139 files changed, 2172 insertions, 1960 deletions
diff --git a/.gitignore b/.gitignore
index 0c803b135..cbb1b2e83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+jailtest.5
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
@@ -40,6 +41,7 @@ src/fbuilder/fbuilder
 src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
+src/jailtest/jailtest
 uids.h
 seccomp
 seccomp.debug
diff --git a/Makefile.in b/Makefile.in
index 593afdacf..f9422fc8b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -22,14 +22,16 @@ MAN_SRC = src/man
 endif
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
+.PHONY: all
 all: all_items mydirs $(MAN_TARGET) filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
-SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailtest.5
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
@@ -44,7 +46,6 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
        $(MAKE) -C $@
 $(MANPAGES): src/man
        ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
@@ -72,6 +73,7 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
        src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
+.PHONY: clean
 clean:
        for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                $(MAKE) -C $$dir clean; \
@@ -91,6 +93,7 @@ clean:
        rm -f test/sysutils/firejail_t*
        cd test/compile; ./compile.sh --clean; cd ../..
+.PHONY: distclean
 distclean: clean
        for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                $(MAKE) -C $$dir distclean; \
@@ -109,6 +112,8 @@ endif
        install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
        # firecfg executable
        install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+        # jailtest executable
+        install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir)
        # libraries and plugins
        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
@@ -177,6 +182,7 @@ uninstall:
        rm -f $(DESTDIR)$(bindir)/firemon
        rm -f $(DESTDIR)$(bindir)/firecfg
        rm -fr $(DESTDIR)$(libdir)/firejail
+        rm -fr $(DESTDIR)$(libdir)/jailtest
        rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
        for man in $(MANPAGES); do \
                rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
@@ -188,7 +194,7 @@ uninstall:
        @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
-DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
+DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot"
 dist:
        mv config.status config.status.old
@@ -229,24 +235,23 @@ cppcheck: clean
 scan-build: clean
        NO_EXTRA_CFLAGS="yes" scan-build make
 #
 # make test
 #
-TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters arguments fs fcopy fnetfilter
+TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
 TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 $(TEST_TARGETS):
        $(MAKE) -C test $(subst test-,,$@)
-test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
        echo "TEST COMPLETE"
-test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
        echo "TEST COMPLETE"
-test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
+test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
        echo "TEST COMPLETE"
 ##########################################
diff --git a/README b/README
index 3660c71e6..c2736a7b6 100644
--- a/README
+++ b/README
@@ -44,9 +44,10 @@ Committers
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Kelvin M. Klann (https://github.com/kmk3)
 - Kristóf Marussy (https://github.com/kris7t)
+- Neo00001 (https://github.com/Neo00001)
 - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
 - rusty-snake (https://github.com/rusty-snake)
- smithsohu (https://github.com/smitsohu)
+- smitsohu (https://github.com/smitsohu)
 - SkewedZeppelin (https://github.com/SkewedZeppelin)
 - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
 - Topi Miettinen (https://github.com/topimiettinen)
@@ -76,6 +77,9 @@ Aidan Gauland (https://github.com/aidalgol)
        - whitelist Bohemia Interactive config dir for Steam
 Akhil Hans Maulloo (https://github.com/kouul)
        - xz profile
+Albin Kauffmann (https://github.com/albinou)
+        - Firefox and Chromium profile fixes
+        - info to allow screen sharing in profiles
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
        - src/lib/libnetlink.c extracted from iproute2 software package
 Aleksey Manevich (https://github.com/manevich)
@@ -165,9 +169,12 @@ Barış Ekin Yıldırım (https://github.com/circuitshaker)
        - removing net none from code.profile
 bbhtt (https://github.com/bbhtt)
        - improvements to balsa,fractal,gajim,trojita profiles
-        - improvements to nheko, spectral, feh, links, lynx profiles
+        - improvements to nheko, spectral, feh, links, lynx, smplayer profiles
-        - added alacartem com.github.bleakgrey.tootle, photoflare profiles
+        - added alacarte, com.github.bleakgrey.tootle, photoflare profiles
        - add profiles for MS Edge dev build for Linux and Librewolf
+        - fixes to cheese, authenticator, liferea
+        - add profile for straw-viewer
+        - email clients whitelisting and fixes
 Benjamin Kampmann (https://github.com/ligthyear)
        - Forward exit code from child process
 bitfreak25 (https://github.com/bitfreak25)
@@ -452,6 +459,8 @@ Impyy (https://github.com/Impyy)
        - added mumble profile
 intika (https://github.com/intika)
        - added musixmatch profile
+irandms (https://github.com/irandms)
+        - man firecfg fixes
 irregulator (https://github.com/irregulator)
        - thunderbird profile fixes for debian stretch
 Irvine (https://github.com/Irvinehimself)
@@ -798,7 +807,9 @@ Simon Peter (https://github.com/probonopd)
 sinkuu (https://github.com/sinkuu)
        - blacklisting kwalletd
        - fix symlink invocation for programs placing symlinks in $PATH
-smithsohu (https://github.com/smitsohu)
+Simo Piiroinen (https://github.com/spiiroin)
+        - Jolla/SailfishOS patches
+smitsohu (https://github.com/smitsohu)
        - read-only kde4 services directory
        - enhanced mediathekview profile
        - added tuxguitar profile
@@ -913,6 +924,8 @@ Tom Mellor (https://github.com/kalegrill)
        - mupen64plus profile
 Tomasz Jan Góralczyk (https://github.com/tjg)
        - fixed Steam profile
+Tomi Leppänen (https://github.com/Tomin1)
+        - Jolla/SailfishOS patches
 Topi Miettinen (https://github.com/topimiettinen)
        - improved seccomp printing
        - improve mount handling, fix /run/user handling
@@ -1011,4 +1024,7 @@ Zack Weinberg (https://github.com/zackw)
          with firejail --x11
        - support for xpra-extra-params in firejail.config
+zupatisc (https://github.com/zupatisc)
+        - patch-util fix
 Copyright (C) 2014-2021 Firejail Authors
diff --git a/README.md b/README.md
index db088ddf6..d7abc77ae 100644
--- a/README.md
+++ b/README.md
@@ -198,7 +198,100 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 Release discussion: https://github.com/netblue30/firejail/issues/3696
+### jailtest
+`````
+JAILTEST(1)                    JAILTEST man page                   JAILTEST(1)
+NAME
+       jailtest - Simple utility program to test running sandboxes
+SYNOPSIS
+       sudo jailtest [OPTIONS] [directory]
+DESCRIPTION
+       WORK IN PROGRESS!  jailtest attaches itself to all sandboxes started by
+       the user and performs some basic tests on the sandbox filesystem:
+       1. Virtual directories
+              jailtest extracts a list with the main virtual  directories  in‐
+              stalled by the sandbox.  These directories are build by firejail
+              at startup using --private* and --whitelist commands.
+       2. Noexec test
+              jailtest inserts executable programs  in  /home/username,  /tmp,
+              and  /var/tmp  directories and tries to run them form inside the
+              sandbox, thus testing if the directory is executable or not.
+       3. Read access test
+              jailtest creates test files in the directories specified by  the
+              user and tries to read them from inside the sandbox.
+       4. AppArmor test
+       5. Seccomp test
+       The program is started as root using sudo.
+OPTIONS
+       --debug
+              Print debug messages
+       -?, --help
+              Print options end exit.
+       --version
+              Print program version and exit.
+       [directory]
+              One  or  more  directories in user home to test for read access.
+              ~/.ssh and ~/.gnupg are tested by default.
+OUTPUT
+       For each sandbox detected we print the following line:
+            PID:USER:Sandbox Name:Command
+       It is followed by relevant sandbox information, such as the virtual di‐
+       rectories and various warnings.
+EXAMPLE
+       $ sudo jailtest
+       2014:netblue::firejail /usr/bin/gimp
+          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+          Warning: I can run programs in /home/netblue
+       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+          Warning: I can read ~/.ssh
+       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
+       pimage
+          Virtual dirs: /tmp, /var/tmp, /dev,
+       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+                        /run/user/1000,
+       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+          Warning: AppArmor not enabled
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+                        /usr/share, /run/user/1000,
+          Warning: I can run programs in /home/netblue
+LICENSE
+       This program is free software; you can redistribute it and/or modify it
+       under  the  terms of the GNU General Public License as published by the
+       Free Software Foundation; either version 2 of the License, or (at  your
+       option) any later version.
+       Homepage: https://firejail.wordpress.com
+SEE ALSO
+       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
+       gin(5), firejail-users(5),
+0.9.65                             Feb 2021                        JAILTEST(1)
+`````
 ### Profile Statistics
@@ -210,31 +303,32 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 Stats:
-    profiles                    1064
+    profiles                    1077
-    include local profile       1064   (include profile-name.local)
+    include local profile       1077   (include profile-name.local)
-    include globals             1064   (include globals.local)
+    include globals             1077   (include globals.local)
-    blacklist ~/.ssh            959   (include disable-common.inc)
+    blacklist ~/.ssh            971   (include disable-common.inc)
-    seccomp                     975
+    seccomp                     988
-    capabilities                1063
+    capabilities                1076
-    noexec                      944   (include disable-exec.inc)
+    noexec                      960   (include disable-exec.inc)
-    memory-deny-write-execute   229
+    memory-deny-write-execute   231
-    apparmor                    605
+    apparmor                    621
-    private-bin                 564
+    private-bin                 571
-    private-dev                 932
+    private-dev                 949
-    private-etc                 462
+    private-etc                 470
-    private-tmp                 823
+    private-tmp                 835
-    whitelist home directory    502
+    whitelist home directory    508
-    whitelist var               744   (include whitelist-var-common.inc)
+    whitelist var               758   (include whitelist-var-common.inc)
-    whitelist run/user          461   (include whitelist-runuser-common.inc
+    whitelist run/user          539   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         451   (include whitelist-usr-share-common.inc
+    whitelist usr/share         526   (include whitelist-usr-share-common.inc
-    net none                    345
+    net none                    354
-    dbus-user none              564
+    dbus-user none              573
-    dbus-user filter            85
+    dbus-user filter            86
-    dbus-system none            696
+    dbus-system none            706
    dbus-system filter          7
 ```
 ### New profiles:
-vmware-view, display-im6.q16
+vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop.
+avidemux, calligragemini, vmware-player, vmware-workstation, gget
+\ No newline at end of file
diff --git a/RELNOTES b/RELNOTES
index 98ae118a3..b1322e0dc 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,7 +1,21 @@
 firejail (0.9.65) baseline; urgency=low
  * filtering environment variables
  * zsh completion
-  * new profiles: vmware-view, display-im6.q16
+  * command line: --mkdir, --mkfile
+  * --protocol now accumulates
+  * Jolla/SailfishOS patches
+  * private-lib rework
+  * jailtest utility for testing running sandboxes
+  * removed --audit options, relpaced by jailtest
+  * capabilities list update
+  * faccessat2 syscall support
+  * compile time: --enable-force-nonewprivs
+  * compile time: --disable-output
+  * compile time: --enable-lts
+  * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
+  * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
+  * avidemux, calligragemini, vmware-player, vmware-workstation
+  * gget
 -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/configure b/configure
index fa2401070..e5e0dcc0d 100755
--- a/configure
+++ b/configure
@@ -627,7 +627,8 @@ LIBOBJS
 EGREP
 GREP
 CPP
-HAVE_SELINUX
+HAVE_LTS
+HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -645,10 +646,12 @@ HAVE_FIRETUNNEL
 HAVE_GAWK
 HAVE_MAN
 HAVE_USERTMPFS
+HAVE_OUTPUT
 HAVE_OVERLAYFS
 HAVE_DBUSPROXY
 EXTRA_LDFLAGS
 EXTRA_CFLAGS
+HAVE_SELINUX
 HAVE_APPARMOR
 AA_LIBS
 AA_CFLAGS
@@ -710,7 +713,9 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_apparmor
+enable_selinux
 enable_dbusproxy
+enable_output
 enable_usertmpfs
 enable_man
 enable_firetunnel
@@ -727,7 +732,8 @@ enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
-enable_selinux
+enable_force_nonewprivs
+enable_lts
 '
      ac_precious_vars='build_alias
 host_alias
@@ -1365,7 +1371,9 @@ Optional Features:
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-analyzer       enable GCC 10 static analyzer
  --enable-apparmor       enable apparmor
+  --enable-selinux        SELinux labeling support
  --disable-dbusproxy     disable dbus proxy
+  --disable-output        disable --output logging
  --disable-usertmpfs     disable tmpfs as regular user
  --disable-man           disable man pages
  --disable-firetunnel    disable firetunnel
@@ -1385,7 +1393,9 @@ Optional Features:
  --enable-gcov           Gcov instrumentation
  --enable-contrib-install
                          install contrib scripts
-  --enable-selinux        SELinux labeling support
+  --enable-force-nonewprivs
+                          enable force nonewprivs
+  --enable-lts            enable long-term support software version (LTS)
 Some influential environment variables:
  CC          C compiler command
@@ -3511,6 +3521,20 @@ fi
 fi
+HAVE_SELINUX=""
+# Check whether --enable-selinux was given.
+if test "${enable_selinux+set}" = set; then :
+  enableval=$enable_selinux;
+fi
+if test "x$enable_selinux" = "xyes"; then :
+        HAVE_SELINUX="-DHAVE_SELINUX"
+        EXTRA_LDFLAGS+=" -lselinux "
+fi
@@ -3539,6 +3563,19 @@ HAVE_OVERLAYFS=""
 #       AC_SUBST(HAVE_OVERLAYFS)
 #])
+HAVE_OUTPUT=""
+# Check whether --enable-output was given.
+if test "${enable_output+set}" = set; then :
+  enableval=$enable_output;
+fi
+if test "x$enable_output" != "xno"; then :
+        HAVE_OUTPUT="-DHAVE_OUTPUT"
+fi
 HAVE_USERTMPFS=""
 # Check whether --enable-usertmpfs was given.
 if test "${enable_usertmpfs+set}" = set; then :
@@ -3792,20 +3829,80 @@ else
 fi
-HAVE_SELINUX=""
+HAVE_FORCE_NONEWPRIVS=""
-# Check whether --enable-selinux was given.
+# Check whether --enable-force-nonewprivs was given.
-if test "${enable_selinux+set}" = set; then :
+if test "${enable_force_nonewprivs+set}" = set; then :
-  enableval=$enable_selinux;
+  enableval=$enable_force_nonewprivs;
 fi
-if test "x$enable_selinux" = "xyes"; then :
+if test "x$enable_force_nonewprivs" = "xyes"; then :
-        HAVE_SELINUX="-DHAVE_SELINUX"
+        HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
-        EXTRA_LDFLAGS+=" -lselinux "
 fi
+HAVE_LTS=""
+# Check whether --enable-lts was given.
+if test "${enable_lts+set}" = set; then :
+  enableval=$enable_lts;
+fi
+if test "x$enable_lts" = "xyes"; then :
+        HAVE_LTS="-DHAVE_LTS"
+        HAVE_DBUSPROXY=""
+        HAVE_OVERLAYFS=""
+        HAVE_OUTPUT=""
+        HAVE_USERTMPFS=""
+        HAVE_MAN="-DHAVE_MAN"
+        HAVE_FIRETUNNEL=""
+        HAVE_PRIVATEHOME=""
+        HAVE_CHROOT=""
+        HAVE_GLOBALCFG=""
+        HAVE_USERNS=""
+        HAVE_X11=""
+        HAVE_FILE_TRANSFER=""
+        HAVE_SUID="yes"
+        BUSYBOX_WORKAROUND="no"
+        HAVE_CONTRIB_INSTALL="no",
+fi
 # checking pthread library
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
 $as_echo_n "checking for main in -lpthread... " >&6; }
@@ -4269,7 +4366,7 @@ fi
 ac_config_files="$ac_config_files mkdeb.sh"
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4993,14 +5090,16 @@ do
    "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
    "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;;
    "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
-    "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
    "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
    "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
    "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
    "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
    "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
    "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
+    "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;;
+    "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
    "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
+    "src/jailtest/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailtest/Makefile" ;;
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
@@ -5466,6 +5565,7 @@ echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   apparmor: $HAVE_APPARMOR"
+echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   network: $HAVE_NETWORK"
@@ -5477,6 +5577,7 @@ echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
 echo "   DBUS proxy support: $HAVE_DBUSPROXY"
 echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
+echo "   enable --ouput logging: $HAVE_OUTPUT"
 echo "   Manpage support: $HAVE_MAN"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
@@ -5486,6 +5587,20 @@ echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo "   Gcov instrumentation: $HAVE_GCOV"
 echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   Install as a SUID executable: $HAVE_SUID"
+echo "   LTS: $HAVE_LTS"
+echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+        echo
+        echo
+        echo "*********************************************************"
+        echo "*    Warning: Long-term support (LTS) was enabled!      *"
+        echo "*    Most compile-time options have bean rewritten!     *"
+        echo "*********************************************************"
+        echo
+        echo
+fi
diff --git a/configure.ac b/configure.ac
index aa2d0fb6b..e8bd6fb80 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,15 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [
        AC_SUBST(HAVE_APPARMOR)
 ])
+HAVE_SELINUX=""
+AC_ARG_ENABLE([selinux],
+    AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+AS_IF([test "x$enable_selinux" = "xyes"], [
+        HAVE_SELINUX="-DHAVE_SELINUX"
+        EXTRA_LDFLAGS+=" -lselinux "
+        AC_SUBST(HAVE_SELINUX)
+])
 AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
@@ -77,6 +86,14 @@ AC_SUBST(HAVE_OVERLAYFS)
 #       AC_SUBST(HAVE_OVERLAYFS)
 #])
+HAVE_OUTPUT=""
+AC_ARG_ENABLE([output],
+    AS_HELP_STRING([--disable-output], [disable --output logging]))
+AS_IF([test "x$enable_output" != "xno"], [
+        HAVE_OUTPUT="-DHAVE_OUTPUT"
+        AC_SUBST(HAVE_OUTPUT)
+])
 HAVE_USERTMPFS=""
 AC_ARG_ENABLE([usertmpfs],
    AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
@@ -211,15 +228,70 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
-HAVE_SELINUX=""
+HAVE_FORCE_NONEWPRIVS=""
-AC_ARG_ENABLE([selinux],
+AC_ARG_ENABLE([force-nonewprivs],
-    AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+    AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
-AS_IF([test "x$enable_selinux" = "xyes"], [
+AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
-        HAVE_SELINUX="-DHAVE_SELINUX"
+        HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
-        EXTRA_LDFLAGS+=" -lselinux "
+        AC_SUBST(HAVE_FORCE_NONEWPRIVS)
-        AC_SUBST(HAVE_SELINUX)
+])
+HAVE_LTS=""
+AC_ARG_ENABLE([lts],
+    AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
+AS_IF([test "x$enable_lts" = "xyes"], [
+        HAVE_LTS="-DHAVE_LTS"
+        AC_SUBST(HAVE_LTS)
+        HAVE_DBUSPROXY=""
+        AC_SUBST(HAVE_DBUSPROXY)
+        HAVE_OVERLAYFS=""
+        AC_SUBST(HAVE_OVERLAYFS)
+        HAVE_OUTPUT=""
+        AC_SUBST(HAVE_OUTPUT)
+        HAVE_USERTMPFS=""
+        AC_SUBST(HAVE_USERTMPFS)
+        HAVE_MAN="-DHAVE_MAN"
+        AC_SUBST(HAVE_MAN)
+        HAVE_FIRETUNNEL=""
+        AC_SUBST(HAVE_FIRETUNNEL)
+        HAVE_PRIVATEHOME=""
+        AC_SUBST(HAVE_PRIVATE_HOME)
+        HAVE_CHROOT=""
+        AC_SUBST(HAVE_CHROOT)
+        HAVE_GLOBALCFG=""
+        AC_SUBST(HAVE_GLOBALCFG)
+        HAVE_USERNS=""
+        AC_SUBST(HAVE_USERNS)
+        HAVE_X11=""
+        AC_SUBST(HAVE_X11)
+        HAVE_FILE_TRANSFER=""
+        AC_SUBST(HAVE_FILE_TRANSFER)
+        HAVE_SUID="yes"
+        AC_SUBST(HAVE_SUID)
+        BUSYBOX_WORKAROUND="no"
+        AC_SUBST(BUSYBOX_WORKAROUND)
+        HAVE_CONTRIB_INSTALL="no",
+        AC_SUBST(HAVE_CONTRIB_INSTALL)
 ])
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -233,14 +305,16 @@ fi
 AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
+src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
-src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile)
+src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
+src/jailtest/Makefile)
 echo
 echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   apparmor: $HAVE_APPARMOR"
+echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   network: $HAVE_NETWORK"
@@ -252,6 +326,7 @@ echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
 echo "   DBUS proxy support: $HAVE_DBUSPROXY"
 echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
+echo "   enable --ouput logging: $HAVE_OUTPUT"
 echo "   Manpage support: $HAVE_MAN"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
@@ -261,6 +336,20 @@ echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo "   Gcov instrumentation: $HAVE_GCOV"
 echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   SELinux labeling support: $HAVE_SELINUX"
 echo "   Install as a SUID executable: $HAVE_SUID"
+echo "   LTS: $HAVE_LTS"
+echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
 echo
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+        echo
+        echo
+        echo "*********************************************************"
+        echo "*    Warning: Long-term support (LTS) was enabled!      *"
+        echo "*    Most compile-time options have bean rewritten!     *"
+        echo "*********************************************************"
+        echo
+        echo
+fi
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index ec87f1d2d..80d527e41 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -126,40 +126,14 @@ signal (receive),
 # We let Firejail deal with capabilities, but ensure that
 # some AppArmor related capabilities will not be available.
 ##########
-capability chown,
+# The list of recognized capabilities varies from one apparmor version to another.
-capability dac_override,
+# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
-capability dac_read_search,
+# We allow all caps by default and remove the  ones we don't like:
-capability fowner,
+capability,
-capability fsetid,
+deny capability audit_write,
-capability kill,
+deny capability audit_control,
-capability setgid,
+deny capability mac_override,
-capability setuid,
+deny capability mac_admin,
-capability setpcap,
-capability linux_immutable,
-capability net_bind_service,
-capability net_broadcast,
-capability net_admin,
-capability net_raw,
-capability ipc_lock,
-capability ipc_owner,
-capability sys_module,
-capability sys_rawio,
-capability sys_chroot,
-capability sys_ptrace,
-capability sys_pacct,
-capability sys_admin,
-capability sys_boot,
-capability sys_nice,
-capability sys_resource,
-capability sys_time,
-capability sys_tty_config,
-capability mknod,
-capability lease,
-#capability audit_write,
-#capability audit_control,
-capability setfcap,
-#capability mac_override,
-#capability mac_admin,
 # Site-specific additions and overrides. See local/README for details.
 #include <local/firejail-default>
diff --git a/etc/inc/chromium-common-hardened.inc b/etc/inc/chromium-common-hardened.inc
deleted file mode 100644
index f33ce3115..000000000
--- a/etc/inc/chromium-common-hardened.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-caps.drop all
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
diff --git a/etc/inc/feh-network.inc b/etc/inc/feh-network.inc
deleted file mode 100644
index e94e7205c..000000000
--- a/etc/inc/feh-network.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-ignore net none
-netfilter
-protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index b2294c070..0d31255ad 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,8 +7,8 @@ include 7z.local
 # Persistent global definitions
 include globals.local
-# Included in archiver-common.inc
+# Included in archiver-common.profile
 ignore include disable-shell.inc
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 2cdd3a90c..5a21744cf 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -5,6 +5,7 @@ include android-studio.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/Google
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
index f99934e66..5a20a8181 100644
--- a/etc/profile-a-l/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -8,4 +8,4 @@ include ar.local
 include globals.local
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/inc/archiver-common.inc b/etc/profile-a-l/archiver-common.profile
index 74b0b6ef6..74b0b6ef6 100644
--- a/etc/inc/archiver-common.inc
+++ b/etc/profile-a-l/archiver-common.profile
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index 6e0ecb012..e377de2c8 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -17,4 +17,4 @@ private-etc alternatives,group,login.defs,passwd
 private-tmp
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index fb4f643c8..d731a6a6e 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -9,4 +9,4 @@ include globals.local
 private-etc alternatives,group,localtime,passwd
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 09eaa2d12..0283a6934 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -11,7 +11,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
 whitelist ${HOME}/.config/ungoogled-chromium
-# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/chromium-common-hardened.profile b/etc/profile-a-l/chromium-common-hardened.profile
new file mode 100644
index 000000000..d756eec50
--- /dev/null
+++ b/etc/profile-a-l/chromium-common-hardened.profile
@@ -0,0 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include chromium-common-hardened.local
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 1afb2c6e1..b81b1cb36 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -32,7 +32,7 @@ include whitelist-var-common.inc
 # Uncomment the next line (or add it to your chromium-common.local)
 # if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc
+#include chromium-common-hardened.profile
 # Uncomment or put in your chromium-common.local to allow screen sharing under
 # wayland.
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index 0e0299655..bdc4f21a6 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -11,4 +11,4 @@ noblacklist /sbin
 noblacklist /usr/sbin
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 11b9a4f42..b9ef5d49d 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -11,14 +11,17 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -36,3 +39,6 @@ tracelog
 private-bin dosbox
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/ebook-convert.profile b/etc/profile-a-l/ebook-convert.profile
new file mode 100644
index 000000000..988ba90fc
--- /dev/null
+++ b/etc/profile-a-l/ebook-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-convert.local
+net none
+dbus-user none
+dbus-system none
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-edit.profile b/etc/profile-a-l/ebook-edit.profile
new file mode 100644
index 000000000..3b5fee0a8
--- /dev/null
+++ b/etc/profile-a-l/ebook-edit.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-edit.local
+net none
+dbus-user none
+dbus-system none
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-meta.profile b/etc/profile-a-l/ebook-meta.profile
new file mode 100644
index 000000000..594a8e241
--- /dev/null
+++ b/etc/profile-a-l/ebook-meta.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-meta.local
+net none
+dbus-user none
+dbus-system none
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-polish.profile b/etc/profile-a-l/ebook-polish.profile
new file mode 100644
index 000000000..ad94e32a2
--- /dev/null
+++ b/etc/profile-a-l/ebook-polish.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-polish.local
+net none
+dbus-user none
+dbus-system none
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index d3be07c9d..691616393 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -20,7 +20,7 @@ include whitelist-var-common.inc
 # Uncomment the next line (or add it to your chromium-common.local)
 # if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc
+#include chromium-common-hardened.profile
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/feh-network.profile b/etc/profile-a-l/feh-network.profile
new file mode 100644
index 000000000..f35facd64
--- /dev/null
+++ b/etc/profile-a-l/feh-network.profile
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include feh-network.local
+ignore net none
+netfilter
+protocol unix,inet,inet6
+private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 8ac7755de..6d6287f7f 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -18,7 +18,7 @@ include disable-shell.inc
 # This profile disables network access
 # In order to enable network access,
 # uncomment the following or put it in your feh.local:
-# include feh-network.inc
+# include feh-network.profile
 caps.drop all
 net none
diff --git a/etc/inc/firefox-common-addons.inc b/etc/profile-a-l/firefox-common-addons.profile
index ca7731442..ca7731442 100644
--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/profile-a-l/firefox-common-addons.profile
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index fe0a27828..a955722c8 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -10,7 +10,7 @@ include firefox-common.local
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
-#include firefox-common-addons.inc
+#include firefox-common-addons.profile
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
new file mode 100644
index 000000000..828d638ed
--- /dev/null
+++ b/etc/profile-a-l/gget.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gget
+# Description: a cli. to get things. from git repos
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gget.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin gget
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-lib
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 035c6459c..b261c16f4 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -12,4 +12,4 @@ include globals.local
 noblacklist /var/lib/pacman
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-a-l/ipcalc-ng.profile b/etc/profile-a-l/ipcalc-ng.profile
new file mode 100644
index 000000000..3ad0f3a4f
--- /dev/null
+++ b/etc/profile-a-l/ipcalc-ng.profile
@@ -0,0 +1,11 @@
+# Firejail profile ipcalc-ng
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc-ng.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include ipcalc.profile
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
new file mode 100644
index 000000000..4b97b83b7
--- /dev/null
+++ b/etc/profile-a-l/ipcalc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for ipcalc
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc.local
+# Persistent global definitions
+include globals.local
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+# include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+# machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix
+seccomp
+shell none
+# tracelog
+disable-mnt
+private
+private-bin bash,ipcalc,ipcalc-ng,perl,sh
+# private-cache
+private-dev
+# empty etc directory
+private-etc none
+private-lib
+private-opt none
+private-tmp
+dbus-user none
+dbus-system none
+# memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/profile-a-l/lzop.profile b/etc/profile-a-l/lzop.profile
new file mode 100644
index 000000000..f3175c590
--- /dev/null
+++ b/etc/profile-a-l/lzop.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lzop
+# Description: File compressor using lzo lib
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index 6f74e6da3..c6c50cf47 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -29,6 +29,7 @@ whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -53,7 +54,7 @@ tracelog
 x11 none
 disable-mnt
-private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
+#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
 private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 55865fe72..029d0183d 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -12,6 +12,7 @@ include globals.local
 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
 noblacklist ${HOME}/.cache/marker
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index b6dc643d4..d30965922 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -15,6 +15,7 @@ include disable-shell.inc
 include whitelist-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 46a84372c..b034efde9 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -43,7 +43,7 @@ x11 none
 private-bin patch,red
 private-dev
-private-lib libfakeroot
+private-lib libdl.so.*,libfakeroot
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
new file mode 100644
index 000000000..c9da0b628
--- /dev/null
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include rtv-addons.local
+# You can configure rtv to open different type of links
+# in external applications. Configuration here:
+# https://github.com/michael-lazar/rtv#viewing-media-links
+# This include is meant to facilitate that configuration
+# with the use of a .local file.
+ignore nosound
+ignore private-bin
+ignore dbus-user none
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/.w3m
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/.w3m
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index 14740e05f..6f971b96b 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -16,6 +16,11 @@ noblacklist ${HOME}/.local/share/rtv
 include allow-python2.inc
 include allow-python3.inc
+# You can configure rtv to open different type of links
+# in external applications. Configuration here:
+# https://github.com/michael-lazar/rtv#viewing-media-links
+# Uncomment or put in rtv.local for external application support
+#include rtv-addons.profile
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 666a37def..ebd3168b3 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -6,7 +6,6 @@ include signal-desktop.local
 include globals.local
 # Disabled until someone reported positive feedback
-ignore include-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 ignore private-cache
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index b39763981..ed04eda8e 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -18,6 +18,7 @@ ignore dbus-user none
 ignore dbus-system none
 # breaks Skype
+ignore apparmor
 ignore noexec /tmp
 noblacklist ${HOME}/.config/skypeforlinux
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 641c3a79d..7bc731333 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -24,6 +24,7 @@ whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 9d7a23d43..0d3a900e9 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,7 +7,7 @@ include tar.local
 # Persistent global definitions
 include globals.local
-# Included in archiver-common.inc
+# Included in archiver-common.profile
 ignore include disable-shell.inc
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
@@ -20,4 +20,4 @@ private-etc alternatives,group,localtime,login.defs,passwd
 writable-var
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 1045fa02a..5cb5caf8d 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,6 +15,9 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
+blacklist /opt
+blacklist /srv
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,8 +31,11 @@ mkdir ${HOME}/.local/share/torbrowser
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
+whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 # Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 8dbbfcc62..348d3cb80 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -14,7 +14,7 @@ whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
-protocol unix,inet,inet6,packet
+protocol packet
 private-bin transmission-daemon
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 65f1a425a..9d3d9b40e 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -12,4 +12,4 @@ private-etc alternatives,group,localtime,passwd
 private-tmp
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index c94416b87..0231e3dba 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -13,4 +13,4 @@ noblacklist ${HOME}/.local/share/gnome-shell
 private-etc alternatives,group,localtime,passwd
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 7a49ad88a..232ff8ae4 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -34,6 +34,7 @@ include whitelist-var-common.inc
 # For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+apparmor
 caps.keep net_raw,sys_nice
 netfilter
 nodvd
@@ -45,6 +46,7 @@ tracelog
 #disable-mnt
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/vmware-player.profile b/etc/profile-m-z/vmware-player.profile
new file mode 100644
index 000000000..582a0f693
--- /dev/null
+++ b/etc/profile-m-z/vmware-player.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-player
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-player.local
+# Redirect
+include vmware.profile
diff --git a/etc/profile-m-z/vmware-workstation.profile b/etc/profile-m-z/vmware-workstation.profile
new file mode 100644
index 000000000..6290b57f4
--- /dev/null
+++ b/etc/profile-m-z/vmware-workstation.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-workstation
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-workstation.local
+# Redirect
+include vmware.profile
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
index c5e8d1631..79f71f2fd 100644
--- a/etc/profile-m-z/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -8,4 +8,4 @@ include xzdec.local
 include globals.local
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
index 07a75f97f..faeb5c5c5 100644
--- a/etc/profile-m-z/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -8,4 +8,4 @@ include zstd.local
 include globals.local
 # Redirect
-include archiver-common.inc
+include archiver-common.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 72b7d3025..17d7f55b2 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -155,8 +155,8 @@ include globals.local
 #  - unix is usually needed
 #  - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
 #  - netlink is rarely needed
-#  - packet almost never
+#  - packet and bluetooth almost never
-#protocol unix,inet,inet6,netlink,packet
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
@@ -200,6 +200,7 @@ include globals.local
 #    flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 #  - flatpak implicitly allows an app to own <APP-ID> on the session bus
+#  - Some features like native notifications are implemented as portal too.
 #  - In order to make dconf work (when used by the app) you need to allow
 #    'ca.desrt.dconf' even when not allowed by flatpak.
 # Notes and Policiy about addresses can be found at
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index b73ffe857..85df1b4eb 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -35,6 +35,7 @@ rm -rf %{buildroot}
 %attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firecfg
 %{_bindir}/firemon
+%{_bindir}/jailtest
 %{_libdir}/__NAME__
 %{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firecfg
@@ -47,4 +48,5 @@ rm -rf %{buildroot}
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
+%{_mandir}/man5/jailtest.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__
diff --git a/src/bash_completion/Makefile.in b/src/bash_completion/Makefile.in
index d8a393aa4..f7db9e6b4 100644
--- a/src/bash_completion/Makefile.in
+++ b/src/bash_completion/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firejail.bash_completion
 include ../common.mk
@@ -7,8 +8,10 @@ firejail.bash_completion: firejail.bash_completion.in
        sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
        rm $@.tmp
+.PHONY: clean
 clean:
        rm -fr firejail.bash_completion
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index 00f04c310..f68edf380 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -90,10 +90,6 @@ _firejail()
            _filedir
            return 0
            ;;
-        --audit)
-            _filedir
-            return 0
-            ;;
         --net)
                comps=$(__interfaces)
            COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
diff --git a/src/common.mk.in b/src/common.mk.in
index b8a13cd1b..a3df4abb6 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -25,6 +25,9 @@ HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
 HAVE_USERTMPFS=@HAVE_USERTMPFS@
+HAVE_OUTPUT=@HAVE_OUTPUT@
+HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -34,7 +37,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
deleted file mode 100644
index 44c121a4c..000000000
--- a/src/faudit/Makefile.in
+++ /dev/null
@@ -1,14 +0,0 @@
-all: faudit
-include ../common.mk
-%.o : %.c $(H_FILE_LIST)
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-faudit: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist
-distclean: clean
-        rm -fr Makefile
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
deleted file mode 100644
index e9547dc8e..000000000
--- a/src/faudit/caps.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <linux/capability.h>
-#define MAXBUF 4098
-static int extract_caps(uint64_t *val) {
-        FILE *fp = fopen("/proc/self/status", "r");
-        if (!fp)
-                return 1;
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp)) {
-                if (strncmp(buf, "CapBnd:\t", 8) == 0) {
-                        char *ptr = buf + 8;
-                        unsigned long long tmp;
-                        sscanf(ptr, "%llx", &tmp);
-                        *val = tmp;
-                        fclose(fp);
-                        return 0;
-                }
-        }
-        fclose(fp);
-        return 1;
-}
-// return 1 if the capability is in the map
-static int check_capability(uint64_t map, int cap) {
-        int i;
-        uint64_t mask = 1ULL;
-        for (i = 0; i < 64; i++, mask <<= 1) {
-                if ((i == cap) && (mask & map))
-                        return 1;
-        }
-        return 0;
-}
-void caps_test(void) {
-        uint64_t caps_val;
-        if (extract_caps(&caps_val)) {
-                printf("SKIP: cannot extract capabilities on this platform.\n");
-                return;
-        }
-        if (caps_val) {
-                printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
-                printf("Use \"firejail --caps.drop=all\" to fix it.\n");
-                if (check_capability(caps_val, CAP_SYS_ADMIN))
-                        printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
-                if (check_capability(caps_val, CAP_SYS_BOOT))
-                        printf("UGLY: CAP_SYS_BOOT is enabled.\n");
-        }
-        else
-                printf("GOOD: all capabilities are disabled.\n");
-}
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
deleted file mode 100644
index 389504fb8..000000000
--- a/src/faudit/dbus.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include "../include/rundefs.h"
-#include <stdarg.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-// return 0 if the connection is possible
-int check_unix(const char *sockfile) {
-        assert(sockfile);
-        int rv = -1;
-        // open socket
-        int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-        if (sock == -1)
-                return rv;
-        // connect
-        struct sockaddr_un remote;
-        memset(&remote, 0, sizeof(struct sockaddr_un));
-        remote.sun_family = AF_UNIX;
-        strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1);
-        int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
-        if (*sockfile == '@')
-                remote.sun_path[0] = '\0';
-        if (connect(sock, (struct sockaddr *)&remote, len) == 0)
-                rv = 0;
-        close(sock);
-        return rv;
-}
-static char *test_dbus_env(char *env_var_name) {
-        // check the session bus
-        char *str = getenv(env_var_name);
-        char *found = NULL;
-        if (str) {
-                int rv = 0;
-                char *bus = strdup(str);
-                if (!bus)
-                        errExit("strdup");
-                char *sockfile;
-                if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
-                        sockfile += 13;
-                        *sockfile = '@';
-                        char *ptr = strchr(sockfile, ',');
-                        if (ptr)
-                                *ptr = '\0';
-                        rv = check_unix(sockfile);
-                        *sockfile = '@';
-                        if (rv == 0)
-                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-                        else if (rv == -1)
-                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-                }
-                else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
-                        sockfile += 10;
-                        char *ptr = strchr(sockfile, ',');
-                        if (ptr)
-                                *ptr = '\0';
-                        rv = check_unix(sockfile);
-                        if (rv == 0) {
-                                if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 ||
-                                        strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) {
-                                        printf("GOOD: D-Bus filtering is active on %s\n", sockfile);
-                                } else {
-                                        printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-                                }
-                        }
-                        else if (rv == -1)
-                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-                        found = strdup(sockfile);
-                        if (!found)
-                                errExit("strdup");
-                }
-                else if (strstr(bus, "tcp:host=") != NULL)
-                        printf("UGLY: %s bus configured for TCP communication.\n", env_var_name);
-                else
-                        printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name);
-                free(bus);
-        }
-        else
-                printf("MAYBE: %s environment variable not configured.\n", env_var_name);
-        return found;
-}
-static void test_default_socket(const char *found, const char *format, ...) {
-        va_list ap;
-        va_start(ap, format);
-        char *sockfile;
-        if (vasprintf(&sockfile, format, ap) == -1)
-                errExit("vasprintf");
-        va_end(ap);
-        if (found != NULL && strcmp(found, sockfile) == 0)
-                goto end;
-        int rv = check_unix(sockfile);
-        if (rv == 0)
-                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-end:
-        free(sockfile);
-}
-void dbus_test(void) {
-        char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS");
-        test_default_socket(found_user, "/run/user/%d/bus", (int) getuid());
-        test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid());
-        if (found_user != NULL)
-                free(found_user);
-        char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS");
-        test_default_socket(found_system, "/run/dbus/system_bus_socket");
-        if (found_system != NULL)
-                free(found_system);
-}
diff --git a/src/faudit/files.c b/src/faudit/files.c
deleted file mode 100644
index 73e0a387d..000000000
--- a/src/faudit/files.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <fcntl.h>
-#include <pwd.h>
-static char *username = NULL;
-static char *homedir = NULL;
-static void check_home_file(const char *name) {
-        assert(homedir);
-        char *fname;
-        if (asprintf(&fname, "%s/%s", homedir, name) ==  -1)
-                errExit("asprintf");
-        if (access(fname, R_OK) == 0) {
-                printf("UGLY: I can access files in %s directory. ", fname);
-                printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
-        }
-        else
-                printf("GOOD: I cannot access files in %s directory.\n", fname);
-        free(fname);
-}
-void files_test(void) {
-        struct passwd *pw = getpwuid(getuid());
-        if (!pw) {
-                fprintf(stderr, "Error: cannot retrieve user account information\n");
-                return;
-        }
-        username = strdup(pw->pw_name);
-        if (!username)
-                errExit("strdup");
-        homedir = strdup(pw->pw_dir);
-        if (!homedir)
-                errExit("strdup");
-        // check access to .ssh directory
-        check_home_file(".ssh");
-        // check access to .gnupg directory
-        check_home_file(".gnupg");
-        // check access to Firefox browser directory
-        check_home_file(".mozilla");
-        // check access to Chromium browser directory
-        check_home_file(".config/chromium");
-        // check access to Debian Icedove directory
-        check_home_file(".icedove");
-        // check access to Thunderbird directory
-        check_home_file(".thunderbird");
-}
diff --git a/src/faudit/main.c b/src/faudit/main.c
deleted file mode 100644
index 605d5ff7b..000000000
--- a/src/faudit/main.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-char *prog;
-int main(int argc, char **argv) {
-        // make test-arguments helper
-        if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
-                printf("Arguments:\n");
-                int i;
-                for (i = 0; i < argc; i++) {
-                        printf("#%s#\n", argv[i]);
-                }
-                return 0;
-        }
-        if (argc != 1) {
-                int i;
-                for (i = 1; i < argc; i++) {
-                        if (strcmp(argv[i], "syscall") == 0) {
-                                syscall_helper(argc, argv);
-                                return 0;
-                        }
-                }
-                return 1;
-        }
-        printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
-        // extract program name
-        prog = realpath(argv[0], NULL);
-        if (prog == NULL) {
-                prog = strdup("faudit");
-                if (!prog)
-                        errExit("strdup");
-        }
-        printf("INFO: starting %s.\n", prog);
-        // check pid namespace
-        pid_test();
-        printf("\n");
-        // check seccomp
-        seccomp_test();
-        printf("\n");
-        // check capabilities
-        caps_test();
-        printf("\n");
-        // check some well-known problematic files and directories
-        files_test();
-        printf("\n");
-        // network
-        network_test();
-        printf("\n");
-        // dbus
-        dbus_test();
-        printf("\n");
-        // x11 test
-        x11_test();
-        printf("\n");
-        // /dev test
-        dev_test();
-        printf("\n");
-        free(prog);
-        printf("--------------------------------------------------------------------------------\n");
-        return 0;
-}
diff --git a/src/faudit/network.c b/src/faudit/network.c
deleted file mode 100644
index 8e799dc19..000000000
--- a/src/faudit/network.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-static void check_ssh(void) {
-        // open socket
-        int sock = socket(AF_INET, SOCK_STREAM, 0);
-        if (sock == -1) {
-                printf("GOOD: SSH server not available on localhost.\n");
-                return;
-        }
-        // connect to localhost
-        struct sockaddr_in server;
-        server.sin_addr.s_addr = inet_addr("127.0.0.1");
-        server.sin_family = AF_INET;
-        server.sin_port = htons(22);
-        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-                printf("GOOD: SSH server not available on localhost.\n");
-        else {
-                printf("MAYBE: an SSH server is accessible on localhost. ");
-                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-        }
-        close(sock);
-}
-static void check_http(void) {
-        // open socket
-        int sock = socket(AF_INET, SOCK_STREAM, 0);
-        if (sock == -1) {
-                printf("GOOD: HTTP server not available on localhost.\n");
-                return;
-        }
-        // connect to localhost
-        struct sockaddr_in server;
-        server.sin_addr.s_addr = inet_addr("127.0.0.1");
-        server.sin_family = AF_INET;
-        server.sin_port = htons(80);
-        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-                printf("GOOD: HTTP server not available on localhost.\n");
-        else {
-                printf("MAYBE: an HTTP server is accessible on localhost. ");
-                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-        }
-        close(sock);
-}
-void check_netlink(void) {
-        int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
-        if (sock == -1) {
-                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-                return;
-        }
-        struct sockaddr_nl local;
-        memset(&local, 0, sizeof(local));
-        local.nl_family = AF_NETLINK;
-        local.nl_groups = 0; //subscriptions;
-        if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
-                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-                close(sock);
-                return;
-        }
-        close(sock);
-        printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
-        printf("You can use \"--protocol\" to disable the socket.\n");
-}
-void network_test(void) {
-        check_ssh();
-        check_http();
-        check_netlink();
-}
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
deleted file mode 100644
index ec8c37dc7..000000000
--- a/src/faudit/pid.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-void pid_test(void) {
-        static char *kern_proc[] = {
-                "kthreadd",
-                "ksoftirqd",
-                "kworker",
-                "rcu_sched",
-                "rcu_bh",
-                NULL    // NULL terminated list
-        };
-        int i;
-        // look at the first 10 processes
-        int not_visible = 1;
-        for (i = 1; i <= 10; i++) {
-                struct stat s;
-                char *fname;
-                if (asprintf(&fname, "/proc/%d/comm", i) == -1)
-                        errExit("asprintf");
-                if (stat(fname, &s) == -1) {
-                        free(fname);
-                        continue;
-                }
-                // open file
-                /* coverity[toctou] */
-                FILE *fp = fopen(fname, "r");
-                if (!fp) {
-                        free(fname);
-                        continue;
-                }
-                // read file
-                char buf[100];
-                if (fgets(buf, 10, fp) == NULL) {
-                        fclose(fp);
-                        free(fname);
-                        continue;
-                }
-                not_visible = 0;
-                // clean /n
-                char *ptr;
-                if ((ptr = strchr(buf, '\n')) != NULL)
-                        *ptr = '\0';
-                // check process name against the kernel list
-                int j = 0;
-                while (kern_proc[j] != NULL) {
-                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
-                                fclose(fp);
-                                free(fname);
-                                printf("BAD: Process %d is not running in a PID namespace. ", getpid());
-                                printf("Are you sure you're running in a sandbox?\n");
-                                return;
-                        }
-                        j++;
-                }
-                fclose(fp);
-                free(fname);
-        }
-        pid_t pid = getpid();
-        if (not_visible && pid > 100)
-                printf("BAD: Process %d is not running in a PID namespace.\n", pid);
-        else
-                printf("GOOD: process %d is running in a PID namespace.\n", pid);
-        // try to guess the type of container/sandbox
-        char *str = getenv("container");
-        if (str)
-                printf("INFO: container/sandbox %s.\n", str);
-        else {
-                str = getenv("SNAP");
-                if (str)
-                        printf("INFO: this is a snap package\n");
-        }
-}
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
deleted file mode 100644
index d8acee160..000000000
--- a/src/faudit/seccomp.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#define MAXBUF 4098
-static int extract_seccomp(int *val) {
-        FILE *fp = fopen("/proc/self/status", "r");
-        if (!fp)
-                return 1;
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp)) {
-                if (strncmp(buf, "Seccomp:\t", 9) == 0) {
-                        char *ptr = buf + 9;
-                        int tmp;
-                        sscanf(ptr, "%d", &tmp);
-                        *val = tmp;
-                        fclose(fp);
-                        return 0;
-                }
-        }
-        fclose(fp);
-        return 1;
-}
-void seccomp_test(void) {
-        int seccomp_status;
-        int rv = extract_seccomp(&seccomp_status);
-        if (rv) {
-                printf("INFO: cannot extract seccomp configuration on this platform.\n");
-                return;
-        }
-        if (seccomp_status == 0) {
-                printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
-        }
-        else if (seccomp_status == 1)
-                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowed.\n");
-        else if (seccomp_status == 2) {
-                printf("GOOD: seccomp BPF enabled.\n");
-                printf("checking syscalls: "); fflush(0);
-                printf("mount... "); fflush(0);
-                syscall_run("mount");
-                printf("umount2... "); fflush(0);
-                syscall_run("umount2");
-                printf("ptrace... "); fflush(0);
-                syscall_run("ptrace");
-                printf("swapon... "); fflush(0);
-                syscall_run("swapon");
-                printf("swapoff... "); fflush(0);
-                syscall_run("swapoff");
-                printf("init_module... "); fflush(0);
-                syscall_run("init_module");
-                printf("delete_module... "); fflush(0);
-                syscall_run("delete_module");
-                printf("chroot... "); fflush(0);
-                syscall_run("chroot");
-                printf("pivot_root... "); fflush(0);
-                syscall_run("pivot_root");
-#if defined(__i386__) || defined(__x86_64__)
-                printf("iopl... "); fflush(0);
-                syscall_run("iopl");
-                printf("ioperm... "); fflush(0);
-                syscall_run("ioperm");
-#endif
-                printf("\n");
-        }
-        else
-                fprintf(stderr, "Error: unrecognized seccomp mode\n");
-}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
deleted file mode 100644
index 11e83a0f5..000000000
--- a/src/faudit/syscall.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/ptrace.h>
-#include <sys/swap.h>
-#if defined(__i386__) || defined(__x86_64__)
-#include <sys/io.h>
-#endif
-#include <sys/wait.h>
-extern int init_module(void *module_image, unsigned long len,
-                       const char *param_values);
-extern int finit_module(int fd, const char *param_values,
-                        int flags);
-extern int delete_module(const char *name, int flags);
-extern int pivot_root(const char *new_root, const char *put_old);
-void syscall_helper(int argc, char **argv) {
-        (void) argc;
-        if (argc < 3)
-                return;
-        if (strcmp(argv[2], "mount") == 0) {
-                int rv = mount(NULL, NULL, NULL, 0, NULL);
-                (void) rv;
-                printf("\nUGLY: mount syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "umount2") == 0) {
-                umount2(NULL, 0);
-                printf("\nUGLY: umount2 syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "ptrace") == 0) {
-                ptrace(0, 0, NULL, NULL);
-                printf("\nUGLY: ptrace syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "swapon") == 0) {
-                swapon(NULL, 0);
-                printf("\nUGLY: swapon syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "swapoff") == 0) {
-                swapoff(NULL);
-                printf("\nUGLY: swapoff syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "init_module") == 0) {
-                init_module(NULL, 0, NULL);
-                printf("\nUGLY: init_module syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "delete_module") == 0) {
-                delete_module(NULL, 0);
-                printf("\nUGLY: delete_module syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "chroot") == 0) {
-                int rv = chroot("/blablabla-57281292");
-                (void) rv;
-                printf("\nUGLY: chroot syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "pivot_root") == 0) {
-                pivot_root(NULL, NULL);
-                printf("\nUGLY: pivot_root syscall permitted.\n");
-        }
-#if defined(__i386__) || defined(__x86_64__)
-        else if (strcmp(argv[2], "iopl") == 0) {
-                iopl(0L);
-                printf("\nUGLY: iopl syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "ioperm") == 0) {
-                ioperm(0, 0, 0);
-                printf("\nUGLY: ioperm syscall permitted.\n");
-        }
-#endif
-        exit(0);
-}
-void syscall_run(const char *name) {
-        assert(prog);
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                execl(prog, prog, "syscall", name, NULL);
-                perror("execl");
-                _exit(1);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-}
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
deleted file mode 100644
index 2ffd7bac7..000000000
--- a/src/faudit/x11.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <dirent.h>
-void x11_test(void) {
-        // check regular display 0 sockets
-        if (check_unix("/tmp/.X11-unix/X0") == 0)
-                printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
-        if (check_unix("@/tmp/.X11-unix/X0") == 0)
-                printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
-        // check all unix sockets in /tmp/.X11-unix directory
-        DIR *dir;
-        if (!(dir = opendir("/tmp/.X11-unix"))) {
-                // sleep 2 seconds and try again
-                sleep(2);
-                if (!(dir = opendir("/tmp/.X11-unix"))) {
-                        ;
-                }
-        }
-        if (dir == NULL)
-                printf("GOOD: cannot open /tmp/.X11-unix directory\n");
-        else {
-                struct dirent *entry;
-                while ((entry = readdir(dir)) != NULL) {
-                        if (strcmp(entry->d_name, "X0") == 0)
-                                continue;
-                        if (strcmp(entry->d_name, ".") == 0)
-                                continue;
-                        if (strcmp(entry->d_name, "..") == 0)
-                                continue;
-                        char *name;
-                        if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
-                                errExit("asprintf");
-                        if (check_unix(name) == 0)
-                                printf("MAYBE: X11 socket %s is available\n", name);
-                        free(name);
-                }
-                closedir(dir);
-        }
-}
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in
index 2847ca2cb..6eaee284b 100644
--- a/src/fbuilder/Makefile.in
+++ b/src/fbuilder/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fbuilder
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fbuilder: $(OBJS)
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index 85f84aa32..e19f5d3b5 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fcopy
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fcopy: $(OBJS) ../lib/common.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 01633be59..572e9f601 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -51,8 +51,9 @@ static int selinux_enabled = -1;
 #endif
 // copy from firejail/selinux.c
-static void selinux_relabel_path(const char *path, const char *inside_path)
+static void selinux_relabel_path(const char *path, const char *inside_path) {
-{
+        assert(path);
+        assert(inside_path);
 #if HAVE_SELINUX
        char procfs_path[64];
        char *fcon = NULL;
@@ -172,6 +173,51 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
        }
 }
+static char *proc_pid_to_self(const char *target) {
+        assert(target);
+        char *use_target = 0;
+        char *proc_pid = 0;
+        if (!(use_target = realpath(target, NULL)))
+                goto done;
+        // target is under /proc/<PID>?
+        static const char proc[] = "/proc/";
+        if (strncmp(use_target, proc, sizeof(proc) - 1))
+                goto done;
+        int digit = use_target[sizeof(proc) - 1];
+        if (digit < '1' || digit > '9')
+                goto done;
+        // check where /proc/self points to
+        static const char proc_self[] = "/proc/self";
+        if (!(proc_pid = realpath(proc_self, NULL)))
+                goto done;
+        // redirect /proc/PID/xxx -> /proc/self/XXX
+        size_t pfix = strlen(proc_pid);
+        if (strncmp(use_target, proc_pid, pfix))
+                goto done;
+        if (use_target[pfix] != 0 && use_target[pfix] != '/')
+                goto done;
+        char *tmp;
+        if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) {
+                if (arg_debug)
+                        fprintf(stderr, "SYMLINK %s\n  -->   %s\n", use_target, tmp);
+                free(use_target);
+                use_target = tmp;
+        }
+        else
+                errExit("asprintf");
+done:
+        if (proc_pid)
+                free(proc_pid);
+        return use_target;
+}
 void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
        (void) mode;
@@ -183,7 +229,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid,
        if (lstat(linkpath, &s) == 0)
               return;
-        char *rp = realpath(target, NULL);
+        char *rp = proc_pid_to_self(target);
        if (rp) {
                if (symlink(rp, linkpath) == -1) {
                        free(rp);
@@ -227,16 +273,14 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
                        first = 0;
                else if (!arg_quiet)
                        fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname);
-                free(outfname);
+                goto out;
-                return 0;
        }
        // extract mode and ownership
        if (stat(infname, &s) != 0) {
                if (!arg_quiet)
                        fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
-                free(outfname);
+                goto out;
-                return 0;
        }
        uid_t uid = s.st_uid;
        gid_t gid = s.st_gid;
@@ -246,8 +290,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
        if ((s.st_size + size_cnt) > copy_limit) {
                fprintf(stderr, "Error fcopy: size limit of %lu MB reached\n", (copy_limit / 1024) / 1024);
                size_limit_reached = 1;
-                free(outfname);
+                goto out;
-                return 0;
        }
        file_cnt++;
@@ -262,7 +305,8 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
        else if (ftype == FTW_SL) {
                copy_link(infname, outfname, mode, uid, gid);
        }
+out:
+        free(outfname);
        return(0);
 }
@@ -295,6 +339,7 @@ static char *check(const char *src) {
                return rsrc;                      // normal exit from the function
 errexit:
+        free(rsrc);
        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
        exit(1);
 }
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index 40f6b9679..43329be46 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firecfg
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 721137cdc..16cd59aa5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -191,6 +191,10 @@ dropbox
 d-feet
 easystroke
 ebook-viewer
+ebook-convert
+ebook-edit
+ebook-meta
+ebook-polish
 electron-mail
 electrum
 element-desktop
@@ -375,6 +379,8 @@ impressive
 inkscape
 inkview
 inox
+ipcalc
+ipcalc-ng
 iridium
 iridium-browser
 jd-gui
@@ -458,7 +464,7 @@ lynx
 lyx
 macrofusion
 magicor
-# man
+man
 manaplus
 marker
 masterpdfeditor
@@ -805,6 +811,8 @@ vivaldi-snapshot
 vivaldi-stable
 vlc
 vmware
+vmware-player
+vmware-workstation
 vscodium
 vulturesclaw
 vultureseye
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index b9bf13b9c..793d2cdd1 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firejail
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 19eb8ec6e..597f9915b 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -162,6 +162,21 @@ static CapsEntry capslist[] = {
 #else
        {"audit_read", 37 },
 #endif
+#ifdef CAP_PERFMON
+        {"perfmon", CAP_PERFMON },
+#else
+        {"perfmon", 38 },
+#endif
+#ifdef CAP_BPF
+        {"bpf", CAP_BPF },
+#else
+        {"bpf", 39 },
+#endif
+#ifdef CAP_CHECKPOINT_RESTORE
+        {"checkpoint_restore", CAP_CHECKPOINT_RESTORE },
+#else
+        {"checkpoint_restore", 40 },
+#endif
 //
 // end of generated code
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 71dc364c9..e1613b325 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -269,6 +269,14 @@ errout:
 void print_compiletime_support(void) {
        printf("Compile time support:\n");
+        printf("\t- Always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
        printf("\t- AppArmor support is %s\n",
 #ifdef HAVE_APPARMOR
                "enabled"
@@ -333,6 +341,13 @@ void print_compiletime_support(void) {
 #endif
                );
+        printf("\t- output logging is %s\n",
+#ifdef HAVE_OUTPUT
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
        printf("\t- overlayfs support is %s\n",
 #ifdef HAVE_OVERLAYFS
                "enabled"
@@ -380,4 +395,6 @@ void print_compiletime_support(void) {
                "disabled"
 #endif
                );
 }
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 4b81d7758..658b84537 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -111,7 +111,7 @@ static int check_object_path(const char *path) {
                }
                ++p;
        }
-        return in_segment && segments >= 2;
+        return in_segment && segments >= 1;
 }
 int dbus_check_name(const char *name) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 719cd74ae..b21b5bef6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -328,8 +328,6 @@ extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;       // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
-extern int arg_audit;           // audit
-extern char *arg_audit_prog;    // audit
 extern int arg_apparmor;        // apparmor
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
@@ -451,6 +449,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname);
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str);
 void profile_add_ignore(const char *str);
+char *profile_list_normalize(char *list);
+char *profile_list_compress(char *list);
+void profile_list_augment(char **list, const char *items);
 // list.c
 void list(void);
@@ -649,6 +650,8 @@ void network_set_run_file(pid_t pid);
 // fs_etc.c
 void fs_machineid(void);
+void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_private_dir_mount(const char *private_dir, const char *private_run_dir);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 // no_sandbox.c
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index d152ed2f6..abec25d45 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -18,6 +18,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <errno.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -138,7 +139,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
 }
-void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list) {
        assert(private_dir);
        assert(private_run_dir);
        assert(private_list);
@@ -147,12 +148,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
        struct stat s;
        if (stat(private_dir, &s) == -1) {
                if (arg_debug)
-                        printf("Cannot find %s\n", private_dir);
+                        printf("Cannot find %s: %s\n", private_dir, strerror(errno));
                return;
        }
-        timetrace_start();
        // create /run/firejail/mnt/etc directory
        mkdir_attr(private_run_dir, 0755, 0, 0);
        selinux_relabel_path(private_run_dir, private_dir);
@@ -185,9 +184,23 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
                free(dlist);
                fs_logger_print();
        }
+}
+void fs_private_dir_mount(const char *private_dir, const char *private_run_dir) {
+        assert(private_dir);
+        assert(private_run_dir);
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
+        // nothing to do if directory does not exist
+        struct stat s;
+        if (stat(private_dir, &s) == -1) {
+                if (arg_debug)
+                        printf("Cannot find %s: %s\n", private_dir, strerror(errno));
+                return;
+        }
        if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger2("mount", private_dir);
@@ -196,6 +209,11 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
        if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mounting tmpfs");
        fs_logger2("tmpfs", private_run_dir);
+}
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+        timetrace_start();
+        fs_private_dir_copy(private_dir, private_run_dir, private_list);
+        fs_private_dir_mount(private_dir, private_run_dir);
        fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index a7f5b0bfc..7e9666fc0 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -28,6 +28,7 @@
 #define MAXBUF 4096
 extern void fslib_install_stdc(void);
+extern void fslib_install_firejail(void);
 extern void fslib_install_system(void);
 static int lib_cnt = 0;
@@ -137,33 +138,22 @@ void fslib_duplicate(const char *full_path) {
        lib_cnt++;
 }
 // requires full path for lib
 // it could be a library or an executable
 // lib is not copied, only libraries used by it
-void fslib_copy_libs(const char *full_path) {
+static void fslib_copy_libs(const char *full_path, unsigned mask) {
-        assert(full_path);
-        if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_copy_libs %s\n", full_path);
-        // if library/executable does not exist or the user does not have read access to it
-        // print a warning and exit the function.
-        if (access(full_path, R_OK)) {
-                if (arg_debug || arg_debug_private_lib)
-                        printf("cannot find %s for private-lib, skipping...\n", full_path);
-                return;
-        }
        // create an empty RUN_LIB_FILE and allow the user to write to it
        unlink(RUN_LIB_FILE);                     // in case is there
        create_empty_file_as_root(RUN_LIB_FILE, 0644);
-        if (chown(RUN_LIB_FILE, getuid(), getgid()))
+        if (mask & SBOX_USER) {
-                errExit("chown");
+                if (chown(RUN_LIB_FILE, getuid(), getgid()))
+                        errExit("chown");
+        }
        // run fldd to extract the list of files
        if (arg_debug || arg_debug_private_lib)
                printf("    running fldd %s\n", full_path);
-        sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
+        sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
        // open the list of libraries and install them on by one
        FILE *fp = fopen(RUN_LIB_FILE, "r");
@@ -182,6 +172,34 @@ void fslib_copy_libs(const char *full_path) {
        unlink(RUN_LIB_FILE);
 }
+void fslib_copy_libs_parse_as_root(const char *full_path) {
+        assert(full_path);
+        if (arg_debug || arg_debug_private_lib)
+                printf("    fslib_copy_libs_parse_as_root %s\n", full_path);
+        struct stat s;
+        if (stat(full_path, &s)) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("cannot find %s for private-lib, skipping...\n", full_path);
+                return;
+        }
+        fslib_copy_libs(full_path, SBOX_ROOT);
+}
+// if library/executable does not exist or the user does not have read access to it
+// print a warning and exit the function.
+void fslib_copy_libs_parse_as_user(const char *full_path) {
+        assert(full_path);
+        if (arg_debug || arg_debug_private_lib)
+                printf("    fslib_copy_libs_parse_as_user %s\n", full_path);
+        if (access(full_path, R_OK)) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("cannot find %s for private-lib, skipping...\n", full_path);
+                return;
+        }
+        fslib_copy_libs(full_path, SBOX_USER);
+}
 void fslib_copy_dir(const char *full_path) {
        assert(full_path);
@@ -236,7 +254,7 @@ static void load_library(const char *fname) {
                                    access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries
                                        fslib_duplicate(fname);
-                                fslib_copy_libs(fname);
+                                fslib_copy_libs_parse_as_user(fname);
                        }
                }
        }
@@ -379,25 +397,12 @@ void fs_private_lib(void) {
                printf("Installing standard C library\n");
        fslib_install_stdc();
-        // start timetrace
+        // install other libraries needed by firejail
-        timetrace_start();
-        // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
        if (arg_debug || arg_debug_private_lib)
                printf("Installing Firejail libraries\n");
-        fslib_install_list(PATH_FIREJAIL);
+        fslib_install_firejail();
-        // bring in firejail directory
-        fslib_install_list(LIBDIR "/firejail");
-        // bring in dhclient libraries
-        if (any_dhcp()) {
-                if (arg_debug || arg_debug_private_lib)
-                        printf("Installing dhclient libraries\n");
-                fslib_install_list(RUN_MNT_DIR "/dhclient");
-        }
-        fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+        // start timetrace
        timetrace_start();
        // copy the libs in the new lib directory for the main exe
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 30e993438..d46cfed86 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -22,7 +22,8 @@
 #include <sys/stat.h>
 extern void fslib_duplicate(const char *full_path);
-extern void fslib_copy_libs(const char *full_path);
+extern void fslib_copy_libs_parse_as_user(const char *full_path);
+extern void fslib_copy_libs_parse_as_root(const char *full_path);
 extern void fslib_copy_dir(const char *full_path);
 //***************************************************************
@@ -123,6 +124,52 @@ void fslib_install_stdc(void) {
        fmessage("Standard C library installed in %0.2f ms\n", timetrace_end());
 }
+//***************************************************************
+// Firejail libraries
+//***************************************************************
+static void fdir(void) {
+        fslib_copy_dir(LIBDIR "/firejail");
+        // executables and libraries from firejail directory
+        static const char * const fbin[] = {
+                PATH_FCOPY, // currently sufficient to find all needed libraries
+                // PATH_FSECCOMP,
+                // PATH_FSEC_OPTIMIZE,
+                // PATH_FSEC_PRINT,
+                // RUN_FIREJAIL_LIB_DIR "/libtrace.so",
+                // RUN_FIREJAIL_LIB_DIR "/libtracelog.so",
+                // RUN_FIREJAIL_LIB_DIR "/libpostexecseccomp.so",
+                NULL,
+        };
+        // need to run fldd as root user, unprivileged users have no read permission on executables
+        int i;
+        for (i = 0; fbin[i]; i++)
+                fslib_copy_libs_parse_as_root(fbin[i]);
+}
+void fslib_install_firejail(void) {
+        timetrace_start();
+        // bring in firejail executable libraries, in case we are redirected here
+        // by a firejail symlink from /usr/local/bin/firejail
+        fslib_copy_libs_parse_as_user(PATH_FIREJAIL);
+        // bring in firejail directory
+        fdir();
+        // bring in dhclient libraries
+        if (any_dhcp())
+                fslib_copy_libs_parse_as_user(RUN_MNT_DIR "/dhclient");
+#ifdef HAVE_X11
+        // bring in xauth libraries
+        if (arg_x11_xorg)
+                fslib_copy_libs_parse_as_user("/usr/bin/xauth");
+#endif
+        fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+}
 //***************************************************************
 // various system libraries
@@ -268,7 +315,7 @@ void fslib_install_system(void) {
                        if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1)
                                errExit("asprintf");
                        if (access(name, R_OK) == 0) {
-                                fslib_copy_libs(name);
+                                fslib_copy_libs_parse_as_user(name);
                                fslib_copy_dir(name);
                        }
                        else {
@@ -277,7 +324,7 @@ void fslib_install_system(void) {
                                if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1)
                                        errExit("asprintf");
                                if (access(name, R_OK) == 0) {
-                                        fslib_copy_libs(name);
+                                        fslib_copy_libs_parse_as_user(name);
                                        fslib_copy_dir(name);
                                }
                        }
@@ -288,7 +335,7 @@ void fslib_install_system(void) {
                                if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1)
                                        errExit("asprintf");
                                if (access(name, R_OK) == 0) {
-                                        fslib_copy_libs(name);
+                                        fslib_copy_libs_parse_as_user(name);
                                        fslib_copy_dir(name);
                                }
                                else {
@@ -297,7 +344,7 @@ void fslib_install_system(void) {
                                        if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1)
                                                errExit("asprintf");
                                        if (access(name, R_OK) == 0) {
-                                                fslib_copy_libs(name);
+                                                fslib_copy_libs_parse_as_user(name);
                                                fslib_copy_dir(name);
                                        }
                                }
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index d1b3b5629..8cfeea582 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -46,7 +46,7 @@ static void mkdir_recursive(char *path) {
        struct stat s;
        if (chdir("/")) {
-                fprintf(stderr, "Error: can't chdir to /");
+                fprintf(stderr, "Error: can't chdir to /\n");
                return;
        }
@@ -63,7 +63,7 @@ static void mkdir_recursive(char *path) {
                        return;
                }
                if (chdir(subdir)) {
-                        fprintf(stderr, "Error: can't chdir to %s", subdir);
+                        fprintf(stderr, "Error: can't chdir to %s\n", subdir);
                        return;
                }
diff --git a/src/firejail/join.c b/src/firejail/join.c
index a8011aa14..1575a7469 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
        extract_x11_display(parent);
        int shfd = -1;
-        if (!arg_shell_none && !arg_audit)
+        if (!arg_shell_none)
                shfd = open_shell();
        EUID_ROOT();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 61533fcd9..9705c2436 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -130,8 +130,6 @@ int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;                  // writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
-int arg_audit = 0;                              // audit
-char *arg_audit_prog = NULL;                    // audit
 int arg_apparmor = 0;                           // apparmor
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
@@ -297,7 +295,7 @@ static void check_network(Bridge *br) {
        else if (br->ipsandbox) { // for macvlan check network range
                char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
                if (rv) {
-                        fprintf(stderr, "%s", rv);
+                        fprintf(stderr, "%s\n", rv);
                        exit(1);
                }
        }
@@ -1233,10 +1231,12 @@ int main(int argc, char **argv, char **envp) {
 #endif
                }
        }
+#ifdef HAVE_OUTPUT
        else {
                // check --output option and execute it;
                check_output(argc, argv); // the function will not return if --output or --output-stderr option was found
        }
+#endif
        EUID_ASSERT();
        // check for force-nonewprivs in /etc/firejail/firejail.config file
@@ -1285,15 +1285,10 @@ int main(int argc, char **argv, char **envp) {
 #endif
                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
-                                if (cfg.protocol) {
+                                const char *add = argv[i] + 11;
-                                        fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
+                                profile_list_augment(&cfg.protocol, add);
-                                }
+                                if (arg_debug)
-                                else {
+                                        fprintf(stderr, "[option] combined protocol list: \"%s\"\n", cfg.protocol);
-                                        // store list
-                                        cfg.protocol = strdup(argv[i] + 11);
-                                        if (!cfg.protocol)
-                                                errExit("strdup");
-                                }
                        }
                        else
                                exit_err_feature("seccomp");
@@ -1589,7 +1584,26 @@ int main(int argc, char **argv, char **envp) {
                        profile_add(line);
                }
 #endif
+                else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
+                        char *line;
+                        if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
+                                errExit("asprintf");
+                        /* Note: Applied both immediately in profile_check_line()
+                         *       and later on via fs_blacklist().
+                         */
+                        profile_check_line(line, 0, NULL);
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--mkfile=", 9) == 0) {
+                        char *line;
+                        if (asprintf(&line, "mkfile %s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+                        /* Note: Applied both immediately in profile_check_line()
+                         *       and later on via fs_blacklist().
+                         */
+                        profile_check_line(line, 0, NULL);
+                        profile_add(line);
+                }
                else if (strncmp(argv[i], "--read-only=", 12) == 0) {
                        char *line;
                        if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
@@ -2592,28 +2606,6 @@ int main(int argc, char **argv, char **envp) {
                //*************************************
                else if (strncmp(argv[i], "--timeout=", 10) == 0)
                        cfg.timeout = extract_timeout(argv[i] + 10);
-                else if (strcmp(argv[i], "--audit") == 0) {
-                        arg_audit_prog = LIBDIR "/firejail/faudit";
-                        profile_add_ignore("shell none");
-                        arg_audit = 1;
-                }
-                else if (strncmp(argv[i], "--audit=", 8) == 0) {
-                        if (strlen(argv[i] + 8) == 0) {
-                                fprintf(stderr, "Error: invalid audit program\n");
-                                exit(1);
-                        }
-                        arg_audit_prog = strdup(argv[i] + 8);
-                        if (!arg_audit_prog)
-                                errExit("strdup");
-                        struct stat s;
-                        if (stat(arg_audit_prog, &s) != 0) {
-                                fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
-                                exit(1);
-                        }
-                        profile_add_ignore("shell none");
-                        arg_audit = 1;
-                }
                else if (strcmp(argv[i], "--appimage") == 0)
                        arg_appimage = 1;
                else if (strcmp(argv[i], "--shell=none") == 0) {
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index f1ad6430a..ee3c00872 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -120,7 +120,7 @@ void net_configure_sandbox_ip(Bridge *br) {
                // check network range
                char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
                if (rv) {
-                        fprintf(stderr, "%s", rv);
+                        fprintf(stderr, "%s\n", rv);
                        exit(1);
                }
                // send an ARP request and check if there is anybody on this IP address
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 3120fe527..60a82821e 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -168,29 +168,17 @@ void run_no_sandbox(int argc, char **argv) {
                errExit("setresuid");
        // process limited subset of options
+        // and find first non option arg:
+        //      - first argument not starting with --,
+        //      - whatever follows after -c (example: firejail -c ls)
+        int prog_index = 0;
        int i;
-        for (i = 0; i < argc; i++) {
+        for (i = 1; i < argc; i++) {
                if (strcmp(argv[i], "--debug") == 0)
                        arg_debug = 1;
                else if (strncmp(argv[i], "--shell=", 8) == 0)
-                        fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
+                        fwarning("shell-related command line options are disregarded\n");
-        }
+                else if (strcmp(argv[i], "-c") == 0) {
-        // use $SHELL to get shell used in sandbox, guess shell otherwise
-        cfg.shell = guess_shell();
-        if (!cfg.shell) {
-                fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
-                exit(1);
-        }
-        else if (arg_debug)
-                printf("Selecting %s as shell\n", cfg.shell);
-        int prog_index = 0;
-        // find first non option arg:
-        //      - first argument not starting with --,
-        //      - whatever follows after -c (example: firejail -c ls)
-        for (i = 1; i < argc; i++) {
-                if (strcmp(argv[i], "-c") == 0) {
                        prog_index = i + 1;
                        if (prog_index == argc) {
                                fprintf(stderr, "Error: option -c requires an argument\n");
@@ -199,36 +187,36 @@ void run_no_sandbox(int argc, char **argv) {
                        break;
                }
                // check first argument not starting with --
-                if (strncmp(argv[i],"--",2) != 0) {
+                else if (strncmp(argv[i],"--",2) != 0) {
                        prog_index = i;
                        break;
                }
        }
-// if shell is /usr/bin/firejail, replace it with /bin/bash
-//      if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-//              cfg.shell = "/bin/bash";
-//              prog_index = 0;
-//      }
        if (prog_index == 0) {
-                assert(cfg.command_line == NULL); // runs cfg.shell
+                // got no command, require a shell and try to execute it
+                cfg.shell = guess_shell();
+                if (!cfg.shell) {
+                        fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
+                        exit(1);
+                }
+                assert(cfg.command_line == NULL);
                cfg.window_title = cfg.shell;
        } else {
+                // this sandbox might not allow execution of a shell
+                // force --shell=none in order to not break firecfg symbolic links
+                arg_shell_none = 1;
                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
        }
+        fwarning("an existing sandbox was detected. "
+                "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell);
        cfg.original_argv = argv;
        cfg.original_program_index = prog_index;
-        char *command;
-        if (prog_index == 0)
-                command = cfg.shell;
-        else
-                command = argv[prog_index];
-        fwarning("an existing sandbox was detected. "
-                "%s will run without any additional sandboxing features\n", command);
        arg_quiet = 1;
        start_application(1, -1, NULL);
diff --git a/src/firejail/output.c b/src/firejail/output.c
index db9728a3d..835dff2db 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
+#ifdef HAVE_OUTPUT
 void check_output(int argc, char **argv) {
        EUID_ASSERT();
@@ -149,3 +150,4 @@ void check_output(int argc, char **argv) {
        perror("execvp");
        exit(1);
 }
+#endif
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index b706839a1..f3266c23e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -911,15 +911,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        if (strncmp(ptr, "protocol ", 9) == 0) {
                if (checkcfg(CFG_SECCOMP)) {
-                        if (cfg.protocol) {
+                        const char *add = ptr + 9;
-                                fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
+                        profile_list_augment(&cfg.protocol, add);
-                                return 0;
+                        if (arg_debug)
-                        }
+                                fprintf(stderr, "[profile] combined protocol list: \"%s\"\n", cfg.protocol);
-                        // store list
-                        cfg.protocol = strdup(ptr + 9);
-                        if (!cfg.protocol)
-                                errExit("strdup");
                }
                else
                        warning_feature_disabled("seccomp");
@@ -931,7 +926,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        if (strncmp(ptr, "rmenv ", 6) == 0) {
-                unsetenv(ptr + 6); // Remove also immediately from Firejail itself
                env_store(ptr + 6, RMENV);
                return 0;
        }
@@ -1774,3 +1768,143 @@ void profile_read(const char *fname) {
        }
        fclose(fp);
 }
+char *profile_list_normalize(char *list)
+{
+        /* Remove redundant commas.
+         *
+         * As result is always shorter than original,
+         * in-place copying can be used.
+         */
+        size_t i = 0;
+        size_t j = 0;
+        int c;
+        while (list[i] == ',')
+                ++i;
+        while ((c = list[i++])) {
+                if (c == ',') {
+                        while (list[i] == ',')
+                                ++i;
+                        if (list[i] == 0)
+                                break;
+                }
+                list[j++] = c;
+        }
+        list[j] = 0;
+        return list;
+}
+char *profile_list_compress(char *list)
+{
+        size_t i;
+        /* Comma separated list is processed so that:
+         * "item"  -> adds item to list
+         * "-item" -> removes item from list
+         * "+item" -> adds item to list
+         * "=item" -> clear list, add item
+         *
+         * For example:
+         * ,a,,,b,,,c, -> a,b,c
+         * a,,b,,,c,a  -> a,b,c
+         * a,b,c,-a    -> b,c
+         * a,b,c,-a,a  -> b,c,a
+         * a,+b,c      -> a,b,c
+         * a,b,=c,d    -> c,d
+         * a,b,c,=     ->
+         */
+        profile_list_normalize(list);
+        /* Count items: comma count + 1 */
+        size_t count = 1;
+        for (i = 0; list[i]; ++i) {
+                if (list[i] == ',')
+                        ++count;
+        }
+        /* Collect items in an array */
+        char *in[count];
+        count = 0;
+        in[count++] = list;
+        for (i = 0; list[i]; ++i) {
+                if (list[i] != ',')
+                        continue;
+                list[i] = 0;
+                in[count++] = list + i + 1;
+        }
+        /* Filter array: add, remove, reset, filter out duplicates */
+        for (i = 0; i < count; ++i) {
+                char *item = in[i];
+                assert(item);
+                size_t k;
+                switch (*item) {
+                case '-':
+                        ++item;
+                        /* Do not include this item */
+                        in[i] = 0;
+                        /* Remove if already included */
+                        for (k = 0; k < i; ++k) {
+                                if (in[k] && !strcmp(in[k], item)) {
+                                        in[k] = 0;
+                                        break;
+                                }
+                        }
+                        break;
+                case '+':
+                        /* Allow +/- symmetry */
+                        in[i] = ++item;
+                        /* FALLTHRU */
+                default:
+                        /* Adding empty item is a NOP */
+                        if (!*item) {
+                                in[i] = 0;
+                                break;
+                        }
+                        /* Include item unless it is already included */
+                        for (k = 0; k < i; ++k) {
+                                if (in[k] && !strcmp(in[k], item)) {
+                                        in[i] = 0;
+                                        break;
+                                }
+                        }
+                        break;
+                case '=':
+                        in[i] = ++item;
+                        /* Include non-empty item */
+                        if (!*item)
+                                in[i] = 0;
+                        /* Remove all allready included items */
+                        for (k = 0; k < i; ++k)
+                                in[k] = 0;
+                        break;
+                }
+        }
+        /* Copying back using in-place data works because the
+         * original order is retained and no item gets longer
+         * than what it used to be.
+         */
+        char *pos = list;
+        for (i = 0; i < count; ++i) {
+                char *item = in[i];
+                if (!item)
+                        continue;
+                if (pos > list)
+                        *pos++ = ',';
+                while (*item)
+                        *pos++ = *item++;
+        }
+        *pos = 0;
+        return list;
+}
+void profile_list_augment(char **list, const char *items)
+{
+        char *tmp = 0;
+        if (asprintf(&tmp, "%s,%s", *list ?: "", items ?: "") < 0)
+                errExit("asprintf");
+        free(*list);
+        *list = profile_list_compress(tmp);
+}
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 08f9a14a7..4b9203c36 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -80,8 +80,6 @@ static void pulseaudio_fallback(const char *path) {
        fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
        env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV);
-        if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0)
-                errExit("setenv");
 }
 // disable shm in pulseaudio (issue #69)
@@ -176,8 +174,7 @@ void pulseaudio_init(void) {
        char *p;
        if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
                errExit("asprintf");
-        if (setenv("PULSE_CLIENTCONFIG", p, 1) < 0)
+        env_store_name_val("PULSE_CLIENTCONFIG", p, SETENV);
-                errExit("setenv");
        fs_logger2("create", p);
        free(p);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9a4be5cc0..b6e0468c6 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -475,23 +475,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
        }
        //****************************************
-        // audit
-        //****************************************
-        if (arg_audit) {
-                assert(arg_audit_prog);
-#ifdef HAVE_GCOV
-                __gcov_dump();
-#endif
-                seccomp_install_filters();
-                if (set_sandbox_status)
-                        *set_sandbox_status = SANDBOX_DONE;
-                execl(arg_audit_prog, arg_audit_prog, NULL);
-        }
-        //****************************************
        // start the program without using a shell
        //****************************************
-        else if (arg_shell_none) {
+        if (arg_shell_none) {
                if (arg_debug) {
                        int i;
                        for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -589,12 +575,12 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 }
 static void enforce_filters(void) {
+        fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n");
        // enforce NO_NEW_PRIVS
        arg_nonewprivs = 1;
        force_nonewprivs = 1;
        // disable all capabilities
-        fmessage("\n**     Warning: dropping all Linux capabilities     **\n\n");
        arg_caps_drop_all = 1;
        // drop all supplementary groups; /etc/group file inside chroot
@@ -795,14 +781,18 @@ int sandbox(void* sandbox_arg) {
                        exit(rv);
        }
-        // need ld.so.preload if tracing or seccomp with any non-default lists
+#ifdef HAVE_FORCE_NONEWPRIVS
-        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
+        bool always_enforce_filters = true;
+#else
+        bool always_enforce_filters = false;
+#endif
        // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
        // and drop all capabilities
-        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters))
                enforce_filters();
-                need_preload = arg_trace || arg_tracelog;
-        }
+        // need ld.so.preload if tracing or seccomp with any non-default lists
+        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
        // trace pre-install
        if (need_preload)
@@ -969,11 +959,35 @@ int sandbox(void* sandbox_arg) {
                else if (arg_overlay)
                        fwarning("private-etc feature is disabled in overlay\n");
                else {
-                        fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+                        /* Current /etc/passwd and /etc/group files are bind
-                        fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+                         * mounted filtered versions of originals. Leaving
+                         * them underneath private-etc mount causes problems
+                         * in devices with older kernels, e.g. attempts to
+                         * update the real /etc/passwd file yield EBUSY.
+                         *
+                         * As we do want to retain filtered /etc content:
+                         * 1. duplicate /etc content to RUN_ETC_DIR
+                         * 2. unmount bind mounts from /etc
+                         * 3. mount RUN_ETC_DIR at /etc
+                         */
+                        timetrace_start();
+                        fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+                        if (umount2("/etc/group", MNT_DETACH) == -1)
+                                fprintf(stderr, "/etc/group: unmount: %s\n", strerror(errno));
+                        if (umount2("/etc/passwd", MNT_DETACH) == -1)
+                                fprintf(stderr, "/etc/passwd: unmount: %s\n", strerror(errno));
+                        fs_private_dir_mount("/etc", RUN_ETC_DIR);
+                        fmessage("Private /etc installed in %0.2f ms\n", timetrace_end());
                        // create /etc/ld.so.preload file again
                        if (need_preload)
                                fs_trace_preload();
+                        // openSUSE configuration is split between /etc and /usr/etc
+                        // process private-etc a second time
+                        fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep);
                }
        }
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 933c93b0d..f9c41f661 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -203,15 +203,16 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
                }
        }
-        if (filtermask & SBOX_ROOT) {
+        if (filtermask & SBOX_USER)
+                drop_privs(1);
+        else if (filtermask & SBOX_ROOT) {
                // elevate privileges in order to get grsecurity working
                if (setreuid(0, 0))
                        errExit("setreuid");
                if (setregid(0, 0))
                        errExit("setregid");
        }
-        else if (filtermask & SBOX_USER)
+        else assert(0);
-                drop_privs(1);
        if (arg[0]) { // get rid of scan-build warning
                int fd = open(arg[0], O_PATH | O_CLOEXEC);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2c6bbf98f..397150158 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,7 +33,6 @@ static char *usage_str =
        "    --apparmor - enable AppArmor confinement.\n"
        "    --apparmor.print=name|pid - print apparmor status.\n"
        "    --appimage - sandbox an AppImage application.\n"
-        "    --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
        "    --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
@@ -56,6 +55,7 @@ static char *usage_str =
 #endif
        "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
        "    --cpu.print=name|pid - print the cpus in use.\n"
+#ifdef HAVE_DBUSPROXY
        "    --dbus-log=file - set DBus log file location.\n"
        "    --dbus-system=filter|none - set system DBus access policy.\n"
        "    --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
@@ -71,6 +71,7 @@ static char *usage_str =
        "    --dbus-user.own=name - allow ownership of name on the session DBus.\n"
        "    --dbus-user.see=name - allow seeing name on the session DBus.\n"
        "    --dbus-user.talk=name - allow talking to name on the session DBus.\n"
+#endif
        "    --debug - print sandbox debug messages.\n"
        "    --debug-blacklists - debug blacklisting.\n"
        "    --debug-caps - print all recognized capabilities.\n"
@@ -125,6 +126,8 @@ static char *usage_str =
        "    --machine-id - preserve /etc/machine-id\n"
        "    --memory-deny-write-execute - seccomp filter to block attempts to create\n"
        "\tmemory mappings that are both writable and executable.\n"
+        "    --mkdir=dirname - create a directory.\n"
+        "    --mkfile=filename - create a file.\n"
 #ifdef HAVE_NETWORK
        "    --mtu=number - set interface MTU.\n"
 #endif
@@ -161,14 +164,18 @@ static char *usage_str =
        "    --novideo - disable video devices.\n"
        "    --nou2f - disable U2F devices.\n"
        "    --nowhitelist=filename - disable whitelist for file or directory.\n"
+#ifdef HAVE_OUTPUT
        "    --output=logfile - stdout logging and log rotation.\n"
        "    --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
+#endif
+#ifdef HAVE_OVERLAYFS
        "    --overlay - mount a filesystem overlay on top of the current filesystem.\n"
        "    --overlay-named=name - mount a filesystem overlay on top of the current\n"
        "\tfilesystem, and store it in name directory.\n"
        "    --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"
        "\tcurrent filesystem.\n"
        "    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
+#endif
        "    --private - temporary home directory.\n"
        "    --private=directory - use directory as user home.\n"
        "    --private-cache - temporary ~/.cache directory.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index f3709b5fd..53c671794 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -400,6 +400,8 @@ void touch_file_as_user(const char *fname, mode_t mode) {
                        SET_PERMS_STREAM(fp, -1, -1, mode);
                        fclose(fp);
                }
+                else
+                        fwarning("cannot create %s\n", fname);
 #ifdef HAVE_GCOV
                __gcov_flush();
 #endif
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index 9ee798fe9..a1b6692aa 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: firemon
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 firemon: $(OBJS) ../lib/common.o ../lib/pid.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index 37b139d38..ba87d16cd 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fldd
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index bd5fe9e7a..7447c6d3f 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fnet
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
index 6fe650a17..825262482 100644
--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fnetfilter
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fnetfilter: $(OBJS) ../lib/common.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index cc5ac7e35..a2187e89c 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fsec-optimize
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index bf39a8c77..824fb5daf 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fsec-print
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index b776a73ce..41abfce17 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: fseccomp
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index 32cdc63d3..05caf81be 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: ftee
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 ftee: $(OBJS)
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/jailtest/Makefile.in b/src/jailtest/Makefile.in
new file mode 100644
index 000000000..6306d24ec
--- /dev/null
+++ b/src/jailtest/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: jailtest
+include ../common.mk
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+jailtest: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS)  ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
+clean:; rm -fr *.o jailtest *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/jailtest/access.c b/src/jailtest/access.c
new file mode 100644
index 000000000..4e737dc7a
--- /dev/null
+++ b/src/jailtest/access.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+typedef struct {
+        char *tfile;
+        char *tdir;
+} TestDir;
+#define MAX_TEST_FILES 16
+TestDir td[MAX_TEST_FILES];
+static int files_cnt = 0;
+void access_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(user_home_dir);
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of test directories exceded\n");
+                exit(1);
+        }
+        char *fname = strdup(directory);
+        if (!fname)
+                errExit("strdup");
+        if (strncmp(fname, "~/", 2) == 0) {
+                free(fname);
+                if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1)
+                        errExit("asprintf");
+        }
+        char *path = realpath(fname, NULL);
+        free(fname);
+        if (path == NULL) {
+                fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory);
+                return;
+        }
+        // file in home directory
+        if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
+                fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory);
+                free(path);
+                return;
+        }
+        // try to open the dir as root
+        DIR *dir = opendir(path);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                free(path);
+                return;
+        }
+        closedir(dir);
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        int rv = chown(test_file, user_uid, user_gid);
+        if (rv)
+                errExit("chown");
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        td[files_cnt].tdir = dname;
+        td[files_cnt].tfile = test_file;
+        files_cnt++;
+}
+void access_destroy(void) {
+        // remove test files
+        int i;
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(td[i].tfile);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+void access_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+                for (i = 0; i < files_cnt; i++) {
+                        assert(td[i].tfile);
+                        // try to open the file for reading
+                        FILE *fp = fopen(td[i].tfile, "r");
+                        if (fp) {
+                                printf("   Warning: I can read %s\n", td[i].tdir);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}
diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c
new file mode 100644
index 000000000..9ddfea3de
--- /dev/null
+++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+void apparmor_test(pid_t pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv == -1 || mode == NULL)
+                printf("   Warning: AppArmor not enabled\n");
+}
+#else
+void apparmor_test(pid_t pid) {
+        (void) pid;
+        return;
+}
+#endif
diff --git a/src/faudit/faudit.h b/src/jailtest/jailtest.h
index cfed1504b..10174cc9a 100644
--- a/src/faudit/faudit.h
+++ b/src/jailtest/jailtest.h
@@ -17,52 +17,42 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef JAILTEST_H
+#define JAILTEST_H
-#ifndef FAUDIT_H
+#include "../include/common.h"
-#define FAUDIT_H
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdint.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/mount.h>
-#include <assert.h>
-#define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
 // main.c
-extern char *prog;
+extern uid_t user_uid;
+extern gid_t user_gid;
-// pid.c
+extern char *user_name;
-void pid_test(void);
+extern char *user_home_dir;
+extern char *user_run_dir;
-// caps.c
-void caps_test(void);
-// seccomp.c
+// access.c
-void seccomp_test(void);
+void access_setup(const char *directory);
+void access_test(void);
-// syscall.c
+void access_destroy(void);
-void syscall_helper(int argc, char **argv);
-void syscall_run(const char *name);
-// files.c
+// noexec.c
-void files_test(void);
+void noexec_setup(void);
+void noexec_test(const char *msg);
-// network.c
+// virtual.c
-void network_test(void);
+void virtual_setup(const char *directory);
+void virtual_destroy(void);
+void virtual_test(void);
-// dbus.c
+// apparmor.c
-int check_unix(const char *sockfile);
+void apparmor_test(pid_t pid);
-void dbus_test(void);
-// dev.c
+// seccomp.c
-void dev_test(void);
+void seccomp_test(pid_t pid);
-// x11.c
+// utils.c
-void x11_test(void);
+char *get_sudo_user(void);
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
+int find_child(pid_t pid);
+pid_t switch_to_child(pid_t pid);
-#endif
+#endif
+\ No newline at end of file
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
new file mode 100644
index 000000000..850277bc5
--- /dev/null
+++ b/src/jailtest/main.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/firejail_user.h"
+#include "../include/pid.h"
+#include <sys/wait.h>
+uid_t user_uid = 0;
+gid_t user_gid = 0;
+char *user_name = NULL;
+char *user_home_dir = NULL;
+char *user_run_dir = NULL;
+int arg_debug = 0;
+static char *usage_str =
+        "Usage: jailtest [options] directory [directory]\n\n"
+        "Options:\n"
+        "   --debug - print debug messages.\n"
+        "   --help, -? - this help screen.\n"
+        "   --version - print program version and exit.\n";
+static void usage(void) {
+        printf("firetest - version %s\n\n", VERSION);
+        puts(usage_str);
+}
+static void cleanup(void) {
+        // running only as root
+        if (getuid() == 0) {
+                if (arg_debug)
+                        printf("cleaning up!\n");
+                access_destroy();
+                virtual_destroy();
+        }
+}
+int main(int argc, char **argv) {
+        int i;
+        int findex = 0;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--version") == 0) {
+                        printf("firetest version %s\n\n", VERSION);
+                        return 0;
+                }
+                else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
+                        printf("   Warning: I can run programs in %s\n", argv[i] + 8);
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strncmp(argv[i], "--", 2) == 0) {
+                        fprintf(stderr, "Error: invalid option\n");
+                        return 1;
+                }
+                else {
+                        findex = i;
+                        break;
+                }
+        }
+        // user setup
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+                exit(1);
+        }
+        user_name = get_sudo_user();
+        assert(user_name);
+        user_home_dir = get_homedir(user_name, &user_uid, &user_gid);
+        if (user_uid == 0) {
+                fprintf(stderr, "Error: root user not supported\n");
+                exit(1);
+        }
+        if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+                errExit("asprintf");
+        // test setup
+        atexit(cleanup);
+        access_setup("~/.ssh");
+        access_setup("~/.gnupg");
+        if (findex > 0) {
+                for (i = findex; i < argc; i++)
+                        access_setup(argv[i]);
+        }
+        noexec_setup();
+        virtual_setup(user_home_dir);
+        virtual_setup("/tmp");
+        virtual_setup("/var/tmp");
+        virtual_setup("/dev");
+        virtual_setup("/etc");
+        virtual_setup("/bin");
+        virtual_setup("/usr/share");
+        virtual_setup(user_run_dir);
+        // print processes
+        pid_read(0);
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 1) {
+                        uid_t uid = pid_get_uid(i);
+                        if (uid != user_uid) // not interested in other user sandboxes
+                                continue;
+                        // in case the pid is that of a firejail process, use the pid of the first child process
+                        uid_t pid = find_child(i);
+                        printf("\n");
+                        pid_print_list(i, 0); //  no wrapping
+                        apparmor_test(pid);
+                        seccomp_test(pid);
+                        fflush(0);
+                        pid_t child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "mnt");
+                                if (rv == 0) {
+                                        virtual_test();
+                                        noexec_test(user_home_dir);
+                                        noexec_test("/tmp");
+                                        noexec_test("/var/tmp");
+                                        noexec_test(user_run_dir);
+                                        access_test();
+                                }
+                                else {
+                                        printf("   Error: I cannot join the process mount space\n");
+                                        exit(1);
+                                }
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        int status;
+                        wait(&status);
+                }
+        }
+        return 0;
+}
diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c
new file mode 100644
index 000000000..4347b7eef
--- /dev/null
+++ b/src/jailtest/noexec.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+static unsigned char *execfile = NULL;
+static int execfile_len = 0;
+void noexec_setup(void) {
+        // grab a copy of myself
+        char *self = realpath("/proc/self/exe", NULL);
+        if (self) {
+                struct stat s;
+                if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
+                        assert(s.st_size);
+                        execfile = malloc(s.st_size);
+                        int fd = open(self, O_RDONLY);
+                        if (fd == -1)
+                                errExit("open");
+                        int len = 0;
+                        do {
+                                int rv = read(fd, execfile + len, s.st_size - len);
+                                if (rv == -1)
+                                        errExit("read");
+                                if (rv == 0) {
+                                        // something went wrong!
+                                        free(execfile);
+                                        execfile = NULL;
+                                        printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
+                                        break;
+                                }
+                                len += rv;
+                        }
+                        while (len < s.st_size);
+                        execfile_len = s.st_size;
+                        close(fd);
+                }
+        }
+}
+void noexec_test(const char *path) {
+        assert(user_uid);
+        // I am root in sandbox mount namespace
+        if (!execfile)
+                return;
+        char *fname;
+        if (asprintf(&fname, "%s/jailtest-noexec-%d", path, getpid()) == -1)
+                errExit("asprintf");
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+                int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700);
+                if (fd == -1) {
+                        printf("   I cannot create files in %s, skipping noexec...\n", path);
+                        exit(1);
+                }
+                int len = 0;
+                while (len < execfile_len) {
+                        int rv = write(fd, execfile + len, execfile_len - len);
+                        if (rv == -1 || rv == 0) {
+                                printf("   I cannot create files in %s, skipping noexec....\n", path);
+                                exit(1);
+                        }
+                        len += rv;
+                }
+                fchmod(fd, 0700);
+                close(fd);
+                char *arg;
+                if (asprintf(&arg, "--hello=%s", path) == -1)
+                        errExit("asprintf");
+                int rv = execl(fname, fname, arg, NULL);
+                (void) rv; // if we get here execl failed
+                exit(0);
+        }
+        int status;
+        wait(&status);
+        int rv = unlink(fname);
+        (void) rv;
+}
+\ No newline at end of file
diff --git a/src/faudit/dev.c b/src/jailtest/seccomp.c
index 61cb1cabe..2cecb4b4d 100644
--- a/src/faudit/dev.c
+++ b/src/jailtest/seccomp.c
@@ -17,31 +17,31 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "faudit.h"
+#include "jailtest.h"
-#include <dirent.h>
+#define MAXBUF 4096
-void dev_test(void) {
+void seccomp_test(pid_t pid) {
-        DIR *dir;
+        char *file;
-        if (!(dir = opendir("/dev"))) {
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
-                fprintf(stderr, "Error: cannot open /dev directory\n");
+                errExit("asprintf");
+        FILE *fp = fopen(file, "r");
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
                return;
        }
-        struct dirent *entry;
+        char buf[MAXBUF];
-        printf("INFO: files visible in /dev directory: ");
+        while (fgets(buf, MAXBUF, fp)) {
-        int cnt = 0;
+                if (strncmp(buf, "Seccomp:", 8) == 0) {
-        while ((entry = readdir(dir)) != NULL) {
+                        int val = -1;
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        int rv = sscanf(buf + 8, "\t%d", &val);
-                        continue;
+                        if (rv != 1 || val == 0)
+                                printf("   Warning: seccomp not enabled\n");
-                printf("%s, ", entry->d_name);
+                        break;
-                cnt++;
+                }
        }
-        printf("\n");
+        fclose(fp);
+        free(file);
-        if (cnt > 20)
-                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
-        else
-                printf("GOOD: Access to /dev directory is restricted.\n");
-        closedir(dir);
 }
diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c
new file mode 100644
index 000000000..41c21b753
--- /dev/null
+++ b/src/jailtest/utils.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include "../include/pid.h"
+#include <errno.h>
+#include <pwd.h>
+#include <dirent.h>
+#define BUFLEN 4096
+char *get_sudo_user(void) {
+        char *user = getenv("SUDO_USER");
+        if (!user) {
+                user = getpwuid(getuid())->pw_name;
+                if (!user) {
+                        fprintf(stderr, "Error: cannot detect login user\n");
+                        exit(1);
+                }
+        }
+        return user;
+}
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+        // find home directory
+        struct passwd *pw = getpwnam(user);
+        if (!pw)
+                goto errexit;
+        char *home = pw->pw_dir;
+        if (!home)
+                goto errexit;
+        *uid = pw->pw_uid;
+        *gid = pw->pw_gid;
+        return home;
+errexit:
+        fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+        exit(1);
+}
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+        int i;
+        int first_child = -1;
+        // find the first child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 2 && pids[i].parent == id) {
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+                        char *cmdline = pid_proc_cmdline(i);
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+                                free(cmdline);
+                                continue;
+                        }
+                        free(cmdline);
+                        first_child = i;
+                        break;
+                }
+        }
+        if (first_child == -1)
+                return -1;
+        // find the second-level child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 3 && pids[i].parent == first_child)
+                        return i;
+        }
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
+}
diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c
new file mode 100644
index 000000000..fcdcf9720
--- /dev/null
+++ b/src/jailtest/virtual.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+#define MAX_TEST_FILES 16
+static char *dirs[MAX_TEST_FILES];
+static char *files[MAX_TEST_FILES];
+static int files_cnt = 0;
+void virtual_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(*directory == '/');
+        assert(files_cnt < MAX_TEST_FILES);
+        // try to open the dir as root
+        DIR *dir = opendir(directory);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                return;
+        }
+        closedir(dir);
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailtest-private-%d", directory, getpid()) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        if (strcmp(directory, user_home_dir) == 0) {
+                int rv = chown(test_file, user_uid, user_gid);
+                if (rv)
+                        errExit("chown");
+        }
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        dirs[files_cnt] = dname;
+        files[files_cnt] = test_file;
+        files_cnt++;
+}
+void virtual_destroy(void) {
+        // remove test files
+        int i;
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(files[i]);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+void virtual_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+        int cnt = 0;
+        cnt += printf("   Virtual dirs: "); fflush(0);
+        for (i = 0; i < files_cnt; i++) {
+                assert(files[i]);
+                // I am root!
+                pid_t child = fork();
+                if (child == -1)
+                        errExit("fork");
+                if (child == 0) { // child
+                        // drop privileges
+                        if (setgid(user_gid) != 0)
+                                errExit("setgid");
+                        if (setuid(user_uid) != 0)
+                                errExit("setuid");
+                        // try to open the file for reading
+                        FILE *fp = fopen(files[i], "r");
+                        if (fp)
+                                fclose(fp);
+                        else {
+                                if (cnt == 0)
+                                        cnt += printf("\n                 ");
+                                cnt += printf("%s, ", dirs[i]);
+                                if (cnt > 60)
+                                        cnt = 0;
+                        }
+                        fflush(0);
+                        exit(cnt);
+                }
+                // wait for the child to finish
+                int status;
+                wait(&status);
+                cnt = WEXITSTATUS(status);
+        }
+        printf("\n");
+}
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 681252832..49c8057b3 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -1,11 +1,14 @@
 include ../common.mk
+.PHONY: all
 all: $(OBJS)
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+.PHONY: clean
 clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
index edd4534b8..e3e5716ca 100644
--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+.PHONY: all
 all: libpostexecseccomp.so
 %.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
@@ -19,7 +20,9 @@ all: libpostexecseccomp.so
 libpostexecseccomp.so: $(OBJS)
        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+.PHONY: clean
 clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in
index 5c7d0f885..095037569 100644
--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+.PHONY: all
 all: libtrace.so
 %.o : %.c $(H_FILE_LIST)
@@ -19,8 +20,9 @@ all: libtrace.so
 libtrace.so: $(OBJS)
        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+.PHONY: clean
 clean:; rm -fr $(OBJS) libtrace.so *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index b1ac9e57c..5bac19c04 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -11,6 +11,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
+.PHONY: all
 all: libtracelog.so
 %.o : %.c $(H_FILE_LIST) ../include/rundefs.h
@@ -19,8 +20,9 @@ all: libtracelog.so
 libtracelog.so: $(OBJS)
        $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
+.PHONY: clean
 clean:; rm -fr $(OBJS) libtracelog.so *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 1c4444307..3711d5cec 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -1,10 +1,14 @@
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+.PHONY: all
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailtest.man
 include ../common.mk
 %.man: %.txt
        gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
+.PHONY: clean
 clean:; rm -fr *.man
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 2c02aee47..dbb9397c6 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
+.BR firejail (1),
-\&\flfiremon\fR\|(1),
+.BR firemon (1),
-\&\flfirejail-profile\fR\|(5),
+.BR firejail-profile (5),
-\&\flfirejail-login\fR\|(5)
+.BR firejail-login (5),
-\&\flfirejail-users\fR\|(5)
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 430e86cc8..ce27729b7 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
+.BR firejail (1),
-\&\flfiremon\fR\|(1),
+.BR firemon (1),
-\&\flfirecfg\fR\|(1),
+.BR firecfg (1),
-\&\flfirejail-profile\fR\|(5)
+.BR firejail-profile (5),
-\&\flfirejail-users\fR\|(5)
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5e77b5f70..b25fc9181 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -266,7 +266,7 @@ Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
 closed.
 .TP
-\fBprivate=directory
+\fBprivate directory
 Use directory as user home.
 .TP
 \fBprivate-bin file,file
@@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
+.BR firejail (1),
-\&\flfiremon\fR\|(1),
+.BR firemon (1),
-\&\flfirecfg\fR\|(1),
+.BR firecfg (1),
-\&\flfirejail-login\fR\|(5),
+.BR firejail-login (5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail-users (5),
+.BR jailtest (1)
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index 6fa09e05e..c5a9c1848 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
+.BR firejail (1),
-\&\flfiremon\fR\|(1),
+.BR firemon (1),
-\&\flfirecfg\fR\|(1),
+.BR firecfg (1),
-\&\flfirejail-profile\fR\|(5)
+.BR firejail-profile (5),
-\&\flfirejail-login\fR\|(5)
+.BR firejail-login (5),
+.BR jailtest (1)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e85a02ee8..68deb85ec 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -42,6 +42,15 @@ Miscellaneous:
 firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time  only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
 restricting the running environment of untrusted applications using Linux
 namespaces, seccomp-bpf and Linux capabilities.
@@ -146,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 #endif
 .TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -1105,6 +1108,26 @@ Example:
 $ firejail \-\-machine-id
 .TP
+\fB\-\-mkdir=dirname
+Create a directory in user home. Parent directories are created as needed.
+.br
+.br
+Example:
+.br
+$ firejail --mkdir=~/work/project
+.TP
+\fB\-\-mkfile=filename
+Create an empty file in user home.
+.br
+.br
+Example:
+.br
+$ firejail --mkfile=~/work/project/readme
+.TP
 \fB\-\-memory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
@@ -1622,6 +1645,7 @@ Disable video devices.
 \fB\-\-nowhitelist=dirname_or_filename
 Disable whitelist for this directory or file.
+#ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
 stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
@@ -1652,6 +1676,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-output-stderr=logfile
 Similar to \-\-output, but stderr is also stored.
+#endif
 #ifdef HAVE_OVERLAYFS
 .TP
@@ -2451,7 +2476,7 @@ $ firejail --seccomp.print=browser
 $
 .TP
-\fB\-\-seccomp-error-action= kill | ERRNO
+\fB\-\-seccomp-error-action= kill | ERRNO | log
 By default, if a seccomp filter blocks a system call, the process gets
 EPERM as the error. With \-\-seccomp-error-action=error, another error
 number can be returned, for example ENOSYS or EACCES. The process can
@@ -2941,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-Running the default audit program:
-.br
-        $ firejail --audit transmission-gtk
-Running a custom audit program:
-.br
-        $ firejail --audit=~/sandbox-test transmission-gtk
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-You can also audit a specific profile without specifying a program.
-.br
-        $ firejail --audit --profile=/etc/firejail/zoom.profile
-Limitations: audit feature is not implemented for --x11 commands.
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
@@ -3332,11 +3333,13 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
+.BR firemon (1),
-\&\flfirecfg\fR\|(1),
+.BR firecfg (1),
-\&\flfirejail-profile\fR\|(5),
+.BR firejail-profile (5),
-\&\flfirejail-login\fR\|(5),
+.BR firejail-login (5),
-\&\flfirejail-users\fR\|(5),
+.BR firejail-users (5),
+.BR jailtest (1)
 .UR https://github.com/netblue30/firejail/wiki
 .UE ,
 .UR https://github.com/netblue30/firejail
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index cea6c0265..64f15a1f0 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
+.BR firejail (1),
-\&\flfirecfg\fR\|(1),
+.BR firecfg (1),
-\&\flfirejail-profile\fR\|(5),
+.BR firejail-profile (5),
-\&\flfirejail-login\fR\|(5)
+.BR firejail-login (5),
-\&\flfirejail-users\fR\|(5)
+.BR firejail-users (5),
+.BR jailtest (1)
diff --git a/src/man/jailtest.txt b/src/man/jailtest.txt
new file mode 100644
index 000000000..b52fc5eed
--- /dev/null
+++ b/src/man/jailtest.txt
@@ -0,0 +1,106 @@
+.TH JAILTEST 1 "MONTH YEAR" "VERSION" "JAILTEST man page"
+.SH NAME
+jailtest \- Simple utility program to test running sandboxes
+.SH SYNOPSIS
+sudo jailtest [OPTIONS] [directory]
+.SH DESCRIPTION
+WORK IN PROGRESS!
+jailtest attaches itself to all sandboxes started by the user and performs some basic tests
+on the sandbox filesystem:
+.TP
+\fB1. Virtual directories
+jailtest extracts a list with the main virtual directories installed by the sandbox.
+These directories are build by firejail at startup using --private* and --whitelist commands.
+.TP
+\fB2. Noexec test
+jailtest inserts executable programs in /home/username, /tmp, and /var/tmp directories
+and tries to run them from inside the sandbox, thus testing if the directory is executable or not.
+.TP
+\fB3. Read access test
+jailtest creates test files in the directories specified by the user and tries to read
+them from inside the sandbox.
+.TP
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+The program is started as root using sudo.
+.SH OPTIONS
+.TP
+\fB\-\-debug
+Print debug messages.
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options and exit.
+.TP
+\fB\-\-version
+Print program version and exit.
+.TP
+\fB[directory]
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
+.SH OUTPUT
+For each sandbox detected we print the following line:
+        PID:USER:Sandbox Name:Command
+It is followed by relevant sandbox information, such as the virtual directories and various warnings.
+.SH EXAMPLE
+$ sudo jailtest
+.br
+2014:netblue::firejail /usr/bin/gimp
+.br
+   Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+.br
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+.br
+   Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+.br
+   Warning: I can read ~/.ssh
+.br
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
+.br
+   Virtual dirs: /tmp, /var/tmp, /dev,
+.br
+.br
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+.br
+                 /run/user/1000,
+.br
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+   Warning: AppArmor not enabled
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+                 /usr/share, /run/user/1000,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
index 2beaa3ed6..e025f5939 100644
--- a/src/profstats/Makefile.in
+++ b/src/profstats/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: profstats
 include ../common.mk
@@ -8,7 +9,9 @@ include ../common.mk
 profstats: $(OBJS)
        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
 clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
index 6cd850752..8da9c452b 100644
--- a/src/tools/extract_caps.c
+++ b/src/tools/extract_caps.c
@@ -17,6 +17,7 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/src/zsh_completion/Makefile.in b/src/zsh_completion/Makefile.in
index 3f756aa5f..a83cccf6c 100644
--- a/src/zsh_completion/Makefile.in
+++ b/src/zsh_completion/Makefile.in
@@ -1,3 +1,4 @@
+.PHONY: all
 all: _firejail
 include ../common.mk
@@ -7,8 +8,10 @@ _firejail: _firejail.in
        sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
        rm $@.tmp
+.PHONY: clean
 clean:
        rm -fr _firejail
+.PHONY: distclean
 distclean: clean
        rm -fr Makefile
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 7e8df138e..f58f0d4b9 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -76,6 +76,8 @@ _firejail_args=(
    '(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails'
    '--list[list all sandboxes]'
    '(--dns)'{--dns=,--dns=}'[set DNS server]: :'
+    '*--mkdir=-[create a directory]:'
+    '*--mkfile=-[create a file]:'
    '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :'
    '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails'
    '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files'
@@ -112,8 +114,6 @@ _firejail_args=(
    '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)'
    # Should be _files, a comma and files or files -/
    '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-    '--audit[audit the sandbox]'
-    '(--audit)'{--audit=,--audit=}'[audit the sandbox with a test-program]: :'
    '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control group]: :'
    '*'{--env=,--env=}'[set environment variable]: :'
    '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :'
diff --git a/test/Makefile.in b/test/Makefile.in
index d41ab39d1..264314a3b 100644
--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -1,13 +1,14 @@
 TESTS=$(patsubst %/,%,$(wildcard */))
 .PHONY: $(TESTS)
 $(TESTS):
        cd $@ && ./$@.sh 2>&1 | tee $@.log
        cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
+.PHONY: clean
 clean:
        for test in $(TESTS); do rm -f "$$test/$$test.log"; done
+.PHONY: distclean
 distclean: clean
        rm -f Makefile
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
deleted file mode 100755
index 583d77a26..000000000
--- a/test/arguments/arguments.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-export LC_ALL=C
-if [ -f /etc/debian_version ]; then
-        libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
-        export PATH="$PATH:$libdir"
-fi
-export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
-echo "TESTING: 1. regular bash session"
-./bashrun.exp
-sleep 1
-echo "TESTING: 2. symbolic link to firejail"
-./symrun.exp
-rm -fr symtest
-sleep 1
-echo "TESTING: 3. --join option"
-./joinrun.exp
-sleep 1
-echo "TESTING: 4. --output option"
-./outrun.exp
-rm out
-rm out.*
diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp
deleted file mode 100755
index 22c38bd4c..000000000
--- a/test/arguments/bashrun.exp
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "./bashrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1.3\n";exit}
-        "#arg2#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.5.3\n";exit}
-        "#arg2&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.6.3\n";exit}
-        "#arg2&tail#"
-}
-puts "\nall done\n"
diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh
deleted file mode 100755
index ba4118cdd..000000000
--- a/test/arguments/bashrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-echo "TESTING: 1.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1 arg2
-# simple quotes, testing spaces in file names
-echo "TESTING: 1.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1 tail" "arg2 tail"
-echo "TESTING: 1.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail'
-# escaped space in file names
-echo "TESTING: 1.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1\ tail arg2\ tail
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 1.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail"
-echo "TESTING: 1.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
deleted file mode 100755
index 6095f0e55..000000000
--- a/test/arguments/joinrun.exp
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail --name=joinrun\r"
-sleep 2
-spawn $env(SHELL)
-send --  "./joinrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1.3\n";exit}
-        "#arg2#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.5.3\n";exit}
-        "#arg2&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.6.3\n";exit}
-        "#arg2&tail#"
-}
-puts "\nall done\n"
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
deleted file mode 100755
index c929f0879..000000000
--- a/test/arguments/joinrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-echo "TESTING: 3.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2
-# simple quotes, testing spaces in file names
-echo "TESTING: 3.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail"
-echo "TESTING: 3.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail'
-# escaped space in file names
-echo "TESTING: 3.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 3.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail"
-echo "TESTING: 3.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp
deleted file mode 100755
index e727d44fb..000000000
--- a/test/arguments/outrun.exp
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "./outrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1.3\n";exit}
-        "#arg2#"
-}
-exit
-#***************************************************
-#  breaking down from here on - bug to fix
-#***************************************************
-expect {
-        timeout {puts "TESTING ERROR 4.2.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.3.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.4.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.5.3\n";exit}
-        "#arg2&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.6.3\n";exit}
-        "#arg2&tail#"
-}
-puts "\nall done\n"
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh
deleted file mode 100755
index b7870bb70..000000000
--- a/test/arguments/outrun.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-echo "TESTING: 4.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1 arg2
-# simple quotes, testing spaces in file names
-echo "TESTING: 4.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail"
-echo "TESTING: 4.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail'
-# escaped space in file names
-echo "TESTING: 4.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 4.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail"
-echo "TESTING: 4.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp
deleted file mode 100755
index b1f660715..000000000
--- a/test/arguments/symrun.exp
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send --  "./symrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1.3\n";exit}
-        "#arg2#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.5.3\n";exit}
-        "#arg2&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.6.3\n";exit}
-        "#arg2&tail#"
-}
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh
deleted file mode 100755
index 7bc4d21cf..000000000
--- a/test/arguments/symrun.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-mkdir symtest
-ln -s /usr/bin/firejail symtest/faudit
-# search for faudit in current directory
-export PATH=$PATH:.
-export FIREJAIL_TEST_ARGUMENTS=yes
-echo "TESTING: 2.1 - simple args"
-symtest/faudit arg1 arg2
-# simple quotes, testing spaces in file names
-echo "TESTING: 2.2 - args with space and \""
-symtest/faudit "arg1 tail" "arg2 tail"
-echo "TESTING: 2.3 - args with space and '"
-symtest/faudit 'arg1 tail' 'arg2 tail'
-# escaped space in file names
-echo "TESTING: 2.4 - args with space and \\"
-symtest/faudit arg1\ tail arg2\ tail
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 2.5 - args with & and \""
-symtest/faudit "arg1&tail" "arg2&tail"
-echo "TESTING: 2.6 - args with & and '"
-symtest/faudit 'arg1&tail' 'arg2&tail'
-rm -fr symtest
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
deleted file mode 100755
index ba537c3af..000000000
--- a/test/utils/audit.exp
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail --audit\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Firejail Audit"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "is running in a PID namespace"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "container/sandbox firejail"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "seccomp BPF enabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "all capabilities are disabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "dev directory seems to be fully populated"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Parent is shutting down, bye..."
-}
-after 100
-send -- "firejail --audit\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Firejail Audit"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "is running in a PID namespace"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "container/sandbox firejail"
-}
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "seccomp BPF enabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "all capabilities are disabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "dev directory seems to be fully populated"
-}
-expect {
-        timeout {puts "TESTING ERROR 11.1\n";exit}
-        "Parent is shutting down, bye..."
-}
-after 100
-send -- "firejail --audit=blablabla\r"
-expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "cannot find the audit program"
-}
-after 100
-send -- "firejail --audit=\r"
-expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "invalid audit program"
-}
-after 100
-# run audit executable without a sandbox
-send -- "faudit\r"
-expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "is not running in a PID namespace"
-}
-expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        "BAD: seccomp disabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 15\n";exit}
-        "BAD: the capability map is"
-}
-expect {
-        timeout {puts "TESTING ERROR 16\n";exit}
-        "MAYBE: /dev directory seems to be fully populated"
-}
-after 100
-# test seccomp
-send -- "firejail --seccomp.drop=mkdir --audit\r"
-expect {
-        timeout {puts "TESTING ERROR 17\n";exit}
-        "Firejail Audit"
-}
-expect {
-        timeout {puts "TESTING ERROR 18\n";exit}
-        "GOOD: seccomp BPF enabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 19\n";exit}
-        "UGLY: mount syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 20\n";exit}
-        "UGLY: umount2 syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 21\n";exit}
-        "UGLY: ptrace syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 22\n";exit}
-        "UGLY: swapon syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 23\n";exit}
-        "UGLY: swapoff syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 24\n";exit}
-        "UGLY: init_module syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 25\n";exit}
-        "UGLY: delete_module syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 26\n";exit}
-        "UGLY: chroot syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 27\n";exit}
-        "UGLY: pivot_root syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 28\n";exit}
-        "UGLY: iopl syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 29\n";exit}
-        "UGLY: ioperm syscall permitted"
-}
-expect {
-        timeout {puts "TESTING ERROR 30\n";exit}
-        "GOOD: all capabilities are disabled"
-}
-after 100
-puts "\nall done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 9ef409ae7..c021d6287 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -8,7 +8,7 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 if [ -f /etc/debian_version ]; then
-        libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
+        libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
        export PATH="$PATH:$libdir"
 fi
 export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
@@ -18,13 +18,6 @@ echo "TESTING: build (test/utils/build.exp)"
 rm -f ~/firejail-test-file-7699
 rm -f firejail-test-file-4388
-if [ $(faudit | grep -c "is running in a PID namespace.") -gt 0 ]; then
-        echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)"
-else
-        echo "TESTING: audit (test/utils/audit.exp)"
-        ./audit.exp
-fi
 echo "TESTING: name (test/utils/name.exp)"
 ./name.exp