76 files changed, 1536 insertions, 573 deletions
diff --git a/Makefile.in b/Makefile.in
index 6be62cb6e..17bd76464 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -31,7 +31,7 @@ SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfil
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
diff --git a/README b/README
index 7310d22da..8284ce825 100644
--- a/README
+++ b/README
@@ -500,6 +500,7 @@ Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
        - fixed spotify.profile
 Jeff Squyres (https://github.com/jsquyres)
        - various manpage fixes
+        - cmdline.c: optionally quote the resulting command line
 Jericho (https://github.com/attritionorg)
        - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -570,6 +571,8 @@ kortewegdevries (https://github.com/kortewegdevries)
        - whitelisting evolution, kmail
 Kristóf Marussy (https://github.com/kris7t)
        - dns support
+kuesji koesnu (https://github.com/kuesji)
+        - unit suffixes for rlimit-fsize and rlimit-as
 Kunal Mehta (https://github.com/legoktm)
        - converted all links to https in manpages
 laniakea64 (https://github.com/laniakea64)
diff --git a/README.md b/README.md
index 1c1823cb6..c235759e9 100644
--- a/README.md
+++ b/README.md
@@ -126,18 +126,18 @@ $ cd firejail
 $ ./configure && make && sudo make install-strip
 `````
 On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using --apparmor
+development libraries and pkg-config are required when using `--apparmor`
 ./configure option:
 `````
 $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 `````
-For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
+For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
 Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
 ## Running the sandbox
-To start the sandbox, prefix your command with “firejail”:
+To start the sandbox, prefix your command with `firejail`:
 `````
 $ firejail firefox            # starting Mozilla Firefox
@@ -145,7 +145,7 @@ $ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
-Run "firejail --list" in a terminal to list all active sandboxes. Example:
+Run `firejail --list` in a terminal to list all active sandboxes. Example:
 `````
 $ firejail --list
 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
@@ -188,9 +188,7 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-`````
-`````
 ## Latest released version: 0.9.64
 ## Current development version: 0.9.65
@@ -334,5 +332,6 @@ avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.ph
 pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
 sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
 ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
-pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
+pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon,
-neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2
+neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr,
+tin
diff --git a/RELNOTES b/RELNOTES
index b6b5f0f7e..6a629476d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -38,7 +38,7 @@ firejail (0.9.65) baseline; urgency=low
  * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
  * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
  * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
-  * links2, xlinks2
+  * links2, xlinks2, googler, ddgr, tin
 -- netblue30 <netblue30@yahoo.com>  Wed, 2 Jun 2021 09:00:00 -0500
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/etc/firejail.config b/etc/firejail.config
index 4b59f8955..43db49422 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -35,11 +35,6 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
-# Set the limit for file copy in several --private-* options. The size is set
-# in megabytes. By default we allow up to 500MB.
-# Note: the files are copied in RAM.
-# file-copy-limit 500
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
@@ -77,18 +72,35 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
 # Enable or disable private-home feature, default enabled
 # private-home yes
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 18d1978fc..0e575e5eb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -39,6 +39,8 @@ blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -810,6 +812,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
 blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
@@ -830,6 +833,14 @@ blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
@@ -867,6 +878,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
new file mode 100644
index 000000000..0b5cf0df0
--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile
new file mode 100644
index 000000000..97b97fe5f
--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+private-bin alpinef
+# Redirect
+include alpine.profile
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 043fd6718..7cf04c550 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -34,6 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
+whitelist /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f7493aa82..b0e0254d4 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,8 +37,9 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
+# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/ddgr.profile b/etc/profile-a-l/ddgr.profile
new file mode 100644
index 000000000..b1d41ddf7
--- /dev/null
+++ b/etc/profile-a-l/ddgr.profile
@@ -0,0 +1,13 @@
+# Firejail profile for ddgr
+# Description: Search DuckDuckGo from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ddgr.local
+# Persistent global definitions
+include globals.local
+private-bin ddgr
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 7874c882f..3ad67734d 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -56,8 +56,9 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
+# Add the next three lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
new file mode 100644
index 000000000..2d0bce52b
--- /dev/null
+++ b/etc/profile-a-l/googler-common.profile
@@ -0,0 +1,62 @@
+# Firejail profile for googler clones
+# Description: common profile for googler clones
+# This file is overwritten after every install/update
+# Persistent local customizations
+include googler-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+noblacklist ${HOME}/.w3m
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist ${HOME}/.w3m
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin env,python3*,sh,w3m
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler.profile b/etc/profile-a-l/googler.profile
new file mode 100644
index 000000000..9d67006f6
--- /dev/null
+++ b/etc/profile-a-l/googler.profile
@@ -0,0 +1,13 @@
+# Firejail profile for googler
+# Description: Search Google from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include googler.local
+# Persistent global definitions
+include globals.local
+private-bin googler
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 8e3e58f19..da047357a 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,8 +44,9 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
new file mode 100644
index 000000000..fcd1e24e5
--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,74 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 2536d0b38..1028e374a 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -31,7 +31,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
new file mode 100644
index 000000000..0e52d7fc4
--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
new file mode 100644
index 000000000..cd84ce05e
--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+#              symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+include tin.profile
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..e0ed3090a
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index d0bcbe79f..3cd496412 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -6,6 +6,9 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
+# tuxguitar fails to launch
+ignore noexec ${HOME}
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
@@ -41,6 +44,3 @@ tracelog
 private-dev
 private-tmp
-# noexec ${HOME} - tuxguitar may fail to launch
-noexec /tmp
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 131213ed2..69b2c6c59 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -17,18 +17,32 @@ noblacklist ${HOME}/.w3m
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
+mkdir ${HOME}/.w3m
+whitelist /usr/share/w3m
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.w3m
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
@@ -45,8 +59,14 @@ seccomp
 shell none
 tracelog
-# private-bin w3m
+disable-mnt
+private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 3a93d2ec7..76935212f 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
+whitelist /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index a39729685..d0e68c980 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -17,12 +17,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
 whitelist /usr/share/doc
 whitelist /usr/share/zathura
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -41,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 61e9c9fd8..18e4e8bce 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -192,7 +192,7 @@ include globals.local
 #  GUI: fonts,pango,X11
 #  GTK: dconf,gconf,gtk-2.0,gtk-3.0
 #  KDE: kde4rc,kde5rc
-#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
+#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 #    Extra: gai.conf,proxychains.conf
 #  Qt: Trolltech.conf
 ##private-lib LIBS
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index acdc8d561..86cd6006e 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -45,8 +45,8 @@ rm -rf %{buildroot}
 %{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man1/jailcheck.1.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
-%{_mandir}/man5/jailcheck.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 869549821..31810de9a 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -19,11 +19,15 @@
 */
 #include "../include/common.h"
-#include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 #if HAVE_SELINUX
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -55,7 +59,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
        assert(path);
        assert(inside_path);
 #if HAVE_SELINUX
-        char procfs_path[64];
+        char procfs_path[64];
        char *fcon = NULL;
        int fd;
        struct stat st;
@@ -69,20 +73,23 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
        if (!label_hnd)
                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+        if (!label_hnd)
+                errExit("selabel_open");
        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
        if (fd < 0)
                return;
        if (fstat(fd, &st) < 0)
                goto close;
-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
                sprintf(procfs_path, "/proc/self/fd/%i", fd);
                if (arg_debug)
                        printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
                setfilecon_raw(procfs_path, fcon);
-        }
+        }
        freecon(fcon);
 close:
        close(fd);
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 245e6a4a0..e58fe39ec 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,6 +38,8 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alpine
+alpinef
 amarok
 amule
 amuled
@@ -167,6 +169,7 @@ cvlc
 cyberfox
 darktable
 dconf-editor
+ddgr
 ddgtk
 deadbeef
 deluge
@@ -350,6 +353,7 @@ google-chrome-unstable
 google-earth
 google-earth-pro
 google-play-music-desktop-player
+googler
 gpa
 gpicview
 gpredict
@@ -492,6 +496,7 @@ mathematica
 matrix-mirage
 mattermost-desktop
 mcabber
+mcomix
 mediainfo
 mediathekview
 megaglest
@@ -652,6 +657,7 @@ pybitmessage
 # pycharm-professional
 # pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
+qcomicbook
 qemu-launcher
 qgis
 qlipper
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 6b9fed765..056640eec 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -28,8 +28,13 @@
 #include <linux/loop.h>
 #include <errno.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 static char *devloop = NULL;    // device file
 static long unsigned size = 0;  // offset into appimage file
+#define MAXBUF 4096
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
@@ -38,6 +43,36 @@ static void err_loop(void) {
 }
 #endif
+// return 1 if found
+int appimage_find_profile(const char *archive) {
+        assert(archive);
+        assert(strlen(archive));
+        // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config
+        FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config");
+                exit(1);
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (*buf == '#')
+                        continue;
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                if (strcasestr(archive, buf)) {
+                        fclose(fp);
+                        return profile_find_firejail(buf, 1);
+                }
+        }
+        fclose(fp);
+        return 0;
+}
 void appimage_set(const char *appimage) {
        assert(appimage);
        assert(devloop == NULL);        // don't call this twice!
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 12b5fc683..1e9f4b641 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -111,10 +111,14 @@ int checkcfg(int val) {
                        PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
                        PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
                        PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+                        PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
                        PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+                        PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
                        PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
-                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+                        PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+                        PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
                        PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
                        PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                        PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
@@ -131,8 +135,7 @@ int checkcfg(int val) {
                                        *end = '\0';
                                // is the file present?
-                                struct stat s;
+                                if (access(fname, F_OK) == -1) {
-                                if (stat(fname, &s) == -1) {
                                        fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
                                        exit(1);
                                }
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 757ffb1f7..0d4baa618 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -29,6 +29,9 @@
 #define O_PATH 010000000
 #endif
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 // exit if error
 void fs_check_chroot_dir(void) {
@@ -163,12 +166,8 @@ void fs_chroot(const char *rootdir) {
        int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
                errExit("open");
-        char *proc;
+        if (bind_mount_path_to_fd("/dev", fd))
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mounting /dev");
-        free(proc);
        close(fd);
 #ifdef HAVE_X11
@@ -192,11 +191,8 @@ void fs_chroot(const char *rootdir) {
                fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                if (fd == -1)
                        errExit("open");
-                if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                if (bind_mount_path_to_fd("/tmp/.X11-unix", fd))
-                        errExit("asprintf");
-                if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mounting /tmp/.X11-unix");
-                free(proc);
                close(fd);
        }
 #endif // HAVE_X11
@@ -225,19 +221,11 @@ void fs_chroot(const char *rootdir) {
                        fprintf(stderr, "Error: cannot open %s\n", pulse);
                        exit(1);
                }
-                free(pulse);
+                if (bind_mount_by_fd(src, dst))
+                        errExit("mounting pulseaudio");
-                char *proc_src, *proc_dst;
-                if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                        errExit("asprintf");
-                if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                        errExit("asprintf");
-                if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                free(proc_src);
-                free(proc_dst);
                close(src);
                close(dst);
+                free(pulse);
                // update /etc/machine-id in chroot
                update_file(parentfd, "etc/machine-id");
@@ -256,11 +244,8 @@ void fs_chroot(const char *rootdir) {
        fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
                errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+        if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd))
-                errExit("asprintf");
-        if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc);
        close(fd);
        // create /run/firejail/mnt directory in chroot
@@ -271,11 +256,8 @@ void fs_chroot(const char *rootdir) {
        fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
                errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+        if (bind_mount_path_to_fd(RUN_MNT_DIR, fd))
-                errExit("asprintf");
-        if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc);
        close(fd);
        // update chroot resolv.conf
@@ -289,11 +271,8 @@ void fs_chroot(const char *rootdir) {
        if (mkdir(oroot, 0755) == -1)
                errExit("mkdir");
        // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
-        if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1)
+        if (bind_mount_fd_to_path(parentfd, oroot))
-                errExit("asprintf");
-        if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mounting rootdir oroot");
-        free(proc);
        close(parentfd);
        // chroot into the new directory
        if (arg_debug)
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index f902c4e1c..2fa68a55d 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -26,7 +26,7 @@
 #include <assert.h>
 #include <errno.h>
-static int cmdline_length(int argc, char **argv, int index) {
+static int cmdline_length(int argc, char **argv, int index, bool want_extra_quotes) {
        assert(index != -1);
        unsigned i,j;
@@ -46,10 +46,11 @@ static int cmdline_length(int argc, char **argv, int index) {
                                        len += 3;
                                in_quotes = false;
                        } else {
-                                if (!in_quotes)
+                                if (!in_quotes && want_extra_quotes)
                                        len++;
                                len++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                        }
                }
                if (in_quotes) {
@@ -64,7 +65,7 @@ static int cmdline_length(int argc, char **argv, int index) {
        return len;
 }
-static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
+static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index, bool want_extra_quotes) {
        assert(index != -1);
        unsigned i,j;
@@ -103,14 +104,15 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
                        // anything other
                        else
                        {
-                                if (!in_quotes) {
+                                if (!in_quotes && want_extra_quotes) {
                                        // open quotes
                                        ptr1[0] = '\'';
                                        ptr1++;
                                }
                                ptr1[0] = argv[i + index][j];
                                ptr1++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                        }
                }
                // close quotes
@@ -134,12 +136,12 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
        assert((unsigned) len == strlen(command_line));
 }
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
        // index == -1 could happen if we have --shell=none and no program was specified
        // the program should exit with an error before entering this function
        assert(index != -1);
-        int len = cmdline_length(argc, argv, index);
+        int len = cmdline_length(argc, argv, index, want_extra_quotes);
        if (len > ARG_MAX) {
                errno = E2BIG;
                errExit("cmdline_length");
@@ -152,7 +154,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
        if (!*window_title)
                        errExit("malloc");
-        quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        quote_cmdline(*command_line, *window_title, len, argc, argv, index, want_extra_quotes);
        if (arg_debug)
                printf("Building quoted command line: %s\n", *command_line);
@@ -161,17 +163,17 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
        assert(*window_title);
 }
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
        // index == -1 could happen if we have --shell=none and no program was specified
        // the program should exit with an error before entering this function
        assert(index != -1);
        char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun";
-        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
+        int len1 = cmdline_length(argc, argv, index, want_extra_quotes);  // length of argv w/o changes
-        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
+        int len2 = cmdline_length(1, &argv[index], 0, want_extra_quotes); // apptest.AppImage
-        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/AppRun
+        int len3 = cmdline_length(1, &apprun_path, 0, want_extra_quotes); // /run/firejail/appimage/AppRun
-        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
+        int len4 = (len1 - len2 + len3) + 1;                              // apptest.AppImage is replaced by /path/to/AppRun
        if (len4 > ARG_MAX) {
                errno = E2BIG;
@@ -187,7 +189,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
                        errExit("malloc");
        // run default quote_cmdline
-        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index, want_extra_quotes);
        assert(command_line_tmp);
        assert(*window_title);
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index b8aa2c974..9a4cb2e6b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -258,12 +258,8 @@ static char *find_user_socket_by_format(char *format) {
        if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1)
                errExit("asprintf");
        struct stat s;
-        if (stat(dbus_user_socket, &s) == -1) {
+        if (lstat(dbus_user_socket, &s) == -1)
-                if (errno == ENOENT)
+                goto fail;
-                        goto fail;
-                return NULL;
-                errExit("stat");
-        }
        if (!S_ISSOCK(s.st_mode))
                goto fail;
        return dbus_user_socket;
@@ -426,12 +422,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) {
                errno = ENOTSOCK;
                errExit("mounting DBus proxy socket");
        }
-        char *proxy_fd_path;
+        if (bind_mount_fd_to_path(fd, socket_path))
-        if (asprintf(&proxy_fd_path, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proxy_path, socket_path, NULL, MS_BIND | MS_REC, NULL) == -1)
                errExit("mount bind");
-        free(proxy_fd_path);
        close(fd);
 }
@@ -478,7 +470,7 @@ void dbus_apply_policy(void) {
        create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
        if (arg_dbus_user != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600);
                if (arg_dbus_user == DBUS_POLICY_FILTER) {
                        assert(dbus_user_proxy_socket != NULL);
@@ -517,7 +509,7 @@ void dbus_apply_policy(void) {
        }
        if (arg_dbus_system != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600);
                if (arg_dbus_system == DBUS_POLICY_FILTER) {
                        assert(dbus_system_proxy_socket != NULL);
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 5bcdcad37..ec482e2ea 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -153,19 +153,13 @@ void dhcp_start(void) {
        if (!any_dhcp())
                return;
-        char *dhclient_path = RUN_MNT_DIR "/dhclient";;
+        char *dhclient_path = RUN_MNT_DIR "/dhclient";
        struct stat s;
        if (stat(dhclient_path, &s) == -1) {
-                dhclient_path = "/usr/sbin/dhclient";
+                fprintf(stderr, "Error: %s was not found.\n", dhclient_path);
-                if (stat(dhclient_path, &s) == -1) {
+                exit(1);
-                        fprintf(stderr, "Error: dhclient was not found.\n");
-                        exit(1);
-                }
        }
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
-        dhclient_path = RUN_MNT_DIR "/dhclient";
        EUID_ROOT();
        if (mkdir(RUN_DHCLIENT_DIR, 0700))
                errExit("mkdir");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 60d178f1e..9971d30b6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -45,6 +45,15 @@
                assert(s.st_gid == gid);\
                assert((s.st_mode & 07777) == (mode));\
        } while (0)
+#define ASSERT_PERMS_AS_USER(file, uid, gid, mode) \
+        do { \
+                assert(file);\
+                struct stat s;\
+                if (stat_as_user(file, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
        do { \
                struct stat s;\
@@ -489,6 +498,7 @@ int macro_id(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
+long long unsigned parse_arg_size(char *str);
 void drop_privs(int nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
@@ -498,11 +508,14 @@ void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
+char *realpath_as_user(const char *fname);
+int stat_as_user(const char *fname, struct stat *s);
+int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
 char *line_remove_spaces(const char *buf);
 char *split_comma(char *str);
@@ -526,11 +539,15 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safer_openat(int dirfd, const char *path, int flags);
+int remount_by_fd(int dst, unsigned long mountflags);
+int bind_mount_by_fd(int src, int dst);
+int bind_mount_path_to_fd(const char *srcname, int dst);
+int bind_mount_fd_to_path(int src, const char *destname);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
 pid_t require_pid(const char *name);
-void check_homedir(void);
+void check_homedir(const char *dir);
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
@@ -762,8 +779,14 @@ enum {
        CFG_WHITELIST,
        CFG_XEPHYR_WINDOW_TITLE,
        CFG_OVERLAYFS,
-        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_BIN,
        CFG_PRIVATE_BIN_NO_LOCAL,
+        CFG_PRIVATE_CACHE,
+        CFG_PRIVATE_ETC,
+        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_LIB,
+        CFG_PRIVATE_OPT,
+        CFG_PRIVATE_SRV,
        CFG_FIREJAIL_PROMPT,
        CFG_DISABLE_MNT,
        CFG_JOIN,
@@ -771,10 +794,8 @@ enum {
        CFG_XPRA_ATTACH,
        CFG_BROWSER_DISABLE_U2F,
        CFG_BROWSER_ALLOW_DRM,
-        CFG_PRIVATE_LIB,
        CFG_APPARMOR,
        CFG_DBUS,
-        CFG_PRIVATE_CACHE,
        CFG_CGROUP,
        CFG_NAME_CHANGE,
        CFG_SECCOMP_ERROR_ACTION,
@@ -796,6 +817,7 @@ int checkcfg(int val);
 void print_compiletime_support(void);
 // appimage.c
+int appimage_find_profile(const char *archive);
 void appimage_set(const char *appimage_path);
 void appimage_mount(void);
 void appimage_clear(void);
@@ -804,8 +826,8 @@ void appimage_clear(void);
 long unsigned int appimage2_size(int fd);
 // cmdline.c
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
 // sbox.c
 // programs
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 09de11de9..806fa9249 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -33,6 +33,10 @@
 #define O_PATH 010000000
 #endif
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
@@ -54,16 +58,10 @@ static char *opstr[] = {
        [MOUNT_RDWR_NOCHECK] = "read-write",
 };
-typedef enum {
-        UNSUCCESSFUL,
-        SUCCESSFUL
-} LAST_DISABLE_OPERATION;
-LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL;
 static void disable_file(OPERATION op, const char *filename) {
        assert(filename);
        assert(op <OPERATION_MAX);
-        last_disable = UNSUCCESSFUL;
+        EUID_ASSERT();
        // Resolve all symlinks
        char* fname = realpath(filename, NULL);
@@ -71,20 +69,24 @@ static void disable_file(OPERATION op, const char *filename) {
                return;
        }
        if (fname == NULL && errno == EACCES) {
-                if (arg_debug)
-                        printf("Debug: no access to file %s, forcing mount\n", filename);
                // realpath and stat functions will fail on FUSE filesystems
                // they don't seem to like a uid of 0
                // force mounting
-                int rv = mount(RUN_RO_DIR, filename, "none", MS_BIND, "mode=400,gid=0");
+                int fd = open(filename, O_PATH|O_CLOEXEC);
-                if (rv == 0)
+                if (fd < 0) {
-                        last_disable = SUCCESSFUL;
+                        if (arg_debug)
-                else {
+                                printf("Warning (blacklisting): cannot open %s: %s\n", filename, strerror(errno));
-                        rv = mount(RUN_RO_FILE, filename, "none", MS_BIND, "mode=400,gid=0");
+                        return;
-                        if (rv == 0)
-                                last_disable = SUCCESSFUL;
                }
-                if (last_disable == SUCCESSFUL) {
+                EUID_ROOT();
+                int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
+                if (err != 0)
+                        err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
+                EUID_USER();
+                close(fd);
+                if (err == 0) {
                        if (arg_debug)
                                printf("Disable %s\n", filename);
                        if (op == BLACKLIST_FILE)
@@ -92,21 +94,18 @@ static void disable_file(OPERATION op, const char *filename) {
                        else
                                fs_logger2("blacklist-nolog", filename);
                }
-                else {
+                else if (arg_debug)
-                        if (arg_debug)
+                        printf("Warning (blacklisting): cannot mount on %s\n", filename);
-                                printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename);
-                }
                return;
        }
        // if the file is not present, do nothing
+        assert(fname);
        struct stat s;
-        if (fname == NULL)
+        if (stat(fname, &s) < 0) {
-                return;
-        if (stat(fname, &s) == -1) {
                if (arg_debug)
-                        fwarning("%s does not exist, skipping...\n", fname);
+                        printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno));
                free(fname);
                return;
        }
@@ -115,8 +114,10 @@ static void disable_file(OPERATION op, const char *filename) {
        // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
        // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
        //     and expects Firefox to open in the same sandbox
-        if (strcmp(BINDIR "/firejail", fname) == 0)
+        if (strcmp(BINDIR "/firejail", fname) == 0) {
+                free(fname);
                return;
+        }
        // modify the file
        if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
@@ -141,15 +142,25 @@ static void disable_file(OPERATION op, const char *filename) {
                                        printf(" - no logging\n");
                        }
+                        int fd = open(fname, O_PATH|O_CLOEXEC);
+                        if (fd < 0) {
+                                if (arg_debug)
+                                        printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
+                                free(fname);
+                                return;
+                        }
+                        EUID_ROOT();
                        if (S_ISDIR(s.st_mode)) {
-                                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
                                        errExit("disable file");
                        }
                        else {
-                                if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
                                        errExit("disable file");
                        }
-                        last_disable = SUCCESSFUL;
+                        EUID_USER();
+                        close(fd);
                        if (op == BLACKLIST_FILE)
                                fs_logger2("blacklist", fname);
                        else
@@ -158,23 +169,30 @@ static void disable_file(OPERATION op, const char *filename) {
        }
        else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
                fs_remount_rec(fname, op);
-                // todo: last_disable = SUCCESSFUL;
        }
        else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
+                if (!S_ISDIR(s.st_mode)) {
-                        if (getuid()) {
+                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
-                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                        free(fname);
-                                    fname[strlen(cfg.homedir)] != '/') {
+                        return;
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+                }
-                                        exit(1);
-                                }
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                free(fname);
+                                return;
                        }
-                        fs_tmpfs(fname, getuid());
-                        selinux_relabel_path(fname, fname);
-                        last_disable = SUCCESSFUL;
                }
-                else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                fs_tmpfs(fname, uid);
+                EUID_USER(); // fs_tmpfs returns with EUID 0
+                selinux_relabel_path(fname, fname);
        }
        else
                assert(0);
@@ -191,6 +209,7 @@ static int *nbcheck = NULL;
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
        assert(pattern);
+        EUID_ASSERT();
 #ifdef TEST_NO_BLACKLIST_MATCHING
        if (nbcheck_start == 0) {
@@ -264,6 +283,7 @@ void fs_blacklist(void) {
        if (noblacklist == NULL)
                errExit("failed allocating memory for noblacklist entries");
+        EUID_USER();
        while (entry) {
                OPERATION op = OPERATION_MAX;
                char *ptr;
@@ -294,11 +314,13 @@ void fs_blacklist(void) {
                        if (arg_debug)
                                printf("Mount-bind %s on top of %s\n", dname1, dname2);
                        // preserve dname2 mode and ownership
+                        // EUID_ROOT(); - option not accessible to non-root users
                        if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
                                errExit("mount bind");
                        /* coverity[toctou] */
                        if (set_perms(dname2,  s.st_uid, s.st_gid,s.st_mode))
                                errExit("set_perms");
+                        // EUID_USER();
                        entry = entry->next;
                        continue;
@@ -376,16 +398,12 @@ void fs_blacklist(void) {
                        op = MOUNT_TMPFS;
                }
                else if (strncmp(entry->data, "mkdir ", 6) == 0) {
-                        EUID_USER();
                        fs_mkdir(entry->data + 6);
-                        EUID_ROOT();
                        entry = entry->next;
                        continue;
                }
                else if (strncmp(entry->data, "mkfile ", 7) == 0) {
-                        EUID_USER();
                        fs_mkfile(entry->data + 7);
-                        EUID_ROOT();
                        entry = entry->next;
                        continue;
                }
@@ -441,6 +459,8 @@ void fs_blacklist(void) {
        for (i = 0; i < noblacklist_c; i++)
                free(noblacklist[i]);
        free(noblacklist);
+        EUID_ROOT();
 }
 //***********************************************
@@ -449,6 +469,7 @@ void fs_blacklist(void) {
 // mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
+        EUID_USER();
        assert(dir);
        if (arg_debug)
                printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -473,6 +494,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
                errExit("fstatvfs");
        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
        // mount via the symbolic link in /proc/self/fd
+        EUID_ROOT();
        char *proc;
        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                errExit("asprintf");
@@ -490,38 +512,42 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 // remount path, preserving other mount flags; requires a resolved path
 static void fs_remount_simple(const char *path, OPERATION op) {
+        EUID_ASSERT();
        assert(path);
        // open path without following symbolic links
-        int fd1 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd1 == -1)
+        if (fd < 0)
                goto out;
-        struct stat s1;
-        if (fstat(fd1, &s1) == -1) {
+        struct stat s;
+        if (fstat(fd, &s) < 0) {
                // fstat can fail with EACCES if path is a FUSE mount,
                // mounted without 'allow_root' or 'allow_other'
                if (errno != EACCES)
                        errExit("fstat");
-                close(fd1);
+                close(fd);
                goto out;
        }
        // get mount flags
        struct statvfs buf;
-        if (fstatvfs(fd1, &buf) == -1)
+        if (fstatvfs(fd, &buf) < 0) {
-                errExit("fstatvfs");
+                close(fd);
+                goto out;
+        }
        unsigned long flags = buf.f_flag;
        // read-write option
        if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
                // nothing to do if there is no read-only flag
                if ((flags & MS_RDONLY) == 0) {
-                        close(fd1);
+                        close(fd);
                        return;
                }
                // allow only user owned directories, except the user is root
-                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s1.st_uid != getuid()) {
+                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) {
                        fwarning("you are not allowed to change %s to read-write\n", path);
-                        close(fd1);
+                        close(fd);
                        return;
                }
                flags &= ~MS_RDONLY;
@@ -530,7 +556,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
        else if (op == MOUNT_NOEXEC) {
                // nothing to do if path is mounted noexec already
                if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
-                        close(fd1);
+                        close(fd);
                        return;
                }
                flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
@@ -539,7 +565,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
        else if (op == MOUNT_READONLY) {
                // nothing to do if path is mounted read-only already
                if ((flags & MS_RDONLY) == MS_RDONLY) {
-                        close(fd1);
+                        close(fd);
                        return;
                }
                flags |= MS_RDONLY;
@@ -549,29 +575,37 @@ static void fs_remount_simple(const char *path, OPERATION op) {
        if (arg_debug)
                printf("Mounting %s %s\n", opstr[op], path);
+        // make path a mount point:
        // mount --bind path path
-        char *proc;
+        EUID_ROOT();
-        if (asprintf(&proc, "/proc/self/fd/%d", fd1) == -1)
+        int err = bind_mount_by_fd(fd, fd);
-                errExit("asprintf");
+        EUID_USER();
-        if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (err) {
-                errExit("mount");
+                close(fd);
-        free(proc);
+                goto out;
+        }
-        // mount --bind -o remount,ro path
+        // remount the mount point
-        // need to open path again without following symbolic links
+        // need to open path again
        int fd2 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd2 == -1)
+        close(fd); // earliest timepoint to close fd
-                errExit("open");
+        if (fd2 < 0)
+                goto out;
+        // device and inode number should be the same
        struct stat s2;
-        if (fstat(fd2, &s2) == -1)
+        if (fstat(fd2, &s2) < 0)
                errExit("fstat");
-        // device and inode number should be the same
+        if (s.st_dev != s2.st_dev || s.st_ino != s2.st_ino)
-        if (s1.st_dev != s2.st_dev || s1.st_ino != s2.st_ino)
                errLogExit("invalid %s mount", opstr[op]);
-        if (asprintf(&proc, "/proc/self/fd/%d", fd2) == -1)
-                errExit("asprintf");
+        EUID_ROOT();
-        if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
+        err = remount_by_fd(fd2, flags);
-                errExit("mount");
+        EUID_USER();
+        close(fd2);
+        if (err)
+                goto out;
        // run a sanity check on /proc/self/mountinfo and confirm that target of the last
        // mount operation was path; if there are other mount points contained inside path,
@@ -582,10 +616,8 @@ static void fs_remount_simple(const char *path, OPERATION op) {
           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
           && strcmp(path, "/") != 0) // support read-only=/
                errLogExit("invalid %s mount", opstr[op]);
        fs_logger2(opstr[op], path);
-        free(proc);
-        close(fd1);
-        close(fd2);
        return;
 out:
@@ -594,7 +626,9 @@ out:
 // remount recursively; requires a resolved path
 static void fs_remount_rec(const char *dir, OPERATION op) {
+        EUID_ASSERT();
        assert(dir);
        struct stat s;
        if (stat(dir, &s) != 0)
                return;
@@ -632,6 +666,14 @@ static void fs_remount_rec(const char *dir, OPERATION op) {
 // resolve a path and remount it
 void fs_remount(const char *path, OPERATION op, int rec) {
        assert(path);
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
        char *rpath = realpath(path, NULL);
        if (rpath) {
                if (rec)
@@ -640,10 +682,14 @@ void fs_remount(const char *path, OPERATION op, int rec) {
                        fs_remount_simple(rpath, op);
                free(rpath);
        }
+        if (called_as_root)
+                EUID_ROOT();
 }
 // Disable /mnt, /media, /run/mount and /run/media access
 void fs_mnt(const int enforce) {
+        EUID_USER();
        if (enforce) {
                // disable-mnt set in firejail.config
                // overriding with noblacklist is not possible in this case
@@ -653,13 +699,12 @@ void fs_mnt(const int enforce) {
                disable_file(BLACKLIST_FILE, "/run/media");
        }
        else {
-                EUID_USER();
                profile_add("blacklist /mnt");
                profile_add("blacklist /media");
                profile_add("blacklist /run/mount");
                profile_add("blacklist /run/media");
-                EUID_ROOT();
        }
+        EUID_ROOT();
 }
@@ -674,7 +719,6 @@ void fs_proc_sys_dev_boot(void) {
                errExit("mounting /proc/sys");
        fs_logger("read-only /proc/sys");
        /* Mount a version of /sys that describes the network namespace */
        if (arg_debug)
                printf("Remounting /sys directory\n");
@@ -689,13 +733,13 @@ void fs_proc_sys_dev_boot(void) {
        else
                fs_logger("remount /sys");
+        EUID_USER();
        disable_file(BLACKLIST_FILE, "/sys/firmware");
        disable_file(BLACKLIST_FILE, "/sys/hypervisor");
        { // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-                EUID_USER();
                profile_add("blacklist /sys/fs");
                profile_add("blacklist /sys/module");
-                EUID_ROOT();
        }
        disable_file(BLACKLIST_FILE, "/sys/power");
        disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
@@ -739,12 +783,8 @@ void fs_proc_sys_dev_boot(void) {
        // disable /dev/port
        disable_file(BLACKLIST_FILE, "/dev/port");
        // disable various ipc sockets in /run/user
        if (!arg_writable_run_user) {
-                struct stat s;
                char *fname;
                if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
                        errExit("asprintf");
@@ -755,8 +795,7 @@ void fs_proc_sys_dev_boot(void) {
                                errExit("asprintf");
                        if (create_empty_dir_as_user(fnamegpg, 0700))
                                fs_logger2("create", fnamegpg);
-                        if (stat(fnamegpg, &s) == 0)
+                        disable_file(BLACKLIST_FILE, fnamegpg);
-                                disable_file(BLACKLIST_FILE, fnamegpg);
                        free(fnamegpg);
                        // disable /run/user/{uid}/systemd
@@ -765,8 +804,7 @@ void fs_proc_sys_dev_boot(void) {
                                errExit("asprintf");
                        if (create_empty_dir_as_user(fnamesysd, 0755))
                                fs_logger2("create", fnamesysd);
-                        if (stat(fnamesysd, &s) == 0)
+                        disable_file(BLACKLIST_FILE, fnamesysd);
-                                disable_file(BLACKLIST_FILE, fnamesysd);
                        free(fnamesysd);
                }
                free(fname);
@@ -777,35 +815,30 @@ void fs_proc_sys_dev_boot(void) {
                disable_file(BLACKLIST_FILE, "/dev/kmsg");
                disable_file(BLACKLIST_FILE, "/proc/kmsg");
        }
+        EUID_ROOT();
 }
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
-        struct stat s;
+        EUID_USER();
        char *fname;
        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                errExit("asprintf");
-        if (stat(fname, &s) == 0)
+        disable_file(BLACKLIST_FILE, fname);
-                disable_file(BLACKLIST_FILE, fname);
        free(fname);
        // disable run time information
-        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
-        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
-        if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+        EUID_ROOT();
-        if (stat(RUN_FIREJAIL_PROFILE_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
-        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
 }
 // build a basic read-only filesystem
-// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
        uid_t uid = getuid();
@@ -815,6 +848,7 @@ void fs_basic_fs(void) {
        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                errExit("mounting /proc");
+        EUID_USER();
        if (arg_debug)
                printf("Basic read-only filesystem:\n");
        if (!arg_writable_etc) {
@@ -834,6 +868,7 @@ void fs_basic_fs(void) {
        fs_remount("/lib64", MOUNT_READONLY, 1);
        fs_remount("/lib32", MOUNT_READONLY, 1);
        fs_remount("/libx32", MOUNT_READONLY, 1);
+        EUID_ROOT();
        // update /var directory in order to support multiple sandboxes running on the same root directory
        fs_var_lock();
@@ -862,6 +897,7 @@ void fs_basic_fs(void) {
 #ifdef HAVE_OVERLAYFS
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
        assert(subdirname);
+        EUID_ASSERT();
        struct stat s;
        char *dirname;
@@ -1221,6 +1257,7 @@ void fs_overlayfs(void) {
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
+        EUID_ASSERT();
        if (arg_debug)
                printf("Generate private-tmp whitelist commands\n");
@@ -1241,8 +1278,8 @@ void fs_private_tmp(void) {
        // whitelist x11 directory
        profile_add("whitelist /tmp/.X11-unix");
-        // read-only x11 directory
+        // read-only x11 directory
-        profile_add("read-only /tmp/.X11-unix");
+        profile_add("read-only /tmp/.X11-unix");
        // whitelist any pulse* file in /tmp directory
        // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 8c2870a4d..8cc3ecc62 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -187,8 +187,10 @@ static void mount_dev_shm(void) {
 static void process_dev_shm(void) {
        // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
        // looking for jack socket
+        EUID_USER();
        glob_t globbuf;
        int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
        if (globerr && !arg_keep_dev_shm) {
                empty_dev_shm();
                return;
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4bcefa443..0ed476063 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -34,24 +34,24 @@
 #define O_PATH 010000000
 #endif
-static void skel(const char *homedir, uid_t u, gid_t g) {
+static void skel(const char *homedir) {
-        char *fname;
+        EUID_ASSERT();
        // zsh
        if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                        errExit("asprintf");
-                struct stat s;
                // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                        return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                        fprintf(stderr, "Error: invalid %s file\n", fname);
                        exit(1);
                }
-                if (stat("/etc/skel/.zshrc", &s) == 0) {
+                if (access("/etc/skel/.zshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user
                        fs_logger("clone /etc/skel/.zshrc");
                        fs_logger2("clone", fname);
                }
@@ -65,19 +65,18 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
        // csh
        else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                        errExit("asprintf");
-                struct stat s;
                // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                        return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                        fprintf(stderr, "Error: invalid %s file\n", fname);
                        exit(1);
                }
-                if (stat("/etc/skel/.cshrc", &s) == 0) {
+                if (access("/etc/skel/.cshrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user
                        fs_logger("clone /etc/skel/.cshrc");
                        fs_logger2("clone", fname);
                }
@@ -91,18 +90,18 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
        // bash etc.
        else {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                        errExit("asprintf");
-                struct stat s;
                // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                        return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                        fprintf(stderr, "Error: invalid %s file\n", fname);
                        exit(1);
                }
-                if (stat("/etc/skel/.bashrc", &s) == 0) {
+                if (access("/etc/skel/.bashrc", R_OK) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                        copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user
                        fs_logger("clone /etc/skel/.bashrc");
                        fs_logger2("clone", fname);
                }
@@ -112,6 +111,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 static int store_xauthority(void) {
+        EUID_ASSERT();
        if (arg_x11_block)
                return 0;
@@ -122,14 +122,15 @@ static int store_xauthority(void) {
                errExit("asprintf");
        struct stat s;
-        if (stat(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
-                if (is_link(src)) {
+                if (S_ISLNK(s.st_mode)) {
                        fwarning("invalid .Xauthority file\n");
                        free(src);
                        return 0;
                }
                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                FILE *fp = fopen(dest, "we");
                if (fp) {
                        fprintf(fp, "\n");
@@ -138,10 +139,11 @@ static int store_xauthority(void) {
                }
                else
                        errExit("fopen");
+                EUID_USER();
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
+                copy_file_as_user(src, dest, 0600); // regular user
-                fs_logger2("clone", dest);
                selinux_relabel_path(dest, src);
+                fs_logger2("clone", dest);
                free(src);
                return 1; // file copied
        }
@@ -151,6 +153,7 @@ static int store_xauthority(void) {
 }
 static int store_asoundrc(void) {
+        EUID_ASSERT();
        if (arg_nosound)
                return 0;
@@ -161,11 +164,11 @@ static int store_asoundrc(void) {
                errExit("asprintf");
        struct stat s;
-        if (stat(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
-                if (is_link(src)) {
+                if (S_ISLNK(s.st_mode)) {
                        // make sure the real path of the file is inside the home directory
                        /* coverity[toctou] */
-                        char* rp = realpath(src, NULL);
+                        char *rp = realpath(src, NULL);
                        if (!rp) {
                                fprintf(stderr, "Error: Cannot access %s\n", src);
                                exit(1);
@@ -178,6 +181,7 @@ static int store_asoundrc(void) {
                }
                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                FILE *fp = fopen(dest, "we");
                if (fp) {
                        fprintf(fp, "\n");
@@ -186,10 +190,11 @@ static int store_asoundrc(void) {
                }
                else
                        errExit("fopen");
+                EUID_USER();
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
+                copy_file_as_user(src, dest, 0644); // regular user
-                selinux_relabel_path(dest, src);
                fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
                free(src);
                return 1; // file copied
        }
@@ -199,6 +204,7 @@ static int store_asoundrc(void) {
 }
 static void copy_xauthority(void) {
+        EUID_ASSERT();
        // copy XAUTHORITY_FILE in the new home directory
        char *src = RUN_XAUTHORITY_FILE ;
        char *dest;
@@ -211,16 +217,18 @@ static void copy_xauthority(void) {
                exit(1);
        }
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
        fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
        free(dest);
-        // delete the temporary file
+        EUID_ROOT();
-        unlink(src);
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 static void copy_asoundrc(void) {
+        EUID_ASSERT();
        // copy ASOUNDRC_FILE in the new home directory
        char *src = RUN_ASOUNDRC_FILE ;
        char *dest;
@@ -233,12 +241,14 @@ static void copy_asoundrc(void) {
                exit(1);
        }
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
        fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
        free(dest);
-        // delete the temporary file
+        EUID_ROOT();
-        unlink(src);
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 // private mode (--private=homedir):
@@ -251,13 +261,14 @@ void fs_private_homedir(void) {
        char *private_homedir = cfg.home_private;
        assert(homedir);
        assert(private_homedir);
+        EUID_ASSERT();
+        uid_t u = getuid();
+        // gid_t g = getgid();
        int xflag = store_xauthority();
        int aflag = store_asoundrc();
-        uid_t u = getuid();
-        gid_t g = getgid();
        // mount bind private_homedir on top of homedir
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
@@ -286,17 +297,11 @@ void fs_private_homedir(void) {
                exit(1);
        }
        // mount via the links in /proc/self/fd
-        char *proc_src, *proc_dst;
+        EUID_ROOT();
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
+        if (bind_mount_by_fd(src, dst))
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc_src);
+        EUID_USER();
-        free(proc_dst);
-        close(src);
-        close(dst);
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
        size_t len = strlen(homedir);
@@ -304,6 +309,8 @@ void fs_private_homedir(void) {
           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
                errLogExit("invalid private mount");
+        close(src);
+        close(dst);
        fs_logger3("mount-bind", private_homedir, homedir);
        fs_logger2("whitelist", homedir);
 // preserve mode and ownership
@@ -312,6 +319,7 @@ void fs_private_homedir(void) {
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
+        EUID_ROOT();
        if (u != 0) {
                // mask /root
                if (arg_debug)
@@ -330,8 +338,9 @@ void fs_private_homedir(void) {
                selinux_relabel_path("/home", "/home");
                fs_logger("tmpfs /home");
        }
+        EUID_USER();
-        skel(homedir, u, g);
+        skel(homedir);
        if (xflag)
                copy_xauthority();
        if (aflag)
@@ -346,12 +355,15 @@ void fs_private_homedir(void) {
 void fs_private(void) {
        char *homedir = cfg.homedir;
        assert(homedir);
+        EUID_ASSERT();
        uid_t u = getuid();
        gid_t g = getgid();
        int xflag = store_xauthority();
        int aflag = store_asoundrc();
+        EUID_ROOT();
        // mask /root
        if (arg_debug)
                printf("Mounting a new /root directory\n");
@@ -394,8 +406,9 @@ void fs_private(void) {
                selinux_relabel_path(homedir, homedir);
        }
+        EUID_USER();
-        skel(homedir, u, g);
+        skel(homedir);
        if (xflag)
                copy_xauthority();
        if (aflag)
@@ -438,6 +451,7 @@ void fs_check_private_cwd(const char *dir) {
 // --private-home
 //***********************************************************************************
 static char *check_dir_or_file(const char *name) {
+        EUID_ASSERT();
        assert(name);
        // basic checks
@@ -498,6 +512,7 @@ errexit:
 }
 static void duplicate(char *name) {
+        EUID_ASSERT();
        char *fname = check_dir_or_file(name);
        if (arg_debug)
@@ -535,28 +550,31 @@ static void duplicate(char *name) {
 //      set skel files,
 //      restore .Xauthority
 void fs_private_home_list(void) {
-        timetrace_start();
        char *homedir = cfg.homedir;
        char *private_list = cfg.home_private_keep;
        assert(homedir);
        assert(private_list);
+        EUID_ASSERT();
-        int xflag = store_xauthority();
+        timetrace_start();
-        int aflag = store_asoundrc();
        uid_t uid = getuid();
        gid_t gid = getgid();
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
        // create /run/firejail/mnt/home directory
+        EUID_ROOT();
        mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
        selinux_relabel_path(RUN_HOME_DIR, homedir);
        fs_logger_print();      // save the current log
+        EUID_USER();
+        // copy the list of files in the new home directory
        if (arg_debug)
                printf("Copying files in the new home:\n");
-        // copy the list of files in the new home directory
        char *dlist = strdup(cfg.home_private_keep);
        if (!dlist)
                errExit("strdup");
@@ -589,24 +607,19 @@ void fs_private_home_list(void) {
                exit(1);
        }
        // mount using the file descriptor
-        char *proc;
+        EUID_ROOT();
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+        if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
-                errExit("asprintf");
-        if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc);
+        EUID_USER();
        close(fd);
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
        if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                errLogExit("invalid private-home mount");
        fs_logger2("tmpfs", homedir);
-        // mask RUN_HOME_DIR, it is writable and not noexec
+        EUID_ROOT();
-        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mounting tmpfs");
-        fs_logger2("tmpfs", RUN_HOME_DIR);
        if (uid != 0) {
                // mask /root
                if (arg_debug)
@@ -626,7 +639,12 @@ void fs_private_home_list(void) {
                fs_logger("tmpfs /home");
        }
-        skel(homedir, uid, gid);
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
+        skel(homedir);
        if (xflag)
                copy_xauthority();
        if (aflag)
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 5df356d04..9d7a17cf3 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -178,8 +178,7 @@ void fslib_mount(const char *full_path) {
        if (*full_path == '\0' ||
            !valid_full_path(full_path) ||
-            access(full_path, F_OK) != 0 ||
+            stat_as_user(full_path, &s) != 0 ||
-            stat(full_path, &s) != 0 ||
            s.st_uid != 0)
                return;
@@ -203,7 +202,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
        }
        if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root");
+                printf("    fslib_mount_libs %s\n", full_path);
        // create an empty RUN_LIB_FILE and allow the user to write to it
        unlink(RUN_LIB_FILE);                     // in case is there
        create_empty_file_as_root(RUN_LIB_FILE, 0644);
@@ -212,7 +211,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
        // run fldd to extract the list of files
        if (arg_debug || arg_debug_private_lib)
-                printf("    running fldd %s\n", full_path);
+                printf("    running fldd %s as %s\n", full_path, user ? "user" : "root");
        unsigned mask;
        if (user)
                mask = SBOX_USER;
@@ -246,7 +245,7 @@ static void load_library(const char *fname) {
        // existing file owned by root
        struct stat s;
-        if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) {
+        if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) {
                // load directories, regular 64 bit libraries, and 64 bit executables
                if (S_ISDIR(s.st_mode))
                        fslib_mount(fname);
@@ -286,19 +285,21 @@ static void install_list_entry(const char *lib) {
 #define DO_GLOBBING
 #ifdef DO_GLOBBING
                // globbing
+                EUID_USER();
                glob_t globbuf;
                int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
                if (globerr) {
                        fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname);
                        exit(1);
                }
+                EUID_ROOT();
                size_t j;
                for (j = 0; j < globbuf.gl_pathc; j++) {
                        assert(globbuf.gl_pathv[j]);
 //printf("glob %s\n", globbuf.gl_pathv[j]);
                        // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway
-                        // foobar/* includes foobar/. and foobar/..
+                        // foobar/* expands to foobar/. and foobar/..
                        const char *base = gnu_basename(globbuf.gl_pathv[j]);
                        if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
                                continue;
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 8cfeea582..0195435f9 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,9 @@
 #include <sys/wait.h>
 #include <string.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 static void check(const char *fname) {
        // manufacture /run/user directory
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 1fc38361e..475a391ec 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -71,12 +71,8 @@ void fs_tracefile(void) {
        // mount using the symbolic link in /proc/self/fd
        if (arg_debug)
                printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
-        char *proc;
+        if (bind_mount_fd_to_path(fd, RUN_TRACE_FILE))
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind " RUN_TRACE_FILE);
-        free(proc);
        close(fd);
        // now that RUN_TRACE_FILE is user-writable, mount it noexec
        fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0);
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index bae3d6df0..20e262d80 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -323,4 +323,8 @@ void fs_var_utmp(void) {
        if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                errExit("mount bind utmp");
        fs_logger2("create", UTMP_FILE);
+        // blacklist RUN_UTMP_FILE
+        if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount bind");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 9a7a1bac7..943f275de 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -195,15 +195,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
        if (arg_debug || arg_debug_whitelists)
                printf("Whitelisting %s\n", path);
+        if (bind_mount_by_fd(fd, fd3))
-        // in order to make this mount resilient against symlink attacks, use
-        // magic links in /proc/self/fd instead of mounting the paths directly
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", fd3) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND | MS_REC, NULL) < 0)
                errExit("mount bind");
        // check the last mount operation
        MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
@@ -221,8 +213,6 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
        //  - there should be more than one '/' char in dest string
        if (mptr->dir == strrchr(mptr->dir, '/'))
                errLogExit("invalid whitelist mount");
-        free(proc_src);
-        free(proc_dst);
        close(fd);
        close(fd3);
        fs_logger2("whitelist", path);
@@ -267,6 +257,7 @@ static void whitelist_symlink(const char *link, const char *target) {
 }
 static void globbing(const char *pattern) {
+        EUID_ASSERT();
        assert(pattern);
        // globbing
@@ -304,7 +295,6 @@ static void globbing(const char *pattern) {
 }
 // mount tmpfs on all top level directories
-// home directories *inside* /run/user/$UID are not fully supported
 static void tmpfs_topdirs(const TopDir *topdirs) {
        int tmpfs_home = 0;
        int tmpfs_runuser = 0;
@@ -335,18 +325,15 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                // mount tmpfs
                fs_tmpfs(topdirs[i].path, 0);
+                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
                // init tmpfs
                if (strcmp(topdirs[i].path, "/run") == 0) {
                        // restore /run/firejail directory
                        if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1)
                                errExit("mkdir");
-                        char *proc;
+                        if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
-                        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                                errExit("asprintf");
-                        if (mount(proc, RUN_FIREJAIL_DIR, NULL, MS_BIND | MS_REC, NULL) < 0)
                                errExit("mount bind");
-                        free(proc);
                        close(fd);
                        fs_logger2("whitelist", RUN_FIREJAIL_DIR);
@@ -384,14 +371,14 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                        const char *rel = cfg.homedir + topdir_len + 1;
                        whitelist_file(topdirs[i].fd, rel, cfg.homedir);
                }
-                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
        }
        // user home directory
-        if (tmpfs_home)
+        if (tmpfs_home) {
-                // checks owner if outside /home
+                EUID_USER();
-                fs_private();
+                fs_private(); // checks owner if outside /home
+                EUID_ROOT();
+        }
        // /run/user/$UID directory
        if (tmpfs_runuser) {
@@ -467,9 +454,9 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
                errExit("strdup");
        // open the directory, don't follow symbolic links
-        rv->fd = safer_openat(-1, rv->path, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
+        rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
        if (rv->fd == -1) {
-                fprintf(stderr, "Error: cannot open %s\n", rv->path);
+                fprintf(stderr, "Error: cannot open %s\n", dir);
                exit(1);
        }
@@ -750,10 +737,11 @@ void fs_whitelist(void) {
                        }
                        // create the link if any
-                        if (link)
+                        if (link) {
                                whitelist_symlink(link, file);
+                                free(link);
+                        }
-                        free(link);
                        free(file);
                        free(entry->wparam);
                        entry->wparam = NULL;
diff --git a/src/firejail/join.c b/src/firejail/join.c
index bab4b830f..394bbb528 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -147,7 +147,7 @@ static void extract_command(int argc, char **argv, int index) {
        }
        // build command
-        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
+        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true);
 }
 static void extract_nogroups(pid_t pid) {
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 796c42290..ae7e89741 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -31,6 +31,10 @@
 //#include <stdio.h>
 //#include <stdlib.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 // uid/gid cache
 static uid_t c_uid = 0;
 static char *c_uid_name = NULL;
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index bcac1feb4..cd29d8f85 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -149,6 +149,7 @@ static char *resolve_xdg(const char *var) {
 // returns mallocated memory
 static char *resolve_hardcoded(char *entries[]) {
+        EUID_ASSERT();
        char *fname;
        struct stat s;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d46a56627..7b32f6f07 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -44,6 +44,10 @@
 #define O_PATH 010000000
 #endif
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 #ifdef __ia64__
 /* clone(2) has a different interface on ia64, as it needs to know
   the size of the stack */
@@ -259,8 +263,8 @@ static void init_cfg(int argc, char **argv) {
                fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
                exit(1);
        }
+        check_homedir(pw->pw_dir);
        cfg.homedir = clean_pathname(pw->pw_dir);
-        check_homedir();
        // initialize random number generator
        sandbox_pid = getpid();
@@ -862,12 +866,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 char *guess_shell(void) {
        const char *shell;
        char *retval;
-        struct stat s;
        shell = env_get("SHELL");
        if (shell) {
                invalid_filename(shell, 0); // no globbing
-                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
+                if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
                    strcmp(shell, PATH_FIREJAIL) != 0)
                        goto found;
        }
@@ -878,12 +881,15 @@ char *guess_shell(void) {
        int i = 0;
        while (shells[i] != NULL) {
                // access call checks as real UID/GID, not as effective UID/GID
-                if (stat(shells[i], &s) == 0 && access(shells[i], X_OK) == 0) {
+                if (access(shells[i], X_OK) == 0) {
                        shell = shells[i];
-                        break;
+                        goto found;
                }
                i++;
        }
+        return NULL;
 found:
        retval = strdup(shell);
        if (!retval)
@@ -1490,8 +1496,11 @@ int main(int argc, char **argv, char **envp) {
                        arg_rlimit_nproc = 1;
                }
                else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-                        check_unsigned(argv[i] + 15, "Error: invalid rlimit");
+                        cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
-                        sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_fsize = 1;
                }
                else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1500,8 +1509,11 @@ int main(int argc, char **argv, char **envp) {
                        arg_rlimit_sigpending = 1;
                }
                else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
-                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
+                        cfg.rlimit_as = parse_arg_size(argv[i] + 12);
-                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_as = 1;
                }
                else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
@@ -1959,61 +1971,77 @@ int main(int argc, char **argv, char **envp) {
                        arg_keep_dev_shm = 1;
                }
                else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-                        if (arg_writable_etc) {
+                        if (checkcfg(CFG_PRIVATE_ETC)) {
-                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                if (arg_writable_etc) {
-                                exit(1);
+                                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                        }
+                                        exit(1);
+                                }
-                        // extract private etc list
+                                // extract private etc list
-                        if (*(argv[i] + 14) == '\0') {
+                                if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-etc option\n");
+                                        fprintf(stderr, "Error: invalid private-etc option\n");
-                                exit(1);
+                                        exit(1);
+                                }
+                                if (cfg.etc_private_keep) {
+                                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.etc_private_keep = argv[i] + 14;
+                                arg_private_etc = 1;
                        }
-                        if (cfg.etc_private_keep) {
+                        else
-                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+                                exit_err_feature("private-etc");
-                                        errExit("asprintf");
-                        } else
-                                cfg.etc_private_keep = argv[i] + 14;
-                        arg_private_etc = 1;
                }
                else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
-                        // extract private opt list
+                        if (checkcfg(CFG_PRIVATE_OPT)) {
-                        if (*(argv[i] + 14) == '\0') {
+                                // extract private opt list
-                                fprintf(stderr, "Error: invalid private-opt option\n");
+                                if (*(argv[i] + 14) == '\0') {
-                                exit(1);
+                                        fprintf(stderr, "Error: invalid private-opt option\n");
+                                        exit(1);
+                                }
+                                if (cfg.opt_private_keep) {
+                                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.opt_private_keep = argv[i] + 14;
+                                arg_private_opt = 1;
                        }
-                        if (cfg.opt_private_keep) {
+                        else
-                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+                                exit_err_feature("private-opt");
-                                        errExit("asprintf");
-                        } else
-                                cfg.opt_private_keep = argv[i] + 14;
-                        arg_private_opt = 1;
                }
                else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
-                        // extract private srv list
+                        if (checkcfg(CFG_PRIVATE_SRV)) {
-                        if (*(argv[i] + 14) == '\0') {
+                                // extract private srv list
-                                fprintf(stderr, "Error: invalid private-srv option\n");
+                                if (*(argv[i] + 14) == '\0') {
-                                exit(1);
+                                        fprintf(stderr, "Error: invalid private-srv option\n");
+                                        exit(1);
+                                }
+                                if (cfg.srv_private_keep) {
+                                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.srv_private_keep = argv[i] + 14;
+                                arg_private_srv = 1;
                        }
-                        if (cfg.srv_private_keep) {
+                        else
-                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+                                exit_err_feature("private-srv");
-                                        errExit("asprintf");
-                        } else
-                                cfg.srv_private_keep = argv[i] + 14;
-                        arg_private_srv = 1;
                }
                else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-                        // extract private bin list
+                        if (checkcfg(CFG_PRIVATE_BIN)) {
-                        if (*(argv[i] + 14) == '\0') {
+                                // extract private bin list
-                                fprintf(stderr, "Error: invalid private-bin option\n");
+                                if (*(argv[i] + 14) == '\0') {
-                                exit(1);
+                                        fprintf(stderr, "Error: invalid private-bin option\n");
+                                        exit(1);
+                                }
+                                if (cfg.bin_private_keep) {
+                                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.bin_private_keep = argv[i] + 14;
+                                arg_private_bin = 1;
                        }
-                        if (cfg.bin_private_keep) {
+                        else
-                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+                                exit_err_feature("private-bin");
-                                        errExit("asprintf");
-                        } else
-                                cfg.bin_private_keep = argv[i] + 14;
-                        arg_private_bin = 1;
                }
                else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                        if (checkcfg(CFG_PRIVATE_LIB)) {
@@ -2801,6 +2829,11 @@ int main(int argc, char **argv, char **envp) {
        // build the sandbox command
        if (prog_index == -1 && cfg.shell) {
                assert(cfg.command_line == NULL); // runs cfg.shell
+                if (arg_appimage) {
+                        fprintf(stderr, "Error: no appimage archive specified\n");
+                        exit(1);
+                }
                cfg.window_title = cfg.shell;
                cfg.command_name = cfg.shell;
        }
@@ -2808,10 +2841,11 @@ int main(int argc, char **argv, char **envp) {
                if (arg_debug)
                        printf("Configuring appimage environment\n");
                appimage_set(cfg.command_name);
-                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
        }
        else {
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                // Only add extra quotes if we were not launched by sshd.
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, !parent_sshd);
        }
 /*      else {
                fprintf(stderr, "Error: command must be specified when --shell=none used.\n");
@@ -2825,7 +2859,13 @@ int main(int argc, char **argv, char **envp) {
        // load the profile
        if (!arg_noprofile && !custom_profile) {
-                custom_profile = profile_find_firejail(cfg.command_name, 1);
+                if (arg_appimage) {
+                        custom_profile = appimage_find_profile(cfg.command_name);
+                        // disable shell=* for appimages
+                        arg_shell_none = 0;
+                }
+                else
+                        custom_profile = profile_find_firejail(cfg.command_name, 1);
        }
        // use default.profile as the default
@@ -2839,7 +2879,7 @@ int main(int argc, char **argv, char **envp) {
                custom_profile = profile_find_firejail(profile_name, 1);
                if (!custom_profile) {
-                        fprintf(stderr, "Error: no default.profile installed\n");
+                        fprintf(stderr, "Error: no %s installed\n", profile_name);
                        exit(1);
                }
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index a700729d3..64a94bd84 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -22,7 +22,7 @@
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 #define MAX_BUF 4096
@@ -153,6 +153,7 @@ MountData *get_last_mount(void) {
 // Extract the mount id from /proc/self/fdinfo and return it.
 int get_mount_id(const char *path) {
+        EUID_ASSERT();
        assert(path);
        int fd = open(path, O_PATH|O_CLOEXEC);
@@ -162,7 +163,9 @@ int get_mount_id(const char *path) {
        char *fdinfo;
        if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
                errExit("asprintf");
+        EUID_ROOT();
        FILE *fp = fopen(fdinfo, "re");
+        EUID_USER();
        free(fdinfo);
        if (!fp)
                goto errexit;
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 0e153c47b..665bef73d 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,7 +204,7 @@ void run_no_sandbox(int argc, char **argv) {
                // force --shell=none in order to not break firecfg symbolic links
                arg_shell_none = 1;
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
        }
        fwarning("an existing sandbox was detected. "
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index b800fa944..d58a9d272 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -136,7 +136,7 @@ int program_in_path(const char *program) {
                        // ('x' permission means something different for directories).
                        // exec follows symlinks, so use stat, not lstat.
                        struct stat st;
-                        if (stat(scratch, &st)) {
+                        if (stat_as_user(scratch, &st)) {
                                perror(scratch);
                                exit(1);
                        }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index af28cd488..7b21eb387 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -22,6 +22,11 @@
 #include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 extern char *xephyr_screen;
 #define MAX_READ 8192                             // line buffer for profile files
@@ -1275,56 +1280,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // private /etc list of files and directories
        if (strncmp(ptr, "private-etc ", 12) == 0) {
-                if (arg_writable_etc) {
+                if (checkcfg(CFG_PRIVATE_ETC)) {
-                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                        if (arg_writable_etc) {
-                        exit(1);
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                }
+                                exit(1);
-                if (cfg.etc_private_keep) {
+                        }
-                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+                        if (cfg.etc_private_keep) {
-                                errExit("asprintf");
+                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
-                } else {
+                                        errExit("asprintf");
-                        cfg.etc_private_keep = ptr + 12;
+                        } else {
+                                cfg.etc_private_keep = ptr + 12;
+                        }
+                        arg_private_etc = 1;
                }
-                arg_private_etc = 1;
+                else
+                        warning_feature_disabled("private-etc");
                return 0;
        }
        // private /opt list of files and directories
        if (strncmp(ptr, "private-opt ", 12) == 0) {
-                if (cfg.opt_private_keep) {
+                if (checkcfg(CFG_PRIVATE_OPT)) {
-                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+                        if (cfg.opt_private_keep) {
-                                errExit("asprintf");
+                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
-                } else {
+                                        errExit("asprintf");
-                        cfg.opt_private_keep = ptr + 12;
+                        } else {
+                                cfg.opt_private_keep = ptr + 12;
+                        }
+                        arg_private_opt = 1;
                }
-                arg_private_opt = 1;
+                else
+                        warning_feature_disabled("private-opt");
                return 0;
        }
        // private /srv list of files and directories
        if (strncmp(ptr, "private-srv ", 12) == 0) {
-                if (cfg.srv_private_keep) {
+                if (checkcfg(CFG_PRIVATE_SRV)) {
-                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+                        if (cfg.srv_private_keep) {
-                                errExit("asprintf");
+                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
-                } else {
+                                        errExit("asprintf");
-                        cfg.srv_private_keep = ptr + 12;
+                        } else {
+                                cfg.srv_private_keep = ptr + 12;
+                        }
+                        arg_private_srv = 1;
                }
-                arg_private_srv = 1;
+                else
+                        warning_feature_disabled("private-srv");
                return 0;
        }
        // private /bin list of files
        if (strncmp(ptr, "private-bin ", 12) == 0) {
-                if (cfg.bin_private_keep) {
+                if (checkcfg(CFG_PRIVATE_BIN)) {
-                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+                        if (cfg.bin_private_keep) {
-                                errExit("asprintf");
+                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
-                } else {
+                                        errExit("asprintf");
-                        cfg.bin_private_keep = ptr + 12;
+                        } else {
+                                cfg.bin_private_keep = ptr + 12;
+                        }
+                        arg_private_bin = 1;
                }
-                arg_private_bin = 1;
+                else
+                        warning_feature_disabled("private-bin");
                return 0;
        }
@@ -1492,8 +1510,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        arg_rlimit_nproc = 1;
                }
                else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-                        check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
+                        cfg.rlimit_fsize = parse_arg_size(ptr + 13);
-                        sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_fsize = 1;
                }
                else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1502,8 +1523,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        arg_rlimit_sigpending = 1;
                }
                else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
-                        check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: ");
+                        cfg.rlimit_as = parse_arg_size(ptr + 10);
-                        sscanf(ptr + 10, "%llu", &cfg.rlimit_as);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                        arg_rlimit_as = 1;
                }
                else {
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 1b01a71c6..f8d4c2f3c 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -75,31 +75,34 @@ void pulseaudio_disable(void) {
        closedir(dir);
 }
-static void pulseaudio_fallback(const char *path) {
-        assert(path);
-        fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
-        env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV);
-}
 // disable shm in pulseaudio (issue #69)
 void pulseaudio_init(void) {
-        struct stat s;
        // do we have pulseaudio in the system?
-        if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) {
+        if (access(PULSE_CLIENT_SYSCONF, R_OK)) {
                if (arg_debug)
-                        printf("%s not found\n", PULSE_CLIENT_SYSCONF);
+                        printf("Cannot read %s\n", PULSE_CLIENT_SYSCONF);
                return;
        }
+        // create ~/.config/pulse directory if not present
+        char *homeusercfg = NULL;
+        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+        free(homeusercfg);
+        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
        // create the new user pulseaudio directory
+        // that will be mounted over ~/.config/pulse
        if (mkdir(RUN_PULSE_DIR, 0700) == -1)
                errExit("mkdir");
-        selinux_relabel_path(RUN_PULSE_DIR, RUN_PULSE_DIR);
+        selinux_relabel_path(RUN_PULSE_DIR, homeusercfg);
-        // mount it nosuid, noexec, nodev
        fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0);
        // create the new client.conf file
        char *pulsecfg = NULL;
        if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
@@ -116,37 +119,14 @@ void pulseaudio_init(void) {
        if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
                errExit("set_perms");
-        // create ~/.config/pulse directory if not present
-        char *homeusercfg = NULL;
-        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
-        free(homeusercfg);
-        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
        // if ~/.config/pulse exists and there are no symbolic links, mount the new directory
        // else set environment variable
+        EUID_USER();
        int fd = safer_openat(-1, homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        EUID_ROOT();
        if (fd == -1) {
-                pulseaudio_fallback(pulsecfg);
+                fwarning("not mounting tmpfs on %s\n", homeusercfg);
-                goto out;
+                env_store_name_val("PULSE_CLIENTCONFIG", pulsecfg, SETENV);
-        }
-        // confirm the actual mount destination is owned by the user
-        if (fstat(fd, &s) == -1) { // FUSE
-                if (errno != EACCES)
-                        errExit("fstat");
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
-                goto out;
-        }
-        if (s.st_uid != getuid()) {
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
                goto out;
        }
        // preserve a read-only mount
@@ -158,17 +138,13 @@ void pulseaudio_init(void) {
        // mount via the link in /proc/self/fd
        if (arg_debug)
                printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
-        char *proc;
+        if (bind_mount_path_to_fd(RUN_PULSE_DIR, fd))
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0)
                errExit("mount pulseaudio");
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
        if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                errLogExit("invalid pulseaudio mount");
        fs_logger2("tmpfs", homeusercfg);
-        free(proc);
        close(fd);
        char *p;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 53e395b89..6f17231a4 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -104,12 +104,8 @@ static void sanitize_home(void) {
        selinux_relabel_path(cfg.homedir, cfg.homedir);
        // bring back real user home directory
-        char *proc;
+        if (bind_mount_fd_to_path(fd, cfg.homedir))
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc);
        close(fd);
        if (!arg_private)
@@ -154,12 +150,8 @@ static void sanitize_run(void) {
        selinux_relabel_path(runuser, runuser);
        // bring back real run/user/$UID directory
-        char *proc;
+        if (bind_mount_fd_to_path(fd, runuser))
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc);
        close(fd);
        fs_logger2("whitelist", runuser);
@@ -246,6 +238,11 @@ static void sanitize_passwd(void) {
        // mount-bind tne new password file
        if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
+        // blacklist RUN_PASSWD_FILE
+        if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
        fs_logger("create /etc/passwd");
        return;
@@ -376,6 +373,11 @@ static void sanitize_group(void) {
        // mount-bind tne new group file
        if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                errExit("mount");
+        // blacklist RUN_GROUP_FILE
+        if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
        fs_logger("create /etc/group");
        return;
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index 78f00bc63..2666486fa 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -21,6 +21,10 @@
 #include <sys/time.h>
 #include <sys/resource.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 void set_rlimits(void) {
        EUID_ASSERT();
        // resource limits
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a6bcec02c..99abce57f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -49,6 +49,9 @@
 #include <sys/apparmor.h>
 #endif
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 static int force_nonewprivs = 0;
@@ -837,6 +840,7 @@ int sandbox(void* sandbox_arg) {
        // private mode
        //****************************
        if (arg_private) {
+                EUID_USER();
                if (cfg.home_private) { // --private=
                        if (cfg.chrootdir)
                                fwarning("private=directory feature is disabled in chroot\n");
@@ -855,6 +859,7 @@ int sandbox(void* sandbox_arg) {
                }
                else // --private
                        fs_private();
+                EUID_ROOT();
        }
        if (arg_private_dev)
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index d2c0bcc19..37111324a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -265,7 +265,6 @@ int sbox_run(unsigned filtermask, int num, ...) {
 }
 int sbox_run_v(unsigned filtermask, char * const arg[]) {
-        EUID_ROOT();
        assert(arg);
        if (arg_debug) {
@@ -285,6 +284,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
        if (child < 0)
                errExit("fork");
        if (child == 0) {
+                EUID_ROOT();
                sbox_do_exec_v(filtermask, arg);
        }
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 06189d7f6..6969e7a3d 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -19,10 +19,13 @@
 */
 #if HAVE_SELINUX
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 #include <selinux/context.h>
 #include <selinux/label.h>
@@ -52,8 +55,9 @@ void selinux_relabel_path(const char *path, const char *inside_path)
        if (!label_hnd)
                errExit("selabel_open");
-        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+         * Defeat symlink races by not allowing symbolic links */
+        fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
        if (fd < 0)
                return;
        if (fstat(fd, &st) < 0)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6a7318c4b..55998e6c3 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -31,6 +31,9 @@
 #include <sys/wait.h>
 #include <limits.h>
+#include <string.h>
+#include <ctype.h>
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -41,11 +44,53 @@
 #include <linux/openat2.h>
 #endif
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
 #define EMPTY_STRING ("")
+long long unsigned parse_arg_size(char *str) {
+        long long unsigned result = 0;
+        int len = strlen(str);
+        sscanf(str, "%llu", &result);
+        char suffix = *(str + len - 1);
+        if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) {
+                len -= 1;
+        }
+        /* checks for is value valid positive number */
+        for (int i = 0; i < len; i++) {
+                if (!isdigit(*(str+i))) {
+                        return 0;
+                }
+        }
+        if (isdigit(suffix))
+                return result;
+        switch (suffix) {
+        case 'k':
+                result *= 1024;
+                break;
+        case 'm':
+                result *= 1024 * 1024;
+                break;
+        case 'g':
+                result *= 1024 * 1024 * 1024;
+                break;
+        default:
+                result = 0;
+                break;
+        }
+        return result;
+}
 // send the error to /var/log/auth.log and exit after a small delay
 void errLogExit(char* fmt, ...) {
        va_list args;
@@ -325,7 +370,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 }
 // return -1 if error, 0 if no error
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
        pid_t child = fork();
        if (child < 0)
                errExit("fork");
@@ -333,8 +378,8 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                // drop privileges
                drop_privs(0);
-                // copy, set permissions and ownership
+                // copy, set permissions
-                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                if (rv)
                        fwarning("cannot copy %s\n", srcname);
 #ifdef HAVE_GCOV
@@ -394,11 +439,11 @@ void touch_file_as_user(const char *fname, mode_t mode) {
                // drop privileges
                drop_privs(0);
-                FILE *fp = fopen(fname, "wx");
+                int fd = open(fname, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
-                if (fp) {
+                if (fd > -1) {
-                        fprintf(fp, "\n");
+                        int err = fchmod(fd, mode);
-                        SET_PERMS_STREAM(fp, -1, -1, mode);
+                        (void) err;
-                        fclose(fp);
+                        close(fd);
                }
                else
                        fwarning("cannot create %s\n", fname);
@@ -417,6 +462,13 @@ int is_dir(const char *fname) {
        if (*fname == '\0')
                return 0;
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
        // if fname doesn't end in '/', add one
        int rv;
        struct stat s;
@@ -432,6 +484,9 @@ int is_dir(const char *fname) {
                free(tmp);
        }
+        if (called_as_root)
+                EUID_ROOT();
        if (rv == -1)
                return 0;
@@ -447,18 +502,83 @@ int is_link(const char *fname) {
        if (*fname == '\0')
                return 0;
-        char *dup = strdup(fname);
+        int called_as_root = 0;
-        if (!dup)
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
+        // remove trailing '/' if any
+        char *tmp = strdup(fname);
+        if (!tmp)
                errExit("strdup");
-        trim_trailing_slash_or_dot(dup);
+        trim_trailing_slash_or_dot(tmp);
        char c;
-        ssize_t rv = readlink(dup, &c, 1);
+        ssize_t rv = readlink(tmp, &c, 1);
+        free(tmp);
+        if (called_as_root)
+                EUID_ROOT();
-        free(dup);
        return (rv != -1);
 }
+char *realpath_as_user(const char *fname) {
+        assert(fname);
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
+        char *rv = realpath(fname, NULL);
+        if (called_as_root)
+                EUID_ROOT();
+        return rv;
+}
+int stat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
+        int rv = stat(fname, s);
+        if (called_as_root)
+                EUID_ROOT();
+        return rv;
+}
+int lstat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
+        int rv = lstat(fname, s);
+        if (called_as_root)
+                EUID_ROOT();
+        return rv;
+}
 // remove all slashes and single dots from the end of a path
 // for example /foo/bar///././. -> /foo/bar
 void trim_trailing_slash_or_dot(char *path) {
@@ -891,35 +1011,37 @@ static int remove_callback(const char *fpath, const struct stat *sb, int typefla
 int remove_overlay_directory(void) {
        EUID_ASSERT();
-        struct stat s;
        sleep(1);
        char *path;
        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
                errExit("asprintf");
-        if (lstat(path, &s) == 0) {
+        if (access(path, F_OK) == 0) {
-                // deal with obvious problems such as symlinks and root ownership
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", path);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", path);
-                        exit(1);
-                }
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", path);
-                        exit(1);
-                }
                pid_t child = fork();
                if (child < 0)
                        errExit("fork");
                if (child == 0) {
-                        // open ~/.firejail, fails if there is any symlink
+                        // open ~/.firejail
-                        int fd = safer_openat(-1, path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-                        if (fd == -1)
+                        if (fd == -1) {
-                                errExit("safer_openat");
+                                fprintf(stderr, "Error: cannot open %s\n", path);
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (fstat(fd, &s) == -1)
+                                errExit("fstat");
+                        if (!S_ISDIR(s.st_mode)) {
+                                if (S_ISLNK(s.st_mode))
+                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
+                                else
+                                        fprintf(stderr, "Error: %s is not a directory\n", path);
+                                exit(1);
+                        }
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+                                exit(1);
+                        }
                        // chdir to ~/.firejail
                        if (fchdir(fd) == -1)
                                errExit("fchdir");
@@ -942,7 +1064,7 @@ int remove_overlay_directory(void) {
                // wait for the child to finish
                waitpid(child, NULL, 0);
                // check if ~/.firejail was deleted
-                if (stat(path, &s) == 0)
+                if (access(path, F_OK) == 0)
                        return 1;
        }
        return 0;
@@ -975,9 +1097,8 @@ void flush_stdin(void) {
 int create_empty_dir_as_user(const char *dir, mode_t mode) {
        assert(dir);
        mode &= 07777;
-        struct stat s;
-        if (stat(dir, &s)) {
+        if (access(dir, F_OK) != 0) {
                if (arg_debug)
                        printf("Creating empty %s directory\n", dir);
                pid_t child = fork();
@@ -988,8 +1109,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                        drop_privs(0);
                        if (mkdir(dir, mode) == 0) {
-                                if (chmod(dir, mode) == -1)
+                                int err = chmod(dir, mode);
-                                        {;} // do nothing
+                                (void) err;
                        }
                        else if (arg_debug)
                                printf("Directory %s not created: %s\n", dir, strerror(errno));
@@ -999,7 +1120,7 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                        _exit(0);
                }
                waitpid(child, NULL, 0);
-                if (stat(dir, &s) == 0)
+                if (access(dir, F_OK) == 0)
                        return 1;
        }
        return 0;
@@ -1110,20 +1231,35 @@ unsigned extract_timeout(const char *str) {
 }
 void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
+        assert(fname);
+        EUID_USER();
+        int fd = open(fname, O_PATH|O_CLOEXEC);
+        EUID_ROOT();
+        if (fd < 0)
+                return;
        struct stat s;
-        if (stat(fname, &s) != -1) {
+        if (fstat(fd, &s) < 0) { // FUSE
-                if (arg_debug)
+                if (errno != EACCES)
-                        printf("blacklist %s\n", fname);
+                        errExit("fstat");
-                if (is_dir(fname)) {
+                close(fd);
-                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                return;
-                                errExit("disable directory");
+        }
-                }
-                else {
+        if (arg_debug)
-                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                printf("blacklist %s\n", fname);
-                                errExit("disable file");
+        if (S_ISDIR(s.st_mode)) {
-                }
+                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
-                fs_logger2("blacklist", fname);
+                        errExit("disable directory");
+        }
+        else {
+                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
+                        errExit("disable file");
        }
+        close(fd);
+        fs_logger2("blacklist", fname);
 }
 void disable_file_path(const char *path, const char *file) {
@@ -1210,6 +1346,60 @@ int safer_openat(int dirfd, const char *path, int flags) {
        return fd;
 }
+int remount_by_fd(int dst, unsigned long mountflags) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+        int rv = mount(NULL, proc, NULL, mountflags|MS_BIND|MS_REMOUNT, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+        free(proc);
+        return rv;
+}
+int bind_mount_by_fd(int src, int dst) {
+        char *proc_src, *proc_dst;
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) < 0 ||
+            asprintf(&proc_dst, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+        int rv = mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+        free(proc_src);
+        free(proc_dst);
+        return rv;
+}
+int bind_mount_fd_to_path(int src, const char *destname) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", src) < 0)
+                errExit("asprintf");
+        int rv = mount(proc, destname, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+        free(proc);
+        return rv;
+}
+int bind_mount_path_to_fd(const char *srcname, int dst) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+        int rv = mount(srcname, proc, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+        free(proc);
+        return rv;
+}
 int has_handler(pid_t pid, int signal) {
        if (signal > 0 && signal <= SIGRTMAX) {
                char *fname;
@@ -1319,14 +1509,14 @@ static int has_link(const char *dir) {
        return 0;
 }
-void check_homedir(void) {
+void check_homedir(const char *dir) {
-        assert(cfg.homedir);
+        assert(dir);
-        if (cfg.homedir[0] != '/') {
+        if (dir[0] != '/') {
                fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
                exit(1);
        }
        // symlinks are rejected in many places
-        if (has_link(cfg.homedir)) {
+        if (has_link(dir)) {
                fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
                        "Please provide resolved path in password database (/etc/passwd).\n\n");
        }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index f4f093138..896aa2fd3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -204,7 +204,6 @@ static int random_display_number(void) {
 void x11_start_xvfb(int argc, char **argv) {
        EUID_ASSERT();
        int i;
-        struct stat s;
        pid_t jail = 0;
        pid_t server = 0;
@@ -348,7 +347,7 @@ void x11_start_xvfb(int argc, char **argv) {
        // wait for x11 server to start
        while (++n < 10) {
                sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                        break;
        };
@@ -427,7 +426,6 @@ static char *extract_setting(int argc, char **argv, const char *argument) {
 void x11_start_xephyr(int argc, char **argv) {
        EUID_ASSERT();
        int i;
-        struct stat s;
        pid_t jail = 0;
        pid_t server = 0;
@@ -586,7 +584,7 @@ void x11_start_xephyr(int argc, char **argv) {
        // wait for x11 server to start
        while (++n < 10) {
                sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                        break;
        };
@@ -701,7 +699,6 @@ static char * get_title_arg_str() {
 static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
        EUID_ASSERT();
        int i;
-        struct stat s;
        pid_t client = 0;
        pid_t server = 0;
@@ -818,7 +815,7 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
        // wait for x11 server to start
        while (++n < 10) {
                sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                        break;
        }
@@ -1207,14 +1204,13 @@ void x11_xorg(void) {
        fmessage("Generating a new .Xauthority file\n");
        mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
        // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
+        EUID_USER();
        char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX";
        int fd = mkstemp(tmpfname);
        if (fd == -1) {
                fprintf(stderr, "Error: cannot create .Xauthority file\n");
                exit(1);
        }
-        if (fchown(fd, getuid(), getgid()) == -1)
-                errExit("chown");
        close(fd);
        // run xauth
@@ -1224,16 +1220,14 @@ void x11_xorg(void) {
        else
                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname,
                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
-        // remove xauth copy
-        unlink(RUN_XAUTH_FILE);
        // ensure there is already a file ~/.Xauthority, so that bind-mount below will work.
        char *dest;
        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                errExit("asprintf");
-        if (lstat(dest, &s) == -1) {
+        if (access(dest, F_OK) == -1) {
                touch_file_as_user(dest, 0600);
-                if (stat(dest, &s) == -1) {
+                if (access(dest, F_OK) == -1) {
                        fprintf(stderr, "Error: cannot create %s\n", dest);
                        exit(1);
                }
@@ -1276,21 +1270,16 @@ void x11_xorg(void) {
        // mount via the link in /proc/self/fd
        if (arg_debug)
                printf("Mounting %s on %s\n", tmpfname, dest);
-        char *proc_src, *proc_dst;
+        EUID_ROOT();
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
+        if (bind_mount_by_fd(src, dst)) {
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) {
                fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                exit(1);
        }
+        EUID_USER();
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
        if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                errLogExit("invalid .Xauthority mount");
-        free(proc_src);
-        free(proc_dst);
        close(src);
        close(dst);
@@ -1301,8 +1290,11 @@ void x11_xorg(void) {
        if (envar) {
                char *rp = realpath(envar, NULL);
                if (rp) {
-                        if (strcmp(rp, dest) != 0)
+                        if (strcmp(rp, dest) != 0) {
+                                EUID_ROOT();
                                disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
                        free(rp);
                }
        }
@@ -1311,9 +1303,13 @@ void x11_xorg(void) {
        free(dest);
        // mask RUN_XAUTHORITY_SEC_DIR
+        EUID_ROOT();
        if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mounting tmpfs");
        fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR);
+        // cleanup
+        unlink(RUN_XAUTH_FILE);
 #endif
 }
@@ -1336,6 +1332,8 @@ void fs_x11(void) {
                return;
        }
+        // the mount source is under control of the user, so be careful and
+        // mount without following symbolic links, using a file descriptor
        char *x11file;
        if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
                errExit("asprintf");
@@ -1344,10 +1342,10 @@ void fs_x11(void) {
                free(x11file);
                return;
        }
-        struct stat x11stat;
+        struct stat s3;
-        if (fstat(src, &x11stat) < 0)
+        if (fstat(src, &s3) < 0)
                errExit("fstat");
-        if (!S_ISSOCK(x11stat.st_mode)) {
+        if (!S_ISSOCK(s3.st_mode)) {
                close(src);
                free(x11file);
                return;
@@ -1360,6 +1358,7 @@ void fs_x11(void) {
                MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
                "mode=1777,uid=0,gid=0") < 0)
                errExit("mounting tmpfs on /tmp/.X11-unix");
+        selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix");
        fs_logger("tmpfs /tmp/.X11-unix");
        // create an empty root-owned file which will have the desired socket bind-mounted over it
@@ -1367,14 +1366,8 @@ void fs_x11(void) {
        if (dst < 0)
                errExit("open");
-        char *proc_src, *proc_dst;
+        if (bind_mount_by_fd(src, dst))
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1 ||
-            asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND | MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc_src);
-        free(proc_dst);
        close(src);
        close(dst);
        fs_logger2("whitelist", x11file);
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index e04b6f431..372cdee41 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -33,6 +33,10 @@
 //#include <net/route.h>
 //#include <linux/if_bridge.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 // print IP addresses for all interfaces
 static void net_ifprint(void) {
        uint32_t ip;
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 850959eb3..bc951aa26 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -24,6 +24,10 @@
 #include <sys/stat.h>
 #include <unistd.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 #define MAXBUF 4096
 // ip -s link: device stats
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 8085d2d29..79f487582 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -30,6 +30,10 @@
 #include <fcntl.h>
 #include <sys/uio.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a25e3c0d8..d0f911e60 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -24,6 +24,10 @@
 #include <sys/stat.h>
 #include <unistd.h>
+#ifdef HAVE_GCOV
+#include "../include/gcov_wrapper.h"
+#endif
 static unsigned pgs_rss = 0;
 static unsigned pgs_shared = 0;
 static unsigned clocktick = 0;
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h
new file mode 100644
index 000000000..2f409309d
--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+#include <gcov.h>
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere).  Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+       __gcov_dump();
+       __gcov_reset();
+}
+#endif
+#endif /* GCOV_WRAPPER_H */
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
index c18d64a82..3c2f46495 100644
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -36,7 +36,7 @@ void access_setup(const char *directory) {
        assert(user_home_dir);
        if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of test directories exceded\n");
+                fprintf(stderr, "Error: maximum number of test directories exceeded\n");
                exit(1);
        }
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index 32be1c978..be3104da3 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -53,6 +53,8 @@ void apparmor_test(pid_t pid);
 // seccomp.c
 void seccomp_test(pid_t pid);
+// network.c
+void network_test(void);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 4d642bf96..812ac5808 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -157,6 +157,7 @@ int main(int argc, char **argv) {
                        seccomp_test(pid);
                        fflush(0);
+                        // filesystem tests
                        pid_t child = fork();
                        if (child == -1)
                                errExit("fork");
@@ -185,6 +186,28 @@ int main(int argc, char **argv) {
                        }
                        int status;
                        wait(&status);
+                        // network test
+                        child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "net");
+                                if (rv == 0)
+                                        network_test();
+                                else {
+                                        printf("   Error: I cannot join the process network stack\n");
+                                        exit(1);
+                                }
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        wait(&status);
                }
        }
diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c
new file mode 100644
index 000000000..636344e77
--- /dev/null
+++ b/src/jailcheck/network.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <linux/if_link.h>
+#include <linux/sockios.h>
+#include <sys/ioctl.h>
+void network_test(void) {
+        // I am root running in a network namespace
+        struct ifaddrs *ifaddr, *ifa;
+        int found = 0;
+        // walk through the linked list
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (strcmp(ifa->ifa_name, "lo") == 0)
+                        continue;
+                found = 1;
+                break;
+        }
+        freeifaddrs(ifaddr);
+        if (found)
+                printf("   Networking: enabled\n");
+        else
+                printf("   Networking: disabled\n");
+}
diff --git a/src/jailcheck/sysfiles.c b/src/jailcheck/sysfiles.c
index caeb580af..9a0d6350e 100644
--- a/src/jailcheck/sysfiles.c
+++ b/src/jailcheck/sysfiles.c
@@ -34,7 +34,7 @@ void sysfiles_setup(const char *file) {
        assert(file);
        if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of system test files exceded\n");
+                fprintf(stderr, "Error: maximum number of system test files exceeded\n");
                exit(1);
        }
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index cd60d74e4..c5dde85b0 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -50,7 +50,7 @@ int is_lib_64(const char *exe) {
        unsigned char buf[EI_NIDENT];
        ssize_t len = 0;
        while (len < EI_NIDENT) {
-                ssize_t sz = read(fd, buf, EI_NIDENT);
+                ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
                if (sz <= 0)
                        goto doexit;
                len += sz;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6f3bef7f2..db58e0910 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -420,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d4c2a5bc8..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -2579,14 +2581,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index c80e305cc..483f47fb9 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 .SH OPTIONS
@@ -56,6 +58,8 @@ $ sudo jailcheck
 .br
   Warning: I can run programs in /home/netblue
 .br
+   Networking: disabled
+.br
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
 .br
   Warning: I can read ~/.ssh
 .br
+   Networking: enabled
+.br
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
   Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+   Networking: enabled
+.br
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
 .br
                 /run/user/1000,
 .br
+   Networking: enabled
+.br
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
 .br
   Warning: I can run programs in /home/netblue
 .br
+   Networking: enabled
+.br
 .SH LICENSE
diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp
index b838f83f4..b1572afb6 100755
--- a/test/environment/rlimit-bad-profile.exp
+++ b/test/environment/rlimit-bad-profile.exp
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=rlimit-bad1.profile\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix."
 }
 after 100
diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp
index 3a82ded9b..c05e14b97 100755
--- a/test/environment/rlimit-bad.exp
+++ b/test/environment/rlimit-bad.exp
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --rlimit-fsize=-1024\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize. Only use positive numbers and k, m or g suffix."
 }
 after 100
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index 8dd08aa72..78b6efb76 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -41,7 +41,7 @@ after 500
 send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "Error"
+        "Warning: you are not allowed to mount a tmpfs"
 }
 after 500