONFIG_QNX4FS_FS=m
+CONFIG_QNX6FS_FS=m
+# CONFIG_QNX6FS_DEBUG is not set
+CONFIG_ROMFS_FS=m
+# CONFIG_ROMFS_BACKED_BY_BLOCK is not set
+# CONFIG_ROMFS_BACKED_BY_MTD is not set
+CONFIG_ROMFS_BACKED_BY_BOTH=y
+CONFIG_ROMFS_ON_BLOCK=y
+CONFIG_ROMFS_ON_MTD=y
+CONFIG_PSTORE=y
+# CONFIG_PSTORE_CONSOLE is not set
+# CONFIG_PSTORE_PMSG is not set
+CONFIG_PSTORE_RAM=m
+CONFIG_SYSV_FS=m
+CONFIG_UFS_FS=m
+# CONFIG_UFS_FS_WRITE is not set
+# CONFIG_UFS_DEBUG is not set
+CONFIG_EXOFS_FS=m
+# CONFIG_EXOFS_DEBUG is not set
+CONFIG_ORE=m
+CONFIG_NETWORK_FILESYSTEMS=y
+CONFIG_NFS_FS=m
+CONFIG_NFS_V2=m
+CONFIG_NFS_V3=m
+CONFIG_NFS_V3_ACL=y
+CONFIG_NFS_V4=m
+CONFIG_NFS_SWAP=y
+CONFIG_NFS_V4_1=y
+CONFIG_NFS_V4_2=y
+CONFIG_PNFS_FILE_LAYOUT=m
+CONFIG_PNFS_BLOCK=m
+CONFIG_PNFS_OBJLAYOUT=m
+CONFIG_PNFS_FLEXFILE_LAYOUT=m
+CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
+# CONFIG_NFS_V4_1_MIGRATION is not set
+CONFIG_NFS_V4_SECURITY_LABEL=y
+CONFIG_NFS_FSCACHE=y
+# CONFIG_NFS_USE_LEGACY_DNS is not set
+CONFIG_NFS_USE_KERNEL_DNS=y
+CONFIG_NFSD=m
+CONFIG_NFSD_V2_ACL=y
+CONFIG_NFSD_V3=y
+CONFIG_NFSD_V3_ACL=y
+CONFIG_NFSD_V4=y
+CONFIG_NFSD_PNFS=y
+CONFIG_NFSD_V4_SECURITY_LABEL=y
+CONFIG_GRACE_PERIOD=m
+CONFIG_LOCKD=m
+CONFIG_LOCKD_V4=y
+CONFIG_NFS_ACL_SUPPORT=m
+CONFIG_NFS_COMMON=y
+CONFIG_SUNRPC=m
+CONFIG_SUNRPC_GSS=m
+CONFIG_SUNRPC_BACKCHANNEL=y
+CONFIG_SUNRPC_SWAP=y
+CONFIG_RPCSEC_GSS_KRB5=m
+CONFIG_SUNRPC_XPRT_RDMA=m
+CONFIG_CEPH_FS=m
+CONFIG_CEPH_FSCACHE=y
+CONFIG_CEPH_FS_POSIX_ACL=y
+CONFIG_CIFS=m
+# CONFIG_CIFS_STATS is not set
+CONFIG_CIFS_WEAK_PW_HASH=y
+CONFIG_CIFS_UPCALL=y
+CONFIG_CIFS_XATTR=y
+CONFIG_CIFS_POSIX=y
+CONFIG_CIFS_ACL=y
+CONFIG_CIFS_DEBUG=y
+# CONFIG_CIFS_DEBUG2 is not set
+CONFIG_CIFS_DFS_UPCALL=y
+CONFIG_CIFS_SMB2=y
+# CONFIG_CIFS_SMB311 is not set
+CONFIG_CIFS_FSCACHE=y
+CONFIG_NCP_FS=m
+CONFIG_NCPFS_PACKET_SIGNING=y
+CONFIG_NCPFS_IOCTL_LOCKING=y
+CONFIG_NCPFS_STRONG=y
+CONFIG_NCPFS_NFS_NS=y
+CONFIG_NCPFS_OS2_NS=y
+# CONFIG_NCPFS_SMALLDOS is not set
+CONFIG_NCPFS_NLS=y
+CONFIG_NCPFS_EXTRAS=y
+CONFIG_CODA_FS=m
+CONFIG_AFS_FS=m
+# CONFIG_AFS_DEBUG is not set
+CONFIG_AFS_FSCACHE=y
+CONFIG_9P_FS=m
+CONFIG_9P_FSCACHE=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_9P_FS_SECURITY=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_CODEPAGE_437=m
+CONFIG_NLS_CODEPAGE_737=m
+CONFIG_NLS_CODEPAGE_775=m
+CONFIG_NLS_CODEPAGE_850=m
+CONFIG_NLS_CODEPAGE_852=m
+CONFIG_NLS_CODEPAGE_855=m
+CONFIG_NLS_CODEPAGE_857=m
+CONFIG_NLS_CODEPAGE_860=m
+CONFIG_NLS_CODEPAGE_861=m
+CONFIG_NLS_CODEPAGE_862=m
+CONFIG_NLS_CODEPAGE_863=m
+CONFIG_NLS_CODEPAGE_864=m
+CONFIG_NLS_CODEPAGE_865=m
+CONFIG_NLS_CODEPAGE_866=m
+CONFIG_NLS_CODEPAGE_869=m
+CONFIG_NLS_CODEPAGE_936=m
+CONFIG_NLS_CODEPAGE_950=m
+CONFIG_NLS_CODEPAGE_932=m
+CONFIG_NLS_CODEPAGE_949=m
+CONFIG_NLS_CODEPAGE_874=m
+CONFIG_NLS_ISO8859_8=m
+CONFIG_NLS_CODEPAGE_1250=m
+CONFIG_NLS_CODEPAGE_1251=m
+CONFIG_NLS_ASCII=m
+CONFIG_NLS_ISO8859_1=m
+CONFIG_NLS_ISO8859_2=m
+CONFIG_NLS_ISO8859_3=m
+CONFIG_NLS_ISO8859_4=m
+CONFIG_NLS_ISO8859_5=m
+CONFIG_NLS_ISO8859_6=m
+CONFIG_NLS_ISO8859_7=m
+CONFIG_NLS_ISO8859_9=m
+CONFIG_NLS_ISO8859_13=m
+CONFIG_NLS_ISO8859_14=m
+CONFIG_NLS_ISO8859_15=m
+CONFIG_NLS_KOI8_R=m
+CONFIG_NLS_KOI8_U=m
+CONFIG_NLS_MAC_ROMAN=m
+CONFIG_NLS_MAC_CELTIC=m
+CONFIG_NLS_MAC_CENTEURO=m
+CONFIG_NLS_MAC_CROATIAN=m
+CONFIG_NLS_MAC_CYRILLIC=m
+CONFIG_NLS_MAC_GAELIC=m
+CONFIG_NLS_MAC_GREEK=m
+CONFIG_NLS_MAC_ICELAND=m
+CONFIG_NLS_MAC_INUIT=m
+CONFIG_NLS_MAC_ROMANIAN=m
+CONFIG_NLS_MAC_TURKISH=m
+CONFIG_NLS_UTF8=m
+CONFIG_DLM=m
+CONFIG_DLM_DEBUG=y
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+CONFIG_PRINTK_TIME=y
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+CONFIG_BOOT_PRINTK_DELAY=y
+
+#
+# Compile-time checks and compiler options
+#
+# CONFIG_DEBUG_INFO is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=2048
+CONFIG_STRIP_ASM_SYMS=y
+# CONFIG_READABLE_ASM is not set
+CONFIG_UNUSED_SYMBOLS=y
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_PER_CPU_MAPS is not set
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_KMEMCHECK is not set
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+CONFIG_LOCKUP_DETECTOR=y
+CONFIG_HARDLOCKUP_DETECTOR=y
+# CONFIG_BOOTPARAM_HARDLOCKUP_PANIC is not set
+CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=0
+# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
+CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+CONFIG_SCHED_DEBUG=y
+CONFIG_SCHED_INFO=y
+# CONFIG_SCHEDSTATS is not set
+CONFIG_SCHED_STACK_END_CHECK=y
+# CONFIG_DEBUG_TIMEKEEPING is not set
+CONFIG_TIMER_STATS=y
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_LIST=y
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_PROVE_RCU is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+CONFIG_RCU_CPU_STALL_TIMEOUT=21
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_FAULT_INJECTION is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACE_CLOCK=y
+CONFIG_RING_BUFFER=y
+CONFIG_RING_BUFFER_ALLOW_SWAP=y
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_KPROBES_SANITY_TEST is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_INTERVAL_TREE_TEST is not set
+# CONFIG_PERCPU_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_ASYNC_RAID6_TEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_LKM is not set
+CONFIG_TEST_USER_COPY=m
+CONFIG_TEST_BPF=m
+CONFIG_TEST_FIRMWARE=m
+# CONFIG_TEST_UDELAY is not set
+CONFIG_MEMTEST=y
+CONFIG_TEST_STATIC_KEYS=m
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_STRICT_DEVMEM=y
+# CONFIG_X86_VERBOSE_BOOTUP is not set
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+CONFIG_EARLY_PRINTK_EFI=y
+# CONFIG_X86_PTDUMP_CORE is not set
+# CONFIG_EFI_PGT_DUMP is not set
+# CONFIG_DEBUG_NX_TEST is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+# CONFIG_X86_DECODER_SELFTEST is not set
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+CONFIG_OPTIMIZE_INLINING=y
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+CONFIG_X86_DEBUG_FPU=y
+
+#
+# Security options
+#
+
+#
+# Grsecurity
+#
+CONFIG_PAX_KERNEXEC_PLUGIN=y
+CONFIG_PAX_PER_CPU_PGD=y
+CONFIG_TASK_SIZE_MAX_SHIFT=42
+CONFIG_PAX_USERCOPY_SLABS=y
+CONFIG_GRKERNSEC=y
+# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
+CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
+CONFIG_GRKERNSEC_TPE_TRUSTED_GID=64040
+CONFIG_GRKERNSEC_SYMLINKOWN_GID=33
+
+#
+# Customize Configuration
+#
+
+#
+# PaX
+#
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+CONFIG_PAX_SOFTMODE=y
+CONFIG_PAX_EI_PAX=y
+CONFIG_PAX_PT_PAX_FLAGS=y
+CONFIG_PAX_XATTR_PAX_FLAGS=y
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+CONFIG_PAX_EMUTRAMP=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_MPROTECT_COMPAT is not set
+# CONFIG_PAX_ELFRELOCS is not set
+CONFIG_PAX_KERNEXEC=y
+CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
+CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+CONFIG_PAX_RANDKSTACK=y
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+
+#
+# Miscellaneous hardening features
+#
+CONFIG_PAX_MEMORY_SANITIZE=y
+CONFIG_PAX_MEMORY_STACKLEAK=y
+CONFIG_PAX_MEMORY_STRUCTLEAK=y
+CONFIG_PAX_MEMORY_UDEREF=y
+CONFIG_PAX_REFCOUNT=y
+CONFIG_PAX_CONSTIFY_PLUGIN=y
+CONFIG_PAX_USERCOPY=y
+# CONFIG_PAX_USERCOPY_DEBUG is not set
+CONFIG_PAX_SIZE_OVERFLOW=y
+CONFIG_PAX_LATENT_ENTROPY=y
+
+#
+# Memory Protections
+#
+CONFIG_GRKERNSEC_KMEM=y
+CONFIG_GRKERNSEC_IO=y
+CONFIG_GRKERNSEC_BPF_HARDEN=y
+CONFIG_GRKERNSEC_PERF_HARDEN=y
+CONFIG_GRKERNSEC_RAND_THREADSTACK=y
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODHARDEN=y
+CONFIG_GRKERNSEC_HIDESYM=y
+CONFIG_GRKERNSEC_RANDSTRUCT=y
+CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
+CONFIG_GRKERNSEC_KERN_LOCKOUT=y
+
+#
+# Role Based Access Control Options
+#
+# CONFIG_GRKERNSEC_NO_RBAC is not set
+CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+CONFIG_GRKERNSEC_PROC=y
+CONFIG_GRKERNSEC_PROC_USER=y
+CONFIG_GRKERNSEC_PROC_ADD=y
+CONFIG_GRKERNSEC_LINK=y
+CONFIG_GRKERNSEC_SYMLINKOWN=y
+CONFIG_GRKERNSEC_FIFO=y
+# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
+CONFIG_GRKERNSEC_ROFS=y
+CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
+CONFIG_GRKERNSEC_CHROOT=y
+CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+CONFIG_GRKERNSEC_CHROOT_RENAME=y
+CONFIG_GRKERNSEC_CHROOT_CAPS=y
+CONFIG_GRKERNSEC_CHROOT_INITRD=y
+
+#
+# Kernel Auditing
+#
+CONFIG_GRKERNSEC_AUDIT_GROUP=y
+CONFIG_GRKERNSEC_AUDIT_GID=64044
+CONFIG_GRKERNSEC_EXECLOG=y
+CONFIG_GRKERNSEC_RESLOG=y
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+CONFIG_GRKERNSEC_TIME=y
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+CONFIG_GRKERNSEC_RWXMAP_LOG=y
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+CONFIG_GRKERNSEC_PTRACE_READEXEC=y
+CONFIG_GRKERNSEC_SETXID=y
+CONFIG_GRKERNSEC_HARDEN_IPC=y
+CONFIG_GRKERNSEC_HARDEN_TTY=y
+CONFIG_GRKERNSEC_TPE=y
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_INVERT=y
+CONFIG_GRKERNSEC_TPE_GID=64040
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_BLACKHOLE=y
+CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=64041
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=64042
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=64043
+
+#
+# Physical Protections
+#
+CONFIG_GRKERNSEC_DENYUSB=y
+# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+
+#
+# Sysctl Support
+#
+CONFIG_GRKERNSEC_SYSCTL=y
+CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
+CONFIG_GRKERNSEC_SYSCTL_ON=y
+
+#
+# Logging Options
+#
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=6
+CONFIG_KEYS=y
+# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_BIG_KEYS is not set
+# CONFIG_TRUSTED_KEYS is not set
+CONFIG_ENCRYPTED_KEYS=m
+CONFIG_SECURITY_DMESG_RESTRICT=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_NETWORK_XFRM=y
+CONFIG_SECURITY_PATH=y
+# CONFIG_INTEL_TXT is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
+CONFIG_SECURITY_SELINUX=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
+# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_TOMOYO=y
+CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
+CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
+# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
+CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
+CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
+# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_XOR_BLOCKS=m
+CONFIG_ASYNC_CORE=m
+CONFIG_ASYNC_MEMCPY=m
+CONFIG_ASYNC_XOR=m
+CONFIG_ASYNC_PQ=m
+CONFIG_ASYNC_RAID6_RECOV=m
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=m
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=m
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=m
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=m
+CONFIG_CRYPTO_PCOMP=m
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AKCIPHER=m
+# CONFIG_CRYPTO_RSA is not set
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+# CONFIG_CRYPTO_USER is not set
+# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
+CONFIG_CRYPTO_GF128MUL=m
+CONFIG_CRYPTO_NULL=m
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_PCRYPT=m
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=m
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=m
+CONFIG_CRYPTO_TEST=m
+CONFIG_CRYPTO_ABLK_HELPER=m
+CONFIG_CRYPTO_GLUE_HELPER_X86=m
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=m
+CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_SEQIV=m
+CONFIG_CRYPTO_ECHAINIV=m
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=m
+CONFIG_CRYPTO_CTR=m
+CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_ECB=m
+CONFIG_CRYPTO_LRW=m
+CONFIG_CRYPTO_PCBC=m
+CONFIG_CRYPTO_XTS=m
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=m
+CONFIG_CRYPTO_HMAC=m
+CONFIG_CRYPTO_XCBC=m
+CONFIG_CRYPTO_VMAC=m
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=m
+CONFIG_CRYPTO_CRC32C_INTEL=m
+CONFIG_CRYPTO_CRC32=m
+CONFIG_CRYPTO_CRC32_PCLMUL=m
+CONFIG_CRYPTO_CRCT10DIF=y
+CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
+CONFIG_CRYPTO_GHASH=m
+CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305_X86_64=m
+CONFIG_CRYPTO_MD4=m
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=m
+CONFIG_CRYPTO_RMD128=m
+CONFIG_CRYPTO_RMD160=m
+CONFIG_CRYPTO_RMD256=m
+CONFIG_CRYPTO_RMD320=m
+CONFIG_CRYPTO_SHA1=y
+CONFIG_CRYPTO_SHA1_SSSE3=m
+CONFIG_CRYPTO_SHA256_SSSE3=m
+CONFIG_CRYPTO_SHA512_SSSE3=m
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_TGR192=m
+CONFIG_CRYPTO_WP512=m
+CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=m
+CONFIG_CRYPTO_AES_NI_INTEL=m
+CONFIG_CRYPTO_ANUBIS=m
+CONFIG_CRYPTO_ARC4=m
+CONFIG_CRYPTO_BLOWFISH=m
+CONFIG_CRYPTO_BLOWFISH_COMMON=m
+CONFIG_CRYPTO_BLOWFISH_X86_64=m
+CONFIG_CRYPTO_CAMELLIA=m
+CONFIG_CRYPTO_CAMELLIA_X86_64=m
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
+CONFIG_CRYPTO_CAST_COMMON=m
+CONFIG_CRYPTO_CAST5=m
+CONFIG_CRYPTO_CAST5_AVX_X86_64=m
+CONFIG_CRYPTO_CAST6=m
+CONFIG_CRYPTO_CAST6_AVX_X86_64=m
+CONFIG_CRYPTO_DES=m
+CONFIG_CRYPTO_DES3_EDE_X86_64=m
+CONFIG_CRYPTO_FCRYPT=m
+CONFIG_CRYPTO_KHAZAD=m
+CONFIG_CRYPTO_SALSA20=m
+CONFIG_CRYPTO_SALSA20_X86_64=m
+CONFIG_CRYPTO_CHACHA20=m
+CONFIG_CRYPTO_CHACHA20_X86_64=m
+CONFIG_CRYPTO_SEED=m
+CONFIG_CRYPTO_SERPENT=m
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
+CONFIG_CRYPTO_TEA=m
+CONFIG_CRYPTO_TWOFISH=m
+CONFIG_CRYPTO_TWOFISH_COMMON=m
+CONFIG_CRYPTO_TWOFISH_X86_64=m
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=m
+CONFIG_CRYPTO_ZLIB=m
+CONFIG_CRYPTO_LZO=y
+# CONFIG_CRYPTO_842 is not set
+CONFIG_CRYPTO_LZ4=m
+CONFIG_CRYPTO_LZ4HC=m
+
+#
+# Random Number Generation
+#
+CONFIG_CRYPTO_ANSI_CPRNG=m
+CONFIG_CRYPTO_DRBG_MENU=m
+CONFIG_CRYPTO_DRBG_HMAC=y
+# CONFIG_CRYPTO_DRBG_HASH is not set
+# CONFIG_CRYPTO_DRBG_CTR is not set
+CONFIG_CRYPTO_DRBG=m
+CONFIG_CRYPTO_JITTERENTROPY=m
+CONFIG_CRYPTO_USER_API=m
+CONFIG_CRYPTO_USER_API_HASH=m
+CONFIG_CRYPTO_USER_API_SKCIPHER=m
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=m
+CONFIG_CRYPTO_HW=y
+CONFIG_CRYPTO_DEV_PADLOCK=m
+CONFIG_CRYPTO_DEV_PADLOCK_AES=m
+CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
+CONFIG_CRYPTO_DEV_CCP=y
+CONFIG_CRYPTO_DEV_CCP_DD=m
+CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
+CONFIG_CRYPTO_DEV_QAT=m
+CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
+CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
+# CONFIG_ASYMMETRIC_KEY_TYPE is not set
+
+#
+# Certificates for signature checking
+#
+# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
+CONFIG_HAVE_KVM=y
+CONFIG_HAVE_KVM_IRQCHIP=y
+CONFIG_HAVE_KVM_IRQFD=y
+CONFIG_HAVE_KVM_IRQ_ROUTING=y
+CONFIG_HAVE_KVM_EVENTFD=y
+CONFIG_KVM_APIC_ARCHITECTURE=y
+CONFIG_KVM_MMIO=y
+CONFIG_KVM_ASYNC_PF=y
+CONFIG_HAVE_KVM_MSI=y
+CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y
+CONFIG_KVM_VFIO=y
+CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y
+CONFIG_KVM_COMPAT=y
+CONFIG_HAVE_KVM_IRQ_BYPASS=y
+CONFIG_VIRTUALIZATION=y
+CONFIG_KVM=m
+CONFIG_KVM_INTEL=m
+CONFIG_KVM_AMD=m
+CONFIG_KVM_DEVICE_ASSIGNMENT=y
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_RAID6_PQ=m
+CONFIG_BITREVERSE=y
+# CONFIG_HAVE_ARCH_BITREVERSE is not set
+CONFIG_RATIONAL=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=m
+CONFIG_CRC16=m
+CONFIG_CRC_T10DIF=y
+CONFIG_CRC_ITU_T=m
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=m
+CONFIG_LIBCRC32C=m
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=m
+CONFIG_LZ4HC_COMPRESS=m
+CONFIG_LZ4_DECOMPRESS=y
+CONFIG_XZ_DEC=y
+CONFIG_XZ_DEC_X86=y
+# CONFIG_XZ_DEC_POWERPC is not set
+# CONFIG_XZ_DEC_IA64 is not set
+# CONFIG_XZ_DEC_ARM is not set
+# CONFIG_XZ_DEC_ARMTHUMB is not set
+# CONFIG_XZ_DEC_SPARC is not set
+CONFIG_XZ_DEC_BCJ=y
+# CONFIG_XZ_DEC_TEST is not set
+CONFIG_DECOMPRESS_GZIP=y
+CONFIG_DECOMPRESS_BZIP2=y
+CONFIG_DECOMPRESS_LZMA=y
+CONFIG_DECOMPRESS_XZ=y
+CONFIG_DECOMPRESS_LZO=y
+CONFIG_DECOMPRESS_LZ4=y
+CONFIG_GENERIC_ALLOCATOR=y
+CONFIG_REED_SOLOMON=m
+CONFIG_REED_SOLOMON_ENC8=y
+CONFIG_REED_SOLOMON_DEC8=y
+CONFIG_REED_SOLOMON_DEC16=y
+CONFIG_BCH=m
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=m
+CONFIG_TEXTSEARCH_BM=m
+CONFIG_TEXTSEARCH_FSM=m
+CONFIG_BTREE=y
+CONFIG_INTERVAL_TREE=y
+CONFIG_ASSOCIATIVE_ARRAY=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_CHECK_SIGNATURE=y
+CONFIG_CPU_RMAP=y
+CONFIG_DQL=y
+CONFIG_GLOB=y
+# CONFIG_GLOB_SELFTEST is not set
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_LRU_CACHE=m
+CONFIG_CORDIC=m
+# CONFIG_DDR is not set
+CONFIG_OID_REGISTRY=m
+CONFIG_UCS2_STRING=y
+CONFIG_FONT_SUPPORT=y
+# CONFIG_FONTS is not set
+CONFIG_FONT_8x8=y
+CONFIG_FONT_8x16=y
+# CONFIG_SG_SPLIT is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_MMIO_FLUSH=y
diff --git a/src/tools/grsec.conf b/src/tools/grsec.conf
new file mode 100644
index 000000000..177e4d59b
--- /dev/null
+++ b/src/tools/grsec.conf
@@ -0,0 +1,98 @@
+## Address Space Protection
+# Disable privileged io: iopl(2) and ioperm(2)
+# Warning: Xorg without modesetting needs it to be 0
+kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+kernel.grsecurity.deny_new_usb = 0
+kernel.grsecurity.harden_ipc = 1
+
+## Filesystem Protections
+# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
+# folders)
+kernel.grsecurity.linking_restrictions = 1
+# Prevent writing to fifo not owned in world-writable +t folders
+kernel.grsecurity.fifo_restrictions = 1
+
+# Chroot restrictions
+kernel.grsecurity.chroot_deny_bad_rename = 1
+kernel.grsecurity.chroot_deny_mount = 1
+kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_deny_chmod = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+kernel.grsecurity.chroot_deny_mknod = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_findtask = 1
+kernel.grsecurity.chroot_restrict_nice = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_caps = 1
+
+## Kernel Auditing
+kernel.grsecurity.exec_logging = 1
+kernel.grsecurity.audit_chdir = 1
+# By default exec_logging and audit_chdir only target members of audit_gid, you
+# can change that by setting audit_group to 0
+kernel.grsecurity.audit_group = 1
+# You can also override audit_gid to use another group
+kernel.grsecurity.audit_gid = 0
+kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.chroot_execlog = 1
+kernel.grsecurity.audit_ptrace = 1
+kernel.grsecurity.audit_mount = 1
+kernel.grsecurity.signal_logging = 1
+kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
+
+## Executable Protections
+kernel.grsecurity.dmesg = 1
+kernel.grsecurity.consistent_setxid = 1
+# Trusted execution
+# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
+# from untrusted directories
+kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_invert = 1
+kernel.grsecurity.tpe_restrict_all = 1
+kernel.grsecurity.tpe_gid = 64040
+
+## Kernel-enforce SymlinkIfOwnerMatch
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+## Network Protections
+kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+# Socket restrictions
+# If the setting is enabled and an user is added to relevant group, she won't
+# be able to open this kind of socket
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 64041
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 64042
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 64043
+
+# Ptrace
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+
+# Protect mounts
+# don't try to set it to 0, it'll fail, just let it commented
+# kernel.grsecurity.romount_protect = 1
+
+# PAX
+kernel.pax.softmode = 0
+
+# Disable module loading
+# This is not a grsecurity anymore, but you might still want to disable module
+# loading so no code is inserted into the kernel
+# kernel.modules_disabled=1
+
+# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
+# grsec sysctl on a running system
+kernel.grsecurity.grsec_lock = 1
+
+# vim: filetype=conf:
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
new file mode 100755
index 000000000..1b3494290
--- /dev/null
+++ b/test/apps-x11/apps-x11.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+# check xpra/xephyr
+which xpra
+if [ "$?" -eq 0 ];
+then
+        echo "xpra found"
+else
+        echo "xpra not found"
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+                echo "Xephyr found"
+        else
+                echo "TESTING SKIP: xpra and/or Xephyr not found"
+                exit
+        fi
+fi
+
+which xterm
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xterm x11"
+        ./xterm.exp
+else
+        echo "TESTING SKIP: xterm not found"
+fi
+
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firefox x11"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+
+which chromium
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: chromium x11"
+        ./chromium.exp
+else
+        echo "TESTING SKIP: chromium not found"
+fi
+
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-gtk x11"
+        ./transmission-gtk.exp
+else
+        echo "TESTING SKIP: transmission-gtk not found"
+fi
+
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11"
+        ./icedove.exp
+else
+        echo "TESTING SKIP: icedove not found"
+fi
+
diff --git a/test/chromium-x11.exp b/test/apps-x11/chromium.exp
index 0d8a5dfb3..38c932aca 100755
--- a/test/chromium-x11.exp
+++ b/test/apps-x11/chromium.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11 --net=br0 chromium www.gentoo.org\r"
+send -- "firejail --name=test --x11 chromium www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -19,6 +22,13 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/firefox-x11.exp b/test/apps-x11/firefox.exp
index c82408896..e82fc6e72 100755
--- a/test/firefox-x11.exp
+++ b/test/apps-x11/firefox.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11 --net=br0 firefox www.gentoo.org\r"
+send -- "firejail --name=test --x11 firefox -no-remote www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -18,7 +21,18 @@ expect {
         "firefox" {puts "firefox detected\n";}
         "iceweasel" {puts "iceweasel detected\n";}
 }
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
 sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -34,6 +48,10 @@ expect {
         " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
         "Seccomp:       2"
 }
@@ -49,6 +67,10 @@ expect {
         " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
         "CapBnd:"
 }
diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp
new file mode 100755
index 000000000..a07344f36
--- /dev/null
+++ b/test/apps-x11/icedove.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11 icedove\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/transmission-gtk-x11.exp b/test/apps-x11/transmission-gtk.exp
index 6192b277c..6391a3717 100755
--- a/test/transmission-gtk-x11.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --net=br0 --x11 transmission-gtk\r"
+send -- "firejail --name=test --x11 transmission-gtk\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -19,6 +22,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/apps-x11/xterm.exp b/test/apps-x11/xterm.exp
new file mode 100755
index 000000000..7d61da542
--- /dev/null
+++ b/test/apps-x11/xterm.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11 xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/test-apps.sh b/test/apps/apps.sh
index 5ada20549..c329c57e5 100755
--- a/test/test-apps.sh
+++ b/test/apps/apps.sh
@@ -1,4 +1,10 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
 which firefox
 if [ "$?" -eq 0 ];
@@ -6,7 +12,7 @@ then
         echo "TESTING: firefox"
         ./firefox.exp
 else
-        echo "TESTING: firefox not found"
+        echo "TESTING SKIP: firefox not found"
 fi
 
 which midori
@@ -15,7 +21,7 @@ then
         echo "TESTING: midori"
         ./midori.exp
 else
-        echo "TESTING: midori not found"
+        echo "TESTING SKIP: midori not found"
 fi
 
 which chromium
@@ -24,16 +30,7 @@ then
         echo "TESTING: chromium"
         ./chromium.exp
 else
-        echo "TESTING: chromium not found"
-fi
-
-which google-chrome
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: google-chrome"
-        ./chromium.exp
-else
-        echo "TESTING: google-chrome not found"
+        echo "TESTING SKIP: chromium not found"
 fi
 
 which opera
@@ -42,7 +39,7 @@ then
         echo "TESTING: opera"
         ./opera.exp
 else
-        echo "TESTING: opera not found"
+        echo "TESTING SKIP: opera not found"
 fi
 
 which transmission-gtk
@@ -51,7 +48,7 @@ then
         echo "TESTING: transmission-gtk"
         ./transmission-gtk.exp
 else
-        echo "TESTING: transmission-gtk not found"
+        echo "TESTING SKIP: transmission-gtk not found"
 fi
 
 which transmission-qt
@@ -60,7 +57,34 @@ then
         echo "TESTING: transmission-qt"
         ./transmission-qt.exp
 else
-        echo "TESTING: transmission-qt not found"
+        echo "TESTING SKIP: transmission-qt not found"
+fi
+
+which qbittorrent
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: qbittorrent"
+        ./qbittorrent.exp
+else
+        echo "TESTING SKIP: qbittorrent not found"
+fi
+
+which uget-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: uget"
+        ./uget-gtk.exp
+else
+        echo "TESTING SKIP: uget-gtk not found"
+fi
+
+which filezilla
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: filezilla"
+        ./filezilla.exp
+else
+        echo "TESTING SKIP: filezilla not found"
 fi
 
 which evince
@@ -69,7 +93,17 @@ then
         echo "TESTING: evince"
         ./evince.exp
 else
-        echo "TESTING: evince not found"
+        echo "TESTING SKIP: evince not found"
+fi
+
+
+which gthumb
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gthumb"
+        ./gthumb.exp
+else
+        echo "TESTING SKIP: gthumb not found"
 fi
 
 which icedove
@@ -78,7 +112,7 @@ then
         echo "TESTING: icedove"
         ./icedove.exp
 else
-        echo "TESTING: icedove not found"
+        echo "TESTING SKIP: icedove not found"
 fi
 
 which vlc
@@ -87,7 +121,7 @@ then
         echo "TESTING: vlc"
         ./vlc.exp
 else
-        echo "TESTING: vlc not found"
+        echo "TESTING SKIP: vlc not found"
 fi
 
 which fbreader
@@ -96,7 +130,7 @@ then
         echo "TESTING: fbreader"
         ./fbreader.exp
 else
-        echo "TESTING: fbreader not found"
+        echo "TESTING SKIP: fbreader not found"
 fi
 
 which deluge
@@ -105,7 +139,7 @@ then
         echo "TESTING: deluge"
         ./deluge.exp
 else
-        echo "TESTING: deluge not found"
+        echo "TESTING SKIP: deluge not found"
 fi
 
 which gnome-mplayer
@@ -114,7 +148,7 @@ then
         echo "TESTING: gnome-mplayer"
         ./gnome-mplayer.exp
 else
-        echo "TESTING: gnome-mplayer not found"
+        echo "TESTING SKIP: gnome-mplayer not found"
 fi
 
 which xchat
@@ -123,7 +157,7 @@ then
         echo "TESTING: xchat"
         ./xchat.exp
 else
-        echo "TESTING: xchat not found"
+        echo "TESTING SKIP: xchat not found"
 fi
 
 which hexchat
@@ -132,7 +166,7 @@ then
         echo "TESTING: hexchat"
         ./hexchat.exp
 else
-        echo "TESTING: hexchat not found"
+        echo "TESTING SKIP: hexchat not found"
 fi
 
 which weechat-curses
@@ -141,7 +175,7 @@ then
         echo "TESTING: weechat"
         ./weechat.exp
 else
-        echo "TESTING: weechat not found"
+        echo "TESTING SKIP: weechat not found"
 fi
 
 which wine
@@ -150,6 +184,6 @@ then
         echo "TESTING: wine"
         ./wine.exp
 else
-        echo "TESTING: wine not found"
+        echo "TESTING SKIP: wine not found"
 fi
 
diff --git a/test/chromium.exp b/test/apps/chromium.exp
index 77325d070..c01f9a54d 100755
--- a/test/chromium.exp
+++ b/test/apps/chromium.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "chromium"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\n"
 
diff --git a/test/deluge.exp b/test/apps/deluge.exp
index 49266813e..df7899b51 100755
--- a/test/deluge.exp
+++ b/test/apps/deluge.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "deluge"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\n"
 
diff --git a/test/evince.exp b/test/apps/evince.exp
index 0c57f3871..0c1efcf59 100755
--- a/test/evince.exp
+++ b/test/apps/evince.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "evince"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/fbreader.exp b/test/apps/fbreader.exp
index a4df50932..30fbb1a77 100755
--- a/test/fbreader.exp
+++ b/test/apps/fbreader.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "fbreader"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp
new file mode 100755
index 000000000..1533eae69
--- /dev/null
+++ b/test/apps/filezilla.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail filezilla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/filezilla.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "filezilla"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail filezilla"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail filezilla"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/firefox.exp b/test/apps/firefox.exp
index c2e64e04f..64a733f98 100755
--- a/test/firefox.exp
+++ b/test/apps/firefox.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail firefox www.gentoo.org\r"
+send -- "firejail firefox -no-remote www.gentoo.org\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Reading profile /etc/firejail/firefox.profile"
@@ -26,7 +29,21 @@ expect {
         "firefox" {puts "firefox detected\n";}
         "iceweasel" {puts "iceweasel detected\n";}
 }
-sleep 1
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -42,6 +59,10 @@ expect {
         " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
         "Seccomp:       2"
 }
@@ -49,7 +70,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -57,6 +78,10 @@ expect {
         " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
         "CapBnd:"
 }
@@ -68,7 +93,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\n"
 
diff --git a/test/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp
index 193d532ae..aa0ef44fb 100755
--- a/test/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
-sleep 10
+sleep 5
 
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "gnome-mplayer"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp
new file mode 100755
index 000000000..8dcd2fcd0
--- /dev/null
+++ b/test/apps/gthumb.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gthumb\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gthumb.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gthumb"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail gthumb"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail gthumb"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/hexchat.exp b/test/apps/hexchat.exp
index 0653bcb13..a66cc52cc 100755
--- a/test/hexchat.exp
+++ b/test/apps/hexchat.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,16 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "hexchat"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -47,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -65,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\n"
 
diff --git a/test/icedove.exp b/test/apps/icedove.exp
index be5309e07..667f6745d 100755
--- a/test/icedove.exp
+++ b/test/apps/icedove.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "icedove"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/midori.exp b/test/apps/midori.exp
index ec33816dd..fdd47954c 100755
--- a/test/midori.exp
+++ b/test/apps/midori.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
-sleep 10
+sleep 5
 
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "midori"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 
 puts "\n"
diff --git a/test/opera.exp b/test/apps/opera.exp
index f536ae866..b94c9dbbd 100755
--- a/test/opera.exp
+++ b/test/apps/opera.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "opera"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\n"
 
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
new file mode 100755
index 000000000..ee4044a84
--- /dev/null
+++ b/test/apps/qbittorrent.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail qbittorrent\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "qbittorrent"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\n"
+
diff --git a/test/transmission-gtk.exp b/test/apps/transmission-gtk.exp
index 77d5dd30c..33f4ef963 100755
--- a/test/transmission-gtk.exp
+++ b/test/apps/transmission-gtk.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -9,7 +12,7 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
-sleep 10
+sleep 5
 
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -21,8 +24,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "transmission-gtk"
 }
-sleep 1
+after 100
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -44,7 +54,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -62,7 +72,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/transmission-qt.exp b/test/apps/transmission-qt.exp
index d27c16d6d..991742106 100755
--- a/test/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -13,7 +16,7 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
-sleep 10
+sleep 3
 
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "transmission-qt"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
new file mode 100755
index 000000000..1511a07af
--- /dev/null
+++ b/test/apps/uget-gtk.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail uget-gtk\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/uget-gtk.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "uget-gtk"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/vlc.exp b/test/apps/vlc.exp
index 53d25c9dd..f0903c170 100755
--- a/test/vlc.exp
+++ b/test/apps/vlc.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,15 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "vlc"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 
 send -- "firejail --name=blablabla\r"
 expect {
@@ -48,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -66,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/weechat.exp b/test/apps/weechat.exp
index ac2430280..b3e04da84 100755
--- a/test/weechat.exp
+++ b/test/apps/weechat.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,16 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "weechat-curses"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -47,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -65,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\n"
 
diff --git a/test/wine.exp b/test/apps/wine.exp
index d87c1f205..a2f465acb 100755
--- a/test/wine.exp
+++ b/test/apps/wine.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -23,7 +26,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "parent is shutting down, bye..."
+        "Parent is shutting down, bye..."
 }
 
 puts "\nall done\n"
diff --git a/test/xchat.exp b/test/apps/xchat.exp
index babbcf87d..206397f3e 100755
--- a/test/xchat.exp
+++ b/test/apps/xchat.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -25,7 +28,16 @@ expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
         "xchat"
 }
-sleep 1
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -47,7 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 5.1\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -65,7 +77,7 @@ expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
         "name=blablabla"
 }
-sleep 1
+after 100
 
 puts "\n"
 
diff --git a/test/arguments/Makefile b/test/arguments/Makefile
new file mode 100644
index 000000000..3ccab3702
--- /dev/null
+++ b/test/arguments/Makefile
@@ -0,0 +1,13 @@
+all: argtest
+
+argtest: main.c
+        gcc -o argtest main.c
+
+clean:; rm -f argtest; rm -fr symtest; rm -f out out.*
+
+install:;install -c -m 0755 argtest /usr/local/bin/argtest
+
+uninstall:; rm -f /usr/local/bin/argtest
+
+
+test:; ./arguments.sh | grep TESTING
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
new file mode 100755
index 000000000..2f53eb3fa
--- /dev/null
+++ b/test/arguments/arguments.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+[ -f argtest ] || make argtest
+
+echo "TESTING: 1. regular bash session"
+./bashrun.exp
+
+echo "TESTING: 2. symbolic link to firejail"
+./symrun.exp
+
+echo "TESTING: 3. --join option"
+./joinrun.exp
+
+echo "TESTING: 4. --output option"
+./outrun.exp
+rm out
+rm out.*
+
+
diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp
new file mode 100755
index 000000000..a3c9e382d
--- /dev/null
+++ b/test/arguments/bashrun.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "./bashrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1.3\n";exit}
+        "#arg2#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 1.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 1.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 1.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 1.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5.3\n";exit}
+        "#arg2&tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 1.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6.3\n";exit}
+        "#arg2&tail#"
+}
+
+puts "\nall done\n"
diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh
new file mode 100755
index 000000000..c2f209548
--- /dev/null
+++ b/test/arguments/bashrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo "TESTING: 1.1 - simple args"
+firejail --quiet ./argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 1.2 - args with space and \""
+firejail --quiet ./argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 1.3 - args with space and '"
+firejail --quiet ./argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 1.4 - args with space and \\"
+firejail --quiet ./argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 1.5 - args with & and \""
+firejail --quiet ./argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 1.6 - args with & and '"
+firejail --quiet ./argtest 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
new file mode 100755
index 000000000..8e8570e4f
--- /dev/null
+++ b/test/arguments/joinrun.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --name=joinrun\r"
+sleep 2
+
+spawn $env(SHELL)
+send --  "./joinrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1.3\n";exit}
+        "#arg2#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 3.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 3.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 3.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 3.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5.3\n";exit}
+        "#arg2&tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 3.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6.3\n";exit}
+        "#arg2&tail#"
+}
+
+puts "\nall done\n"
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
new file mode 100755
index 000000000..f6c2b2e22
--- /dev/null
+++ b/test/arguments/joinrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo "TESTING: 3.1 - simple args"
+firejail --join=joinrun ./argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 3.2 - args with space and \""
+firejail --quiet ./argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 3.3 - args with space and '"
+firejail --quiet ./argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 3.4 - args with space and \\"
+firejail --quiet ./argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 3.5 - args with & and \""
+firejail --quiet ./argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 3.6 - args with & and '"
+firejail --quiet ./argtest 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/main.c b/test/arguments/main.c
new file mode 100644
index 000000000..75bdca715
--- /dev/null
+++ b/test/arguments/main.c
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+
+int main(int argc, char **argv) {
+        printf("Arguments:\n");
+
+        int i;
+        for (i = 0; i < argc; i++) {
+                printf("#%s#\n", argv[i]);
+        }
+        
+        return 0;
+}
diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp
new file mode 100755
index 000000000..d28e75661
--- /dev/null
+++ b/test/arguments/outrun.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "./outrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1.3\n";exit}
+        "#arg2#"
+}
+
+exit
+#***************************************************
+#  breaking down from here on - bug to fix
+#***************************************************
+expect {
+        timeout {puts "TESTING ERROR 4.2.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.2.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.2.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 4.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 4.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 4.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5.3\n";exit}
+        "#arg2&tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 4.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6.3\n";exit}
+        "#arg2&tail#"
+}
+
+puts "\nall done\n"
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh
new file mode 100755
index 000000000..cfd8e684c
--- /dev/null
+++ b/test/arguments/outrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo "TESTING: 4.1 - simple args"
+firejail --output=out ./argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 4.2 - args with space and \""
+firejail --output=out ./argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 4.3 - args with space and '"
+firejail --output=out ./argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 4.4 - args with space and \\"
+firejail --output=out ./argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 4.5 - args with & and \""
+firejail --output=out ./argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 4.6 - args with & and '"
+firejail --output=out ./argtest 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/readme b/test/arguments/readme
new file mode 100644
index 000000000..f5844848e
--- /dev/null
+++ b/test/arguments/readme
@@ -0,0 +1,9 @@
+Argument testing fremework for Firejail.
+
+A small test program, argtest, is compiled and installed in /usr/local/bin directory.
+Run "make && sudo make install" to install it.
+
+Run "make test" to run the tests.
+
+Run "make uninstall" to remove the test program.
+
diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp
new file mode 100755
index 000000000..10e7ac6c8
--- /dev/null
+++ b/test/arguments/symrun.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "./symrun.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1.2\n";exit}
+        "#arg1#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1.3\n";exit}
+        "#arg2#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 2.3.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 2.4.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.2\n";exit}
+        "#arg1 tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4.3\n";exit}
+        "#arg2 tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 2.5.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5.3\n";exit}
+        "#arg2&tail#"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 2.6.1\n";exit}
+        "Arguments:"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.2\n";exit}
+        "#arg1&tail#"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6.3\n";exit}
+        "#arg2&tail#"
+}
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh
new file mode 100755
index 000000000..d28f024a8
--- /dev/null
+++ b/test/arguments/symrun.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+mkdir symtest
+ln -s /usr/bin/firejail symtest/argtest
+
+# search for argtest in current directory
+export PATH=$PATH:.
+
+echo "TESTING: 2.1 - simple args"
+symtest/argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 2.2 - args with space and \""
+symtest/argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 2.3 - args with space and '"
+symtest/argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 2.4 - args with space and \\"
+symtest/argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 2.5 - args with & and \""
+symtest/argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 2.6 - args with & and '"
+symtest/argtest 'arg1&tail' 'arg2&tail'
+
+rm -fr symtest
diff --git a/test/auto/autotest.sh b/test/auto/autotest.sh
deleted file mode 100755
index 0fb7565af..000000000
--- a/test/auto/autotest.sh
+++ /dev/null
@@ -1,202 +0,0 @@
-#!/bin/bash
-
-arr[1]="TEST 1: svn and standard compilation"
-arr[2]="TEST 2: cppcheck"
-arr[3]="TEST 3: compile seccomp disabled, chroot disabled, bind disabled"
-arr[4]="TEST 4: rvtest"
-arr[5]="TEST 5: expect test as root, no malloc perturb"
-arr[6]="TEST 6: expect test as user, no malloc perturb"
-arr[7]="TEST 7: expect test as root, malloc perturb"
-arr[8]="TEST 8: expect test as user, malloc perturb"
-
-
-# remove previous reports and output file
-cleanup() {
-        rm -f out-test
-        rm -f output*
-        rm -f report*
-        rm -fr firejail-trunk
-}
-
-print_title() {
-        echo
-        echo
-        echo
-        echo "**************************************************"
-        echo $1
-        echo "**************************************************"
-}
-
-while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
-    case "$1" in
-    --clean)
-        cleanup
-        exit
-        ;;
-    --help)
-        echo "./autotest.sh [--clean|--help]"
-        exit
-        ;;
-    esac
-    shift       # Check next set of parameters.
-done
-
-cleanup
-# enable sudo
-sudo ls -al
-
-#*****************************************************************
-# TEST 1
-#*****************************************************************
-# - checkout source code
-# - check compilation
-# - install
-#*****************************************************************
-print_title "${arr[1]}"
-svn checkout svn://svn.code.sf.net/p/firejail/code-0/trunk firejail-trunk
-cd firejail-trunk
-./configure --prefix=/usr 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-sudo make install 2>&1 | tee ../output-install
-cd src/tools
-gcc -o rvtest rvtest.c
-cd ../..
-cd test
-sudo ./configure > /dev/null
-cd ../..
-grep warning output-configure output-make output-install > ./report-test1
-grep error output-configure output-make output-install >> ./report-test1
-cat report-test1 > out-test1
-
-#*****************************************************************
-# TEST 2
-#*****************************************************************
-# - run cppcheck
-#*****************************************************************
-print_title "${arr[2]}"
-cd firejail-trunk
-cp /home/netblue/bin/cfg/std.cfg .
-cppcheck --force . 2>&1 | tee ../output-cppcheck
-cd ..
-grep error output-cppcheck > report-test2
-cat report-test2 > out-test2
-
-#*****************************************************************
-# TEST 3
-#*****************************************************************
-# - disable seccomp configuration
-# - check compilation
-#*****************************************************************
-print_title "${arr[3]}"
-# seccomp
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-seccomp 2>&1 | tee ../output-configure-noseccomp
-make -j4 2>&1 | tee ../output-make-noseccomp
-cd ..
-grep warning output-configure-noseccomp output-make-noseccomp > ./report-test3
-grep error output-configure-noseccomp output-make-noseccomp >> ./report-test3
-# chroot
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-chroot 2>&1 | tee ../output-configure-nochroot
-make -j4 2>&1 | tee ../output-make-nochroot
-cd ..
-grep warning output-configure-nochroot output-make-nochroot >> ./report-test3
-grep error output-configure-nochroot output-make-nochroot >> ./report-test3
-# bind
-cd firejail-trunk
-make distclean
-./configure --prefix=/usr --disable-bind 2>&1 | tee ../output-configure-nobind
-make -j4 2>&1 | tee ../output-make-nobind
-cd ..
-grep warning output-configure-nobind output-make-nobind >> ./report-test3
-grep error output-configure-nobind output-make-nobind >> ./report-test3
-# save result
-cat report-test3 > out-test3
-
-#*****************************************************************
-# TEST 4
-#*****************************************************************
-# - rvtest
-#*****************************************************************
-print_title "${arr[4]}"
-cd firejail-trunk
-cd test
-../src/tools/rvtest test.rv 2>/dev/null | tee ../../output-test4 | grep TESTING
-cd ../..
-grep TESTING output-test4 > ./report-test4
-grep ERROR report-test4 > out-test4
-
-
-#*****************************************************************
-# TEST 5
-#*****************************************************************
-# - expect test as root, no malloc perturb
-#*****************************************************************
-print_title "${arr[5]}"
-cd firejail-trunk/test
-sudo ./test-root.sh 2>&1 | tee ../../output-test5 | grep TESTING
-cd ../..
-grep TESTING output-test5 > ./report-test5
-grep ERROR report-test5 > out-test5
-
-#*****************************************************************
-# TEST 6
-#*****************************************************************
-# - expect test as user, no malloc perturb
-#*****************************************************************
-print_title "${arr[6]}"
-cd firejail-trunk/test
-./test.sh 2>&1 | tee ../../output-test6 | grep TESTING
-cd ../..
-grep TESTING output-test6 > ./report-test6
-grep ERROR report-test6 > out-test6
-
-
-
-#*****************************************************************
-# TEST 7
-#*****************************************************************
-# - expect test as root, malloc perturb
-#*****************************************************************
-print_title "${arr[7]}"
-export MALLOC_CHECK_=3
-export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-cd firejail-trunk/test
-sudo ./test-root.sh 2>&1 | tee ../../output-test7 | grep TESTING
-cd ../..
-grep TESTING output-test7 > ./report-test7
-grep ERROR report-test7 > out-test7
-
-#*****************************************************************
-# TEST 8
-#*****************************************************************
-# - expect test as user, malloc perturb
-#*****************************************************************
-print_title "${arr[8]}"
-cd firejail-trunk/test
-./test.sh 2>&1 | tee ../../output-test8| grep TESTING
-cd ../..
-grep TESTING output-test8 > ./report-test8
-grep ERROR report-test8 > out-test8
-
-#*****************************************************************
-# PRINT REPORTS
-#*****************************************************************
-echo
-echo
-echo
-echo
-echo "**********************************************************"
-echo "TEST RESULTS"
-echo "**********************************************************"
-
-wc -l out-test*
-rm out-test*
-echo
-
-
-
-
-exit
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 70c24ca3e..1207ef518 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -15,6 +15,7 @@ arr[9]="TEST 9: compile file transfer disabled"
 cleanup() {
         rm -f report*
         rm -fr firejail
+        rm -f oc* om*
 }
 
 print_title() {
@@ -41,9 +42,6 @@ while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
 done
 
 cleanup
-# enable sudo
-sudo ls -al
-
 
 #*****************************************************************
 # TEST 1
@@ -57,11 +55,12 @@ git clone https://github.com/netblue30/firejail.git
 cd firejail
 ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
-sudo make install 2>&1 | tee ../output-install
 cd ..
-grep Warning output-configure output-make output-install > ./report-test1
-grep Error output-configure output-make output-install >> ./report-test1
-rm output-configure output-make output-install
+grep Warning output-configure output-make > ./report-test1
+grep Error output-configure output-make >> ./report-test1
+cp output-configure oc1
+cp output-make om1
+rm output-configure output-make
 
 
 #*****************************************************************
@@ -79,6 +78,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test2
 grep Error output-configure output-make >> ./report-test2
+cp output-configure oc2
+cp output-make om2
 rm output-configure output-make
 
 #*****************************************************************
@@ -96,6 +97,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test3
 grep Error output-configure output-make >> ./report-test3
+cp output-configure oc3
+cp output-make om3
 rm output-configure output-make
 
 #*****************************************************************
@@ -113,6 +116,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test4
 grep Error output-configure output-make >> ./report-test4
+cp output-configure oc4
+cp output-make om4
 rm output-configure output-make
 
 #*****************************************************************
@@ -130,6 +135,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test5
 grep Error output-configure output-make >> ./report-test5
+cp output-configure oc5
+cp output-make om5
 rm output-configure output-make
 
 #*****************************************************************
@@ -147,6 +154,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test6
 grep Error output-configure output-make >> ./report-test6
+cp output-configure oc6
+cp output-make om6
 rm output-configure output-make
 
 #*****************************************************************
@@ -164,6 +173,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test7
 grep Error output-configure output-make >> ./report-test7
+cp output-configure oc7
+cp output-make om7
 rm output-configure output-make
 
 
@@ -182,6 +193,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test8
 grep Error output-configure output-make >> ./report-test8
+cp output-configure oc8
+cp output-make om8
 rm output-configure output-make
 
 
@@ -200,6 +213,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test9
 grep Error output-configure output-make >> ./report-test9
+cp output-configure oc9
+cp output-make om9
 rm output-configure output-make
 
 
diff --git a/test/configure b/test/configure
index bdf36fcad..9acd021c8 100755
--- a/test/configure
+++ b/test/configure
@@ -28,7 +28,7 @@ ROOTDIR="/tmp/chroot"			# default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh "      # basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*`        # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh
new file mode 100755
index 000000000..2d055c1bd
--- /dev/null
+++ b/test/dist-compile/compile.sh
@@ -0,0 +1,289 @@
+#!/bin/bash
+
+arr[1]="TEST 1: standard compilation"
+arr[2]="TEST 2: compile seccomp disabled"
+arr[3]="TEST 3: compile chroot disabled"
+arr[4]="TEST 4: compile bind disabled"
+arr[5]="TEST 5: compile user namespace disabled"
+arr[6]="TEST 6: compile network disabled"
+arr[7]="TEST 7: compile X11 disabled"
+arr[8]="TEST 8: compile network restricted"
+arr[9]="TEST 9: compile file transfer disabled"
+arr[10]="TEST 10: compile disable whitelist"
+arr[11]="TEST 11: compile disable global config"
+
+# remove previous reports and output file
+cleanup() {
+        rm -f report*
+        rm -fr firejail
+        rm -f oc* om*
+}
+
+print_title() {
+        echo
+        echo
+        echo
+        echo "**************************************************"
+        echo $1
+        echo "**************************************************"
+}
+
+DIST="$1"
+while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
+    case "$1" in
+    --clean)
+        cleanup
+        exit
+        ;;
+    --help)
+        echo "./compile.sh [--clean|--help]"
+        exit
+        ;;
+    esac
+    shift       # Check next set of parameters.
+done
+
+cleanup
+
+
+#*****************************************************************
+# TEST 1
+#*****************************************************************
+# - checkout source code
+# - check compilation
+# - install
+#*****************************************************************
+print_title "${arr[1]}"
+echo "$DIST"
+tar -xjvf ../../$DIST.tar.bz2
+mv $DIST firejail
+
+cd firejail
+./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test1
+grep Error output-configure output-make >> ./report-test1
+cp output-configure oc1
+cp output-make om1
+rm output-configure output-make
+
+
+#*****************************************************************
+# TEST 2
+#*****************************************************************
+# - disable seccomp configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[2]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-seccomp  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test2
+grep Error output-configure output-make >> ./report-test2
+cp output-configure oc2
+cp output-make om2
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 3
+#*****************************************************************
+# - disable chroot configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[3]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-chroot  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test3
+grep Error output-configure output-make >> ./report-test3
+cp output-configure oc3
+cp output-make om3
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 4
+#*****************************************************************
+# - disable bind configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[4]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-bind  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test4
+grep Error output-configure output-make >> ./report-test4
+cp output-configure oc4
+cp output-make om4
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 5
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[5]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-userns  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test5
+grep Error output-configure output-make >> ./report-test5
+cp output-configure oc5
+cp output-make om5
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 6
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[6]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-network  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test6
+grep Error output-configure output-make >> ./report-test6
+cp output-configure oc6
+cp output-make om6
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 7
+#*****************************************************************
+# - disable X11 support
+# - check compilation
+#*****************************************************************
+print_title "${arr[7]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-x11  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test7
+grep Error output-configure output-make >> ./report-test7
+cp output-configure oc7
+cp output-make om7
+rm output-configure output-make
+
+
+#*****************************************************************
+# TEST 8
+#*****************************************************************
+# - enable network restricted
+# - check compilation
+#*****************************************************************
+print_title "${arr[8]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-network=restricted  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test8
+grep Error output-configure output-make >> ./report-test8
+cp output-configure oc8
+cp output-make om8
+rm output-configure output-make
+
+
+#*****************************************************************
+# TEST 9
+#*****************************************************************
+# - disable file transfer
+# - check compilation
+#*****************************************************************
+print_title "${arr[9]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-file-transfer  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test9
+grep Error output-configure output-make >> ./report-test9
+cp output-configure oc9
+cp output-make om9
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 10
+#*****************************************************************
+# - disable whitelist
+# - check compilation
+#*****************************************************************
+print_title "${arr[10]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-whitelist  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test10
+grep Error output-configure output-make >> ./report-test10
+cp output-configure oc10
+cp output-make om10
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 11
+#*****************************************************************
+# - disable global config
+# - check compilation
+#*****************************************************************
+print_title "${arr[11]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-globalcfg  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test11
+grep Error output-configure output-make >> ./report-test11
+cp output-configure oc11
+cp output-make om11
+rm output-configure output-make
+
+
+#*****************************************************************
+# PRINT REPORTS
+#*****************************************************************
+echo
+echo
+echo
+echo
+echo "**********************************************************"
+echo "TEST RESULTS"
+echo "**********************************************************"
+
+wc -l report-test*
+echo
+echo  "Legend:"
+echo ${arr[1]}
+echo ${arr[2]}
+echo ${arr[3]}
+echo ${arr[4]}
+echo ${arr[5]}
+echo ${arr[6]}
+echo ${arr[7]}
+echo ${arr[8]}
+echo ${arr[9]}
+echo ${arr[10]}
+echo ${arr[11]}
diff --git a/test/dns.exp b/test/dns.exp
deleted file mode 100755
index 96513f278..000000000
--- a/test/dns.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 30
-spawn $env(SHELL)
-match_max 100000
-
-# no chroot
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-# with chroot
-send -- "firejail --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-# net eth0
-send -- "firejail --net=eth0 --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-# net eth0 and chroot
-send -- "firejail --net=eth0 --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2\n";exit}
-        "1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-
-puts "\n"
-
diff --git a/test/shell_csh.exp b/test/environment/csh.exp
index a2634f633..2f1ae17b9 100755
--- a/test/shell_csh.exp
+++ b/test/environment/csh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,16 +14,13 @@ expect {
 }
 sleep 1
 
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         ".cshrc"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
-send -- "env | grep SHELL;pwd\r"
+
+send -- "env | grep SHELL\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "SHELL"
@@ -29,10 +29,6 @@ expect {
         timeout {puts "TESTING ERROR 2.1\n";exit}
         "/bin/csh"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "home"
-}
 send -- "exit\r"
 sleep 1
 
diff --git a/test/shell_dash.exp b/test/environment/dash.exp
index f5a60719e..d727d302e 100755
--- a/test/shell_dash.exp
+++ b/test/environment/dash.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
new file mode 100755
index 000000000..6ffb124cf
--- /dev/null
+++ b/test/environment/dns.exp
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+
+# no chroot
+send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "connect"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "208.67.222.222"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "53"
+}
+
+after 100
+
+send -- "rm index.html\r"
+after 100
+puts "\nall done\n"
diff --git a/test/doubledash.exp b/test/environment/doubledash.exp
index 3c8a42471..7abf4b918 100755
--- a/test/doubledash.exp
+++ b/test/environment/doubledash.exp
@@ -15,7 +15,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "parent is shutting down"
+        "Parent is shutting down"
 }
 sleep 1
 
@@ -36,23 +36,23 @@ expect {
 sleep 3
 
 spawn $env(SHELL)
-send --  "firejail --list;pwd\r"
+send --  "firejail --list;ls -d /tmp\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "name=testing"
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
+        "/tmp"
 }
-send --  "firejail --list;pwd\r"
+send --  "firejail --list;ls -d /tmp\r"
 expect {
         timeout {puts "TESTING ERROR 8 (join)\n";exit}
         "join=testing"
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "home"
+        "/tmp"
 }
 
 sleep 1
diff --git a/test/env.exp b/test/environment/env.exp
index d7aee3c64..a09c3f9c5 100755
--- a/test/env.exp
+++ b/test/environment/env.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/env.profile b/test/environment/env.profile
index ba66e6210..ba66e6210 100644
--- a/test/env.profile
+++ b/test/environment/env.profile
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
new file mode 100755
index 000000000..a6fe07a1c
--- /dev/null
+++ b/test/environment/environment.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: DNS (test/environment/dns.exp)"
+./dns.exp
+
+echo "TESTING: doubledash (test/environment/doubledash.exp"
+mkdir -- -testdir
+touch -- -testdir/ttt
+cp -- /bin/bash -testdir/.
+./doubledash.exp
+rm -fr -- -testdir
+
+echo "TESTING: output (test/environment/output.exp)"
+./output.exp
+
+echo "TESTING: extract command (extract_command.exp)"
+./extract_command.exp
+
+echo "TESTING: environment variables (test/environment/env.exp)"
+./env.exp
+
+echo "TESTING: shell none(test/environment/shell-none.exp)"
+./shell-none.exp
+
+which dash
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: dash (test/environment/dash.exp)"
+        ./dash.exp
+else
+        echo "TESTING SKIP: dash not found"
+fi
+
+which csh
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: csh (test/environment/csh.exp)"
+        ./csh.exp
+else
+        echo "TESTING SKIP: csh not found"
+fi
+
+which zsh
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: zsh (test/environment/zsh.exp)"
+        ./csh.exp
+else
+        echo "TESTING SKIP: zsh not found"
+fi
+
+echo "TESTING: rlimit (test/environment/rlimit.exp)"
+./rlimit.exp
+
+echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
+./rlimit-profile.exp
+
+echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)"
+./firejail-in-firejail.exp
+
+echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)"
+./firejail-in-firejail2.exp
+
+which aplay
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: sound (test/environment/sound.exp)"
+        ./sound.exp
+else
+        echo "TESTING SKIP: aplay not found"
+fi
+
+echo "TESTING: nice (test/environment/nice.exp)"
+./nice.exp
+
+echo "TESTING: quiet (test/environment/quiet.exp)"
+./quiet.exp
+
+
diff --git a/test/extract_command.exp b/test/environment/extract_command.exp
index cbc36afd4..266f66ff5 100755
--- a/test/extract_command.exp
+++ b/test/environment/extract_command.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --debug ls -al\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/generic.profile"
+        "Reading profile /etc/firejail/default.profile"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
@@ -15,9 +15,9 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "parent is shutting down, bye"
+        "Parent is shutting down, bye"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
index 5ba18d1fa..7e7f4fd17 100755
--- a/test/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp
index b0fed0dae..5a2213074 100755
--- a/test/firejail-in-firejail2.exp
+++ b/test/environment/firejail-in-firejail2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/nice.exp b/test/environment/nice.exp
index f4afb547d..3a5db71c8 100755
--- a/test/nice.exp
+++ b/test/environment/nice.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -14,7 +17,7 @@ sleep 1
 send -- "top -b -n 1\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "netblue"
+        $env(USER)
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
@@ -26,7 +29,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "netblu"
+        $env(USER)
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
@@ -51,7 +54,7 @@ sleep 1
 send -- "top -b -n 1\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "netblue"
+        $env(USER)
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
@@ -63,7 +66,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
-        "netblu"
+        $env(USER)
 }
 expect {
         timeout {puts "TESTING ERROR 15\n";exit}
diff --git a/test/nice.profile b/test/environment/nice.profile
index d02c8f58b..d02c8f58b 100644
--- a/test/nice.profile
+++ b/test/environment/nice.profile
diff --git a/test/output.exp b/test/environment/output.exp
index 90a9d64b6..10c325832 100755
--- a/test/output.exp
+++ b/test/environment/output.exp
@@ -59,8 +59,7 @@ expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "logfile.5"
 }
-sleep 1
+after 100
 send -- "rm -f logfile*\r"
-sleep 1
-
-puts "\n"
+after 100
+puts "\nall done\n"
diff --git a/test/output.sh b/test/environment/output.sh
index 2be188e3a..2be188e3a 100755
--- a/test/output.sh
+++ b/test/environment/output.sh
diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp
new file mode 100755
index 000000000..38da4673e
--- /dev/null
+++ b/test/environment/quiet.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+
+# check ip address
+send -- "firejail --quiet echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile" {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized" {puts "TESTING ERROR 3\n";exit}
+        "done"
+}
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/profile_rlimit.exp b/test/environment/rlimit-profile.exp
index 7d2637444..7ee828bf2 100755
--- a/test/profile_rlimit.exp
+++ b/test/environment/rlimit-profile.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 
 set timeout 10
+#cd /home
 spawn $env(SHELL)
 match_max 100000
 
@@ -11,7 +12,7 @@ expect {
 }
 sleep 1
 
-send -- "cat /proc/self/limits; pwd\r"
+send -- "cat /proc/self/limits\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
         "Max file size             1024                 1024"
@@ -28,9 +29,5 @@ expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
         "Max pending signals       200                  200"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.5\n";exit}
-        "home"
-}
 sleep 1
-puts "\n"
+puts "\nall done\n"
diff --git a/test/option_rlimit.exp b/test/environment/rlimit.exp
index 17d2bd9d1..680520b33 100755
--- a/test/option_rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
diff --git a/test/rlimit.profile b/test/environment/rlimit.profile
index 271891c03..271891c03 100644
--- a/test/rlimit.profile
+++ b/test/environment/rlimit.profile
diff --git a/test/seccomp-dualfilter.exp b/test/environment/shell-none.exp
index b497be5ea..e30008f83 100755
--- a/test/seccomp-dualfilter.exp
+++ b/test/environment/shell-none.exp
@@ -1,38 +1,48 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail ../src/tools/syscall_test mount\r"
+send -- "firejail  --shell=none\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        "shell=none configured, but no program specified"
 }
+sleep 1
+
+send -- "firejail  --profile=shell-none.profile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "before mount"
+        "shell=none configured, but no program specified"
 }
+sleep 1
+
+send -- "firejail  --shell=none ls\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "after mount" {puts "TESTING ERROR 2.1\n";exit}
-        "parent is shutting down"
+        "Child process initialized"
 }
-sleep 1
-
-send -- "firejail ../src/tools/syscall_test32 mount\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "environment.sh"
 }
+sleep 1
+
+send -- "firejail  --profile=shell-none.profile ls\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "before mount"
+        "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "after mount" {puts "TESTING ERROR 5.1\n";exit}
-        "parent is shutting down"
+        "environment.sh"
 }
+sleep 1
+
 
 puts "\nall done\n"
+
diff --git a/test/environment/shell-none.profile b/test/environment/shell-none.profile
new file mode 100644
index 000000000..f16ebe3a0
--- /dev/null
+++ b/test/environment/shell-none.profile
@@ -0,0 +1 @@
+shell none
diff --git a/test/sound.exp b/test/environment/sound.exp
index 7df50bf16..e2e8fb610 100755
--- a/test/sound.exp
+++ b/test/environment/sound.exp
@@ -1,4 +1,8 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,7 +15,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "parent is shutting down"
+        "Parent is shutting down"
 }
 sleep 2
 
@@ -27,7 +31,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "parent is shutting down"
+        "Parent is shutting down"
 }
 sleep 2
 
@@ -39,7 +43,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "parent is shutting down"
+        "Parent is shutting down"
 }
 sleep 2
 
@@ -55,7 +59,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 15\n";exit}
-        "parent is shutting down"
+        "Parent is shutting down"
 }
 sleep 2
 
@@ -71,9 +75,9 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 25\n";exit}
-        "parent is shutting down"
+        "Parent is shutting down"
 }
 sleep 2
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/sound.profile b/test/environment/sound.profile
index 2f83a0bbb..2f83a0bbb 100644
--- a/test/sound.profile
+++ b/test/environment/sound.profile
diff --git a/test/shell_zsh.exp b/test/environment/zsh.exp
index 1d73fd926..7ab7faa76 100755
--- a/test/shell_zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,15 +14,12 @@ expect {
 }
 sleep 1
 
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         ".zshrc"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
+
 send -- "env | grep SHELL;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
@@ -29,12 +29,8 @@ expect {
         timeout {puts "TESTING ERROR 2.1\n";exit}
         "/usr/bin/zsh"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "home"
-}
 send -- "exit\r"
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/features/1.1.exp b/test/features/1.1.exp
index 0d02b54c1..804b73135 100755
--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/1.10.exp b/test/features/1.10.exp
index d9ed8cc6e..e7d51007c 100755
--- a/test/features/1.10.exp
+++ b/test/features/1.10.exp
@@ -37,7 +37,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index 65fcd54ae..685acf737 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -34,7 +34,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "proc /proc/sysrq-trigger proc"
+        "/proc/sysrq-trigger"
 }
 #expect {
 #       timeout {puts "TESTING ERROR 1.5\n";exit}
@@ -42,11 +42,11 @@ expect {
 #}
 expect {
         timeout {puts "TESTING ERROR 1.6\n";exit}
-        "proc /proc/irq proc"
+        "/proc/irq"
 }
 expect {
         timeout {puts "TESTING ERROR 1.7\n";exit}
-        "proc /proc/bus proc"
+        "/proc/bus"
 }
 after 100
 send -- "exit\r"
@@ -60,7 +60,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/1.4.exp b/test/features/1.4.exp
index 1c626518b..d6f373e2a 100755
--- a/test/features/1.4.exp
+++ b/test/features/1.4.exp
@@ -49,7 +49,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/1.5.exp b/test/features/1.5.exp
index 56530f3f4..a17504e74 100755
--- a/test/features/1.5.exp
+++ b/test/features/1.5.exp
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/1.6.exp b/test/features/1.6.exp
index e8ab456e4..0db929c5a 100755
--- a/test/features/1.6.exp
+++ b/test/features/1.6.exp
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/1.7.exp b/test/features/1.7.exp
index 2b79ea6be..b838c092f 100755
--- a/test/features/1.7.exp
+++ b/test/features/1.7.exp
@@ -38,7 +38,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index d937f4f12..4c6d3f3dc 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -20,15 +20,39 @@ expect {
 }
 sleep 1
 
-send -- "ls /etc/firejail\r"
+send -- "ls ~/.config/firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 1.1\n";exit}
         "Permission denied"
 }
 after 100
-send -- "ls ~/.config/firejail\r"
+send -- "ls /run/firejail/bandwidth\r"
 expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "Permission denied"
+}
+after 100
+#send -- "ls /run/firejail/mnt\r"
+#expect {
+#       timeout {puts "TESTING ERROR 1.3\n";exit}
+#       "Permission denied"
+#}
+#after 100
+send -- "ls /run/firejail/name\r"
+expect {
+        timeout {puts "TESTING ERROR 1.4\n";exit}
+        "Permission denied"
+}
+after 100
+send -- "ls /run/firejail/network\r"
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
+        "Permission denied"
+}
+after 100
+send -- "ls /run/firejail/x11\r"
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
         "Permission denied"
 }
 after 100
@@ -43,18 +67,43 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
-        send -- "ls /etc/firejail\r"
+        send -- "ls ~/.config/firejail\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "Permission denied"
+        }
+        after 100
+        send -- "ls /run/firejail/bandwidth\r"
         expect {
-                timeout {puts "TESTING ERROR 3\n";exit}
+                timeout {puts "TESTING ERROR 3.2\n";exit}
                 "Permission denied"
         }
         after 100
-        send -- "ls ~/.config/firejail\r"
+        #send -- "ls /run/firejail/mnt\r"
+        #expect {
+        #       timeout {puts "TESTING ERROR 3.3\n";exit}
+        #       "Permission denied"
+        #}
+        #after 100
+        send -- "ls /run/firejail/name\r"
         expect {
-                timeout {puts "TESTING ERROR 3.1\n";exit}
+                timeout {puts "TESTING ERROR 3.4\n";exit}
+                "Permission denied"
+        }
+        after 100
+        send -- "ls /run/firejail/network\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.5\n";exit}
+                "Permission denied"
+        }
+        after 100
+        send -- "ls /run/firejail/x11\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.6\n";exit}
                 "Permission denied"
         }
         after 100
@@ -73,15 +122,39 @@ if { $chroot == "chroot" } {
                 "Child process initialized"
         }
         sleep 1
-        send -- "ls /etc/firejail\r"
+        send -- "ls ~/.config/firejail\r"
         expect {
-                timeout {puts "TESTING ERROR 5\n";exit}
+                timeout {puts "TESTING ERROR 5.1\n";exit}
                 "Permission denied"
         }
         after 100
-        send -- "ls ~/.config/firejail\r"
+        send -- "ls /run/firejail/bandwidth\r"
         expect {
-                timeout {puts "TESTING ERROR 5.1\n";exit}
+                timeout {puts "TESTING ERROR 5.2\n";exit}
+                "Permission denied"
+        }
+        after 100
+        #send -- "ls /run/firejail/mnt\r"
+        #expect {
+        #       timeout {puts "TESTING ERROR 5.3\n";exit}
+        #       "Permission denied"
+        #}
+        #after 100
+        send -- "ls /run/firejail/name\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.4\n";exit}
+                "Permission denied"
+        }
+        after 100
+        send -- "ls /run/firejail/network\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.5\n";exit}
+                "Permission denied"
+        }
+        after 100
+        send -- "ls /run/firejail/x11\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.6\n";exit}
                 "Permission denied"
         }
         after 100
diff --git a/test/features/2.1.exp b/test/features/2.1.exp
index 07d6a9820..074b5989b 100755
--- a/test/features/2.1.exp
+++ b/test/features/2.1.exp
@@ -52,7 +52,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --hostname=bingo --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/2.2.exp b/test/features/2.2.exp
index 9e3878a4d..f30ccaf79 100755
--- a/test/features/2.2.exp
+++ b/test/features/2.2.exp
@@ -44,7 +44,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --dns=4.2.2.1 --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/2.3.exp b/test/features/2.3.exp
index 1363e41b6..63caab14c 100755
--- a/test/features/2.3.exp
+++ b/test/features/2.3.exp
@@ -107,7 +107,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile  --net=eth0 --overlay --dns=8.8.8.8 --dns=8.8.4.4\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/2.4.exp b/test/features/2.4.exp
index 0c4808a1a..fed596410 100755
--- a/test/features/2.4.exp
+++ b/test/features/2.4.exp
@@ -95,7 +95,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile  --net=br0 --overlay\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/2.5.exp b/test/features/2.5.exp
index a3a330643..1d6105ae8 100755
--- a/test/features/2.5.exp
+++ b/test/features/2.5.exp
@@ -47,7 +47,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --interface=eth0.6\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/2.6.exp b/test/features/2.6.exp
index f3eea2fd6..596e8f435 100755
--- a/test/features/2.6.exp
+++ b/test/features/2.6.exp
@@ -12,17 +12,17 @@ set chroot [lindex $argv 1]
 #
 # N
 #
-send -- "firejail --noprofile --net=eth0 --defaultgw=192.168.1.10\r"
+send -- "firejail --noprofile --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "netstat -rn\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "0.0.0.0         192.168.1.10"
+        "default via 192.168.1.10 dev eth0"
 }
 after 100
 send -- "exit\r"
@@ -32,17 +32,18 @@ sleep 1
 # O
 #
 if { $overlay == "overlay" } {
-        send -- "firejail --noprofile --overlay --net=eth0 --defaultgw=192.168.1.10\r"
+        send -- "firejail --noprofile --overlay --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
-        send -- "netstat -rn\r"
+        send -- "ip route show\r"
         expect {
                 timeout {puts "TESTING ERROR 3\n";exit}
-                "0.0.0.0         192.168.1.10"
+                "default via 192.168.1.10 dev eth0"
         }
         after 100
         send -- "exit\r"
@@ -53,17 +54,17 @@ if { $overlay == "overlay" } {
 # C
 #
 if { $chroot == "chroot" } {
-        send -- "firejail --noprofile --chroot=/tmp/chroot --net=eth0 --defaultgw=192.168.1.10\r"
+        send -- "firejail --noprofile --chroot=/tmp/chroot --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
                 "Child process initialized"
         }
         sleep 1
         
-        send -- "netstat -rn\r"
+        send -- "ip route show\r"
         expect {
                 timeout {puts "TESTING ERROR 5\n";exit}
-                "0.0.0.0         192.168.1.10"
+                "default via 192.168.1.10 dev eth0"
         }
         after 100
         send -- "exit\r"
diff --git a/test/features/3.1.exp b/test/features/3.1.exp
index a66fbdae1..046c703b7 100755
--- a/test/features/3.1.exp
+++ b/test/features/3.1.exp
@@ -22,7 +22,7 @@ sleep 1
 send -- "ls -al | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
-        "5"
+        "6"
 }
 
 send -- "ls -al .bashrc\r"
@@ -66,14 +66,15 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --private\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
         send -- "ls -al | wc -l\r"
         expect {
                 timeout {puts "TESTING ERROR 3.1\n";exit}
-                "5"
+                "6"
         }
         
         send -- "ls -al .bashrc\r"
diff --git a/test/features/3.10.exp b/test/features/3.10.exp
index 47da7f1c2..4a06463a7 100755
--- a/test/features/3.10.exp
+++ b/test/features/3.10.exp
@@ -74,7 +74,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay  --whitelist=/tmp/test1dir\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/3.11.exp b/test/features/3.11.exp
index 3a5e38257..dc41ed743 100755
--- a/test/features/3.11.exp
+++ b/test/features/3.11.exp
@@ -69,7 +69,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --profile=3.11.profile\r"
         expect {
                 timeout {puts "TESTING ERROR 10\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/3.2.exp b/test/features/3.2.exp
index 6f743c414..be20b1547 100755
--- a/test/features/3.2.exp
+++ b/test/features/3.2.exp
@@ -37,7 +37,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --read-only=/home/netblue/.config\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/3.3.exp b/test/features/3.3.exp
index 74260cad3..bb2c34dc1 100755
--- a/test/features/3.3.exp
+++ b/test/features/3.3.exp
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --blacklist=/home/netblue/.config\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/3.4.exp b/test/features/3.4.exp
index 3f316af5b..7ed439669 100755
--- a/test/features/3.4.exp
+++ b/test/features/3.4.exp
@@ -79,7 +79,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --whitelist=/home/netblue/.config\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
index b1a16830d..f4b544b3d 100755
--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -22,8 +22,8 @@ sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
-        "12" { puts "Debian\n"}
-        "11" { puts "Centos\n"}
+        "13" { puts "Debian\n"}
+        "12" { puts "Centos\n"}
 }
 
 after 100
@@ -37,15 +37,16 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --private-dev\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
         send -- "ls -l /dev | wc -l\r"
         expect {
                 timeout {puts "TESTING ERROR 3.1\n";exit}
-                "12" { puts "Debian\n"}
-                "11" { puts "Centos\n"}
+                "13" { puts "Debian\n"}
+                "12" { puts "Centos\n"}
         }
         
         after 100
@@ -67,7 +68,7 @@ if { $chroot == "chroot" } {
         send -- "ls -l /dev | wc -l\r"
         expect {
                 timeout {puts "TESTING ERROR 5.1\n";exit}
-                "11"
+                "12"
         }
         
         after 100
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
index 6117485da..a00517716 100755
--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
@@ -58,6 +59,7 @@ if { $chroot == "chroot" } {
         send -- "firejail --noprofile --chroot=/tmp/chroot --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
+                "chroot option is not available" {puts "grsecurity\n"; exit}
                 "Child process initialized"
         }
         sleep 1
diff --git a/test/features/3.7.exp b/test/features/3.7.exp
index d8236b851..2a9ce84d6 100755
--- a/test/features/3.7.exp
+++ b/test/features/3.7.exp
@@ -45,7 +45,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --private-tmp\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
index 2405e4fdb..94a1abf67 100755
--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -37,7 +37,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --private-bin=bash,cat,cp,ls,wc\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/3.9.exp b/test/features/3.9.exp
index a1797804f..660ccbe05 100755
--- a/test/features/3.9.exp
+++ b/test/features/3.9.exp
@@ -38,7 +38,8 @@ if { $overlay == "overlay" } {
         send -- "firejail --noprofile --overlay --whitelist=/dev/tty --whitelist=/dev/null\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
-                "Child process initialized"
+                "overlay option is not available" {puts "grsecurity\n"; exit}
+                "Child process initialized" {puts "normal system\n"}
         }
         sleep 1
         
diff --git a/test/features/features.txt b/test/features/features.txt
index 283e85d93..b793257c3 100644
--- a/test/features/features.txt
+++ b/test/features/features.txt
@@ -21,7 +21,7 @@ C - chroot filesystem
 1.5 PID namespace
 1.6 new /var/log
 1.7 new /var/tmp
-1.8 disable /etc/firejail and ~/.config/firejail
+1.8 disable firejail config and run time information
 1.9 mount namespace
 1.10 disable /selinux
 
diff --git a/test/features/test.sh b/test/features/test.sh
index 3570dae5a..f28da37d5 100755
--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -50,7 +50,7 @@ echo "TESTING: 1.6 new /var/log"
 echo "TESTING: 1.7 new /var/tmp"
 ./1.7.exp $OVERLAY $CHROOT
 
-echo "TESTING: 1.8 disable /etc/firejail and ~/.config/firejail"
+echo "TESTING: 1.8 disable firejail config and run time information"
 ./1.8.exp $OVERLAY $CHROOT
 
 echo "TESTING: 1.10 disable /selinux"
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
new file mode 100755
index 000000000..034d6a733
--- /dev/null
+++ b/test/filters/caps.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "CapBnd:        0000000000000009"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
new file mode 100755
index 000000000..67b9f2c0d
--- /dev/null
+++ b/test/filters/filters.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: noroot (test/filters/noroot.exp)"
+./noroot.exp
+
+echo "TESTING: capabilities (test/filters/caps.exp)"
+./caps.exp
+
+if [ "$(uname -m)" = "x86_64" ]; then
+        echo "TESTING: protocol (test/filters/protocol.exp)"
+        ./protocol.exp
+else
+        echo "TESTING SKIP: protocol, not running on x86_64"
+fi
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp debug  (test/filters/seccomp-debug.exp)"
+./seccomp-debug.exp
+
+echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
+./seccomp-errno.exp
+
+echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
+./seccomp-su.exp
+
+which strace
+if [ $? -eq 0 ]; then
+        echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)"
+        ./seccomp-ptrace.exp
+else
+        echo "TESTING SKIP: ptrace, strace not found"
+fi
+
+echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+
+echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)"
+./seccomp-chmod-profile.exp
+
+# todo:  fix pwd and add seccomp-chown.exp and seccomp-umount.exp
+
+echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
+./seccomp-empty.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+if [ "$(uname -m)" = "x86_64" ]; then
+        echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
+        ./seccomp-dualfilter.exp
+else
+        echo "TESTING SKIP: seccomp dual, not running on x86_64"
+fi
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
new file mode 100755
index 000000000..1e08cee12
--- /dev/null
+++ b/test/filters/noroot.exp
@@ -0,0 +1,159 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "2"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Operation not permitted"
+}
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+        "Bad system call" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "3"
+}
+
+puts "\n"
+send -- "exit\r"
+sleep 2
+
+
+
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "ffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "0"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "Operation not permitted"
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "3"
+}
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "User namespace detected"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Joining user namespace"
+}
+sleep 1
+
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+        "Permission denied" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "3"
+}
+puts "\nall done\n"
diff --git a/test/protocol.exp b/test/filters/protocol.exp
index 018f4cd9b..82e9a63eb 100755
--- a/test/protocol.exp
+++ b/test/filters/protocol.exp
@@ -1,16 +1,21 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --protocol=unix ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
+        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}
         "socket AF_INET"
 }
 expect {
@@ -47,7 +52,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --noprofile --protocol=inet6,packet ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Child process initialized"
@@ -91,7 +96,7 @@ expect {
 sleep 1
 
 # profile testing
-send -- "firejail --profile=protocol1.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "Child process initialized"
@@ -134,7 +139,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=protocol2.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "Child process initialized"
@@ -177,8 +182,4 @@ expect {
 }
 sleep 1
 
-
-
-
-
 puts "\nall done\n"
diff --git a/test/protocol1.profile b/test/filters/protocol1.profile
index 3e1ea2a29..3e1ea2a29 100644
--- a/test/protocol1.profile
+++ b/test/filters/protocol1.profile
diff --git a/test/protocol2.profile b/test/filters/protocol2.profile
index b7eb4ab91..b7eb4ab91 100644
--- a/test/protocol2.profile
+++ b/test/filters/protocol2.profile
diff --git a/test/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
index 631d67743..53f06e632 100755
--- a/test/seccomp-bad-empty.exp
+++ b/test/filters/seccomp-bad-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile
index 2d4fcde7c..2d4fcde7c 100644
--- a/test/seccomp-bad-empty.profile
+++ b/test/filters/seccomp-bad-empty.profile
diff --git a/test/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile
index c4e6c9f74..c4e6c9f74 100644
--- a/test/seccomp-bad-empty2.profile
+++ b/test/filters/seccomp-bad-empty2.profile
diff --git a/test/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
index 098328cea..e5d16f524 100755
--- a/test/seccomp-chmod-profile.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,36 +14,38 @@ expect {
 }
 sleep 2
 
-send -- "touch testfile;pwd\r"
+send -- "cd ~; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
+        "done"
 }
 
-send -- "ls -l testfile;pwd\r"
+send -- "touch testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "testfile"
+        "done"
 }
+
+send -- "ls -l testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
 }
 
-send -- "chmod +x testfile;pwd\r"
+send -- "chmod +x testfile; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "Bad system call"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "done"
 }
 
-
 send -- "exit\r"
 sleep 1
-puts "\n"
+puts "\nall done\n"
diff --git a/test/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
index b4a213206..9ca084e7f 100755
--- a/test/seccomp-chmod.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,36 +14,38 @@ expect {
 }
 sleep 2
 
-send -- "touch testfile;pwd\r"
+send -- "cd ~; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
+        "done"
 }
 
-send -- "ls -l testfile;pwd\r"
+send -- "touch testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "testfile"
+        "done"
 }
+
+send -- "ls -l testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
 }
 
-send -- "chmod +x testfile;pwd\r"
+send -- "chmod +x testfile; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "Bad system call"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "/root" {puts "running as root"}
-        "/home"
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "done"
 }
 
-
 send -- "exit\r"
 sleep 1
-puts "\n"
+puts "\nall done\n"
diff --git a/test/seccomp-chown.exp b/test/filters/seccomp-chown.exp
index 69b896700..4e393fea2 100755
--- a/test/seccomp-chown.exp
+++ b/test/filters/seccomp-chown.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 1034f040e..dbc0d37a9 100755
--- a/test/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
new file mode 100755
index 000000000..8a48130b3
--- /dev/null
+++ b/test/filters/seccomp-dualfilter.exp
@@ -0,0 +1,54 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 1
+spawn $env(SHELL)
+match_max 100000
+
+send -- "./syscall_test\r"
+expect {
+        timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
+        "Usage"
+}
+
+send -- "./syscall_test32\r"
+expect {
+        timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
+        "Usage"
+}
+
+set timeout 10
+send -- "firejail ./syscall_test mount\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "after mount" {puts "TESTING ERROR 3\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail ./syscall_test32 mount\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "after mount" {puts "TESTING ERROR 7\n";exit}
+        "Parent is shutting down"
+}
+
+puts "\nall done\n"
diff --git a/test/seccomp-empty.exp b/test/filters/seccomp-empty.exp
index 11abf2e00..11b275c7d 100755
--- a/test/seccomp-empty.exp
+++ b/test/filters/seccomp-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/seccomp-empty.profile b/test/filters/seccomp-empty.profile
index 8f71f55a5..8f71f55a5 100644
--- a/test/seccomp-empty.profile
+++ b/test/filters/seccomp-empty.profile
diff --git a/test/seccomp-errno.exp b/test/filters/seccomp-errno.exp
index e6678ab8f..aefe816e1 100755
--- a/test/seccomp-errno.exp
+++ b/test/filters/seccomp-errno.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
index 9a9b7430e..fba9ea92f 100755
--- a/test/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/seccomp-su.exp b/test/filters/seccomp-su.exp
index dcae6f869..3f1f2e732 100755
--- a/test/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -14,19 +17,22 @@ sleep 2
 send -- "sudo su -\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "effective uid is not 0"
+        "effective uid is not 0" {puts "OK\n"}
+        "Bad system call" {puts "OK\n"}
 }
 
 send -- "sudo ls\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "effective uid is not 0"
+        "effective uid is not 0" {puts "OK\n"}
+        "Bad system call" {puts "OK\n"}
 }
 
 send -- "ping google.com\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Operation not permitted"
+        "Operation not permitted" {puts "OK\n"}
+        "unknown host" {puts "OK\n"}
 }
 
 send -- "exit\r"
diff --git a/test/seccomp-umount.exp b/test/filters/seccomp-umount.exp
index c0107a084..6e2f8c6c2 100755
--- a/test/seccomp-umount.exp
+++ b/test/filters/seccomp-umount.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/seccomp.profile b/test/filters/seccomp.profile
index cb0b15aee..cb0b15aee 100644
--- a/test/seccomp.profile
+++ b/test/filters/seccomp.profile
diff --git a/src/tools/syscall_test b/test/filters/syscall_test
index bf29c5b99..bf29c5b99 100755
--- a/src/tools/syscall_test
+++ b/test/filters/syscall_test
diff --git a/src/tools/syscall_test.c b/test/filters/syscall_test.c
index b3f43c755..422af619d 100644
--- a/src/tools/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -1,3 +1,7 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2016 Firejail Authors
+// License GPL v2
+
 #include <stdlib.h>
 #include <stdio.h>
 #include <unistd.h>
diff --git a/src/tools/syscall_test32 b/test/filters/syscall_test32
index 8d72f58c4..8d72f58c4 100755
--- a/src/tools/syscall_test32
+++ b/test/filters/syscall_test32
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
new file mode 100755
index 000000000..08888020c
--- /dev/null
+++ b/test/fs/fs.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: kmsg access (test/fs/kmsg.exp)"
+./kmsg.exp
+
+echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
+./fs_var_tmp.exp
+
+echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
+./fs_var_lock.exp
+
+echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
+./fs_dev_shm.exp
+
+echo "TESTING: private (test/fs/private.exp)"
+./private.exp `whoami`
+
+echo "TESTING: private-etc (test/fs/private-etc.exp)"
+./private-etc.exp
+
+echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
+./private-etc-empty.exp
+
+echo "TESTING: private-bin (test/fs/private-bin.exp)"
+./private-bin.exp
+
+echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
+./whitelist-empty.exp
+
+echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
+./private-whitelist.exp
+
+echo "TESTING: invalid filename (test/fs/invalid_filename.exp)"
+./invalid_filename.exp
+
+echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)"
+./option_blacklist.exp
+
+echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
+./option_blacklist_file.exp
+
+echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)"
+./option_blacklist_glob.exp
+
+echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
+./option_bind_user.exp
+
+
+
diff --git a/test/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
index b54f24eb5..6d27978e2 100755
--- a/test/fs_dev_shm.exp
+++ b/test/fs/fs_dev_shm.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -12,33 +15,33 @@ expect {
 }
 sleep 1
 
-send -- "echo mytest > /dev/shm/ttt;pwd\r"
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
+        "done"
 }
 
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
 }
 
-send -- "rm /dev/shm/ttt;pwd\r"
+send -- "rm /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
 }
 
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
+        "done"
 }
 
 sleep 1
@@ -48,40 +51,40 @@ sleep 1
 # redo the test with --private
 send -- "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "echo mytest > /dev/shm/ttt;pwd\r"
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "done"
 }
 
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
         "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "done"
 }
 
-send -- "rm /dev/shm/ttt;pwd\r"
+send -- "rm /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "done"
 }
 
-send -- "cat /dev/shm/ttt;pwd\r"
+send -- "cat /dev/shm/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
+        "done"
 }
 
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fs_var_lock.exp b/test/fs/fs_var_lock.exp
index dfcf571f4..0e2b3181a 100755
--- a/test/fs_var_lock.exp
+++ b/test/fs/fs_var_lock.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -12,33 +15,33 @@ expect {
 }
 sleep 1
 
-send -- "echo mytest > /var/lock/ttt;pwd\r"
+send -- "echo mytest > /var/lock/ttt;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
+        "done"
 }
 
-send -- "cat /var/lock/ttt;pwd\r"
+send -- "cat /var/lock/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
 }
 
-send -- "rm /var/lock/ttt;pwd\r"
+send -- "rm /var/lock/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
 }
 
-send -- "cat /var/lock/ttt;pwd\r"
+send -- "cat /var/lock/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
+        "done"
 }
 
 sleep 1
@@ -48,40 +51,40 @@ sleep 1
 # redo the test with --private
 send -- "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "echo mytest > /var/lock/ttt;pwd\r"
+send -- "echo mytest > /var/lock/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "done"
 }
 
-send -- "cat /var/lock/ttt;pwd\r"
+send -- "cat /var/lock/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
         "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "done"
 }
 
-send -- "rm /var/lock/ttt;pwd\r"
+send -- "rm /var/lock/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "done"
 }
 
-send -- "cat /var/lock/ttt;pwd\r"
+send -- "cat /var/lock/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
+        "done"
 }
 
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp
index 95ceeb2a4..811baac68 100755
--- a/test/fs_var_tmp.exp
+++ b/test/fs/fs_var_tmp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -12,33 +15,33 @@ expect {
 }
 sleep 1
 
-send -- "echo mytest > /var/tmp/ttt;pwd\r"
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
+        "done"
 }
 
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "done"
 }
 
-send -- "rm /var/tmp/ttt;pwd\r"
+send -- "rm /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "done"
 }
 
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "mytest" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mytest" {puts "TESTING ERROR 6\n";exit}
+        "done"
 }
 
 sleep 1
@@ -48,40 +51,40 @@ sleep 1
 # redo the test with --private
 send -- "firejail\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "echo mytest > /var/tmp/ttt;pwd\r"
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "done"
 }
 
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
         "mytest"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "done"
 }
 
-send -- "rm /var/tmp/ttt;pwd\r"
+send -- "rm /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "done"
 }
 
-send -- "cat /var/tmp/ttt;pwd\r"
+send -- "cat /var/tmp/ttt;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        "mytest" {puts "TESTING ERROR 14.1\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mytest" {puts "TESTING ERROR 13\n";exit}
+        "done"
 }
 
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/invalid_filename.exp b/test/fs/invalid_filename.exp
index dd1fa4634..1acc85491 100755
--- a/test/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -1,23 +1,7 @@
 #!/usr/bin/expect -f
-
-#invalid_filename checks:
-#
-#--bind (two files) - profile.c - Note: The test is not implemented here, need to be root to test it
-#--blacklist - profile.c
-#--cgroup - cgroup.c
-#--chroot - main.c
-#--netfilter - netfilter.c
-#--output - output.c
-#--private - fs_home.c
-#--privte-bin (list) - fs_bin.c
-#--private-home (list) - fs_home.c
-#--private-etc (list) - fs_etc.c
-#--profile - main.c
-#--read_only - profile.c
-#--shell - main.c
-#--tmpfs - profile.c
-#--white-list
-
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -56,7 +40,8 @@ after 100
 send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Checking filename bla&&bla"
+        "Checking filename bla&&bla" {puts "normal system\n"}
+        "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit}
 }
 expect {
         timeout {puts "TESTING ERROR 3.2\n";exit}
@@ -200,7 +185,5 @@ expect {
 }
 after 100
 
-
-
 puts "\nall done\n"
 
diff --git a/test/kmsg.exp b/test/fs/kmsg.exp
index 096bdb708..abc711aee 100755
--- a/test/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -16,14 +19,14 @@ expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Permission denied"
 }
-sleep 1
+after 100
 
 send -- "cat /proc/kmsg\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "Permission denied"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/option_bind_user.exp b/test/fs/option_bind_user.exp
index 9d2d17d7f..9d2d17d7f 100755
--- a/test/option_bind_user.exp
+++ b/test/fs/option_bind_user.exp
diff --git a/test/option_blacklist.exp b/test/fs/option_blacklist.exp
index b80d0cc60..38fd19237 100755
--- a/test/option_blacklist.exp
+++ b/test/fs/option_blacklist.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,23 +14,23 @@ expect {
 }
 sleep 1
 
-send -- "ls -l /var;pwd\r"
+send -- "ls -l /var;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Permission denied"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
-send -- "cd /var;pwd\r"
+send -- "cd /var;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "Permission denied"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
diff --git a/test/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
index ecdfe3b82..846735d9e 100755
--- a/test/option_blacklist_file.exp
+++ b/test/fs/option_blacklist_file.exp
@@ -11,14 +11,14 @@ expect {
 }
 sleep 1
 
-send -- "cat /etc/passwd;pwd\r"
+send -- "cat /etc/passwd;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Permission denied"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp
new file mode 100755
index 000000000..01939736d
--- /dev/null
+++ b/test/fs/option_blacklist_glob.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --blacklist=testdir1/*\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "cd testdir1\r"
+sleep 1
+
+send -- "cat .file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Permission denied"
+}
+
+send -- "ls .directory\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+
+puts "\n"
+
diff --git a/test/private-bin.exp b/test/fs/private-bin.exp
index a82d2b213..c19702e77 100755
--- a/test/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -63,9 +66,6 @@ expect {
 }
 send -- "exit\r"
 
-
-
-
 sleep 1
 puts "\nall done\n"
 
diff --git a/test/private-bin.profile b/test/fs/private-bin.profile
index 24cf5929a..24cf5929a 100644
--- a/test/private-bin.profile
+++ b/test/fs/private-bin.profile
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
new file mode 100755
index 000000000..13e917a5c
--- /dev/null
+++ b/test/fs/private-etc-empty.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-etc=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=private-etc-empty.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0"
+}
+
+puts "\nall done\n"
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile
new file mode 100644
index 000000000..38aa8cd68
--- /dev/null
+++ b/test/fs/private-etc-empty.profile
@@ -0,0 +1 @@
+private-etc blablabla
diff --git a/test/private-etc.exp b/test/fs/private-etc.exp
index db1d1df3a..3b4f3eb2b 100755
--- a/test/private-etc.exp
+++ b/test/fs/private-etc.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -12,29 +15,29 @@ expect {
 }
 sleep 1
 
-send -- "ls -al /etc\r"
+send -- "LC_ALL=C ls -al /etc\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "group"
+        "X11"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "passwd"
+        "group"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "resolv.conf"
+        "passwd"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "X11"
+        "resolv.conf"
 }
 
-send -- "ls -al /etc\r"
+send -- "ls -al /etc; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "shadow" {puts "TESTING ERROR 8\n";exit}
-        "X11"
+        "done"
 }
 
 sleep 1
diff --git a/test/private-whitelist.exp b/test/fs/private-whitelist.exp
index f06415c52..4dadeacb1 100755
--- a/test/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -9,26 +12,28 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
 
 send -- "ls -al /tmp\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         ".X11-unix"
 }
-sleep 1
+after 100
 
 send -- "ls -a /tmp | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "3"
 }
-sleep 1
+after 100
 
 send -- "ls -a ~ | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "4"
+        "3" {puts "3\n"}
+        "4" {puts "4\n"}
+        "5" {puts "5\n"}
 }
 
 sleep 1
diff --git a/test/fs/private.exp b/test/fs/private.exp
new file mode 100755
index 000000000..7eee0c82b
--- /dev/null
+++ b/test/fs/private.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+if { $argc != 1 } {
+        puts "TESTING ERROR: argument missing"
+        puts "Usage: private.exp username"
+        puts "where username is the name of the current user"
+        exit
+}
+
+# testing profile and private
+send -- "firejail --private --profile=/etc/firejail/default.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --private --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+
+sleep 1
+send -- "cd ~; ls -al; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        ".bashrc"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        done
+}
+
+# owner /tmp
+send -- "stat -c %U%a /tmp;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "root777" {puts "version 1\n";}
+            "root1777" {puts "version 2\n";}
+        "nobody777" {puts "version 3\n";}
+            "nobody1777" {puts "version 4\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "done"
+}
+sleep 1
+
+puts "all done\n"
diff --git a/test/fs/testdir1/.directory/file b/test/fs/testdir1/.directory/file
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fs/testdir1/.directory/file
diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fs/testdir1/.file
diff --git a/test/whitelist-empty.exp b/test/fs/whitelist-empty.exp
index 226b019db..f44d4fb58 100755
--- a/test/whitelist-empty.exp
+++ b/test/fs/whitelist-empty.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 30
 spawn $env(SHELL)
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp
index cc0d82179..aeb5669e1 100755
--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -7,7 +7,8 @@ match_max 100000
 send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
+        "Child process initialized" {puts "chroot available\n"};
 }
 sleep 1
 
diff --git a/test/fs_overlay.exp b/test/fs_overlay.exp
index 42d25b407..b7eeba80f 100755
--- a/test/fs_overlay.exp
+++ b/test/fs_overlay.exp
@@ -20,6 +20,7 @@ send -- "firejail --noprofile --overlay\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
         "Child process initialized" {puts "found\n"}
 }
 sleep 1
diff --git a/test/google-chrome.exp b/test/google-chrome.exp
deleted file mode 100755
index 7999831d7..000000000
--- a/test/google-chrome.exp
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail google-chrome www.gentoo.org\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/google-chrome.profile"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        ":firejail"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "google-chrome"
-}
-sleep 1
-
-send -- "firejail --name=blablabla\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        ":firejail google-chrome"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Seccomp:       0"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail google-chrome"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.1\n";exit}
-        "CapBnd:"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.2\n";exit}
-        "fffffffff"
-}
-expect {
-        timeout {puts "TESTING ERROR 6.3\n";exit}
-        "name=blablabla"
-}
-sleep 1
-
-puts "\n"
-
diff --git a/test/net_defaultgw2.exp b/test/net_defaultgw2.exp
deleted file mode 100755
index be9b4882a..000000000
--- a/test/net_defaultgw2.exp
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "eth1"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-
-# check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.30.89"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.30.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
-}
-sleep 1
-
-puts "\n"
-
diff --git a/test/4bridges_arp.exp b/test/network/4bridges_arp.exp
index 3004082e6..f769df43b 100755
--- a/test/4bridges_arp.exp
+++ b/test/network/4bridges_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -115,7 +118,7 @@ sleep 2
 
 
 # check loopback
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
+send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "lo"
@@ -136,40 +139,35 @@ expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
+        "default via 10.10.20.1 dev eth0"
 }
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
+send -- "ip route show\r"
 expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
+        timeout {puts "TESTING ERROR 10.2\n";exit}
+        "10.10.30.0/24 dev eth1  proto kernel  scope link"
 }
+send -- "ip route show\r"
 expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
+        timeout {puts "TESTING ERROR 10.2\n";exit}
+        "10.10.40.0/24 dev eth2  proto kernel  scope link"
 }
+send -- "ip route show\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 10.2\n";exit}
+        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/4bridges_ip.exp b/test/network/4bridges_ip.exp
index 9e37b4ff4..db7a61867 100755
--- a/test/4bridges_ip.exp
+++ b/test/network/4bridges_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -115,7 +118,7 @@ sleep 2
 
 
 # check loopback
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
+send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "lo"
@@ -138,38 +141,37 @@ expect {
 }
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
+        "default via 10.10.20.1 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.1"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
+        "10.10.30.0/24 dev eth1  proto kernel  scope link  src 10.10.30.50"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
+        "10.10.40.0/24 dev eth2  proto kernel  scope link  src 10.10.40.100"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
+
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/network/README b/test/network/README
new file mode 100644
index 000000000..a715d8edf
--- /dev/null
+++ b/test/network/README
@@ -0,0 +1,15 @@
+Warning: this test requires root access to configure a number of bridge, mac
+and vlan devices. Please take a look at configure file. By the time you are
+finished testing, you'll probably have to reboot the computer to get your
+networking subsytem back to normal.
+
+Limitations - to be investigated and fixed:
+        - the test is assuming an eth0 wired interface to be present
+        - using netstat and ifconfig - this needs to be moved to iproute2
+        - configure script inserts an entry in system netfilter configuration
+        - the test will probably not work on grsecurity settings
+        - macvlan interfaces don't seem to work correctly under VirtualBox
+
+Run the test:
+        $ sudo ./configure
+        $ ./network.sh | grep TESTING
diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp
new file mode 100755
index 000000000..2913c6b14
--- /dev/null
+++ b/test/network/bandwidth.exp
@@ -0,0 +1,65 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --bandwidth=test status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "qdisc * 0: dev eth0"
+}
+sleep 1
+
+send -- "firejail --bandwidth=test set br0 50 10\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Configuring interface eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "configuring tc ingress"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "configuring tc egress"
+}
+
+send -- "firejail --bandwidth=test status\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "dev eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "rate 80Kbit burst 10Kb"
+}
+sleep 1
+
+send -- "firejail --bandwidth=test clear br0\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Removing bandwith limits"
+}
+sleep 1
+
+send -- "firejail --bandwidth=test status; echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit}
+        "done"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/network/configure b/test/network/configure
new file mode 100755
index 000000000..35d938340
--- /dev/null
+++ b/test/network/configure
@@ -0,0 +1,27 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+brctl addbr br0
+ifconfig br0 10.10.20.1/29 up
+# NAT masquerade
+iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE
+# port forwarding
+# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80
+        
+brctl addbr br1
+ifconfig br1 10.10.30.1/24 up
+brctl addbr br2
+ifconfig br2 10.10.40.1/24 up
+brctl addbr br3
+ifconfig br3 10.10.50.1/24 up
+brctl addbr br4
+ifconfig br4 10.10.60.1/24 up
+ip link add link eth0 name eth0.5 type vlan id 5
+/sbin/ifconfig eth0.5 10.10.205.10/24 up
+ip link add link eth0 name eth0.6 type vlan id 6
+/sbin/ifconfig eth0.6 10.10.206.10/24 up
+ip link add link eth0 name eth0.7 type vlan id 7
+/sbin/ifconfig eth0.7 10.10.207.10/24 up
+
diff --git a/test/hostname.exp b/test/network/hostname.exp
index 4e5c7e073..53f24f7b1 100755
--- a/test/hostname.exp
+++ b/test/network/hostname.exp
@@ -1,24 +1,27 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --hostname=baluba --noprofile\r"
+send --  "firejail --hostname=bingo --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "ping -c 3 baluba;pwd\r"
+send -- "ping -c 3 bingo; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "3 packets transmitted, 3 received"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
diff --git a/test/ip6.exp b/test/network/ip6.exp
index fba47d095..e5939021e 100755
--- a/test/ip6.exp
+++ b/test/network/ip6.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -15,6 +18,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
+        "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
         "2001:db8:1f0a:3ec::2"
 }
 expect {
diff --git a/test/ipv6.net b/test/network/ipv6.net
index cc8f22943..cc8f22943 100644
--- a/test/ipv6.net
+++ b/test/network/ipv6.net
diff --git a/test/network/net-profile.profile b/test/network/net-profile.profile
new file mode 100644
index 000000000..05052b6dc
--- /dev/null
+++ b/test/network/net-profile.profile
@@ -0,0 +1,10 @@
+net br0
+mac 00:11:22:33:44:55
+mtu 1000
+net br1
+ip 10.10.30.50
+net br2
+ip 10.10.40.100
+net br3
+defaultgw 10.10.20.2
+
diff --git a/test/net_arp.exp b/test/network/net_arp.exp
index 9e07744f3..f27f85814 100755
--- a/test/net_arp.exp
+++ b/test/network/net_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_badip.exp b/test/network/net_badip.exp
index 71b69e104..8003252d6 100755
--- a/test/net_badip.exp
+++ b/test/network/net_badip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_defaultgw.exp b/test/network/net_defaultgw.exp
index 9820660b7..5534b7706 100755
--- a/test/net_defaultgw.exp
+++ b/test/network/net_defaultgw.exp
@@ -1,11 +1,14 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "eth0"
@@ -26,40 +29,21 @@ expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
+        "default via 10.10.20.2 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.2"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp
new file mode 100755
index 000000000..86f204e8c
--- /dev/null
+++ b/test/network/net_defaultgw2.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check ip address
+send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89 --protocol=unix,inet,netlink\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth1"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+# check default gateway
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 10.1\n";exit}
+        "default via 10.10.30.89 dev eth1"
+}
+
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 10.2\n";exit}
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
+}
+
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 10.3\n";exit}
+        "10.10.30.0/24 dev eth1  proto kernel  scope link"
+}
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/net_defaultgw3.exp b/test/network/net_defaultgw3.exp
index 64da9dfca..30150938f 100755
--- a/test/net_defaultgw3.exp
+++ b/test/network/net_defaultgw3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_interface.exp b/test/network/net_interface.exp
index 4b55187ff..2e6619938 100755
--- a/test/net_interface.exp
+++ b/test/network/net_interface.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_ip.exp b/test/network/net_ip.exp
index 5995296c7..0eff212dd 100755
--- a/test/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -31,7 +34,7 @@ send -- "exit\r"
 sleep 2
 
 # check loopback
-send -- "firejail --net=br0 --ip=10.10.20.5\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "lo"
@@ -52,38 +55,19 @@ expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
+        "default via 10.10.20.1 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
 sleep 1
 
diff --git a/test/net_local.exp b/test/network/net_local.exp
index 642213658..60ab2af05 100755
--- a/test/net_local.exp
+++ b/test/network/net_local.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_mac.exp b/test/network/net_mac.exp
index 076634730..5c48be9fd 100755
--- a/test/net_mac.exp
+++ b/test/network/net_mac.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_macvlan.exp b/test/network/net_macvlan.exp
index 20d022de9..ca503c26a 100755
--- a/test/net_macvlan.exp
+++ b/test/network/net_macvlan.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_mtu.exp b/test/network/net_mtu.exp
index 7943b2866..21b9aa5cb 100755
--- a/test/net_mtu.exp
+++ b/test/network/net_mtu.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_netfilter.exp b/test/network/net_netfilter.exp
index 989fcc407..f011f3746 100755
--- a/test/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/net_noip.exp b/test/network/net_noip.exp
index 8d28adb39..3fb53d860 100755
--- a/test/net_noip.exp
+++ b/test/network/net_noip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -16,24 +19,24 @@ send -- "bash\r"
 sleep 1
 
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
         "eth0" {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "eth0"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 after 100
 
diff --git a/test/net_noip2.exp b/test/network/net_noip2.exp
index 58f90422b..cf86d7f6b 100755
--- a/test/net_noip2.exp
+++ b/test/network/net_noip2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -16,24 +19,24 @@ send -- "bash\r"
 sleep 1
 
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
         "eth0" {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "eth0"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 after 100
 
diff --git a/test/net_none.exp b/test/network/net_none.exp
index 54b6cb946..1c1577d76 100755
--- a/test/net_none.exp
+++ b/test/network/net_none.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -16,20 +19,20 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "eth0" {puts "TESTING ERROR 2.1\n";exit}
-        "home"
+        "done"
 }
 send -- "exit\r"
 sleep 1
@@ -48,21 +51,21 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "eth0" {puts "TESTING ERROR 5.1\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/net_none.profile b/test/network/net_none.profile
index 079c08ea8..079c08ea8 100644
--- a/test/net_none.profile
+++ b/test/network/net_none.profile
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp
new file mode 100755
index 000000000..7e88193cc
--- /dev/null
+++ b/test/network/net_profile.exp
@@ -0,0 +1,76 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check eth0
+send -- "firejail --profile=net-profile.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0.0\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "10.10.20"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "255.255.255.248"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "UP"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "10.10.30.0/24 dev eth1  proto kernel  scope link  src 10.10.30.50"
+}
+
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "10.10.40.0/24 dev eth2  proto kernel  scope link  src 10.10.40.100"
+}
+
+
+# check default gw
+send -- "ip route show\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "default via 10.10.20.2 dev eth0"
+}
+
+# check mtu
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "mtu 1000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "state UP"
+}
+
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/netfilter.filter b/test/network/netfilter.filter
index 3e232065c..3e232065c 100644
--- a/test/netfilter.filter
+++ b/test/network/netfilter.filter
diff --git a/test/netfilter.profile b/test/network/netfilter.profile
index 824c6cd0f..824c6cd0f 100644
--- a/test/netfilter.profile
+++ b/test/network/netfilter.profile
diff --git a/test/network/network.sh b/test/network/network.sh
new file mode 100755
index 000000000..7b6d66e34
--- /dev/null
+++ b/test/network/network.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+
+echo "TESTING: bandwidth (bandwidth.exp)"
+./bandwidth.exp
+
+echo "TESTING: IPv6 support (ip6.exp)"
+./ip6.exp
+
+echo "TESTING: local network (net_local.exp)"
+./net_local.exp
+
+echo "TESTING: no network (net_none.exp)"
+./net_none.exp
+
+echo "TESTING: network IP (net_ip.exp)"
+./net_ip.exp
+
+echo "TESTING: network MAC (net_mac.exp)"
+sleep 2
+./net_mac.exp
+
+echo "TESTING: network MTU (net_mtu.exp)"
+./net_mtu.exp
+
+echo "TESTING: network hostname (hostname.exp)"
+./hostname.exp
+
+echo "TESTING: network bad IP (net_badip.exp)"
+./net_badip.exp
+
+echo "TESTING: network no IP test 1 (net_noip.exp)"
+./net_noip.exp
+
+echo "TESTING: network no IP test 2 (net_noip2.exp)"
+./net_noip2.exp
+
+echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
+./net_defaultgw.exp
+
+echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
+./net_defaultgw2.exp
+
+echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
+./net_defaultgw3.exp
+
+echo "TESTING: netfilter (net_netfilter.exp)"
+./net_netfilter.exp
+
+echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
+./4bridges_arp.exp
+
+echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
+./4bridges_ip.exp
diff --git a/test/noroot.exp b/test/noroot.exp
deleted file mode 100755
index 37d55fe78..000000000
--- a/test/noroot.exp
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --debug --noprofile --noroot --caps.drop=all --seccomp --cpu=0,1 --name=noroot-sandbox\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "CapBnd:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "0000000000000000"
-}
-
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Cpus_allowed:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "3"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Cpus_allowed_list:"
-}
-puts "\n"
-
-send -- "cat /proc/self/status\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Seccomp:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "2"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Cpus_allowed:"
-}
-puts "\n"
-
-send -- "ping 0\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Operation not permitted"
-}
-puts "\n"
-
-send -- "whoami\r"
-expect {
-        timeout {puts "TESTING ERROR 55\\n";exit}
-        "netblue"
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-send -- "firejail --noroot --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "whoami\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "netblue"
-}
-send -- "sudo -s\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-send -- "firejail --name=test --noroot --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --debug --join=test\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "User namespace detected"
-}
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "Joining user namespace"
-}
-sleep 1
-
-send -- "sudo -s\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "all done\n"
diff --git a/test/notes b/test/notes
deleted file mode 100644
index 864cd5519..000000000
--- a/test/notes
+++ /dev/null
@@ -1,13 +0,0 @@
-Testing --nosound
-
-Get a list of active PulseAudio clients:
-$ pacmd info | grep application.process.binary
-                application.process.binary = "lxpanel"
-                application.process.binary = "plugin-container"
-                application.process.binary = "plugin-container"
- 
-Find active PulseAudio socket:
-$ netstat -l | grep pulse
-unix  2      [ ACC ]     STREAM     LISTENING     10669    /tmp/pulse-WwG6ohxIJmGO/cli
-unix  2      [ ACC ]     STREAM     LISTENING     12584    /tmp/pulse-WwG6ohxIJmGO/dbus-socket
-unix  2      [ ACC ]     STREAM     LISTENING     12581    /tmp/pulse-WwG6ohxIJmGO/native
diff --git a/test/option-trace.exp b/test/option-trace.exp
deleted file mode 100755
index 38038b58e..000000000
--- a/test/option-trace.exp
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "firejail --trace\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "bash:open /dev/tty" {puts "64bit\n"}
-        "bash:open64 /dev/tty" {puts "32bit\n"}
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "bash:access /etc/terminfo/x/xterm" {puts "debian\n"}
-        "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"}
-}
-
-sleep 1
-
-puts "\nall done\n"
diff --git a/test/option_chroot_overlay.exp b/test/option_chroot_overlay.exp
index b39bc0c8e..08ffb1b43 100755
--- a/test/option_chroot_overlay.exp
+++ b/test/option_chroot_overlay.exp
@@ -7,7 +7,8 @@ match_max 100000
 send --  "firejail --chroot=/tmp/chroot --overlay\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "mutually exclusive"
+        "mutually exclusive" {puts "normal system\n"}
+        "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit}
 }
 sleep 1
 
diff --git a/test/private.exp b/test/private.exp
deleted file mode 100755
index a5920c37b..000000000
--- a/test/private.exp
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-if { $argc != 1 } {
-        puts "TESTING ERROR: argument missing"
-        puts "Usage: private.exp username"
-        puts "where username is the name of the current user"
-        exit
-}
-
-# testing profile and private
-send -- "firejail --private --profile=/etc/firejail/generic.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --private --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-
-sleep 1
-send -- "ls -al; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        ".bashrc"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.2\n";exit}
-        [lindex $argv 0]
-}
-send -- "ls -al; pwd\r"
-expect {
-        timeout {
-                # OpenSUSE doesn't use .Xauthority from user home directory
-                send -- "env | grep XAUTHORITY\r"
-
-                expect {
-                        timeout {puts "TESTING ERROR 0.3\n";exit}
-                        "/run/lightdm/netblue/xauthority"
-                }
-        }
-        ".Xauthority"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.4\n";exit}
-        [lindex $argv 0]
-}
-
-
-# testing private only
-send -- "bash\r"
-sleep 1
-# owner /home/netblue
-send -- "ls -l /home;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        [lindex $argv 0]
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3\n";exit}
-        "home"
-}
-sleep 1
-
-# owner /tmp
-send -- "stat -c %U%a /tmp;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "root777" {puts "version 1\n";}
-            "root1777" {puts "version 2\n";}
-        "nobody777" {puts "version 3\n";}
-            "nobody1777" {puts "version 4\n";}
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
-sleep 1
-
-puts "all done\n"
diff --git a/test/private_dir.exp b/test/private_dir.exp
index 95f89362a..a4beeba27 100755
--- a/test/private_dir.exp
+++ b/test/private_dir.exp
@@ -42,8 +42,8 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "5" {puts "normal system\n";}
-        "4" {puts "OpenSUSE\n";}
+        "6" {puts "normal system\n";}
+        "5" {puts "OpenSUSE\n";}
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
diff --git a/test/private_dir_profile.exp b/test/private_dir_profile.exp
index e6c01798e..8d1c74444 100755
--- a/test/private_dir_profile.exp
+++ b/test/private_dir_profile.exp
@@ -42,13 +42,13 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "5" {puts "normal system\n";}
-        "4" {puts "OpenSUSE\n";}
+        "6" {puts "normal system\n";}
+        "5" {puts "OpenSUSE\n";}
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "home"
 }
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/ignore.exp b/test/profiles/ignore.exp
index c5ea25684..281697b26 100755
--- a/test/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/ignore.profile b/test/profiles/ignore.profile
index aec231ad2..aec231ad2 100644
--- a/test/ignore.profile
+++ b/test/profiles/ignore.profile
diff --git a/test/ignore2.profile b/test/profiles/ignore2.profile
index 49fcd8324..49fcd8324 100644
--- a/test/ignore2.profile
+++ b/test/profiles/ignore2.profile
diff --git a/test/profile_followlnk.exp b/test/profiles/profile_followlnk.exp
index e2ede2865..4d89de26b 100755
--- a/test/profile_followlnk.exp
+++ b/test/profiles/profile_followlnk.exp
@@ -5,34 +5,22 @@ spawn $env(SHELL)
 match_max 100000
 
 send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
 send -- "ln -s /tmp/firejailtestdir  /tmp/firejailtestdirlnk\r"
-sleep 1
 send -- "touch /tmp/firejailtestfile\r"
-sleep 1
 send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r"
 sleep 1
 
-send -- "firejail --profile=readonly-lnk.profile --debug\r"
+send -- "firejail --profile=readonly-lnk.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 
-# testing private only
-send -- "bash\r"
-sleep 1
-
-
-send -- "ls > /tmp/firejailtestdirlnk/ttt;pwd\r"
+send -- "ls > /tmp/firejailtestdirlnk/ttt\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 sleep 1
 
 send -- "ls > /tmp/firejailtestfilelnk;pwd\r"
@@ -40,29 +28,10 @@ expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
 sleep 1
 
 send -- "exit\r"
-sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 2
 send -- "rm -fr /tmp/firejailtest*\r"
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_noperm.exp b/test/profiles/profile_noperm.exp
index b3ed558bc..25ec580bd 100755
--- a/test/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -10,4 +10,4 @@ expect {
         "cannot access profile"
 }
 sleep 1
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_readonly.exp b/test/profiles/profile_readonly.exp
index 046b0d738..e8e78d6ad 100755
--- a/test/profile_readonly.exp
+++ b/test/profiles/profile_readonly.exp
@@ -5,7 +5,6 @@ spawn $env(SHELL)
 match_max 100000
 
 send -- "mkdir /tmp/firejailtestdir\r"
-sleep 1
 send -- "touch /tmp/firejailtestfile\r"
 sleep 1
 
@@ -14,51 +13,24 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
+sleep 2
 
-# testing private only
-send -- "bash\r"
-sleep 1
-
-
-send -- "ls > /tmp/firejailtestdir/ttt;pwd\r"
+send -- "ls > /tmp/firejailtestdir/ttt\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "home"
-}
 sleep 1
 
-send -- "ls > /tmp/firejailtestfile;pwd\r"
+send -- "ls > /tmp/firejailtestfile\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Read-only file system"
 }
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "home"
-}
-sleep 1
-
-send -- "exit\r"
-sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
 send -- "exit\r"
 sleep 1
-send -- "pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 2
+
 send -- "rm -fr /tmp/firejailtest*\r"
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 559947276..dd6b637ed 100755
--- a/test/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -26,38 +29,26 @@ expect {
 }
 
 sleep 1
-send -- "rmdir;pwd\r"
+send -- "rmdir\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
 
 sleep 1
-send -- "mount;pwd\r"
+send -- "mount\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "home"
-}
 
 sleep 1
-send -- "umount;pwd\r"
+send -- "umount\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "Permission denied"
 }
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "home"
-}
 send -- "exit\r"
 
 sleep 1
-puts "\n"
+puts "\nall done\n"
diff --git a/test/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 96e85ba93..ba83731be 100755
--- a/test/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
new file mode 100755
index 000000000..ca0b9fb29
--- /dev/null
+++ b/test/profiles/profiles.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: default profiles installed in /etc"
+PROFILES=`ls /etc/firejail/*.profile`
+for PROFILE in $PROFILES
+do
+        echo "TESTING: $PROFILE"
+        ./test-profile.exp $PROFILE
+done
+
+echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
+./profile_syntax.exp
+
+echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+
+echo "TESTING: ignore command (test/profiles/ignore.exp)"
+./ignore.exp
+
+echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
+./profile_readonly.exp
+
+echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+./profile_followlnk.exp
+
+echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
+./profile_noperm.exp
+
diff --git a/test/readonly-lnk.profile b/test/profiles/readonly-lnk.profile
index 71ffb1a26..71ffb1a26 100644
--- a/test/readonly-lnk.profile
+++ b/test/profiles/readonly-lnk.profile
diff --git a/test/readonly.profile b/test/profiles/readonly.profile
index 55d89e3d7..55d89e3d7 100644
--- a/test/readonly.profile
+++ b/test/profiles/readonly.profile
diff --git a/test/test-profile.exp b/test/profiles/test-profile.exp
index 89fe9c10a..590b42652 100755
--- a/test/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -10,7 +13,7 @@ if { $argc != 1 } {
         exit
 }
 
-send -- "firejail --profile=$argv\r"
+send -- "firejail --profile=$argv /bin/bash\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
diff --git a/test/test.profile b/test/profiles/test.profile
index 1d69cc960..1d69cc960 100644
--- a/test/test.profile
+++ b/test/profiles/test.profile
diff --git a/test/test2.profile b/test/profiles/test2.profile
index d7e1a1f21..d7e1a1f21 100644
--- a/test/test2.profile
+++ b/test/profiles/test2.profile
diff --git a/test/quiet.exp b/test/quiet.exp
deleted file mode 100755
index fa46aebf2..000000000
--- a/test/quiet.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 4
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --quiet\r"
-expect {
-        "Child process initialized" {puts "TESTING ERROR 1\n";exit}
-        "Interface" {puts "TESTING ERROR 1\n";exit}
-}
-sleep 1
-send -- "\r"
-
-puts "\nall done\n"
-
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
new file mode 100755
index 000000000..9755d8737
--- /dev/null
+++ b/test/sysutils/cpio.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r"
+sleep 1
+
+send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
new file mode 100755
index 000000000..ab0e727de
--- /dev/null
+++ b/test/sysutils/gzip.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
new file mode 100755
index 000000000..720830304
--- /dev/null
+++ b/test/sysutils/less.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail less ../../Makefile.in\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "MYLIBS"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "APPS"
+}
+
+puts "\nall done\n"
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
new file mode 100755
index 000000000..1fd0f5dc0
--- /dev/null
+++ b/test/sysutils/strings.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
new file mode 100755
index 000000000..d75738f97
--- /dev/null
+++ b/test/sysutils/sysutils.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+which cpio
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: cpio"
+        ./cpio.exp
+else
+        echo "TESTING SKIP: cpio not found"
+fi
+
+which strings
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: strings"
+        ./strings.exp
+else
+        echo "TESTING SKIP: strings not found"
+fi
+
+which gzip
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gzip"
+        ./gzip.exp
+else
+        echo "TESTING SKIP: gzip not found"
+fi
+
+which xzdec
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xzdec"
+        ./xzdec.exp
+else
+        echo "TESTING SKIP: xzdec not found"
+fi
+
+which xz
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xz"
+        ./xz.exp
+else
+        echo "TESTING SKIP: xz not found"
+fi
+
+which less
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: less"
+        ./less.exp
+else
+        echo "TESTING SKIP: less not found"
+fi
+
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp
new file mode 100755
index 000000000..11d0e560c
--- /dev/null
+++ b/test/sysutils/xz.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
new file mode 100755
index 000000000..0ea6f5fb0
--- /dev/null
+++ b/test/sysutils/xzdec.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
+sleep 1
+
+send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+} 
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh
deleted file mode 100755
index 6521fa2b0..000000000
--- a/test/test-apps-x11.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-which firefox
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: firefox x11"
-        ./firefox-x11.exp
-else
-        echo "TESTING: firefox not found"
-fi
-
-which chromium
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: chromium x11"
-        ./chromium-x11.exp
-else
-        echo "TESTING: chromium not found"
-fi
-
-which transmission-gtk
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: transmission-gtk x11"
-        ./transmission-gtk.exp
-else
-        echo "TESTING: transmission-gtk not found"
-fi
-
diff --git a/test/test-nonet.sh b/test/test-nonet.sh
deleted file mode 100755
index 3df8b2d4e..000000000
--- a/test/test-nonet.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: version"
-./option_version.exp
-
-echo "TESTING: help"
-./option_help.exp
-
-echo "TESTING: man"
-./option_man.exp
-
-echo "TESTING: list"
-./option_list.exp
-
-echo "TESTING: PID"
-./pid.exp
-
-echo "TESTING: profile no permissions"
-./profile_noperm.exp
-
-echo "TESTING: profile syntax"
-./profile_syntax.exp
-
-echo "TESTING: profile read-only"
-./profile_readonly.exp
-
-echo "TESTING: profile tmpfs"
-./profile_tmpfs.exp
-
-echo "TESTING: private"
-./private.exp `whoami`
-
-echo "TESTING: read/write /var/tmp"
-./fs_var_tmp.exp
-
-echo "TESTING: read/write /var/run"
-./fs_var_run.exp
-
-echo "TESTING: read/write /var/lock"
-./fs_var_lock.exp
-
-echo "TESTING: read/write /dev/shm"
-./fs_dev_shm.exp
-
diff --git a/test/test-profiles.sh b/test/test-profiles.sh
deleted file mode 100755
index d9142885b..000000000
--- a/test/test-profiles.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
-        echo "TESTING: $PROFILE"
-        ./test-profile.exp $PROFILE
-done
-
diff --git a/test/test-root.sh b/test/test-root.sh
index 1c3fc4c96..aca48d334 100755
--- a/test/test-root.sh
+++ b/test/test-root.sh
@@ -2,80 +2,81 @@
 
 ./chk_config.exp
 
-echo "TESTING: tmpfs"
+echo "TESTING: tmpfs (option_tmpfs.exp)"
 ./option_tmpfs.exp
 
-echo "TESTING: profile tmpfs"
+echo "TESTING: profile tmpfs (profile_tmpfs)"
 ./profile_tmpfs.exp
 
-echo "TESTING: network interfaces"
-./net_interface.exp
+echo "TESTING: network interfaces (net_interface.exp)"
+./network/net_interface.exp
 
-echo "TESTING: chroot"
+echo "TESTING: chroot (fs_chroot_asroot.exp)"
 ./fs_chroot_asroot.exp
 
 if [ -f /etc/init.d/snmpd ]
 then
-        echo "TESTING: servers snmpd, private-dev"
+        echo "TESTING: servers snmpd, private-dev (servers2.exp)"
         ./servers2.exp
 fi
 
 if [ -f /etc/init.d/apache2 ]
 then
-        echo "TESTING: servers apache2, private-dev, private-tmp"
+        echo "TESTING: servers apache2, private-dev, private-tmp (servers3.exp)"
         ./servers3.exp
 fi
 
 if [ -f /etc/init.d/isc-dhcp-server ]
 then
-        echo "TESTING: servers isc dhcp server, private-dev"
+        echo "TESTING: servers isc dhcp server, private-dev (servers4.exp)"
         ./servers4.exp
 fi
 
 if [ -f /etc/init.d/unbound ]
 then
-        echo "TESTING: servers unbound, private-dev, private-tmp"
+        echo "TESTING: servers unbound, private-dev, private-tmp (servers5.exp)"
         ./servers5.exp
 fi
 
 if [ -f /etc/init.d/nginx ]
 then
-        echo "TESTING: servers nginx, private-dev, private-tmp"
+        echo "TESTING: servers nginx, private-dev, private-tmp (servers6.exp)"
         ./servers6.exp
 fi
 
-echo "TESTING: /proc/sysrq-trigger reset disabled"
+echo "TESTING: /proc/sysrq-trigger reset disabled (sysrq-trigger.exp)"
 ./sysrq-trigger.exp
 
-echo "TESTING: seccomp umount"
-./seccomp-umount.exp
+echo "TESTING: seccomp umount (seccomp-umount.exp)"
+./filters/seccomp-umount.exp
 
-echo "TESTING: seccomp chmod (seccomp lists)"
-./seccomp-chmod.exp
+echo "TESTING: seccomp chmod (seccomp-chmod.exp)"
+./filters/seccomp-chmod.exp
 
-echo "TESTING: seccomp chown (seccomp lists)"
-./seccomp-chown.exp
+echo "TESTING: seccomp chown (seccomp-chown.exp)"
+./filters/seccomp-chown.exp
 
-echo "TESTING: bind directory"
+echo "TESTING: bind directory (option_bind_directory.exp)"
 ./option_bind_directory.exp
 
-echo "TESTING: bind file"
+echo "TESTING: bind file (option_bind_file.exp)"
 echo hello > tmpfile
 ./option_bind_file.exp
 rm -f tmpfile
 
-echo "TESTING: firemon --interface"
+echo "TESTING: firemon --interface (firemon-interface.exp)"
 ./firemon-interface.exp
 
 if [ -f /sys/fs/cgroup/g1/tasks ]
 then
-        echo "TESTING: firemon --cgroup"
+        echo "TESTING: firemon --cgroup (firemon-cgroup.exp)"
         ./firemon-cgroup.exp
 fi
 
-echo "TESTING: chroot resolv.conf"
+echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)"
 rm -f tmpfile
 touch tmpfile
+rm -f /tmp/chroot/etc/resolv.conf
 ln -s tmp /tmp/chroot/etc/resolv.conf
 ./chroot-resolvconf.exp
 rm -f tmpfile
diff --git a/test/test.sh b/test/test.sh
index 2dcb89f2a..4b7d5bb6d 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1,45 +1,15 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 ./chk_config.exp
 
-./test-profiles.sh
-
 ./fscheck.sh
 
-echo "TESTING: sound (sound.exp)"
-./sound.exp
-
-echo "TESTING: nice (nice.exp)"
-./nice.exp
-
 echo "TESTING: tty (tty.exp)"
 ./tty.exp
 
-echo "TESTING: protocol (protocol.exp)"
-./protocol.exp
-
-echo "TESTING: invalid filename (invalid_filename.exp)"
-./invalid_filename.exp
-
-echo "TESTING: environment variables (env.exp)"
-./env.exp
-
-echo "TESTING: whitelist empty (whitelist-empty.exp)"
-./whitelist-empty.exp
-
-echo "TESTING: ignore command (ignore.exp)"
-./ignore.exp
-
-echo "TESTING: private-etc (private-etc.exp)"
-./private-etc.exp
-
-echo "TESTING: private-bin (private-bin.exp)"
-./private-bin.exp
-
-echo "TESTING: private whitelist (private-whitelist.exp)"
-echo "TESTING:    failing on OpenSUSE"
-./private-whitelist.exp
-
 sleep 1
 rm -fr dir\ with\ space
 mkdir dir\ with\ space
@@ -57,93 +27,9 @@ rm -fr auto2
 rm -fr auto3
 rm -fr auto4
 
-
-echo "TESTING: version (option_version.exp)"
-./option_version.exp
-
-echo "TESTING: help (option_help.exp)"
-./option_help.exp
-
-echo "TESTING: man (option_man.exp)"
-./option_man.exp
-
-echo "TESTING: list (option_list.exp)"
-./option_list.exp
-
-echo "TESTING: tree (option_tree.exp)"
-./option_tree.exp
-
-if [ -f /proc/self/uid_map ];
-then
-        echo "TESTING: noroot (noroot.exp)"
-        ./noroot.exp
-else
-        echo "TESTING: user namespaces not available"
-fi
-
-echo "TESTING: doubledash"
-mkdir -- -testdir
-touch -- -testdir/ttt
-cp -- /bin/bash -testdir/.
-./doubledash.exp
-rm -fr -- -testdir
-
-echo "TESTING: trace1 (option-trace.exp)"
-./option-trace.exp
-
-echo "TESTING: trace2 (trace.exp)"
-rm -f index.html*
-./trace.exp
-rm -f index.html*
-
-echo "TESTING: extract command (extract_command.exp)"
-./extract_command.exp
-
-echo "TESTING: kmsg access (kmsg.exp)"
-./kmsg.exp
-
-echo "TESTING: rlimit (option_rlimit.exp)"
-./option_rlimit.exp
-
-echo "TESTING: shutdown (option_shutdown.exp)"
-./option-shutdown.exp
-
-echo "TESTING: join (option-join.exp)"
-./option-join.exp
-
-echo "TESTING: join2 (option-join2.exp)"
-./option-join2.exp
-
-echo "TESTING: join3 (option-join3.exp)"
-./option-join3.exp
-
-echo "TESTING: join profile (option-join-profile.exp)"
-./option-join-profile.exp
-
-echo "TESTING: firejail in firejail - single sandbox (firejail-in-firejail.exp)"
-./firejail-in-firejail.exp
-
-echo "TESTING: firejail in firejail - force new sandbox (firejail-in-firejail2.exp)"
-./firejail-in-firejail2.exp
-
 echo "TESTING: chroot overlay (option_chroot_overlay.exp)"
 ./option_chroot_overlay.exp
 
-echo "TESTING: blacklist directory (option_blacklist.exp)"
-./option_blacklist.exp
-
-echo "TESTING: blacklist file (opiton_blacklist_file.exp)"
-./option_blacklist_file.exp
-
-echo "TESTING: bind as user (option_bind_user.exp)"
-./option_bind_user.exp
-
-if [ -d /home/bingo ];
-then
-        echo "TESTING: home sanitize (opiton_version.exp)"
-        ./option_version.exp
-fi
-
 echo "TESTING: chroot as user (fs_chroot.exp)"
 ./fs_chroot.exp
 
@@ -156,47 +42,7 @@ ls -al > tmpreadonly
 sleep 5
 rm -f tmpreadonly
 
-echo "TESTING: zsh (shell_zsh.exp)"
-./shell_zsh.exp
-
-echo "TESTING: csh (shell_csh.exp)"
-./shell_csh.exp
-
-which dash
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: dash (shell_dash.exp)"
-        ./shell_dash.exp
-else
-        echo "TESTING: dash not found"
-fi
-
-./test-apps.sh
-./test-apps-x11.sh
-
-echo "TESTING: PID (pid.exp)"
-./pid.exp
 
-echo "TESTING: output (output.exp)"
-./output.exp
-
-echo "TESTING: profile no permissions (profile_noperm.exp)"
-./profile_noperm.exp
-
-echo "TESTING: profile syntax (profile_syntax.exp)"
-./profile_syntax.exp
-
-echo "TESTING: profile syntax 2 (profile_syntax2.exp)"
-./profile_syntax2.exp
-
-echo "TESTING: profile rlimit (profile_rlimit.exp)"
-./profile_rlimit.exp
-
-echo "TESTING: profile read-only (profile_readonly.exp)"
-./profile_readonly.exp
-
-echo "TESTING: private (private.exp)"
-./private.exp `whoami`
 
 echo "TESTING: private directory (private_dir.exp)"
 rm -fr dirprivate
@@ -213,113 +59,13 @@ rm -fr dirprivate
 echo "TESTING: overlayfs (fs_overlay.exp)"
 ./fs_overlay.exp
 
-echo "TESTING: seccomp debug  (seccomp-debug.exp)"
-./seccomp-debug.exp
-
-echo "TESTING: seccomp errno (seccomp-errno.exp)"
-./seccomp-errno.exp
-
-echo "TESTING: seccomp su (seccomp-su.exp)"
-./seccomp-su.exp
-
-echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)"
-./seccomp-ptrace.exp
-
-echo "TESTING: seccomp chmod - seccomp lists (seccomp-chmod.exp)"
-./seccomp-chmod.exp
-
-echo "TESTING: seccomp chmod profile - seccomp lists (seccomp-chmod-profile.exp)"
-./seccomp-chmod-profile.exp
-
-echo "TESTING: seccomp empty (seccomp-empty.exp)"
-./seccomp-empty.exp
-
-echo "TESTING: seccomp bad empty (seccomp-bad-empty.exp)"
-./seccomp-bad-empty.exp
-
-echo "TESTING: seccomp dual filter (seccomp-dualfilter.exp)"
-./seccomp-dualfilter.exp
-
-echo "TESTING: read/write /var/tmp (fs_var_tmp.exp)"
-./fs_var_tmp.exp
-
-echo "TESTING: read/write /var/lock (fs_var_lock.exp)"
-./fs_var_lock.exp
-
-echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)"
-./fs_dev_shm.exp
-
-echo "TESTING: quiet (quiet.exp)"
-./quiet.exp
-
-echo "TESTING: IPv6 support (ip6.exp)"
-echo "TESTING:    broken on Centos - todo"
-./ip6.exp
-
-echo "TESTING: local network (net_local.exp)"
-./net_local.exp
-
-echo "TESTING: no network (net_none.exp)"
-./net_none.exp
-
-echo "TESTING: network IP (net_ip.exp)"
-./net_ip.exp
-
-echo "TESTING: network MAC (net_mac.exp)"
-sleep 2
-./net_mac.exp
-
-echo "TESTING: network MTU (net_mtu.exp)"
-./net_mtu.exp
-
-echo "TESTING: network hostname (hostname.exp)"
-./hostname.exp
-
-echo "TESTING: network bad IP (net_badip.exp)"
-./net_badip.exp
-
-echo "TESTING: network no IP test 1 (net_noip.exp)"
-./net_noip.exp
-
-echo "TESTING: network no IP test 2 (net_noip2.exp)"
-./net_noip2.exp
-
-echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
-./net_defaultgw.exp
-
-echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
-./net_defaultgw2.exp
-
-echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
-./net_defaultgw3.exp
-
-echo "TESTING: netfilter (net_netfilter.exp)"
-./net_netfilter.exp
-
-echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
-./4bridges_arp.exp
-
-echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
-./4bridges_ip.exp
-
 echo "TESTING: login SSH (login_ssh.exp)"
 ./login_ssh.exp
 
-echo "TESTING: ARP (net_arp.exp)"
-./net_arp.exp
-
-echo "TESTING: DNS (dns.exp)"
-./dns.exp
-
 echo "TESTING: firemon --arp (firemon-arp.exp)"
 ./firemon-arp.exp
 
 echo "TESTING: firemon --route (firemon-route.exp)"
 ./firemon-route.exp
 
-echo "TESTING: firemon --seccomp (firemon-seccomp.exp)"
-./firemon-seccomp.exp
-
-echo "TESTING: firemon --caps (firemon-caps.exp)"
-./firemon-caps.exp
 
diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp
new file mode 100755
index 000000000..9cc4b1872
--- /dev/null
+++ b/test/utils/caps-print.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "setgid              - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "setuid              - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "net_raw             - disabled"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/firemon-caps.exp b/test/utils/caps.exp
index 3dd6384db..ab1067921 100755
--- a/test/firemon-caps.exp
+++ b/test/utils/caps.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/caps1.profile b/test/utils/caps1.profile
index e14655b2e..e14655b2e 100644
--- a/test/caps1.profile
+++ b/test/utils/caps1.profile
diff --git a/test/caps2.profile b/test/utils/caps2.profile
index cb2258c52..cb2258c52 100644
--- a/test/caps2.profile
+++ b/test/utils/caps2.profile
diff --git a/test/utils/catchsignal-master.sh b/test/utils/catchsignal-master.sh
new file mode 100755
index 000000000..62a1801cc
--- /dev/null
+++ b/test/utils/catchsignal-master.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+./catchsignal.sh &
+./catchsignal.sh &
diff --git a/test/utils/catchsignal.sh b/test/utils/catchsignal.sh
new file mode 100755
index 000000000..87a1d0adf
--- /dev/null
+++ b/test/utils/catchsignal.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+_term() {
+  echo "Caught Signal"
+  echo 1
+  sleep 1
+  echo 2
+  sleep 1
+  echo 3
+  sleep 1
+  echo 4
+  sleep 1
+  echo 5
+  sleep 1
+
+  kill $pid
+  exit
+}
+
+trap _term SIGTERM
+trap _term SIGINT
+
+echo "Sleeping..."
+
+sleep inf &
+pid=$!
+wait $pid
diff --git a/test/utils/catchsignal2.sh b/test/utils/catchsignal2.sh
new file mode 100755
index 000000000..424350397
--- /dev/null
+++ b/test/utils/catchsignal2.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+_term() {
+  echo "Caught Signal"
+  echo 1
+  sleep 1
+  echo 2
+  sleep 1
+  echo 3
+  sleep 1
+  echo 4
+  sleep 1
+  echo 5
+  sleep 1
+
+  echo 10
+  sleep 1
+  echo 20
+  sleep 1
+  echo 30
+  sleep 1
+  echo 40
+  sleep 1
+  echo 50
+  sleep 1
+
+  echo 100
+  sleep 1
+  echo 200
+  sleep 1
+  echo 300
+  sleep 1
+  echo 400
+  sleep 1
+  echo 500
+  sleep 1
+
+  kill $pid
+  exit
+}
+
+trap _term SIGTERM
+trap _term SIGINT
+
+echo "Sleeping..."
+
+sleep inf &
+pid=$!
+wait $pid
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp
new file mode 100755
index 000000000..4a9ffa0ac
--- /dev/null
+++ b/test/utils/cpu-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --cpu=1,2\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --cpu.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Cpus_allowed_list:     1-2"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp
new file mode 100755
index 000000000..51dcab508
--- /dev/null
+++ b/test/utils/dns-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --dns=1.2.3.4\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --dns.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "nameserver 1.2.3.4"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp
new file mode 100755
index 000000000..fa0eab95b
--- /dev/null
+++ b/test/utils/fs-print.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --fs.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "blacklist /boot"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "blacklist /dev/kmsg"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "blacklist /proc/kmsg"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/option_help.exp b/test/utils/help.exp
index f4518219c..5b9864578 100755
--- a/test/option_help.exp
+++ b/test/utils/help.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/option-join-profile.exp b/test/utils/join-profile.exp
index 9200980a1..a4262b999 100755
--- a/test/option-join-profile.exp
+++ b/test/utils/join-profile.exp
@@ -4,36 +4,32 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+
 send --  "firejail --profile=name.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 3
+sleep 2
 
 spawn $env(SHELL)
-send --  "firejail --join=jointesting;pwd\r"
+send --  "firejail --join=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
-sleep 3
-
-
-spawn $env(SHELL)
-send --  "firejail --shutdown=jointesting;pwd\r"
+sleep 1
+send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
 }
-sleep 5
-
-send --  "firejail --list;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "jointesting" {puts "TESTING ERROR 5\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
 }
+
+send -- "exit"
 sleep 1
 
 puts "\nall done\n"
diff --git a/test/option-join.exp b/test/utils/join.exp
index 6250e87a2..ab4917f7d 100755
--- a/test/option-join.exp
+++ b/test/utils/join.exp
@@ -1,39 +1,38 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --name=svntesting\r"
+send --  "firejail --name=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 3
+sleep 2
 
 spawn $env(SHELL)
-send --  "firejail --join=svntesting;pwd\r"
+send --  "firejail --join=jointesting\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
 sleep 1
-
-
-spawn $env(SHELL)
-send --  "firejail --shutdown=svntesting;pwd\r"
+send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
 }
-sleep 1
-
-send --  "firejail --list;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svntesting" {puts "TESTING ERROR 5\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
 }
+
+send -- "exit"
 sleep 1
 
 puts "\nall done\n"
diff --git a/test/option-join3.exp b/test/utils/join2.exp
index aa8a445df..82540fe39 100755
--- a/test/option-join3.exp
+++ b/test/utils/join2.exp
@@ -1,39 +1,38 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --name=svn\\ testing\r"
+send --  "firejail --name=\"join testing\"\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 3
+sleep 2
 
 spawn $env(SHELL)
-send --  "firejail --join=svn\\ testing;pwd\r"
+send --  "firejail --join=\"join testing\"\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
 sleep 1
-
-
-spawn $env(SHELL)
-send --  "firejail --shutdown=svn\\ testing;pwd\r"
+send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
 }
-sleep 1
-
-send --  "firejail --list;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svn testing" {puts "TESTING ERROR 5\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
 }
+
+send -- "exit"
 sleep 1
 
 puts "\nall done\n"
diff --git a/test/option-join2.exp b/test/utils/join3.exp
index 630b62d9e..e92045dd1 100755
--- a/test/option-join2.exp
+++ b/test/utils/join3.exp
@@ -1,39 +1,38 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --name=\"svn testing\"\r"
+send --  "firejail --name=join\\ testing\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 3
+sleep 2
 
 spawn $env(SHELL)
-send --  "firejail --join=\"svn testing\";pwd\r"
+send --  "firejail --join=join\\ testing\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
 sleep 1
-
-
-spawn $env(SHELL)
-send --  "firejail --shutdown=\"svn testing\";pwd\r"
+send -- "ps aux\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
 }
-sleep 1
-
-send --  "firejail --list;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "svn testing" {puts "TESTING ERROR 5\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
 }
+
+send -- "exit"
 sleep 1
 
 puts "\nall done\n"
diff --git a/test/option_list.exp b/test/utils/list.exp
index b9c73e52b..69db1f568 100755
--- a/test/option_list.exp
+++ b/test/utils/list.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/utils/ls.exp b/test/utils/ls.exp
new file mode 100755
index 000000000..3a99be0d5
--- /dev/null
+++ b/test/utils/ls.exp
@@ -0,0 +1,41 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm -f lstesting\r"
+sleep 1
+send -- "firejail --private --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "echo my_testing > ~/lstesting\r"
+sleep 2
+
+
+spawn $env(SHELL)
+send -- "firejail --ls=test ~/.\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "lstesting"
+}
+sleep 1
+send -- "firejail --get=test ~/lstesting\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Transfer complete"
+}
+sleep 1
+send -- "cat lstesting\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "my_testing"
+}
+sleep 1
+send -- "rm -f lstesting\r"
+
+sleep 1
+puts "\nall done\n"
diff --git a/test/option_man.exp b/test/utils/man.exp
index d941a2432..d29f760b0 100755
--- a/test/option_man.exp
+++ b/test/utils/man.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/name.profile b/test/utils/name.profile
index 1aa9f2d64..1aa9f2d64 100644
--- a/test/name.profile
+++ b/test/utils/name.profile
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp
new file mode 100755
index 000000000..152a64467
--- /dev/null
+++ b/test/utils/protocol-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --protocol.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "unix,inet,inet6"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp
new file mode 100755
index 000000000..d0531a9c3
--- /dev/null
+++ b/test/utils/seccomp-print.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --seccomp.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "EXAMINE_SYSCAL"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "init_module"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "delete_module"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "RETURN_ALLOW"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/firemon-seccomp.exp b/test/utils/seccomp.exp
index 55817faf3..c9726ff21 100755
--- a/test/firemon-seccomp.exp
+++ b/test/utils/seccomp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -37,7 +40,7 @@ expect {
         "bingo2"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "Seccomp:       0"
 }
 after 100
diff --git a/test/option-shutdown.exp b/test/utils/shutdown.exp
index e869f7611..15a9a62c8 100755
--- a/test/option-shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -1,6 +1,10 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
@@ -9,22 +13,23 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 3
+sleep 2
 
 spawn $env(SHELL)
-send --  "firejail --shutdown=shutdowntesting;pwd\r"
+send --  "firejail --shutdown=shutdowntesting; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "done"
 }
-sleep 1
+sleep 5
 
-send --  "firejail --list;pwd\r"
+spawn $env(SHELL)
+send --  "firejail --list;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "shutdowntesting" {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "done"
 }
 sleep 1
 
-puts "\nalldone\n"
+puts "\nall done\n"
diff --git a/test/pid.exp b/test/utils/shutdown2.exp
index d382feb96..7857b919c 100755
--- a/test/pid.exp
+++ b/test/utils/shutdown2.exp
@@ -1,48 +1,45 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail\r"
+set firstspawn $spawn_id
+
+send --  "firejail --name=shutdowntesting ./catchsignal.sh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 1
+sleep 2
 
-# test processes
-send -- "bash\r"
-sleep 1
-send -- "ps aux; pwd\r"
+spawn $env(SHELL)
+send --  "firejail --shutdown=shutdowntesting\r"
+
+set spawn_id $firstspawn
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "/bin/bash"
+        "1"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "bash"
+        "2"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "ps aux"
+        "3"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
+        "4"
 }
-sleep 1
-
-
-send -- "ps aux |wc -l; pwd\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "6"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
+        "5"
 }
 sleep 1
 
-puts "\n"
+puts "\nalldone\n"
diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp
new file mode 100755
index 000000000..02b68c4ce
--- /dev/null
+++ b/test/utils/shutdown3.exp
@@ -0,0 +1,65 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+set firstspawn $spawn_id
+
+send --  "firejail --name=shutdowntesting ./catchsignal-master.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send --  "firejail --shutdown=shutdowntesting\r"
+
+set spawn_id $firstspawn
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "1"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "2"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "3"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "3"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "4"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "4"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "5"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "5"
+}
+sleep 1
+
+puts "\nalldone\n"
diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp
new file mode 100755
index 000000000..0f2e0e7fe
--- /dev/null
+++ b/test/utils/shutdown4.exp
@@ -0,0 +1,65 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+set firstspawn $spawn_id
+
+send --  "firejail --name=shutdowntesting ./catchsignal2.sh\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send --  "firejail --shutdown=shutdowntesting\r"
+
+set spawn_id $firstspawn
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "1"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "2"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "3"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "4"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "5"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "10"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "20"
+}
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "30"
+}
+expect {
+        timeout {puts "TESTING ERROR 40\n";exit}
+        "40"
+}
+expect {
+        timeout {puts "TESTING ERROR 50\n";exit}
+        "50"
+}
+sleep 1
+
+puts "\nalldone\n"
diff --git a/test/trace.exp b/test/utils/trace.exp
index 21dd6a559..b562a6b49 100755
--- a/test/trace.exp
+++ b/test/utils/trace.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 30
 spawn $env(SHELL)
@@ -76,6 +79,7 @@ expect {
         timeout {puts "TESTING ERROR 8.6\n";exit}
         "wget:fopen64 index.html" {puts "OK\n";}
         "wget:fopen index.html" {puts "OK\n";}
+        "Parent is shutting down" {puts "OK\n";}
 }
 sleep 1
 
@@ -86,9 +90,25 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "rm:unlinkat index.html"
+        "rm:unlinkat index.html" {puts "OK\n";}
+        "Parent is shutting down" {puts "OK\n";}
 }
 sleep 1
 
+send --  "firejail --trace\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "bash:open /dev/tty" {puts "64bit\n"}
+        "bash:open64 /dev/tty" {puts "32bit\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "bash:access /etc/terminfo/" {puts "debian\n"}
+        "bash:access /usr/share/terminfo/" {puts "arch\n"}
+}
 
 puts "\nall done\n"
diff --git a/test/option_tree.exp b/test/utils/tree.exp
index 1841907d1..a8ef763f1 100755
--- a/test/option_tree.exp
+++ b/test/utils/tree.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
new file mode 100755
index 000000000..0428c4807
--- /dev/null
+++ b/test/utils/utils.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: version (test/utils/version.exp)"
+./version.exp
+
+echo "TESTING: help (test/utils/help.exp)"
+./help.exp
+
+which man
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: man (test/utils/man.exp)"
+        ./man.exp
+else
+        echo "TESTING SKIP: man not found"
+fi
+
+echo "TESTING: list (test/utils/list.exp)"
+./list.exp
+
+echo "TESTING: tree (test/utils/tree.exp)"
+./tree.exp
+
+if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ];
+then
+        echo "TESTING: cpu.print (test/utils/cpu-print.exp)"
+        ./cpu-print.exp
+else
+        echo "TESTING SKIP: cpu.print, not enough CPUs"
+fi
+
+echo "TESTING: fs.print (test/utils/fs-print.exp)"
+./fs-print.exp
+
+echo "TESTING: dns.print (test/utils/dns-print.exp)"
+./dns-print.exp
+
+echo "TESTING: caps.print (test/utils/caps-print.exp)"
+./caps-print.exp
+
+echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)"
+./seccomp-print.exp
+
+echo "TESTING: protocol.print (test/utils/protocol-print.exp)"
+./protocol-print.exp
+
+echo "TESTING: shutdown (test/utils/shutdown.exp)"
+./shutdown.exp
+
+echo "TESTING: shutdown2 (test/utils/shutdown2.exp)"
+./shutdown2.exp
+
+echo "TESTING: shutdown3 (test/utils/shutdown3.exp)"
+./shutdown3.exp
+
+echo "TESTING: shutdown4 (test/utils/shutdown4.exp)"
+./shutdown4.exp
+
+echo "TESTING: join (test/utils/join.exp)"
+./join.exp
+
+echo "TESTING: join2 (test/utils/join2.exp)"
+./join2.exp
+
+echo "TESTING: join3 (test/utils/join3.exp)"
+./join3.exp
+
+echo "TESTING: join profile (test/utils/join-profile.exp)"
+./join-profile.exp
+
+echo "TESTING: trace (test/utils/trace.exp)"
+rm -f index.html*
+./trace.exp
+rm -f index.html*
+
+echo "TESTING: firemon --seccomp (test/utils/seccomp.exp)"
+./seccomp.exp
+
+echo "TESTING: firemon --caps (test/utils/caps.exp)"
+./caps.exp
+
+echo "TESTING: file transfer (test/utils/ls.exp)"
+./ls.exp
+
diff --git a/test/option_version.exp b/test/utils/version.exp
index 44c0c217f..2ce6f1680 100755
--- a/test/option_version.exp
+++ b/test/utils/version.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/todo b/todo
index e45d86eba..30e8f3949 100644
--- a/todo
+++ b/todo
@@ -35,3 +35,214 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
 8. profile for dillo
 Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active.
 This is probably a dillo problem.
+
+9. --force sandbox in a overlayfs sandbox
+
+$ sudo firejail --overlay
+# su netblue
+$ xterm &
+$ firejail --force --private
+Parent pid 77, child pid 78
+Warning: failed to unmount /sys
+
+Warning: cannot mount a new user namespace, going forward without it...
+Child process initialized
+
+Try to join the forced sandbox in xterm window:
+$ firejail --join=77
+Switching to pid 78, the first child process inside the sandbox
+Warning: seccomp file not found
+Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
+$ ls ~ <----------------- all files are available, the directory is not empty!
+
+10. Posibly capabilities broken for --join
+
+$ firejail --name=test
+...
+$ firejail --debug --join=test
+Switching to pid 18591, the first child process inside the sandbox
+User namespace detected: /proc/18591/uid_map, 1000, 1000
+Set caps filter 0
+Set protocol filter: unix,inet,inet6
+Read seccomp filter, size 792 bytes
+
+However, in the join sandbox we have:
+$ cat /proc/self/status | grep Cap
+CapInh: 0000000000000000
+CapPrm: 0000000000000000
+CapEff: 0000000000000000
+CapBnd: 0000003fffffffff
+CapAmb: 0000000000000000
+
+11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
+Seccomp lists:
+https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
+https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
+
+12. check for --chroot why .config/pulse dir is not created
+
+13. print error line number for profile files in  profile_check_line()
+
+14. make rpms problems
+$ firejail --version
+firejail version 0.9.40
+User namespace support is disabled.
+
+$ rpmlint firejail-0.9.40-1.x86_64.rpm 
+firejail.x86_64: E: no-changelogname-tag
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
+firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi
+
+$ rpmlint firejail-0.9.40-1.src.rpm
+firejail.src: E: no-changelogname-tag
+firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
+1 packages and 0 specfiles checked; 1 errors, 1 warnings.
+
+15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
+
+$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
+Reading profile /etc/firejail/default.profile
+Reading profile /etc/firejail/disable-common.inc
+Reading profile /etc/firejail/disable-programs.inc
+Reading profile /etc/firejail/disable-passwdmgr.inc
+
+** Note: you can use --noprofile to disable default.profile **
+
+Parent pid 6872, child pid 6873
+
+Child process initialized
+
+----- Firejail Audit: the Good, the Bad and the Ugly -----
+
+GOOD: Process PID 2, running in a PID namespace
+Container/sandbox: firejail
+GOOD: all capabilities are disabled
+
+
+Parent is shutting down, bye...
+
+16. Sound devices:
+/dev/snd
+
+
+    /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
+    /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
+    /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
+    /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
+    /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
+    /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
+    /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
+    /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
+    /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44
+
+
+17. test 3d acceleration
+
+$ lspci -nn | grep VGA
+
+# apt-get install mesa-utils
+
+$ glxinfo  | grep rendering
+
+The output should be:
+
+direct rendering: Yes
+        
+$ glxinfo | grep "renderer string"
+
+OpenGL renderer string: Gallium 0.4 on AMD KAVERI
+
+
+glxgears stuck to 60fps may be due to VSync signal synchronization.
+To disable Vsync
+
+$ vblank_mode=0 glxgears
+
+18. Bring in nvidia drives in private-dev
+
+/dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm
+
+19. testing snaps
+
+Install firejail from official repository
+sudo apt-get install firejail
+
+Check firejail version
+firejail --version
+
+Above command outputs: firejail version 0.9.38
+
+Search the snap 'ubuntu clock' application
+sudo snap find ubuntu-clock-app
+
+Install 'ubuntu clock' application using snap
+sudo snap install ubuntu-clock-app
+
+Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
+cd /snap/bin/
+ls -l
+
+Note: We see application name is: ubuntu-clock-app.clock
+
+Run application
+/snap/bin/ubuntu-clock-app.clock
+
+Note: Application starts-up without a problem and clock is displayed.
+
+Close application using mouse.
+
+Now try to firejail the application.
+firejail /snap/bin/ubuntu-clock-app.clock
+
+-------- Error message --------
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+
+** Note: you can use --noprofile to disable generic.profile **
+
+Parent pid 3770, child pid 3771
+
+Child process initialized
+need to run as root or suid
+
+parent is shutting down, bye...
+-------- End of Error message --------
+
+Try running as root as message instructs.
+sudo firejail /snap/bin/ubuntu-clock-app.clock
+
+extract env for process
+ps e -p <pid> | sed 's/ /\n/g' 
+
+
+20. check default disable - from grsecurity
+
+GRKERNSEC_HIDESYM
+/proc/kallsyms and other files
+
+GRKERNSEC_PROC_USER
+If you say Y here, non-root users will only be able to view their own
+processes, and restricts them from viewing network-related information,
+and viewing kernel symbol and module information.
+
+GRKERNSEC_PROC_ADD
+If you say Y here, additional restrictions will be placed on
+/proc that keep normal users from viewing device information and 
+slabinfo information that could be useful for exploits.
+
+21. Core Infrastructure Initiative (CII) Best Practices
+
+Proposal
+
+Someone closely involved with the project could go thought the criteria and keep them up-to-date.
+References
+
+    https://bestpractices.coreinfrastructure.org
+    https://twit.tv/shows/floss-weekly/episodes/389
+
+22. add support for read-write and noexec to Firetools