38 files changed, 182 insertions, 218 deletions

diff --git a/.gitignore b/.gitignore
index 1285dea92..5e26f1711 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
 firejail-config.5
+firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
diff --git a/README b/README
index e6f8d935b..9be1d6ac5 100644
--- a/README
+++ b/README
@@ -251,6 +251,11 @@ glitsj16 (https://github.com/glitsj16)
         - gunzip, bunzip2 profiles
         - enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles
         - atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes
+        - acat, adiff, als, apack, arepack, aunpack profiles,
+        - fix sqlitebrowser blacklist
+        - spelling fixes
+        - bitblbee profile fixes
+        - fix firefox common addons
 graywolf (https://github.com/graywolf)
         - spelling fix
 greigdp (https://github.com/greigdp)
@@ -295,6 +300,8 @@ James Elford (https://github.com/jelford)
         - removed shell none from ssh-agent configuration, fixing the infinit loop
         - added gcloud profile
         - blacklist sensitive cloud provider files in disable-common
+Jean Lucas (https://github.com/flacks)
+        - fix Discord profile
 Jericho (https://github.com/attritionorg)
         - spelling
 Jesse Smith (https://github.com/slicer69)
diff --git a/README.md b/README.md
index c2c19d824..7fca1e4b4 100644
--- a/README.md
+++ b/README.md
@@ -368,4 +368,5 @@ pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine,
 tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
 gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8,
 thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2,
-enchant, enchant-2, enchant-lsmod, enchant-lsmod-2
+enchant, enchant-2, enchant-lsmod, enchant-lsmod-2, Discord,
+acat, adiff, als, apack, arepack, aunpack profiles
diff --git a/RELNOTES b/RELNOTES
index 87b3f3780..e77f2c7d4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,8 @@
 firejail (0.9.53) baseline; urgency=low
   * work in progress
   * modif: --force depercated
+  * modif: --csg, --zsh deprecated
+  * modif: --debug-check-filename deprecated
   * modif: --git-install and --git-uninstall deprecated
   * modif: support for private-bin, private-lib and shell none has been
      disabled while running AppImage archives in order to be able to use
@@ -39,7 +41,9 @@ firejail (0.9.53) baseline; urgency=low
   * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
   * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud
   * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2
-  * new profiles: enchant, enchant-2
+  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack
+  * new profiles: arepack, aunpack profiles
+
  -- netblue30 <netblue30@yahoo.com>  Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index b6baa66bc..1cd5d6a69 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
 
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ff5dc7b6b..7bc66b1e9 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 #  - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 54e0cfb1f..b8c49b28a 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -430,6 +430,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index b237c3c05..333ebdaa2 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe
diff --git a/etc/firejail-default b/etc/firejail-default
index 2e48439f5..5cfb1b5ea 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,10 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 
 ##########
-# Allows to attach to a running program and modify the process memory.
-# May be needed by chromium crash handler. Uncomment if you need it.
+# With ptrace it is possible to inspect and hijack running programs. Usually this
+# is needed only for debugging. To allow ptrace, uncomment the following line
 ##########
-#ptrace (trace tracedby),
+#ptrace,
 
 ##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
@@ -133,8 +133,8 @@ network raw,
 signal,
 
 ##########
-# We let Firejail deal with capabilities,
-# but mac_admin should be dropped in any case.
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
 ##########
 capability chown,
 capability dac_override,
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index bad8538cf..e06107f0f 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/less.profile b/etc/less.profile
index e2616ba4f..9b04329f2 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
 
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile
index 1a3ee5e6f..fce60e89e 100644
--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -24,7 +24,6 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
-shell none
 
 disable-mnt
 private-dev
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 114580f1e..832008564 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 94b282669..ff65a057b 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/ranger
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 015709247..c2270ce39 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ seccomp
 shell none
 
 disable-mnt
-#private-dev
+# private-dev - needs /dev/disk
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index 0a3549c97..b8a3fa497 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index b47aeb0da..028e15ef5 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 read-only ${HOME}/
diff --git a/mkuid.sh b/mkuid.sh
index a59f58143..9a37dc2ca 100755
--- a/mkuid.sh
+++ b/mkuid.sh
@@ -6,15 +6,15 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h
 
 if [ -r /etc/login.defs ]
 then
-        echo "// using values extracted from /etc/login.defs" >> uids.h
         UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
         GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
-        echo "#define UID_MIN $UID_MIN" >> uids.h
-        echo "#define GID_MIN $GID_MIN" >> uids.h
-else
-        echo "// using default values" >> uids.h
-        echo "#define UID_MIN 1000" >> uids.h
-        echo "#define GID_MIN 1000" >> uids.h
 fi
 
+# use default values if not found
+[ -z "$UID_MIN" ] && UID_MIN="1000"
+[ -z "$GID_MIN" ] && GID_MIN="1000"
+
+echo "#define UID_MIN $UID_MIN" >> uids.h
+echo "#define GID_MIN $GID_MIN" >> uids.h
+
 echo "#endif" >> uids.h
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 49e58528c..eb3794d3f 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -163,8 +163,6 @@ void fix_desktop_files(char *homedir) {
                 // skip links
                 if (is_link(filename))
                         continue;
-                if (stat(filename, &sb) == -1)
-                        errExit("stat");
 
                 // no profile in /etc/firejail, no desktop file fixing
                 if (!have_profile(filename, homedir))
@@ -173,23 +171,33 @@ void fix_desktop_files(char *homedir) {
                 //****************************************************
                 // load the file in memory and do some basic checking
                 //****************************************************
-                /* coverity[toctou] */
-                int fd = open(filename, O_RDONLY);
-                if (fd == -1) {
+                FILE *fp = fopen(filename, "r");
+                if (!fp) {
                         fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
                         continue;
                 }
 
-                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-                if (buf == MAP_FAILED)
-                        errExit("mmap");
-                close(fd);
+                fseek(fp, 0, SEEK_END);
+                size_t size = ftell(fp);
+                fseek(fp, 0, SEEK_SET);
+                char *buf = malloc(size + 1);
+                if (!buf)
+                        errExit("malloc");
+
+                size_t loaded = fread(buf, size, 1, fp);
+                fclose(fp);
+                if (loaded != 1) {
+                        fprintf(stderr, "Warning: cannot read /usr/share/applications/%s\n", filename);
+                        free(buf);
+                        continue;
+                }
+                buf[size] = '\0';
 
                 // check format
                 if (strstr(buf, "[Desktop Entry]\n") == NULL) {
                         if (arg_debug)
                                 printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                         continue;
                 }
 
@@ -198,7 +206,7 @@ void fix_desktop_files(char *homedir) {
                 if (!ptr || strlen(ptr) < 7) {
                         if (arg_debug)
                                 printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                         continue;
                 }
 
@@ -207,7 +215,7 @@ void fix_desktop_files(char *homedir) {
                 if (execname[0] == '"') {
                         if (arg_debug)
                                 printf("   %s - skipped: path quoting unsupported\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                         continue;
                 }
 
@@ -241,12 +249,9 @@ void fix_desktop_files(char *homedir) {
                         }
                 }
 
-                if (change_exec == NULL && change_dbus == 0) {
-                        munmap(buf, sb.st_size + 1);
+                free(buf);
+                if (change_exec == NULL && change_dbus == 0)
                         continue;
-                }
-
-                munmap(buf, sb.st_size + 1);
 
                 //****************************************************
                 // generate output file
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 48d985d73..d0f43041c 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7b0ae30b6..f8094e893 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -166,10 +166,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-                        // follow symlink in private-bin command
-                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-                                fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
-                        }
                         // nonewprivs
                         else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
                                 if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-                                fwarning("remount-proc-sys from firejail.config was deprecated\n");
-                        }
                         else if (strncmp(ptr, "overlayfs ", 10) == 0) {
                                 if (strcmp(ptr + 10, "yes") == 0)
                                         cfg_val[CFG_OVERLAYFS] = 1;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4fd11ab4f..2746deea1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug;           // print debug messages
-extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
 extern int arg_debug_private_lib;       // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
 
-// syscall.c
-const char *syscall_find_nr(int nr);
-
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);
@@ -647,12 +643,6 @@ void env_ibus_load(void);
 // fs_whitelist.c
 void fs_whitelist(void);
 
-// errno.c
-int errno_highest_nr(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-void errno_print(void);
-
 // pulseaudio.c
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
@@ -795,10 +785,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
 
-// git.c
-void git_install();
-void git_uninstall();
-
 // run_files.c
 void delete_run_files(pid_t pid);
 void delete_bandwidth_run_file(pid_t pid);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e676bbd7c..2d8af7f41 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -47,7 +47,6 @@ Config cfg;					// configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename = 0;               // print debug messages for filename checking
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
 int arg_debug_private_lib = 0;                  // print debug messages for private-lib
@@ -1051,8 +1050,6 @@ int main(int argc, char **argv) {
 
                 if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
                         arg_debug = 1;
-                else if (strcmp(argv[i], "--debug-check-filename") == 0)
-                        arg_debug_check_filename = 1;
                 else if (strcmp(argv[i], "--debug-blacklists") == 0)
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1436,6 @@ int main(int argc, char **argv) {
                         custom_profile = 1;
                         free(ppath);
                 }
-                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-                        fwarning("--profile-path has been deprecated\n");
-                }
                 else if (strcmp(argv[i], "--noprofile") == 0) {
                         if (custom_profile) {
                                 fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1535,6 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--machine-id") == 0) {
                         arg_machineid = 1;
                 }
-                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        fwarning("--allow-private-blacklist was deprecated\n");
-                }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
                 }
@@ -2117,29 +2108,6 @@ int main(int argc, char **argv) {
                 }
                 else if (strcmp(argv[i], "--appimage") == 0)
                         arg_appimage = 1;
-                else if (strcmp(argv[i], "--csh") == 0) {
-                        if (arg_shell_none) {
-
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/csh";
-                }
-                else if (strcmp(argv[i], "--zsh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/zsh";
-                }
                 else if (strcmp(argv[i], "--shell=none") == 0) {
                         arg_shell_none = 1;
                         if (cfg.shell) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index ba955bcca..5bd3f7e09 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
         for (i = 0; i < argc; i++) {
                 if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
-                else if (strcmp(argv[i], "--csh") == 0 ||
-                    strcmp(argv[i], "--zsh") == 0 ||
-                    strcmp(argv[i], "--shell=none") == 0 ||
+                else if (strcmp(argv[i], "--shell=none") == 0 ||
                     strncmp(argv[i], "--shell=", 8) == 0)
                         fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
         }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3ef9a1856..156ffa24a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_nodbus = 1;
                 return 0;
         }
-        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                fmessage("--allow-private-blacklist was deprecated\n");
-                return 0;
-        }
         else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK))
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index effbf3751..742fc0465 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -29,8 +29,6 @@ static char *usage_str =
         "Options:\n"
         "    -- - signal the end of options and disables further option processing.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
-        "    --allow-private-blacklist - allow blacklisting files in private\n"
-        "\thome directories.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
         "    --apparmor - enable AppArmor confinement.\n"
         "    --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
         "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
         "    --cpu.print=name|pid - print the cpus in use.\n"
-        "    --csh - use /bin/csh as default shell.\n"
         "    --debug - print sandbox debug messages.\n"
         "    --debug-blacklists - debug blacklisting.\n"
         "    --debug-caps - print all recognized capabilities.\n"
-        "    --debug-check-filename - debug filename checking.\n"
         "    --debug-errnos - print all recognized error numbers.\n"
         "    --debug-private-lib - debug for --private-lib option.\n"
         "    --debug-protocols - print all recognized protocols.\n"
@@ -77,7 +73,9 @@ static char *usage_str =
         "    --dns.print=name|pid - print DNS configuration.\n"
         "    --env=name=value - set environment variable.\n"
         "    --fs.print=name|pid - print the filesystem log.\n"
+#ifdef HAVE_FILE_TRANSFER
         "    --get=name|pid filename - get a file from sandbox container.\n"
+#endif
         "    --help, -? - this help screen.\n"
         "    --hostname=name - set sandbox hostname.\n"
         "    --hosts-file=file - use file as /etc/hosts.\n"
@@ -97,7 +95,9 @@ static char *usage_str =
 #endif
         "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
         "    --list - list all sandboxes.\n"
+#ifdef HAVE_FILE_TRANSFER
         "    --ls=name|pid dir_or_filename - list files in sandbox container.\n"
+#endif
 #ifdef HAVE_NETWORK
         "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
@@ -159,13 +159,16 @@ static char *usage_str =
         "\tfilesystem, and copy the files and directories in the list.\n"
         "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
         "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
         "    --profile=filename - use a custom profile.\n"
         "    --profile.print=name|pid - print the name of profile file.\n"
         "    --profile-path=directory - use this directory to look for profile files.\n"
         "    --protocol=protocol,protocol,protocol - enable protocol filter.\n"
         "    --protocol.print=name|pid - print the protocol filter.\n"
+#ifdef HAVE_FILE_TRANSFER
         "    --put=name|pid src-filename dest-filename - put a file in sandbox\n"
         "\tcontainer.\n"
+#endif
         "    --quiet - turn off Firejail's output.\n"
         "    --read-only=filename - set directory or file read-only..\n"
         "    --read-write=filename - set directory or file read-write.\n"
@@ -230,7 +233,6 @@ static char *usage_str =
         "    --x11=xvfb - enable Xvfb X11 server.\n"
         "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-        "    --zsh - use /usr/bin/zsh as default shell.\n"
         "\n"
         "Examples:\n"
         "    $ firejail firefox\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3437d495f..a44e52e98 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
         assert(fname);
         const char *ptr = fname;
 
-        if (arg_debug_check_filename)
-                printf("Checking filename %s\n", fname);
-
         if (strncmp(ptr, "${HOME}", 7) == 0)
                 ptr = fname + 7;
         else if (strncmp(ptr, "${PATH}", 7) == 0)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 7040dea18..8cf4fccf3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1078,7 +1078,7 @@ void x11_xorg(void) {
         // check xauth utility is present in the system
         struct stat s;
         if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: xauth utility not found in PATH.  Please install it:\n"
+                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"
                         "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
                 exit(1);
         }
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 37bd4e874..a4d642d66 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -43,6 +43,7 @@ static char *help_str =
         "\t--tree - print a tree of all sandboxed processes.\n\n"
         "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
         "\t--version - print program version and exit.\n\n"
+        "\t--x11 - print X11 display number.\n\n"
 
         "Without any options, firemon monitors all fork, exec, id change, and exit\n"
         "events in the sandbox. Monitoring a specific PID is also supported.\n\n"
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
index 5d92aa133..7d9784392 100644
--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -45,6 +45,12 @@ int firejail_user_check(const char *name) {
         if (strcmp(name, "root") == 0)
                 return 1;
 
+        // user nobody disabled by default
+        if (strcmp(name, "nobody") == 0) {
+                fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
+                exit(1);
+        }
+
         // check file existence
         char *fname = get_fname();
         if (access(fname, F_OK)) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b529f63e3..0217e1353 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -223,7 +223,8 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
+random, snd, urandom, video, log and shm devices are available.
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
@@ -448,6 +449,12 @@ Run the program directly, without a shell.
 \fBipc-namespace
 Enable IPC namespace.
 .TP
+\fBnodbus
+Disable D-Bus access. Only the regular UNIX socket is handled by
+this command. To disable the abstract socket, you would need to
+request a new network namespace using the net command. Another
+option is to remove unix from protocol set.
+.TP
 \fBnosound
 Disable sound system.
 .TP
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index fcc0f914b..ec91e495c 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,7 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default, user nobody is denied access by default.
 
 Example:
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 6e8e4eb2c..d8fed1f31 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -314,15 +314,6 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-csh
-.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 
 .TP
 \fB\-\-debug-errnos
@@ -1620,20 +1602,16 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, set_mempolicy,
-migrate_pages, move_pages, vmsplice, chroot,
-tuxcall, reboot, mfsservctl, get_kernel_syms,
-bpf, clock_settime, personality, process_vm_writev, query_module,
-settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname,  sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver.
+_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
+create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
+io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx,
+name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
+personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg,
+query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
+security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
+swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
+vm86, vm86old, vmsplice and vserver.
 
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1716,7 +1694,7 @@ Bad system call
 .br
 
 .TP
-\fB\-\-seccomp.block_secondary
+\fB\-\-seccomp.block-secondary
 Enable seccomp filter and filter system call architectures so that
 only the native architecture is allowed. For example, on amd64, i386
 and x32 system calls are blocked as well as changing the execution
@@ -1949,8 +1927,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
-shell.
+By default Bash shell (/bin/bash) is used.
 .br
 
 .br
@@ -2324,16 +2301,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-zsh
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index dcf16452f..0ec07c1ad 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -56,7 +56,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "appimage Leafpad"
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 073c32dab..90b13b9ff 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -44,7 +44,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "appimage Leafpad"
diff --git a/test/environment/csh.exp b/test/environment/csh.exp
index 10a278ebc..7b5ab9b33 100755
--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        ".cshrc"
-}
-
-send -- "env | grep SHELL\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "SHELL"
+        "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "/bin/csh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --csh\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
-}
-after 100
-
-send -- "firejail --csh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
+        "home"
 }
+send -- "exit\r"
 after 100
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index e7f610e98..a1b94a326 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --zsh\r"
+send -- "firejail --private --shell=/bin/zsh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        ".zshrc"
-}
-
 send -- "env | grep SHELL;pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
         "SHELL"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "/bin/zsh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --zsh\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "shell=none was already specified"
-}
-after 100
-
-send -- "firejail --zsh --shell=none\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "a shell was already specified"
+        "home"
 }
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"
diff --git a/test/root/private.exp b/test/root/private.exp
index 784761fc8..e3d3245ae 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -54,6 +54,21 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 
 send -- "touch /srv/firejail-test-file\r"
@@ -77,14 +92,20 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
 
-
-
-
-
-
-
-
-
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 puts "\nall done\n"