35 files changed, 468 insertions, 108 deletions
diff --git a/README b/README
index b8c0aef44..8284ce825 100644
--- a/README
+++ b/README
@@ -571,6 +571,8 @@ kortewegdevries (https://github.com/kortewegdevries)
        - whitelisting evolution, kmail
 Kristóf Marussy (https://github.com/kris7t)
        - dns support
+kuesji koesnu (https://github.com/kuesji)
+        - unit suffixes for rlimit-fsize and rlimit-as
 Kunal Mehta (https://github.com/legoktm)
        - converted all links to https in manpages
 laniakea64 (https://github.com/laniakea64)
diff --git a/RELNOTES b/RELNOTES
index c989b00ff..0a07e7bda 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,10 @@
 firejail (0.9.65) baseline; urgency=low
  * deprecated --audit options, relpaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config
+  * new firejail.config settings: private-bin, private-etc
+  * new firejail.config settings: private-opt, private-srv
+  * new firejail.config settings: whitelist-disable-topdir
+  * new firejail.config settings: seccomp-filter-add
  * rename --noautopulse to keep-config-pulse
  * filtering environment variables
  * zsh completion
diff --git a/etc/firejail.config b/etc/firejail.config
index f5b3d5efa..43db49422 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -113,6 +113,10 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 6fb62e017..0e575e5eb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -39,6 +39,8 @@ blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -831,6 +833,14 @@ blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
new file mode 100644
index 000000000..0b5cf0df0
--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile
new file mode 100644
index 000000000..97b97fe5f
--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+private-bin alpinef
+# Redirect
+include alpine.profile
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 043fd6718..7cf04c550 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -34,6 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
+whitelist /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f7493aa82..b0e0254d4 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,8 +37,9 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
+# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 7874c882f..3ad67734d 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -56,8 +56,9 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
+# Add the next three lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 8e3e58f19..da047357a 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,8 +44,9 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 2536d0b38..1028e374a 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -31,7 +31,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f23488e20..e58fe39ec 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,6 +38,8 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alpine
+alpinef
 amarok
 amule
 amuled
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index e019de36f..056640eec 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -61,9 +61,13 @@ int appimage_find_profile(const char *archive) {
                char *ptr = strchr(buf, '\n');
                if (ptr)
                        *ptr = '\0';
-                if (strcasestr(archive, buf))
+                if (strcasestr(archive, buf)) {
+                        fclose(fp);
                        return profile_find_firejail(buf, 1);
+                }
        }
+        fclose(fp);
        return 0;
 }
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f3ab0a6d8..1e9f4b641 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
 char **whitelist_reject_topdirs = NULL;
 int checkcfg(int val) {
@@ -225,6 +226,10 @@ int checkcfg(int val) {
                        else if (strncmp(ptr, "join-timeout ", 13) == 0)
                                join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
+                        // add rules to default seccomp filter
+                        else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+                                config_seccomp_filter_add = seccomp_check_list(ptr + 19);
                        // seccomp error action
                        else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
                                if (strcmp(ptr + 21, "kill") == 0)
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index bfa28fcba..9a4cb2e6b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -470,7 +470,7 @@ void dbus_apply_policy(void) {
        create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
        if (arg_dbus_user != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600);
                if (arg_dbus_user == DBUS_POLICY_FILTER) {
                        assert(dbus_user_proxy_socket != NULL);
@@ -509,7 +509,7 @@ void dbus_apply_policy(void) {
        }
        if (arg_dbus_system != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600);
                if (arg_dbus_system == DBUS_POLICY_FILTER) {
                        assert(dbus_system_proxy_socket != NULL);
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 47dd39ac0..ec482e2ea 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -160,9 +160,6 @@ void dhcp_start(void) {
                exit(1);
        }
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
-        dhclient_path = RUN_MNT_DIR "/dhclient";
        EUID_ROOT();
        if (mkdir(RUN_DHCLIENT_DIR, 0700))
                errExit("mkdir");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 622be4d97..9971d30b6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -5,7 +5,7 @@
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; eithe r version 2 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
@@ -498,6 +498,7 @@ int macro_id(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
+long long unsigned parse_arg_size(char *str);
 void drop_privs(int nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
@@ -507,7 +508,7 @@ void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
@@ -809,6 +810,7 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 int checkcfg(int val);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 803b081c9..806fa9249 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -171,21 +171,28 @@ static void disable_file(OPERATION op, const char *filename) {
                fs_remount_rec(fname, op);
        }
        else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
+                if (!S_ISDIR(s.st_mode)) {
-                        if (getuid()) {
+                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
-                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                        free(fname);
-                                    fname[strlen(cfg.homedir)] != '/') {
+                        return;
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+                }
-                                        exit(1);
-                                }
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                free(fname);
+                                return;
                        }
-                        // fs_tmpfs returns with EUID 0
-                        fs_tmpfs(fname, getuid());
-                        selinux_relabel_path(fname, fname);
-                        EUID_USER();
                }
-                else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                fs_tmpfs(fname, uid);
+                EUID_USER(); // fs_tmpfs returns with EUID 0
+                selinux_relabel_path(fname, fname);
        }
        else
                assert(0);
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index eab952eb8..0ed476063 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -34,12 +34,13 @@
 #define O_PATH 010000000
 #endif
-static void skel(const char *homedir, uid_t u, gid_t g) {
+static void skel(const char *homedir) {
-        char *fname;
+        EUID_ASSERT();
        // zsh
        if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                        errExit("asprintf");
                // don't copy it if we already have the file
@@ -50,7 +51,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        exit(1);
                }
                if (access("/etc/skel/.zshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user
                        fs_logger("clone /etc/skel/.zshrc");
                        fs_logger2("clone", fname);
                }
@@ -64,6 +65,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
        // csh
        else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                        errExit("asprintf");
                // don't copy it if we already have the file
@@ -74,7 +76,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        exit(1);
                }
                if (access("/etc/skel/.cshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user
                        fs_logger("clone /etc/skel/.cshrc");
                        fs_logger2("clone", fname);
                }
@@ -88,6 +90,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
        // bash etc.
        else {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                        errExit("asprintf");
                // don't copy it if we already have the file
@@ -98,7 +101,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        exit(1);
                }
                if (access("/etc/skel/.bashrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user
                        fs_logger("clone /etc/skel/.bashrc");
                        fs_logger2("clone", fname);
                }
@@ -108,6 +111,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 static int store_xauthority(void) {
+        EUID_ASSERT();
        if (arg_x11_block)
                return 0;
@@ -118,7 +122,7 @@ static int store_xauthority(void) {
                errExit("asprintf");
        struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                if (S_ISLNK(s.st_mode)) {
                        fwarning("invalid .Xauthority file\n");
                        free(src);
@@ -126,6 +130,7 @@ static int store_xauthority(void) {
                }
                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                FILE *fp = fopen(dest, "we");
                if (fp) {
                        fprintf(fp, "\n");
@@ -134,10 +139,11 @@ static int store_xauthority(void) {
                }
                else
                        errExit("fopen");
+                EUID_USER();
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
+                copy_file_as_user(src, dest, 0600); // regular user
-                fs_logger2("clone", dest);
                selinux_relabel_path(dest, src);
+                fs_logger2("clone", dest);
                free(src);
                return 1; // file copied
        }
@@ -147,6 +153,7 @@ static int store_xauthority(void) {
 }
 static int store_asoundrc(void) {
+        EUID_ASSERT();
        if (arg_nosound)
                return 0;
@@ -157,11 +164,11 @@ static int store_asoundrc(void) {
                errExit("asprintf");
        struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                if (S_ISLNK(s.st_mode)) {
                        // make sure the real path of the file is inside the home directory
                        /* coverity[toctou] */
-                        char *rp = realpath_as_user(src);
+                        char *rp = realpath(src, NULL);
                        if (!rp) {
                                fprintf(stderr, "Error: Cannot access %s\n", src);
                                exit(1);
@@ -174,6 +181,7 @@ static int store_asoundrc(void) {
                }
                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                FILE *fp = fopen(dest, "we");
                if (fp) {
                        fprintf(fp, "\n");
@@ -182,10 +190,11 @@ static int store_asoundrc(void) {
                }
                else
                        errExit("fopen");
+                EUID_USER();
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
+                copy_file_as_user(src, dest, 0644); // regular user
-                selinux_relabel_path(dest, src);
                fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
                free(src);
                return 1; // file copied
        }
@@ -195,6 +204,7 @@ static int store_asoundrc(void) {
 }
 static void copy_xauthority(void) {
+        EUID_ASSERT();
        // copy XAUTHORITY_FILE in the new home directory
        char *src = RUN_XAUTHORITY_FILE ;
        char *dest;
@@ -207,16 +217,18 @@ static void copy_xauthority(void) {
                exit(1);
        }
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
        fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
        free(dest);
-        // delete the temporary file
+        EUID_ROOT();
-        unlink(src);
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 static void copy_asoundrc(void) {
+        EUID_ASSERT();
        // copy ASOUNDRC_FILE in the new home directory
        char *src = RUN_ASOUNDRC_FILE ;
        char *dest;
@@ -229,13 +241,14 @@ static void copy_asoundrc(void) {
                exit(1);
        }
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
        fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
        free(dest);
-        // delete the temporary file
+        EUID_ROOT();
-        unlink(src);
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 // private mode (--private=homedir):
@@ -248,18 +261,18 @@ void fs_private_homedir(void) {
        char *private_homedir = cfg.home_private;
        assert(homedir);
        assert(private_homedir);
+        EUID_ASSERT();
+        uid_t u = getuid();
+        // gid_t g = getgid();
        int xflag = store_xauthority();
        int aflag = store_asoundrc();
-        uid_t u = getuid();
-        gid_t g = getgid();
        // mount bind private_homedir on top of homedir
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
        // get file descriptors for homedir and private_homedir, fails if there is any symlink
-        EUID_USER();
        int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (src == -1)
                errExit("opening private directory");
@@ -287,6 +300,7 @@ void fs_private_homedir(void) {
        EUID_ROOT();
        if (bind_mount_by_fd(src, dst))
                errExit("mount bind");
+        EUID_USER();
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
@@ -305,6 +319,7 @@ void fs_private_homedir(void) {
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
+        EUID_ROOT();
        if (u != 0) {
                // mask /root
                if (arg_debug)
@@ -323,8 +338,9 @@ void fs_private_homedir(void) {
                selinux_relabel_path("/home", "/home");
                fs_logger("tmpfs /home");
        }
+        EUID_USER();
-        skel(homedir, u, g);
+        skel(homedir);
        if (xflag)
                copy_xauthority();
        if (aflag)
@@ -339,12 +355,15 @@ void fs_private_homedir(void) {
 void fs_private(void) {
        char *homedir = cfg.homedir;
        assert(homedir);
+        EUID_ASSERT();
        uid_t u = getuid();
        gid_t g = getgid();
        int xflag = store_xauthority();
        int aflag = store_asoundrc();
+        EUID_ROOT();
        // mask /root
        if (arg_debug)
                printf("Mounting a new /root directory\n");
@@ -387,8 +406,9 @@ void fs_private(void) {
                selinux_relabel_path(homedir, homedir);
        }
+        EUID_USER();
-        skel(homedir, u, g);
+        skel(homedir);
        if (xflag)
                copy_xauthority();
        if (aflag)
@@ -530,26 +550,29 @@ static void duplicate(char *name) {
 //      set skel files,
 //      restore .Xauthority
 void fs_private_home_list(void) {
-        timetrace_start();
        char *homedir = cfg.homedir;
        char *private_list = cfg.home_private_keep;
        assert(homedir);
        assert(private_list);
+        EUID_ASSERT();
-        int xflag = store_xauthority();
+        timetrace_start();
-        int aflag = store_asoundrc();
        uid_t uid = getuid();
        gid_t gid = getgid();
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
        // create /run/firejail/mnt/home directory
+        EUID_ROOT();
        mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
        selinux_relabel_path(RUN_HOME_DIR, homedir);
        fs_logger_print();      // save the current log
+        EUID_USER();
        // copy the list of files in the new home directory
-        EUID_USER();
        if (arg_debug)
                printf("Copying files in the new home:\n");
        char *dlist = strdup(cfg.home_private_keep);
@@ -587,6 +610,7 @@ void fs_private_home_list(void) {
        EUID_ROOT();
        if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                errExit("mount bind");
+        EUID_USER();
        close(fd);
        // check /proc/self/mountinfo to confirm the mount is ok
@@ -595,11 +619,7 @@ void fs_private_home_list(void) {
                errLogExit("invalid private-home mount");
        fs_logger2("tmpfs", homedir);
-        // mask RUN_HOME_DIR, it is writable and not noexec
+        EUID_ROOT();
-        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mounting tmpfs");
-        fs_logger2("tmpfs", RUN_HOME_DIR);
        if (uid != 0) {
                // mask /root
                if (arg_debug)
@@ -619,7 +639,12 @@ void fs_private_home_list(void) {
                fs_logger("tmpfs /home");
        }
-        skel(homedir, uid, gid);
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
+        skel(homedir);
        if (xflag)
                copy_xauthority();
        if (aflag)
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 370035a4d..943f275de 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -374,9 +374,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
        }
        // user home directory
-        if (tmpfs_home)
+        if (tmpfs_home) {
-                // checks owner if outside /home
+                EUID_USER();
-                fs_private();
+                fs_private(); // checks owner if outside /home
+                EUID_ROOT();
+        }
        // /run/user/$UID directory
        if (tmpfs_runuser) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 86c6575e2..7b32f6f07 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -967,7 +967,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
        char *prelist, *postlist;
-        if (list) {
+        if (list && list[0]) {
                syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
                if (postlist)
                        return 1;
@@ -1496,8 +1496,11 @@ int main(int argc, char **argv, char **envp) {
                        arg_rlimit_nproc = 1;
                }
                else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-                        check_unsigned(argv[i] + 15, "Error: invalid rlimit");
+                        cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
-                        sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_fsize = 1;
                }
                else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1506,8 +1509,11 @@ int main(int argc, char **argv, char **envp) {
                        arg_rlimit_sigpending = 1;
                }
                else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
-                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
+                        cfg.rlimit_as = parse_arg_size(argv[i] + 12);
-                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_as = 1;
                }
                else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
@@ -2889,6 +2895,15 @@ int main(int argc, char **argv, char **envp) {
        // check network configuration options - it will exit if anything went wrong
        net_check_cfg();
+        // customization of default seccomp filter
+        if (config_seccomp_filter_add) {
+                if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+                        profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+                if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+                        profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+        }
        if (arg_seccomp)
                arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 8675a1712..7b21eb387 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1510,8 +1510,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        arg_rlimit_nproc = 1;
                }
                else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-                        check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
+                        cfg.rlimit_fsize = parse_arg_size(ptr + 13);
-                        sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_fsize = 1;
                }
                else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1520,8 +1523,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        arg_rlimit_sigpending = 1;
                }
                else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
-                        check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: ");
+                        cfg.rlimit_as = parse_arg_size(ptr + 10);
-                        sscanf(ptr + 10, "%llu", &cfg.rlimit_as);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_as = 1;
                }
                else {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7bf372a14..99abce57f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -840,6 +840,7 @@ int sandbox(void* sandbox_arg) {
        // private mode
        //****************************
        if (arg_private) {
+                EUID_USER();
                if (cfg.home_private) { // --private=
                        if (cfg.chrootdir)
                                fwarning("private=directory feature is disabled in chroot\n");
@@ -858,6 +859,7 @@ int sandbox(void* sandbox_arg) {
                }
                else // --private
                        fs_private();
+                EUID_ROOT();
        }
        if (arg_private_dev)
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 9670fe816..3d9bf9082 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
        //      - seccomp
        if (cfg.seccomp_list_drop == NULL) {
                // default seccomp if error action is not changed
-                if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+                if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+                    && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
                        if (arg_seccomp_block_secondary)
                                seccomp_filter_block_secondary();
                        else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
                        }
                        // build the seccomp filter as a regular user
-                        if (list)
+                        if (list && list[0])
                                if (arg_allow_debuggers)
                                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
                                                      PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 71dd84e8f..55998e6c3 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -31,6 +31,9 @@
 #include <sys/wait.h>
 #include <limits.h>
+#include <string.h>
+#include <ctype.h>
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -50,6 +53,44 @@
 #define EMPTY_STRING ("")
+long long unsigned parse_arg_size(char *str) {
+        long long unsigned result = 0;
+        int len = strlen(str);
+        sscanf(str, "%llu", &result);
+        char suffix = *(str + len - 1);
+        if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) {
+                len -= 1;
+        }
+        /* checks for is value valid positive number */
+        for (int i = 0; i < len; i++) {
+                if (!isdigit(*(str+i))) {
+                        return 0;
+                }
+        }
+        if (isdigit(suffix))
+                return result;
+        switch (suffix) {
+        case 'k':
+                result *= 1024;
+                break;
+        case 'm':
+                result *= 1024 * 1024;
+                break;
+        case 'g':
+                result *= 1024 * 1024 * 1024;
+                break;
+        default:
+                result = 0;
+                break;
+        }
+        return result;
+}
 // send the error to /var/log/auth.log and exit after a small delay
 void errLogExit(char* fmt, ...) {
        va_list args;
@@ -329,7 +370,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 }
 // return -1 if error, 0 if no error
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
        pid_t child = fork();
        if (child < 0)
                errExit("fork");
@@ -337,8 +378,8 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                // drop privileges
                drop_privs(0);
-                // copy, set permissions and ownership
+                // copy, set permissions
-                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                if (rv)
                        fwarning("cannot copy %s\n", srcname);
 #ifdef HAVE_GCOV
@@ -1190,6 +1231,7 @@ unsigned extract_timeout(const char *str) {
 }
 void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
        assert(fname);
        EUID_USER();
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0619ff380..896aa2fd3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1290,9 +1290,11 @@ void x11_xorg(void) {
        if (envar) {
                char *rp = realpath(envar, NULL);
                if (rp) {
-                        if (strcmp(rp, dest) != 0)
+                        if (strcmp(rp, dest) != 0) {
-                                // disable_file_or_dir returns with EUID 0
+                                EUID_ROOT();
                                disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
                        free(rp);
                }
        }
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index 32be1c978..be3104da3 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -53,6 +53,8 @@ void apparmor_test(pid_t pid);
 // seccomp.c
 void seccomp_test(pid_t pid);
+// network.c
+void network_test(void);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 4d642bf96..812ac5808 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -157,6 +157,7 @@ int main(int argc, char **argv) {
                        seccomp_test(pid);
                        fflush(0);
+                        // filesystem tests
                        pid_t child = fork();
                        if (child == -1)
                                errExit("fork");
@@ -185,6 +186,28 @@ int main(int argc, char **argv) {
                        }
                        int status;
                        wait(&status);
+                        // network test
+                        child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "net");
+                                if (rv == 0)
+                                        network_test();
+                                else {
+                                        printf("   Error: I cannot join the process network stack\n");
+                                        exit(1);
+                                }
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        wait(&status);
                }
        }
diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c
new file mode 100644
index 000000000..636344e77
--- /dev/null
+++ b/src/jailcheck/network.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <linux/if_link.h>
+#include <linux/sockios.h>
+#include <sys/ioctl.h>
+void network_test(void) {
+        // I am root running in a network namespace
+        struct ifaddrs *ifaddr, *ifa;
+        int found = 0;
+        // walk through the linked list
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (strcmp(ifa->ifa_name, "lo") == 0)
+                        continue;
+                found = 1;
+                break;
+        }
+        freeifaddrs(ifaddr);
+        if (found)
+                printf("   Networking: enabled\n");
+        else
+                printf("   Networking: disabled\n");
+}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6f3bef7f2..db58e0910 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3212a88e4..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -2176,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless allow-debuggers is specified,
+which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 .br
@@ -2187,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
+.br
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
+and AMD64 both 32-bit and 64-bit filters are installed.
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
 .br
 .br
@@ -2209,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
-list and the syscalls or syscall groups specified by the
+specified by the command, but don't blacklist "syscall2". On a 64 bit
-command.
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 .br
@@ -2223,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2235,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2243,9 +2255,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 .br
@@ -2258,7 +2274,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2270,8 +2286,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
+Operation not permitted
-.br
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2315,15 +2330,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
@@ -2566,14 +2581,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index c80e305cc..483f47fb9 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 .SH OPTIONS
@@ -56,6 +58,8 @@ $ sudo jailcheck
 .br
   Warning: I can run programs in /home/netblue
 .br
+   Networking: disabled
+.br
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
 .br
   Warning: I can read ~/.ssh
 .br
+   Networking: enabled
+.br
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
   Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+   Networking: enabled
+.br
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
 .br
                 /run/user/1000,
 .br
+   Networking: enabled
+.br
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
 .br
   Warning: I can run programs in /home/netblue
 .br
+   Networking: enabled
+.br
 .SH LICENSE
diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp
index b838f83f4..b1572afb6 100755
--- a/test/environment/rlimit-bad-profile.exp
+++ b/test/environment/rlimit-bad-profile.exp
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=rlimit-bad1.profile\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix."
 }
 after 100
diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp
index 3a82ded9b..c05e14b97 100755
--- a/test/environment/rlimit-bad.exp
+++ b/test/environment/rlimit-bad.exp
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --rlimit-fsize=-1024\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize. Only use positive numbers and k, m or g suffix."
 }
 after 100
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index 8dd08aa72..78b6efb76 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -41,7 +41,7 @@ after 500
 send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "Error"
+        "Warning: you are not allowed to mount a tmpfs"
 }
 after 500