28 files changed, 238 insertions, 158 deletions

diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 62857a3e2..68512e37b 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 6b7b59be4..66f38b358 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb35c9447..88943760a 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 1009f345b..4a08fca9b 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 35d969e6d..edb85048b 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index dec0daef2..b5f98b411 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index b9bc8f219..9726ff6fe 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 16dc97d0c..5b5902563 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 12c7ea3d0..c2c22f42d 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 253465991..68362cbc8 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 323849e35..d48065c4b 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index df54fb9ba..d0fb0d43e 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index a7ebaf2af..19e586db4 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4e16df553..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.tremulous
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 5659ec69c..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 6ffe9ece9..7c2b38d1d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 7628313e0..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 8700e0ba1..a1847284c 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -236,9 +236,6 @@ void build_share(const char *fname, FILE *fp) {
 //*******************************************
 static FileDB *tmp_out = NULL;
 static void tmp_callback(char *ptr) {
-        // skip strace file
-        if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
-                return;
         if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
                 return;
         if (strcmp(ptr, "/tmp") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d29c2a976..a6924b830 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -519,6 +519,7 @@ void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *realpath_as_user(const char *fname);
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);
 int stat_as_user(const char *fname, struct stat *s);
 int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
@@ -532,7 +533,7 @@ void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
 uid_t pid_get_uid(pid_t pid);
-uid_t get_group_id(const char *group);
+gid_t get_group_id(const char *groupname);
 void flush_stdin(void);
 int create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
@@ -566,7 +567,7 @@ typedef struct {
 // mountinfo.c
 MountData *get_last_mount(void);
 int get_mount_id(int fd);
-char **build_mount_array(const int mount_id, const char *path);
+char **build_mount_array(const int mountid, const char *path);
 
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0b9a38035..9c1b889ed 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -654,12 +654,13 @@ static void fs_remount_rec(const char *path, OPERATION op) {
 
         // build array with all mount points that need to get remounted
         char **arr = build_mount_array(mountid, path);
-        assert(arr);
+        if (!arr)
+                return;
         // remount
-        char **tmp = arr;
-        while (*tmp) {
-                fs_remount_simple(*tmp, op);
-                free(*tmp++);
+        int i;
+        for (i = 0; arr[i]; i++) {
+                fs_remount_simple(arr[i], op);
+                free(arr[i]);
         }
         free(arr);
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c5b3d5739..1ba70b0bd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2156,6 +2156,10 @@ int main(int argc, char **argv, char **envp) {
                         arg_novideo = 1;
                 else if (strcmp(argv[i], "--no3d") == 0)
                         arg_no3d = 1;
+                else if (strcmp(argv[i], "--noprinters") == 0) {
+                        profile_add("blacklist /dev/lp*");
+                        profile_add("blacklist /run/cups/cups.sock");
+                }
                 else if (strcmp(argv[i], "--notv") == 0)
                         arg_notv = 1;
                 else if (strcmp(argv[i], "--nodvd") == 0)
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 304f80eee..ee437e10b 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -33,43 +33,38 @@ static MountData mdata;
 
 
 // Convert octal escape sequence to decimal value
-static int read_oct(const char *path) {
-        int dec = 0;
-        int digit, i;
-        // there are always exactly three octal digits
-        for (i = 1; i < 4; i++) {
-                digit = *(path + i);
-                if (digit < '0' || digit > '7') {
-                        fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                        exit(1);
-                }
-                dec = (dec << 3) + (digit - '0');
-        }
-        return dec;
+static unsigned read_oct(char *s) {
+        assert(s[0] == '\\');
+        s++;
+
+        int i;
+        for (i = 0; i < 3; i++)
+                assert(s[i] >= '0' && s[i] <= '7');
+
+        return ((s[0] - '0') << 6 |
+                (s[1] - '0') << 3 |
+                (s[2] - '0') << 0);
 }
 
 // Restore empty spaces in pathnames extracted from /proc/self/mountinfo
 static void unmangle_path(char *path) {
-        char *p = strchr(path, '\\');
-        if (p && read_oct(p) == ' ') {
-                *p = ' ';
-                int i = 3;
-                do {
-                        p++;
-                        if (*(p + i) == '\\' && read_oct(p + i) == ' ') {
-                                *p = ' ';
-                                i += 3;
-                        }
-                        else
-                                *p = *(p + i);
-                } while (*p);
-        }
+        char *r = strchr(path, '\\');
+        if (!r)
+                return;
+
+        char *w = r;
+        do {
+                while (*r == '\\') {
+                        *w++ = read_oct(r);
+                        r += 4;
+                }
+                *w++ = *r;
+        } while (*r++);
 }
 
 // Parse a line from /proc/self/mountinfo,
 // the function does an exit(1) if anything goes wrong.
 static void parse_line(char *line, MountData *output) {
-        assert(line && output);
         memset(output, 0, sizeof(*output));
         // extract mount id, filesystem name, directory and filesystem types
         // examples:
@@ -87,8 +82,6 @@ static void parse_line(char *line, MountData *output) {
         char *ptr = strtok(line, " ");
         if (!ptr)
                 goto errexit;
-        if (ptr != line)
-                goto errexit;
         output->mountid = atoi(ptr);
         int cnt = 1;
 
@@ -109,10 +102,9 @@ static void parse_line(char *line, MountData *output) {
         ptr = strtok(NULL, " ");
         if (!ptr)
                 goto errexit;
-        output->fstype = ptr++;
+        output->fstype = ptr;
 
-
-        if (output->mountid == 0 ||
+        if (output->mountid < 0 ||
             output->fsname == NULL ||
             output->dir == NULL ||
             output->fstype == NULL)
@@ -195,9 +187,9 @@ static int get_mount_id_from_fdinfo(int fd) {
         char buf[MAX_BUF];
         while (fgets(buf, MAX_BUF, fp)) {
                 if (strncmp(buf, "mnt_id:", 7) == 0) {
-                        if (sscanf(buf + 7, "%d", &rv) != 1)
-                                goto errexit;
-                        break;
+                        if (sscanf(buf + 7, "%d", &rv) == 1)
+                                break;
+                        goto errexit;
                 }
         }
 
@@ -219,62 +211,50 @@ int get_mount_id(int fd) {
 
 // Check /proc/self/mountinfo if path contains any mounts points.
 // Returns an array that can be iterated over for recursive remounting.
-char **build_mount_array(const int mount_id, const char *path) {
+char **build_mount_array(const int mountid, const char *path) {
         assert(path);
 
-        // open /proc/self/mountinfo
         FILE *fp = fopen("/proc/self/mountinfo", "re");
         if (!fp) {
                 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
                 exit(1);
         }
 
-        // array to be returned
-        size_t cnt = 0;
+        // try to find line with mount id
+        int found = 0;
+        MountData mntp;
+        char line[MAX_BUF];
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (mntp.mountid == mountid) {
+                        found = 1;
+                        break;
+                }
+        }
+
+        if (!found) {
+                fclose(fp);
+                return NULL;
+        }
+
+        // allocate array
         size_t size = 32;
         char **rv = malloc(size * sizeof(*rv));
         if (!rv)
                 errExit("malloc");
 
-        // read /proc/self/mountinfo
-        size_t pathlen = strlen(path);
-        char buf[MAX_BUF];
-        MountData mntp;
-        int found = 0;
+        // add directory itself
+        size_t cnt = 0;
+        rv[cnt] = strdup(path);
+        if (rv[cnt] == NULL)
+                errExit("strdup");
 
-        if (fgets(buf, MAX_BUF, fp) == NULL) {
-                fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                exit(1);
-        }
-        do {
-                parse_line(buf, &mntp);
-                // find mount point with mount id
-                if (!found) {
-                        if (mntp.mountid == mount_id) {
-                                // give up if mount id has been reassigned,
-                                // don't remount blacklisted path
-                                if (strncmp(mntp.dir, path, strlen(mntp.dir)) ||
-                                    strstr(mntp.fsname, "firejail.ro.dir") ||
-                                    strstr(mntp.fsname, "firejail.ro.file"))
-                                            break;
-
-                                rv[cnt] = strdup(path);
-                                if (rv[cnt] == NULL)
-                                        errExit("strdup");
-                                cnt++;
-                                found = 1;
-                                continue;
-                        }
-                        continue;
-                }
-                // from here on add all mount points below path,
-                // don't remount blacklisted paths
-                if (strncmp(mntp.dir, path, pathlen) == 0 &&
-                    mntp.dir[pathlen] == '/' &&
-                    strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
-                    strstr(mntp.fsname, "firejail.ro.file") == NULL) {
-
-                        if (cnt == size) {
+        // and add all following mountpoints contained in this directory
+        size_t pathlen = strlen(path);
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') {
+                        if (++cnt == size) {
                                 size *= 2;
                                 rv = realloc(rv, size * sizeof(*rv));
                                 if (!rv)
@@ -283,18 +263,17 @@ char **build_mount_array(const int mount_id, const char *path) {
                         rv[cnt] = strdup(mntp.dir);
                         if (rv[cnt] == NULL)
                                 errExit("strdup");
-                        cnt++;
                 }
-        } while (fgets(buf, MAX_BUF, fp));
+        }
+        fclose(fp);
 
-        if (cnt == size) {
-                size++;
+        // end of array
+        if (++cnt == size) {
+                ++size;
                 rv = realloc(rv, size * sizeof(*rv));
                 if (!rv)
                         errExit("realloc");
         }
-        rv[cnt] = NULL; // end of the array
-
-        fclose(fp);
+        rv[cnt] = NULL;
         return rv;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9d92b6199..babc3941e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -449,6 +449,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "noprinters") == 0) {
+                profile_add("blacklist /dev/lp*");
+                profile_add("blacklist /run/cups/cups.sock");
+                return 0;
+        }
         else if (strcmp(ptr, "noinput") == 0) {
                 arg_noinput = 1;
                 return 0;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 8749f79cc..55dcdc246 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -484,13 +484,6 @@ int is_link(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        int called_as_root = 0;
-        if (geteuid() == 0)
-                called_as_root = 1;
-
-        if (called_as_root)
-                EUID_USER();
-
         // remove trailing '/' if any
         char *tmp = strdup(fname);
         if (!tmp)
@@ -498,12 +491,9 @@ int is_link(const char *fname) {
         trim_trailing_slash_or_dot(tmp);
 
         char c;
-        ssize_t rv = readlink(tmp, &c, 1);
+        ssize_t rv = readlink_as_user(tmp, &c, 1);
         free(tmp);
 
-        if (called_as_root)
-                EUID_ROOT();
-
         return (rv != -1);
 }
 
@@ -525,6 +515,24 @@ char *realpath_as_user(const char *fname) {
         return rv;
 }
 
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz) {
+        assert(fname && buf && sz);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        ssize_t rv = readlink(fname, buf, sz);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
 int stat_as_user(const char *fname, struct stat *s) {
         assert(fname);
 
@@ -959,10 +967,9 @@ uid_t pid_get_uid(pid_t pid) {
 }
 
 
-uid_t get_group_id(const char *group) {
-        // find tty group id
+gid_t get_group_id(const char *groupname) {
         gid_t gid = 0;
-        struct group *g = getgrnam(group);
+        struct group *g = getgrnam(groupname);
         if (g)
                 gid = g->gr_gid;
 
@@ -998,31 +1005,33 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
         assert(dir);
         mode &= 07777;
 
-        if (access(dir, F_OK) != 0) {
+        if (access(dir, F_OK) == 0)
+                return 0;
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
                 if (arg_debug)
                         printf("Creating empty %s directory\n", dir);
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        if (mkdir(dir, mode) == 0) {
-                                int err = chmod(dir, mode);
-                                (void) err;
-                        }
-                        else if (arg_debug)
-                                printf("Directory %s not created: %s\n", dir, strerror(errno));
+                if (mkdir(dir, mode) == 0) {
+                        int err = chmod(dir, mode);
+                        (void) err;
+                }
+                else if (arg_debug)
+                        printf("Directory %s not created: %s\n", dir, strerror(errno));
 
-                        __gcov_flush();
+                __gcov_flush();
 
-                        _exit(0);
-                }
-                waitpid(child, NULL, 0);
-                if (access(dir, F_OK) == 0)
-                        return 1;
+                _exit(0);
         }
+        waitpid(child, NULL, 0);
+
+        if (access(dir, F_OK) == 0)
+                        return 1;
         return 0;
 }
 
@@ -1412,7 +1421,7 @@ static int has_link(const char *dir) {
 void check_homedir(const char *dir) {
         assert(dir);
         if (dir[0] != '/') {
-                fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
+                fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
                 exit(1);
         }
         // symlinks are rejected in many places
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index d88512b0a..319902ff7 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -18,12 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #define _GNU_SOURCE
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <dlfcn.h>
 #include <sys/types.h>
-#include <limits.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -706,10 +706,14 @@ __attribute__((constructor))
 static void log_exec(int argc, char** argv) {
         (void) argc;
         (void) argv;
-        static char buf[PATH_MAX + 1];
-        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
-        if (rv != -1) {
-                buf[rv] = '\0'; // readlink does not add a '\0' at the end
+        char *buf = realpath("/proc/self/exe", NULL);
+        if (buf == NULL) {
+                if (errno == ENOMEM) {
+                        tprintf(ftty, "realpath: %s\n", strerror(errno));
+                        exit(1);
+                }
+        } else {
                 tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+                free(buf);
         }
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 154def585..e724e4bb9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -310,6 +310,11 @@ regular user, nonewprivs and a default capabilities filter are enabled.
 Example:
 .br
 $ firejail \-\-chroot=/media/ubuntu warzone2100
+.br
+
+.br
+For automatic mounting of X11 and PulseAudio sockets set environment variables
+FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
 #endif
 .TP
 \fB\-\-cpu=cpu-number,cpu-number,cpu-number
@@ -2192,6 +2197,11 @@ More information about groups can be found in /usr/share/doc/firejail/syscalls.t
 .br
 
 .br
+The default list can be customized, see \-\-seccomp= for a description.
+It can be customized also globally in /etc/firejail/firejail.config file.
+.br
+
+.br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
@@ -2206,11 +2216,7 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
-.br
 
-.br
-The default list can be customized, see \-\-seccomp= for a description. It can be customized
-also globally in /etc/firejail/firejail.config file.
 
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2