38 files changed, 336 insertions, 192 deletions

diff --git a/README.md b/README.md
index c556de88b..e29c01d9a 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 `````
 
 `````
-# Current development version: 0.9.39
+# Current development version: 0.9.40-rc2
 Version 0.9.40-rc1 released!
 
 ## X11 sandboxing support
diff --git a/configure b/configure
index 6e95643db..73a5c89e6 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.40-rc1'
-PACKAGE_STRING='firejail 0.9.40-rc1'
+PACKAGE_VERSION='0.9.40-rc2'
+PACKAGE_STRING='firejail 0.9.40-rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.40-rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.40-rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1307,7 +1307,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.40-rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.40-rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1403,7 +1403,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.40-rc1
+firejail configure 0.9.40-rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.40-rc1, which was
+It was created by firejail $as_me 0.9.40-rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.40-rc1, which was
+This file was extended by firejail $as_me 0.9.40-rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4238,7 +4238,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.40-rc1
+firejail config.status 0.9.40-rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 9a57ea774..a4486b3ff 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.40-rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.40-rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f01d3e8fa..c066d5aab 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,4 +1,4 @@
-# /etc/firejail/firecfg.config - firecfg utility configuration file
+# /usr/lib/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs handled by firecfg utility
 #
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d58c6291d..e50b22b4e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -264,6 +264,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
 void net_dns_print_name(const char *name);
 void net_dns_print(pid_t pid);
+void network_main(pid_t child);
 
 // network.c
 void net_if_up(const char *ifname);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 251260091..98e140ce4 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -201,7 +201,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
         extract_command(argc, argv, index);
 
         // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
diff --git a/src/firejail/list.c b/src/firejail/list.c
index 676df6a14..e6f0cc7ac 100644
--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -18,9 +18,25 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+
+void static grsec_elevate_privileges(void) {
+        struct stat s;
+        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                EUID_ROOT();
+
+                // elevate privileges
+                if (setreuid(0, 0))
+                        errExit("setreuid");
+                if (setregid(0, 0))
+                        errExit("setregid");
+        }
+}
 
 void top(void) {
         EUID_ASSERT();
+        grsec_elevate_privileges();
         
         char *arg[4];
         arg[0] = "bash";
@@ -32,6 +48,7 @@ void top(void) {
 
 void netstats(void) {
         EUID_ASSERT();
+        grsec_elevate_privileges();
         
         char *arg[4];
         arg[0] = "bash";
@@ -43,6 +60,7 @@ void netstats(void) {
 
 void list(void) {
         EUID_ASSERT();
+        grsec_elevate_privileges();
         
         char *arg[4];
         arg[0] = "bash";
@@ -54,6 +72,7 @@ void list(void) {
 
 void tree(void) {
         EUID_ASSERT();
+        grsec_elevate_privileges();
         
         char *arg[4];
         arg[0] = "bash";
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 24efae814..e86aa85ac 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -174,9 +174,11 @@ static void init_cfg(int argc, char **argv) {
         cfg.bridge3.devsandbox = "eth3";
         
         // extract user data
+        EUID_ROOT(); // rise permissions for grsecurity
         struct passwd *pw = getpwuid(getuid());
         if (!pw)
                 errExit("getpwuid");
+        EUID_USER();
         cfg.username = strdup(pw->pw_name);
         if (!cfg.username)
                 errExit("strdup");
@@ -701,7 +703,9 @@ int main(int argc, char **argv) {
                 run_symlink(argc, argv);
 
         // check if we already have a sandbox running
+        EUID_ROOT();
         int rv = check_kernel_procs();
+        EUID_USER();
         if (rv == 0) {
                 // if --force option is passed to the program, disregard the existing sandbox
                 int found = 0;
@@ -1961,54 +1965,27 @@ int main(int argc, char **argv) {
                         printf("The new log directory is /proc/%d/root/var/log\n", child);
         }
         
-
-        EUID_ROOT();    
         if (!arg_nonetwork) {
-                // create veth pair or macvlan device
-                if (cfg.bridge0.configured) {
-                        if (cfg.bridge0.macvlan == 0) {
-                                net_configure_veth_pair(&cfg.bridge0, "eth0", child);
-                        }
-                        else
-                                net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
-                }
-                
-                if (cfg.bridge1.configured) {
-                        if (cfg.bridge1.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge1, "eth1", child);
-                        else
-                                net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
-                }
-                
-                if (cfg.bridge2.configured) {
-                        if (cfg.bridge2.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge2, "eth2", child);
-                        else
-                                net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
-                }
-                
-                if (cfg.bridge3.configured) {
-                        if (cfg.bridge3.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge3, "eth3", child);
-                        else
-                                net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
-                }
-        
-                // move interfaces in sandbox
-                if (cfg.interface0.configured) {
-                        net_move_interface(cfg.interface0.dev, child);
-                }
-                if (cfg.interface1.configured) {
-                        net_move_interface(cfg.interface1.dev, child);
-                }
-                if (cfg.interface2.configured) {
-                        net_move_interface(cfg.interface2.dev, child);
-                }
-                if (cfg.interface3.configured) {
-                        net_move_interface(cfg.interface3.dev, child);
+                EUID_ROOT();    
+                pid_t net_child = fork();
+                if (net_child < 0)
+                        errExit("fork");
+                if (net_child == 0) {
+                        // elevate privileges in order to get grsecurity working
+                        if (setreuid(0, 0))
+                                errExit("setreuid");
+                        if (setregid(0, 0))
+                                errExit("setregid");
+                        network_main(child);
+                        if (arg_debug)
+                                printf("Host network configured\n");                    
+                        exit(0);                        
                 }
+
+                // wait for the child to finish
+                waitpid(net_child, NULL, 0);
+                EUID_USER();
         }
-        EUID_USER();
 
         // close each end of the unused pipes
         close(parent_to_child_fds[0]);
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 4a5499699..71abfb53d 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -139,7 +139,6 @@ void netfilter(const char *fname) {
                         exit(1);
                 }
                 dup2(fd,STDIN_FILENO);
-                close(fd);
 
                 // wipe out environment variables
                 environ = NULL;
@@ -155,6 +154,11 @@ void netfilter(const char *fname) {
                 if (child < 0)
                         errExit("fork");
                 if (child == 0) {
+                        // elevate privileges in order to get grsecurity working
+                        if (setreuid(0, 0))
+                                errExit("setreuid");
+                        if (setregid(0, 0))
+                                errExit("setregid");
                         environ = NULL;
                         execl(iptables, iptables, "-vL", NULL);
                         // it will never get here!!!
@@ -246,7 +250,6 @@ void netfilter6(const char *fname) {
                         exit(1);
                 }
                 dup2(fd,STDIN_FILENO);
-                close(fd);
 
                 // wipe out environment variables
                 environ = NULL;
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 3fb79b9f4..80f3bd579 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -212,7 +212,10 @@ void net_check_cfg(void) {
                 // first network is a mac device
                 else {
                         // get the host default gw
+                        EUID_ROOT();    // rise permissions for grsecurity
+                        // Error fopen:network_get_defaultgw(479): Permission denied
                         uint32_t gw = network_get_defaultgw();
+                        EUID_USER();
                         // check the gateway is network range
                         if (in_netrange(gw, cfg.bridge0.ip, cfg.bridge0.mask))
                                 gw = 0;
@@ -275,3 +278,49 @@ void net_dns_print(pid_t pid) {
         free(fname);
         exit(0);
 }
+
+void network_main(pid_t child) {
+        // create veth pair or macvlan device
+        if (cfg.bridge0.configured) {
+                if (cfg.bridge0.macvlan == 0) {
+                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
+                }
+                else
+                        net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+        }
+        
+        if (cfg.bridge1.configured) {
+                if (cfg.bridge1.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
+                else
+                        net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+        }
+        
+        if (cfg.bridge2.configured) {
+                if (cfg.bridge2.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
+                else
+                        net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+        }
+        
+        if (cfg.bridge3.configured) {
+                if (cfg.bridge3.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
+                else
+                        net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+        }
+
+        // move interfaces in sandbox
+        if (cfg.interface0.configured) {
+                net_move_interface(cfg.interface0.dev, child);
+        }
+        if (cfg.interface1.configured) {
+                net_move_interface(cfg.interface1.dev, child);
+        }
+        if (cfg.interface2.configured) {
+                net_move_interface(cfg.interface2.dev, child);
+        }
+        if (cfg.interface3.configured) {
+                net_move_interface(cfg.interface3.dev, child);
+        }
+}
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 9f9ace527..a9242f035 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -26,8 +26,10 @@
 // check process space for kernel processes
 // return 1 if found, 0 if not found
 int check_kernel_procs(void) {
-        EUID_ASSERT();
-        
+        // we run this function with EUID set in order to detect grsecurity
+        // only user processes are available in /proc when running grsecurity
+        // EUID_ASSERT();
+
         char *kern_proc[] = {
                 "kthreadd",
                 "ksoftirqd",
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 3671901d0..b7ef48c8d 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -44,7 +44,9 @@ void shut(pid_t pid) {
         
         pid_t parent = pid;
         // if the pid is that of a firejail  process, use the pid of a child process inside the sandbox
+        EUID_ROOT();
         char *comm = pid_proc_comm(pid);
+        EUID_USER();
         if (comm) {
                 if (strcmp(comm, "firejail") == 0) {
                         pid_t child;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 1fa60bb4d..da73bbfd5 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -346,6 +346,7 @@ int find_child(pid_t parent, pid_t *child) {
         *child = 0;                               // use it to flag a found child
 
         DIR *dir;
+        EUID_ROOT(); // grsecurity fix
         if (!(dir = opendir("/proc"))) {
                 // sleep 2 seconds and try again
                 sleep(2);
@@ -397,7 +398,7 @@ int find_child(pid_t parent, pid_t *child) {
                 free(file);
         }
         closedir(dir);
-
+        EUID_USER();
         return (*child)? 0:1;                     // 0 = found, 1 = not found
 }
 
@@ -576,6 +577,7 @@ uid_t pid_get_uid(pid_t pid) {
                 perror("asprintf");
                 exit(1);
         }
+        EUID_ROOT();    // grsecurity fix
         FILE *fp = fopen(file, "r");
         if (!fp) {
                 free(file);
@@ -602,6 +604,7 @@ uid_t pid_get_uid(pid_t pid) {
 
         fclose(fp);
         free(file);
+        EUID_USER();    // grsecurity fix
         
         if (rv == 0) {
                 fprintf(stderr, "Error: cannot read /proc file\n");
diff --git a/test/4bridges_arp.exp b/test/4bridges_arp.exp
index 3004082e6..6a3e6db2a 100755
--- a/test/4bridges_arp.exp
+++ b/test/4bridges_arp.exp
@@ -115,7 +115,7 @@ sleep 2
 
 
 # check loopback
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
+send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "lo"
@@ -136,40 +136,35 @@ expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
+        "default via 10.10.20.1 dev eth0"
 }
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
+send -- "ip route show\r"
 expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
+        timeout {puts "TESTING ERROR 10.2\n";exit}
+        "10.10.30.0/24 dev eth1  proto kernel  scope link"
 }
+send -- "ip route show\r"
 expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
+        timeout {puts "TESTING ERROR 10.2\n";exit}
+        "10.10.40.0/24 dev eth2  proto kernel  scope link"
 }
+send -- "ip route show\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        timeout {puts "TESTING ERROR 10.2\n";exit}
+        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/4bridges_ip.exp b/test/4bridges_ip.exp
index 9e37b4ff4..8068aeebb 100755
--- a/test/4bridges_ip.exp
+++ b/test/4bridges_ip.exp
@@ -115,7 +115,7 @@ sleep 2
 
 
 # check loopback
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
+send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "lo"
@@ -138,38 +138,37 @@ expect {
 }
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
+        "default via 10.10.20.1 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.1"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
+        "10.10.30.0/24 dev eth1  proto kernel  scope link  src 10.10.30.50"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
+        "10.10.40.0/24 dev eth2  proto kernel  scope link  src 10.10.40.100"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "10.10.50.0/24 dev eth3  proto kernel  scope link"
 }
+
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/chromium-x11.exp b/test/chromium-x11.exp
index 0d8a5dfb3..bcac3233c 100755
--- a/test/chromium-x11.exp
+++ b/test/chromium-x11.exp
@@ -19,6 +19,13 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/chromium.exp b/test/chromium.exp
index 77325d070..676f7e314 100755
--- a/test/chromium.exp
+++ b/test/chromium.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/deluge.exp b/test/deluge.exp
index 49266813e..9f5063495 100755
--- a/test/deluge.exp
+++ b/test/deluge.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/evince.exp b/test/evince.exp
index 0c57f3871..3c3ad4bdd 100755
--- a/test/evince.exp
+++ b/test/evince.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/fbreader.exp b/test/fbreader.exp
index a4df50932..d2bee880e 100755
--- a/test/fbreader.exp
+++ b/test/fbreader.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/firefox-x11.exp b/test/firefox-x11.exp
index 8bc7fbd25..7e30437db 100755
--- a/test/firefox-x11.exp
+++ b/test/firefox-x11.exp
@@ -23,6 +23,13 @@ expect {
         "no-remote"
 }
 sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/firefox.exp b/test/firefox.exp
index d531cf977..2585e4b5c 100755
--- a/test/firefox.exp
+++ b/test/firefox.exp
@@ -31,6 +31,16 @@ expect {
         "no-remote"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/gnome-mplayer.exp b/test/gnome-mplayer.exp
index 193d532ae..6965322fc 100755
--- a/test/gnome-mplayer.exp
+++ b/test/gnome-mplayer.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/google-chrome.exp b/test/google-chrome.exp
index 7999831d7..389988e3c 100755
--- a/test/google-chrome.exp
+++ b/test/google-chrome.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/hexchat.exp b/test/hexchat.exp
index 0653bcb13..7e99c8cdf 100755
--- a/test/hexchat.exp
+++ b/test/hexchat.exp
@@ -26,6 +26,15 @@ expect {
         "hexchat"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/icedove.exp b/test/icedove.exp
index be5309e07..344febb93 100755
--- a/test/icedove.exp
+++ b/test/icedove.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/midori.exp b/test/midori.exp
index ec33816dd..470f5de77 100755
--- a/test/midori.exp
+++ b/test/midori.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/net_defaultgw.exp b/test/net_defaultgw.exp
index 9820660b7..840f2ccac 100755
--- a/test/net_defaultgw.exp
+++ b/test/net_defaultgw.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "eth0"
@@ -26,40 +26,21 @@ expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
+        "default via 10.10.20.2 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.2"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/net_defaultgw2.exp b/test/net_defaultgw2.exp
index be9b4882a..db14e17cb 100755
--- a/test/net_defaultgw2.exp
+++ b/test/net_defaultgw2.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89\r"
+send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "eth1"
@@ -14,52 +14,27 @@ expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
+        "default via 10.10.30.89 dev eth1"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.30.89"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.30.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "10.10.30.0/24 dev eth1  proto kernel  scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 
diff --git a/test/net_ip.exp b/test/net_ip.exp
index 5995296c7..f5d487ecc 100755
--- a/test/net_ip.exp
+++ b/test/net_ip.exp
@@ -31,7 +31,7 @@ send -- "exit\r"
 sleep 2
 
 # check loopback
-send -- "firejail --net=br0 --ip=10.10.20.5\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "lo"
@@ -52,38 +52,19 @@ expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10.1\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.2\n";exit}
-        "10.10.20.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.3\n";exit}
-        "eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.4\n";exit}
-        "10.10.20.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.5\n";exit}
-        "0.0.0.0"
-}
-expect {
-        timeout {puts "TESTING ERROR 10.6\n";exit}
-        "eth0"
+        "default via 10.10.20.1 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "home"
+        "10.10.20.0/29 dev eth0  proto kernel  scope link"
 }
 sleep 1
 
diff --git a/test/opera.exp b/test/opera.exp
index f536ae866..23eed5504 100755
--- a/test/opera.exp
+++ b/test/opera.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/pid.exp b/test/pid.exp
index d382feb96..fb5b90f04 100755
--- a/test/pid.exp
+++ b/test/pid.exp
@@ -37,7 +37,8 @@ sleep 1
 send -- "ps aux |wc -l; pwd\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "6"
+        "6" {puts "normal system\n'}
+        "5" {puts "grsecurity\n"}
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
@@ -45,4 +46,4 @@ expect {
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/transmission-gtk-x11.exp b/test/transmission-gtk-x11.exp
index 6192b277c..4ee3de701 100755
--- a/test/transmission-gtk-x11.exp
+++ b/test/transmission-gtk-x11.exp
@@ -19,6 +19,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/transmission-gtk.exp b/test/transmission-gtk.exp
index 77d5dd30c..1acfc6f94 100755
--- a/test/transmission-gtk.exp
+++ b/test/transmission-gtk.exp
@@ -23,6 +23,13 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/transmission-qt.exp b/test/transmission-qt.exp
index d27c16d6d..944fd28a2 100755
--- a/test/transmission-qt.exp
+++ b/test/transmission-qt.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/vlc.exp b/test/vlc.exp
index 53d25c9dd..290c0fc2f 100755
--- a/test/vlc.exp
+++ b/test/vlc.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/weechat.exp b/test/weechat.exp
index ac2430280..630af55ee 100755
--- a/test/weechat.exp
+++ b/test/weechat.exp
@@ -26,6 +26,15 @@ expect {
         "weechat-curses"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/xchat.exp b/test/xchat.exp
index babbcf87d..cde89d754 100755
--- a/test/xchat.exp
+++ b/test/xchat.exp
@@ -26,6 +26,15 @@ expect {
         "xchat"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}