141 files changed, 2538 insertions, 1800 deletions

diff --git a/.gitignore b/.gitignore
index 60d06099f..408290b85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 *.so
 *~
 *.swp
+*.rpm
 Makefile
 config.log
 config.status
diff --git a/Makefile.in b/Makefile.in
index 1de44c578..cf7ec6379 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -41,7 +41,7 @@ clean:
         for dir in $(MYLIBS); do \
                 $(MAKE) -C $$dir clean; \
         done
-        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz
+        rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm
 
 distclean: clean
         for dir in $(APPS); do \
@@ -75,6 +75,7 @@ realinstall:
         install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
         install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/.
@@ -129,7 +130,16 @@ realinstall:
         install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/.
-        bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
+        install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/disable-terminals.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
         rm -fr .etc
         # man pages
         rm -f firejail.1.gz
@@ -190,6 +200,10 @@ dist:
 deb: dist
         ./mkdeb.sh $(NAME) $(VERSION)
 
+.PHONY: rpms
+rpms:
+        ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
+
 extras: all
         $(MAKE) -C extras/firetools
         
diff --git a/README b/README
index ad325c8e9..799921cfe 100644
--- a/README
+++ b/README
@@ -18,6 +18,38 @@ License: GPL v2
 Firejail Authors:
 
 netblue30 (netblue30@yahoo.com)
+jrabe (https://github.com/jrabe)
+        - Epiphany profile
+jgriffiths (https://github.com/jgriffiths)
+        - make rpm packages support
+Tom Mellor (https://github.com/kalegrill)
+        - mupen64plus profile
+Martin Carpenter (https://github.com/mcarpenter)
+        - security audit and bug fixes
+        - Centos 6.x support
+Aleksey Manevich (https://github.com/manevich)
+        - several profile fixes
+        - fix problem with relative path in storage_find function
+        - fix build for systems without bash
+pszxzsd (https://github.com/pszxzsd)
+        -uGet profile
+Rahiel Kasim (https://github.com/rahiel)
+        - Mathematica profile
+creideiki (https://github.com/creideiki)
+        - make the sandbox process reap all children
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
+sinkuu (https://github.com/sinkuu)
+        - blacklisting kwalletd
+        - fix symlink invocation for programs placing symlinks in $PATH
+Bader Zaidan (https://github.com/BaderSZ)
+        - Telegram profile
+Holger Heinz (https://github.com/hheinz)
+        - manpage work
+Andrey Alekseenko (https://github.com/al42and)
+        - fixing lintian warnings
+mahdi1234 (https://github.com/mahdi1234)
+        - Seamonkey profiles
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Christian Stadelmann (https://github.com/genodeftest)
diff --git a/README.md b/README.md
index 812ad4008..5f3ffbd8a 100644
--- a/README.md
+++ b/README.md
@@ -31,97 +31,51 @@ Features: https://firejail.wordpress.com/features-3/
 Documentation: https://firejail.wordpress.com/documentation-2/
 
 FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
-
-# Current development version: 0.9.37
-
-## Symlink invocation
-
-This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under
-the name of the program you want to run, and put the link in the first $PATH position (for
-example in /usr/local/bin). Example:
 `````
-$ which -a transmission-gtk 
-/usr/bin/transmission-gtk
-
-$ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk
 
-$ which -a transmission-gtk 
-/usr/local/bin/transmission-gtk
-/usr/bin/transmission-gtk
 `````
-We have in this moment two entries in $PATH for transmission. The first one is a symlink to firejail.
-The second one is the real program. Starting transmission in this moment, invokes "firejail transmission-gtk"
+# Current development version: 0.9.39
 `````
-$ transmission-gtk
-Redirecting symlink to /usr/bin/transmission-gtk
-Reading profile /etc/firejail/transmission-gtk.profile
-Reading profile /etc/firejail/disable-mgmt.inc
-Reading profile /etc/firejail/disable-secret.inc
-Reading profile /etc/firejail/disable-common.inc
-Reading profile /etc/firejail/disable-devel.inc
-Parent pid 19343, child pid 19344
-Blacklist violations are logged to syslog
-Child process initialized
-`````
-
 
-## IPv6 support:
 `````
-      --ip6=address
-              Assign IPv6 addresses to the last network interface defined by a
-              --net option.
-
-              Example:
-              $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
 
-       --netfilter6=filename
-              Enable the IPv6 network filter specified by filename in the  new
-              network  namespace.  The  filter  file  format  is the format of
-              ip6tables-save  and  ip6table-restore  commands.   New   network
-              namespaces  are  created  using  --net  option. If a new network
-              namespaces is not created, --netfilter6 option does nothing.
+## Default seccomp filter update
 
-`````
+Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
 
-## join command enhancements
+## STUN/WebRTC disabled in default netfilter configuration
 
+The  current netfilter configuration (--netfilter option) looks like this:
 `````
-       --join-filesystem=name
-              Join the mount namespace of the sandbox identified by  name.  By
-              default  a /bin/bash shell is started after joining the sandbox.
-              If a program is specified, the program is run  in  the  sandbox.
-              This  command is available only to root user.  Security filters,
-              cgroups and cpus configurations are not applied to  the  process
-              joining the sandbox.
-
-       --join-filesystem=pid
-              Join  the  mount  namespace of the sandbox identified by process
-              ID. By default a /bin/bash shell is started  after  joining  the
-              sandbox.   If  a program is specified, the program is run in the
-              sandbox. This command is available only to root user.   Security
-              filters,  cgroups and cpus configurations are not applied to the
-              process joining the sandbox.
-
-      --join-network=name
-              Join the network namespace of the sandbox identified by name. By
-              default  a /bin/bash shell is started after joining the sandbox.
-              If a program is specified, the program is run  in  the  sandbox.
-              This  command is available only to root user.  Security filters,
-              cgroups and cpus configurations are not applied to  the  process
-              joining the sandbox.
-
-       --join-network=pid
-              Join  the network namespace of the sandbox identified by process
-              ID. By default a /bin/bash shell is started  after  joining  the
-              sandbox.   If  a program is specified, the program is run in the
-              sandbox. This command is available only to root user.   Security
-              filters,  cgroups and cpus configurations are not applied to the
-              process joining the sandbox.
-
+             *filter
+              :INPUT DROP [0:0]
+              :FORWARD DROP [0:0]
+              :OUTPUT ACCEPT [0:0]
+              -A INPUT -i lo -j ACCEPT
+              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+              # allow ping
+              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+              # drop STUN (WebRTC) requests
+              -A OUTPUT -p udp --dport 3478 -j DROP
+              -A OUTPUT -p udp --dport 3479 -j DROP
+              -A OUTPUT -p tcp --dport 3478 -j DROP
+              -A OUTPUT -p tcp --dport 3479 -j DROP
+              COMMIT
 `````
 
+The filter is loaded by default for Firefox if a network namespace is configured:
+`````
+$ firejail --net=eth0 firefox
+`````
 
-## New profiles: KMail
-
+## Set sandbox nice value
+`````
+      --nice=value
+              Set nice value for all processes running inside the sandbox.
 
+              Example:
+              $ firejail --nice=-5 firefox
+`````
 
diff --git a/RELNOTES b/RELNOTES
index 7d290e0f5..9e1f124fb 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,12 +1,31 @@
-firejail (0.9.37) baseline; urgency=low
-  * development version
-  * security profiles fixes
-  * dynamic allocation of noblacklist buffer
-  * --ip6 option - IPv6 support
-  * added KMail profile
+firejail (0.9.39) baseline; urgency=low
+  * work in progress!
+  * default seccomp filter update
+  * disable STUN/WebRTC in default netfilter configuration
+  * added --nice option
+  * --version also prints compile options
+  * build rpm packages using "make rpms"
+  * new profiles: lxterminal, Epiphany
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Tue, 8 Feb 2016 10:00:00 -0500
+
+firejail (0.9.38) baseline; urgency=low
+  * IPv6 support (--ip6 and --netfilter6)
   * --join command enhancement (--join-network, --join-filesystem)
+  * added --user command
+  * added --disable-network and --disable-userns compile time flags
+  * Centos 6 support
   * symlink invocation
--- netblue30 <netblue30@yahoo.com>
+  * added KMail, Seamonkey, Telegram, Mathematica, uGet,
+  *   and mupen64plus profiles
+  * --chroot in user mode allowed only if seccomp support is available
+  *   in current Linux kernel
+  * deprecated --private-home feature
+  * the first protocol list installed takes precedence
+  * --tmpfs option allowed only running as root
+  * added --private-tmp option
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Tue, 2 Feb 2016 10:00:00 -0500
 
 firejail (0.9.36) baseline; urgency=low
   * added  unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
diff --git a/configure b/configure
index 46668e28a..06642abb6 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.37.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.39.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.37'
-PACKAGE_STRING='firejail 0.9.37'
+PACKAGE_VERSION='0.9.39'
+PACKAGE_STRING='firejail 0.9.39'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -629,6 +629,8 @@ EGREP
 GREP
 CPP
 HAVE_FATAL_WARNINGS
+HAVE_USERNS
+HAVE_NETWORK
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
@@ -687,6 +689,8 @@ enable_option_checking
 enable_seccomp
 enable_chroot
 enable_bind
+enable_network
+enable_userns
 enable_fatal_warnings
 '
       ac_precious_vars='build_alias
@@ -1238,7 +1242,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.37 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.39 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1299,7 +1303,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.37:";;
+     short | recursive ) echo "Configuration of firejail 0.9.39:";;
    esac
   cat <<\_ACEOF
 
@@ -1310,6 +1314,8 @@ Optional Features:
   --disable-seccomp       disable seccomp
   --disable-chroot        disable chroot
   --disable-bind          disable bind
+  --disable-network       disable network
+  --disable-userns        disable user namespace
   --enable-fatal-warnings -W -Wall -Werror
 
 Some influential environment variables:
@@ -1389,7 +1395,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.37
+firejail configure 0.9.39
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1691,7 +1697,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.37, which was
+It was created by firejail $as_me 0.9.39, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3087,6 +3093,32 @@ if test "x$enable_bind" != "xno"; then :
 
 fi
 
+HAVE_NETWORK=""
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+
+if test "x$enable_network" != "xno"; then :
+
+        HAVE_NETWORK="-DHAVE_NETWORK"
+
+
+fi
+
+HAVE_USERNS=""
+# Check whether --enable-userns was given.
+if test "${enable_userns+set}" = set; then :
+  enableval=$enable_userns;
+fi
+
+if test "x$enable_userns" != "xno"; then :
+
+        HAVE_USERNS="-DHAVE_USERNS"
+
+
+fi
+
 HAVE_FATAL_WARNINGS=""
 # Check whether --enable-fatal_warnings was given.
 if test "${enable_fatal_warnings+set}" = set; then :
@@ -3100,6 +3132,7 @@ if test "x$enable_fatal_warnings" = "xyes"; then :
 
 fi
 
+
 # checking pthread library
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
@@ -4107,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.37, which was
+This file was extended by firejail $as_me 0.9.39, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4161,7 +4194,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.37
+firejail config.status 0.9.39
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -4742,6 +4775,8 @@ echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
+echo "   network: $HAVE_NETWORK"
+echo "   user namespace: $HAVE_USERNS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
 
diff --git a/configure.ac b/configure.ac
index 6d7a09bdf..f9d0a3f65 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.37, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.39, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
@@ -33,6 +33,22 @@ AS_IF([test "x$enable_bind" != "xno"], [
         AC_SUBST(HAVE_BIND)
 ])
 
+HAVE_NETWORK=""
+AC_ARG_ENABLE([network],
+    AS_HELP_STRING([--disable-network], [disable network]))
+AS_IF([test "x$enable_network" != "xno"], [
+        HAVE_NETWORK="-DHAVE_NETWORK"
+        AC_SUBST(HAVE_NETWORK)
+])
+
+HAVE_USERNS=""
+AC_ARG_ENABLE([userns],
+    AS_HELP_STRING([--disable-userns], [disable user namespace]))
+AS_IF([test "x$enable_userns" != "xno"], [
+        HAVE_USERNS="-DHAVE_USERNS"
+        AC_SUBST(HAVE_USERNS)
+])
+
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
     AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -41,6 +57,7 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
         AC_SUBST(HAVE_FATAL_WARNINGS)
 ])
 
+
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
@@ -62,6 +79,8 @@ echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
+echo "   network: $HAVE_NETWORK"
+echo "   user namespace: $HAVE_USERNS"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
 
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
new file mode 100644
index 000000000..d1f4b1de1
--- /dev/null
+++ b/etc/Mathematica.profile
@@ -0,0 +1,13 @@
+# Mathematica profile
+whitelist ~/.Mathematica
+whitelist ~/.Wolfram Research
+whitelist ~/Documents/Wolfram Mathematica
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/audacious.profile b/etc/audacious.profile
index fa9cbbc52..f9a48f33c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 4cd24fd0a..5eeddb815 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -3,6 +3,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 protocol unix,inet,inet6
 private
 private-dev
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 76dc6b234..af2c740a8 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/chromium
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,4 +13,5 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/chromium
 whitelist ~/.cache/chromium
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/clementine.profile b/etc/clementine.profile
index e84d8f19a..c9c0ca724 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -2,7 +2,9 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 7c1384523..09f491c61 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.conkeror.mozdev.org
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
@@ -21,8 +22,4 @@ whitelist ~/.pentadactyl
 whitelist ~/.conkerorrc
 
 # common
-whitelist ~/.fonts
-whitelist ~/.fonts.d
-whitelist ~/.fontconfig
-whitelist ~/.fonts.conf
-whitelist ~/.fonts.conf.d
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 0d6e70a4a..35760bf13 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 4f76f3666..30e9f91ad 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index e7974f02d..d97740860 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -108,13 +108,19 @@ read-only ${HOME}/.csh_files
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
+read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
 
 # The user ~/bin directory can override commands such as ls
 read-only ${HOME}/bin
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
index 8336b6b52..7d29cda31 100644
--- a/etc/disable-secret.inc
+++ b/etc/disable-secret.inc
@@ -1,9 +1,9 @@
 # HOME directory
 blacklist ${HOME}/.ssh
-tmpfs ${HOME}/.gnome2_private
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.local/share/kwalletd
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/*.kdbx
diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc
new file mode 100644
index 000000000..9631e7f62
--- /dev/null
+++ b/etc/disable-terminals.inc
@@ -0,0 +1,6 @@
+# disable terminals running as server
+blacklist ${PATH}/lxterminal
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index e0c5c93a3..0bc7ac78e 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 248e3ac9e..9d2c612de 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 984bbc58e..7c96dc6fa 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
new file mode 100644
index 000000000..e86a35258
--- /dev/null
+++ b/etc/epiphany.profile
@@ -0,0 +1,16 @@
+# Epiphany browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/epiphany
+whitelist ${HOME}/.config/epiphany
+whitelist ${HOME}/.cache/epiphany
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+
diff --git a/etc/evince.profile b/etc/evince.profile
index 34d8162b3..070dc7be7 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index f94fc28df..a79f36398 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index ba8649067..1462d134e 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index a21093313..0946ebfbe 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
diff --git a/etc/generic.profile b/etc/generic.profile
index cc40ad27e..5618a555e 100644
--- a/etc/generic.profile
+++ b/etc/generic.profile
@@ -4,6 +4,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 0a495b0b0..8062c859a 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 6122876bf..f6b96575e 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-beta
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,5 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 7b8b12d04..3054a63db 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-unstable
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,5 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 351490d7f..3d5a6ebbd 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,4 +13,5 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome
 whitelist ~/.cache/google-chrome
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 61c9ac5bb..35b98fde6 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 05713755e..ca29675a0 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
new file mode 100644
index 000000000..a614a8dbf
--- /dev/null
+++ b/etc/lxterminal.profile
@@ -0,0 +1,19 @@
+# lxterminal (LXDE) profile
+
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+
+#noroot - somehow this breaks on Debian Jessie!
+
+# lxterminal is a single-instence program
+# blacklist any existing lxterminal socket in order to force a second process instance
+blacklist /tmp/.lxterminal-socket*
diff --git a/etc/mathematica.profile b/etc/mathematica.profile
new file mode 100644
index 000000000..9410054ae
--- /dev/null
+++ b/etc/mathematica.profile
@@ -0,0 +1,2 @@
+# Mathematica profile
+include /etc/firejail/Mathematica.profile
diff --git a/etc/midori.profile b/etc/midori.profile
index 77a6fb984..e46a6baa2 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
new file mode 100644
index 000000000..830531c04
--- /dev/null
+++ b/etc/mupen64plus.profile
@@ -0,0 +1,13 @@
+# mupen64plus profile
+# manually whitelist ROM files
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+whitelist ${HOME}/.local/share/mupen64plus/
+whitelist ${HOME}/.config/mupen64plus/
+noroot
+caps.drop all
+seccomp
+net none
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index c1672abce..783e8b0ef 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -4,10 +4,12 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 netfilter
 whitelist ~/.config/opera-beta
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera-beta
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 
diff --git a/etc/opera.profile b/etc/opera.profile
index a76806ed0..dd710a8fe 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -4,10 +4,12 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 netfilter
 whitelist ~/.config/opera
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 
diff --git a/etc/parole.profile b/etc/parole.profile
index 24181c8d6..fd49bcf07 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 private-etc passwd,group,fonts
 private-bin parole,dbus-launch
 blacklist ${HOME}/.pki/nssdb
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 3dd57b623..54bedccc8 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index dd50c779e..c68eb716b 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/quassel.profile b/etc/quassel.profile
index cb97d0752..e8db77973 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 9fc1fcb80..3326a34ed 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index c2c0356d9..7ba5677e9 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile
index 55b64bdae..d585c719b 100644
--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index 55b64bdae..d585c719b 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
diff --git a/etc/server.profile b/etc/server.profile
index 5b706df9a..5471aed91 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -5,5 +5,6 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
 private
 private-dev
+private-tmp
 seccomp
 
diff --git a/etc/skype.profile b/etc/skype.profile
index 4d2d042cc..a33cc339d 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot
diff --git a/etc/steam.profile b/etc/steam.profile
index 5b9244567..dc17c7a0f 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot
diff --git a/etc/telegram.profile b/etc/telegram.profile
new file mode 100644
index 000000000..261da6397
--- /dev/null
+++ b/etc/telegram.profile
@@ -0,0 +1,15 @@
+# Telegram profile
+noblacklist ${HOME}/.TelegramDesktop
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+noroot
+
+whitelist ~/Downloads/Telegram Desktop
+whitelist ~/.TelegramDesktop
diff --git a/etc/totem.profile b/etc/totem.profile
index 52b9450c3..65c62695e 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index a66ab0d63..290de9445 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index ad23c62dc..6ff49e476 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
new file mode 100644
index 000000000..0430f12b4
--- /dev/null
+++ b/etc/uget-gtk.profile
@@ -0,0 +1,14 @@
+# uGet profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
+whitelist ${DOWNLOADS}
+whitelist ~/.config/uGet
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 4dd00178b..c4f009159 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 37ff29308..028de0ad1 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 79e3ae774..218df3b33 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.weechat
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 97105e0b4..5a96c7fc4 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -4,6 +4,7 @@ whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
 read-only ~/.config/user-dirs.dirs
+whitelist ~/.asoundrc
 
 # fonts
 whitelist ~/.fonts
@@ -12,6 +13,7 @@ whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
 whitelist ~/.config/fontconfig
+whitelist ~/.cache/fontconfig
 
 # gtk
 whitelist ~/.gtkrc
diff --git a/etc/wine.profile b/etc/wine.profile
index 8a7f66773..ae1f5d1b6 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot
diff --git a/etc/xchat.profile b/etc/xchat.profile
index 37e1371e6..be68e0add 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp
diff --git a/install.sh b/install.sh
index b3ddf0423..a8a506096 100755
--- a/install.sh
+++ b/install.sh
@@ -1,2 +1,2 @@
-#!/bin/bash
+#!/bin/sh
 echo "installing..."
diff --git a/mkasc.sh b/mkasc.sh
index 09c7a35d4..2c9836f17 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 echo "Calculationg SHA256 for all files in /transfer - firejail version $1"
 
diff --git a/mkdeb.sh b/mkdeb.sh
index 64d9fbe63..71c3b9a04 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh
@@ -1,12 +1,12 @@
-#!/bin/bash
+#!/bin/sh
 # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
 # a code archive should already be available
 
 TOP=`pwd`
 CODE_ARCHIVE="$1-$2.tar.bz2"
 CODE_DIR="$1-$2"
-INSTALL_DIR+="$CODE_DIR/debian"
-DEBIAN_CTRL_DIR+="$CODE_DIR/debian/DEBIAN"
+INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
+DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
 
 echo "*****************************************"
 echo "code archive: $CODE_ARCHIVE"
@@ -36,6 +36,8 @@ cp platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
 mkdir -p $DEBIAN_CTRL_DIR
 sed "s/FIREJAILVER/$2/g"  platform/debian/control > $DEBIAN_CTRL_DIR/control
 
+mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
+cp platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
 
 cp platform/debian/conffiles $DEBIAN_CTRL_DIR/.
 find $INSTALL_DIR  -type d | xargs chmod 755
diff --git a/mketc.sh b/mketc.sh
index cc7f0c440..f44238968 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 rm -fr .etc
 mkdir .etc
 
diff --git a/mkman.sh b/mkman.sh
index 5cc79d277..e36475aad 100755
--- a/mkman.sh
+++ b/mkman.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 sed "s/VERSION/$1/g" $2 > $3
 MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 83a4404cf..a2c3727ce 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -21,6 +21,7 @@
 /etc/firejail/vlc.profile
 /etc/firejail/audacious.profile
 /etc/firejail/clementine.profile
+/etc/firejail/epiphany.profile
 /etc/firejail/gnome-mplayer.profile
 /etc/firejail/rhythmbox.profile
 /etc/firejail/totem.profile
@@ -55,3 +56,12 @@
 /etc/firejail/rtorrent.profile
 /etc/firejail/parole.profile
 /etc/firejail/kmail.profile
+/etc/firejail/seamonkey.profile
+/etc/firejail/seamonkey-bin.profile
+/etc/firejail/telegram.profile
+/etc/firejail/mathematica.profile
+/etc/firejail/Mathematica.profile
+/etc/firejail/uget-gtk.profile
+/etc/firejail/mupen64plus.profile
+/etc/disable-terminals.inc
+/etc/lxterminal.profile
diff --git a/platform/debian/firejail.lintian-overrides b/platform/debian/firejail.lintian-overrides
new file mode 100644
index 000000000..5b5f7e7ef
--- /dev/null
+++ b/platform/debian/firejail.lintian-overrides
@@ -0,0 +1,2 @@
+# Firejail binary should be setuid
+firejail binary: setuid-binary usr/bin/firejail 4755 root/root
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index f1bf7ad7b..e365af2d6 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -1,5 +1,5 @@
-Name: firejail
-Version: 0.9.30
+Name: __NAME__
+Version: __VERSION__
 Release: 1
 Summary: Linux namepaces sandbox program
 
@@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
 %setup -q
 
 %build
-%configure
+%configure --disable-userns
 make %{?_smp_mflags}
 
 %install
@@ -29,156 +29,21 @@ rm -rf %{buildroot}
 %clean
 rm -rf %{buildroot}
 
-
 %files
 %doc
 %defattr(-, root, root, -)
-%attr(4755, -, -) %{_bindir}/firejail
+%attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firemon
-%{_libdir}/firejail/ftee
-%{_libdir}/firejail/fshaper.sh
-%{_libdir}/firejail/libtrace.so
-%{_datarootdir}/bash-completion/completions/firejail
+%{_libdir}/__NAME__/ftee
+%{_libdir}/__NAME__/fshaper.sh
+%{_libdir}/__NAME__/libtrace.so
+%{_libdir}/__NAME__/libtracelog.so
+%{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firemon
-%{_docdir}/firejail
-%{_mandir}/man1/firejail.1.gz
+%{_docdir}/__NAME__
+%{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firemon.1.gz
-%{_mandir}/man5/firejail-login.5.gz
-%{_mandir}/man5/firejail-profile.5.gz
-%config %{_sysconfdir}/firejail
-
-%changelog
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
- - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-   disable-history.inc included in all default profiles
- - Firefox PDF.js exploit (CVE-2015-4495) fixes
- - added --private-etc option
- - added --env option
- - added --whitelist option
- - support ${HOME} token in include directive in profile files
- - --private.keep is transitioned to --private-home
- - support ~ and blanks in blacklist option
- - support "net none" command in profile files
- - using /etc/firejail/generic.profile by default for user sessions
- - using /etc/firejail/server.profile by default for root sessions
- - added build --enable-fatal-warnings configure option
- - added persistence to --overlay option
- - added --overlay-tmpfs option
- - make install-strip implemented, make install renamed
- - bugfixes
-
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
- - network scanning, --scan option
- - interface MAC address support, --mac option
- - IP address range, --iprange option
- - traffic shaping, --bandwidth option
- - reworked printing of network status at startup
- - man pages rework
- - added firejail-login man page
- - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-   profiles
- - added an /etc/firejail/disable-common.inc file to hold common directory
-   blacklists
- - blacklist Opera and Chrome/Chromium config directories in profile files
- - support noroot option for profile files
- - enabled noroot in default profile files
- - bugfixes
-
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
- - private dev directory
- - private.keep option for whitelisting home files in a new private directory
- - user namespaces support, noroot option
- - added Deluge and qBittorent profiles
- - bugfixes
-
-* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
- - whitelist and blacklist seccomp filters
- - doubledash option
- - --shell=none support
- - netfilter file support in profile files
- - dns server support in profile files
- - added --dns.print option
- - added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
- - added --caps.drop=all in default profiles
- - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
- -        clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- - two build patches from Reiner Herman (tickets 11, 12)
- - man page patch from Reiner Herman (ticket 13)
- - output patch (ticket 15) from sshirokov
-
-* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
- - Replaced --noip option with --ip=none
- - Container stdout logging and log rotation
- - Added process_vm_readv, process_vm_writev and mknod to
-     default seccomp blacklist
- - Added CAP_MKNOD to default caps blacklist
- - Blacklist and whitelist custom Linux capabilities filters
- - macvlan device driver support for --net option
- - DNS server support, --dns option
- - Netfilter support
- - Monitor network statistics, --netstats option
- - Added profile for Mozilla Thunderbird/Icedove
- - --overlay support for Linux kernels 3.18+
- - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- - Bugfix: check uid/gid for cgroup
-
-* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
- - utmp, btmp and wtmp enhancements
- -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
- -    generate a new /var/run/utmp file in sandbox
- - CPU affinity, --cpu option
- - Linux control groups support, --cgroup option
- - Opera web browser support
- - VLC support
- - Added "empty" attribute to seccomp command to remove the default
- -    syscall list form seccomp blacklist
- - Added --nogroups option to disable supplementary groups for regular
- -   users. root user always runs without supplementary groups.
- - firemon enhancements
- -   display the command that started the sandbox
- -   added --caps option to display capabilities for all sandboxes
- -   added --cgroup option to display the control groups for all sandboxes
- -   added --cpu option to display CPU affinity for all sandboxes
- -   added --seccomp option to display seccomp setting for all sandboxes
- - New compile time options: --disable-chroot, --disable-bind
- - bugfixes
-
-* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
- - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- - Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- - Added profiles for transmission-gtk and transmission-qt
- - bugfixes
-
-* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
- - Configurable private home directory
- - Configurable default user shell
- - Software configuration support for --docdir and DESTDIR
- - Profile file support for include, caps, seccomp and private keywords
- - Dropbox profile file
- - Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
- - bugfixes
-
-* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
- - Linux capabilities and seccomp filters are automatically enabled in 
-   chroot mode (--chroot option) if the sandbox is started as regular
-   user
- - Added support for user defined seccomp blacklists
- - Added syscall trace support
- - Added --tmpfs option
- - Added --balcklist option
- - Added --read-only option
- - Added --bind option
- - Logging enhancements
- - --overlay option was reactivated
- - Added firemon support to print the ARP table for each sandbox
- - Added firemon support to print the route table for each sandbox
- - Added firemon support to print interface information for each sandbox
- - bugfixes
-
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
- - Added capabilities support
- - Added support for CentOS 7
- - bugfixes
+%{_mandir}/man5/__NAME__-login.5.gz
+%{_mandir}/man5/__NAME__-profile.5.gz
+%config %{_sysconfdir}/__NAME__
 
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index 3daede84c..e600c6bdd 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -1,296 +1,41 @@
 #!/bin/bash
 #
-# Usage: ./mkrpm.sh
-#        ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz
+# Usage: ./platform/rpm/mkrpm.sh firejail <version>
 #
-# Script builds rpm in a temporary directory and places the built rpm in the
+# Builds rpms in a temporary directory then places the result in the
 # current working directory.
 
+name=$1
+version=$2
 
-source=$1
-
-create_tmp_dir() {
-    tmpdir=$(mktemp -d)
-    mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-}
-
-
-# copy or download source
-if [[ $source ]]; then
-
-    # check file exists
-    if [[ ! -f $source ]]; then
-        echo "$source does not exist!"
-        exit 1
-    fi
-
-    name=$(awk '/Name:/ {print $2}' firejail.spec)
-    version=$(awk '/Version:/ {print $2}' firejail.spec)
-    expected_filename="${name}-${version}.tar.gz"
-
-    # ensure file name matches spec file expets
-    if [[ $(basename $source) != $expected_filename ]]; then
-        echo "source ($source) does not match expected filename ($(basename $expected_filename))"
-        exit 1
-    fi
-
-    create_tmp_dir
-    cp ${source} ${tmpdir}/SOURCES
-else
-  create_tmp_dir
-  if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then
-    echo "Failed to fetch firejail source code"
+if [[ ! -f platform/rpm/${name}.spec ]]; then
+    echo error: spec file not found for name \"${name}\"
     exit 1
-  fi
 fi
 
-cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec"
-
-<<<<<<< HEAD
-echo "building tar.gz archive"
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-
-cp firejail-$VERSION.tar.gz SOURCES/.
-
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define        __spec_install_post %{nil}
-%define          debug_package %{nil}
-%define        __os_install_post %{_dbpath}/brp-compress
-
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://github.com/netblue30/firejail
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-
-%prep
-%setup -q
-
-%build
-
-%install
-rm -rf %{buildroot}
-mkdir -p  %{buildroot}
-
-cp -a * %{buildroot}
-
-
-%clean
-rm -rf %{buildroot}
-
-
-%files
-%defattr(-,root,root,-)
-%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
-%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc
-%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
-%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
-%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
-%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
-%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
-%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
-%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
-%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/generic.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc
-%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
-%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
-%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/server.profile
-%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
-
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fshaper.sh
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
- 
-%post
-chmod u+s /usr/bin/firejail
-
-%changelog
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
- - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-   disable-history.inc included in all default profiles
- - Firefox PDF.js exploit (CVE-2015-4495) fixes
- - added --private-etc option
- - added --env option
- - added --whitelist option
- - support ${HOME} token in include directive in profile files
- - --private.keep is transitioned to --private-home
- - support ~ and blanks in blacklist option
- - support "net none" command in profile files
- - using /etc/firejail/generic.profile by default for user sessions
- - using /etc/firejail/server.profile by default for root sessions
- - added build --enable-fatal-warnings configure option
- - added persistence to --overlay option
- - added --overlay-tmpfs option
- - make install-strip implemented, make install renamed
- - bugfixes
-
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
- - network scanning, --scan option
- - interface MAC address support, --mac option
- - IP address range, --iprange option
- - traffic shaping, --bandwidth option
- - reworked printing of network status at startup
- - man pages rework
- - added firejail-login man page
- - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-   profiles
- - added an /etc/firejail/disable-common.inc file to hold common directory
-   blacklists
- - blacklist Opera and Chrome/Chromium config directories in profile files
- - support noroot option for profile files
- - enabled noroot in default profile files
- - bugfixes
-
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
- - private dev directory
- - private.keep option for whitelisting home files in a new private directory
- - user namespaces support, noroot option
- - added Deluge and qBittorent profiles
- - bugfixes
-
-* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
- - whitelist and blacklist seccomp filters
- - doubledash option
- - --shell=none support
- - netfilter file support in profile files
- - dns server support in profile files
- - added --dns.print option
- - added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
- - added --caps.drop=all in default profiles
- - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
- -        clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- - two build patches from Reiner Herman (tickets 11, 12)
- - man page patch from Reiner Herman (ticket 13)
- - output patch (ticket 15) from sshirokov
-
-* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
- - Replaced --noip option with --ip=none
- - Container stdout logging and log rotation
- - Added process_vm_readv, process_vm_writev and mknod to
-     default seccomp blacklist
- - Added CAP_MKNOD to default caps blacklist
- - Blacklist and whitelist custom Linux capabilities filters
- - macvlan device driver support for --net option
- - DNS server support, --dns option
- - Netfilter support
- - Monitor network statistics, --netstats option
- - Added profile for Mozilla Thunderbird/Icedove
- - --overlay support for Linux kernels 3.18+
- - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- - Bugfix: check uid/gid for cgroup
-
-* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
- - utmp, btmp and wtmp enhancements
- -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
- -    generate a new /var/run/utmp file in sandbox
- - CPU affinity, --cpu option
- - Linux control groups support, --cgroup option
- - Opera web browser support
- - VLC support
- - Added "empty" attribute to seccomp command to remove the default
- -    syscall list form seccomp blacklist
- - Added --nogroups option to disable supplementary groups for regular
- -   users. root user always runs without supplementary groups.
- - firemon enhancements
- -   display the command that started the sandbox
- -   added --caps option to display capabilities for all sandboxes
- -   added --cgroup option to display the control groups for all sandboxes
- -   added --cpu option to display CPU affinity for all sandboxes
- -   added --seccomp option to display seccomp setting for all sandboxes
- - New compile time options: --disable-chroot, --disable-bind
- - bugfixes
-
-* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
- - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- - Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- - Added profiles for transmission-gtk and transmission-qt
- - bugfixes
-
-* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
- - Configurable private home directory
- - Configurable default user shell
- - Software configuration support for --docdir and DESTDIR
- - Profile file support for include, caps, seccomp and private keywords
- - Dropbox profile file
- - Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
- - bugfixes
+if [[ -z "${version}" ]]; then
+    echo error: version must be given
+    exit 1
+fi
 
-* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
- - Linux capabilities and seccomp filters are automatically enabled in 
-   chroot mode (--chroot option) if the sandbox is started as regular
-   user
- - Added support for user defined seccomp blacklists
- - Added syscall trace support
- - Added --tmpfs option
- - Added --balcklist option
- - Added --read-only option
- - Added --bind option
- - Logging enhancements
- - --overlay option was reactivated
- - Added firemon support to print the ARP table for each sandbox
- - Added firemon support to print the route table for each sandbox
- - Added firemon support to print interface information for each sandbox
- - bugfixes
+# Make a temporary directory and arrange to clean up on exit
+tmpdir=$(mktemp -d)
+mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+function cleanup {
+  rm -rf ${tmpdir}
+}
+trap cleanup EXIT
 
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
- - Added capabilities support
- - Added support for CentOS 7
- - bugfixes
+# Create the spec file
+tmp_spec_file=${tmpdir}/SPECS/${name}.spec
+sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
+# FIXME: We could parse RELNOTES and create a %changelog section here
 
-EOF
+# Copy the source to build into a tarball
+tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='.git/*'
 
-echo "building rpm"
-rpmbuild -ba SPECS/firejail.spec
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
-=======
-rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec"
->>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd
+# Build the files (rpm, debug rpm and source rpm)
+rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
 
-cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm .
-rm -rf "${tmpdir}"
+# Copy the results to cwd
+mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm .
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
deleted file mode 100755
index 5775783af..000000000
--- a/platform/rpm/old-mkrpm.sh
+++ /dev/null
@@ -1,417 +0,0 @@
-#!/bin/bash
-VERSION="0.9.36"
-rm -fr ~/rpmbuild
-rm -f firejail-$VERSION-1.x86_64.rpm
-
-mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
-cat <<EOF >~/.rpmmacros
-%_topdir   %(echo $HOME)/rpmbuild
-%_tmppath  %{_topdir}/tmp
-EOF
-
-cd ~/rpmbuild
-echo "building directory tree"
-
-mkdir -p firejail-$VERSION/usr/bin
-install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
-install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
-
-mkdir -p  firejail-$VERSION/usr/lib/firejail
-install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man1
-install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
-install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man5
-install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
-install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
-
-mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
-install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
-
-mkdir -p firejail-$VERSION/etc/firejail
-install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/xchat.profile
-install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/server.profile
-install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/quassel.profile
-install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/pidgin.profile
-install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/icecat.profile
-install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/filezilla.profile
-install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/chromium-browser.profile
-install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/chromium.profile
-install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/dropbox.profile
-install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/disable-common.inc
-install -m 644 /etc/firejail/disable-secret.inc firejail-$VERSION/etc/firejail/disable-secret.inc
-install -m 644 /etc/firejail/disable-mgmt.inc firejail-$VERSION/etc/firejail/disable-mgmt.inc
-install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/evince.profile
-install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/firefox.profile
-install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/icedove.profile
-install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/iceweasel.profile
-install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/midori.profile
-install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/thunderbird.profile
-install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/opera.profile
-install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/transmission-gtk.profile
-install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/transmission-qt.profile
-install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/vlc.profile
-install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/audacious.profile
-install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/clementine.profile
-install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/gnome-mplayer.profile
-install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/rhythmbox.profile
-install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/totem.profile
-install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/deluge.profile
-install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/qbittorrent.profile
-install -m 644 /etc/firejail/generic.profile firejail-$VERSION/etc/firejail/generic.profile
-install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/login.users
-install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/deadbeef.profile
-install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/empathy.profile
-install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/fbreader.profile
-install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/spotify.profile
-install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/google-chrome.profile
-install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/skype.profile
-install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/steam.profile
-install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/wine.profile
-install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/disable-devel.inc
-
-install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/bitlbee.profile
-install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/conkeror.profile
-install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/google-chrome-beta.profile
-install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/google-chrome-stable.profile
-install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/google-chrome-unstable.profile
-install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/hexchat.profile
-install -m 644 /etc/firejail/konqueror.profile firejail-$VERSION/etc/firejail/konqueror.profile
-install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/nolocal.net
-install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/opera-beta.profile
-install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/parole.profile
-install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/rtorrent.profile
-install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/unbound.profile
-install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/webserver.net
-install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/weechat-curses.profile
-install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/weechat.profile
-install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/whitelist-common.inc
-
-mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
-install -m 644 /usr/share/bash-completion/completions/firejail  firejail-$VERSION/usr/share/bash-completion/completions/.
-install -m 644 /usr/share/bash-completion/completions/firemon  firejail-$VERSION/usr/share/bash-completion/completions/.
-
-echo "building tar.gz archive"
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-
-cp firejail-$VERSION.tar.gz SOURCES/.
-
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define        __spec_install_post %{nil}
-%define          debug_package %{nil}
-%define        __os_install_post %{_dbpath}/brp-compress
-
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://firejail.wordpress.com
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-
-%prep
-%setup -q
-
-%build
-
-%install
-rm -rf %{buildroot}
-mkdir -p  %{buildroot}
-
-cp -a * %{buildroot}
-
-
-%clean
-rm -rf %{buildroot}
-
-
-%files
-%defattr(-,root,root,-)
-%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
-%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc
-%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc
-%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
-%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
-%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
-%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
-%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
-%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
-%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
-%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
-%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/generic.profile
-%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
-%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
-%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
-%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
-%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
-%config(noreplace) %{_sysconfdir}/%{name}/server.profile
-%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
-%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
-%config(noreplace) %{_sysconfdir}/%{name}/skype.profile
-%config(noreplace) %{_sysconfdir}/%{name}/steam.profile
-%config(noreplace) %{_sysconfdir}/%{name}/wine.profile
-%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
-%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
-%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
-%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
-%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/konqueror.profile
-%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
-%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
-%config(noreplace) %{_sysconfdir}/%{name}/parole.profile
-%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
-%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
-%config(noreplace) %{_sysconfdir}/%{name}/webserver.net
-%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
-%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
-%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
-
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fshaper.sh
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
- 
-%post
-chmod u+s /usr/bin/firejail
-
-%changelog
-* Thu Dec 24 2015 netblue30 <netblue30@yahoo.com> 0.9.36-1
- - added  unbound, dnscrypt-proxy, BitlBee, HexChat profiles
- - added WeeChat, parole and rtorrent profiles
- - Google Chrome profile rework
- - added google-chrome-stable profile
- - added google-chrome-beta profile
- - added google-chrome-unstable profile
- - Opera profile rework
- - added opera-beta profile
- - added --noblacklist option
- - added --profile-path option
- - added --force option
- - whitelist command enhancements
- - prevent user name enumeration
- - added /etc/firejail/nolocal.net network filter
- - added /etc/firejail/webserver.net network filter
- - blacklisting firejail configuration by default
- - allow default gateway configuration for --interface option
- - --debug enhancements: --debug-check-filenames
- - --debug enhancements:--debug-blacklists
- - --debug enhancements: --debug-whitelists
- - filesystem log
- - libtrace enhancements, tracing opendir call
- - added --tracelog option
- - added "name" command to profile files
- - added "hostname" command to profile files
- - added automated feature testing framework
- - Debian reproducible build
- - bugfixes
-
-* Sat Nov 7 2015 netblue30 <netblue30@yahoo.com> 0.9.34-1
- - added --ignore option
- - added --protocol option
- - support dual i386/amd64 seccomp filters
- - added Google Chrome profile
- - added Steam, Skype, Wine and Conkeror profiles
- - bugfixes
-
-* Wed Oct 21 2015 netblue30 <netblue30@yahoo.com> 0.9.32-1
- - added --interface option
- - added --mtu option
- - added --private-bin option
- - added --nosound option
- - added --hostname option
- - added --quiet option
- - added seccomp errno support
- - added FBReader default profile
- - added Spotify default profile
- - lots of default security profile changes
- - fixed a security problem on multi-user systems
- - bugfixes
-
-* Mon Sep 14 2015 netblue30 <netblue30@yahoo.com> 0.9.30-1
- - added a disable-history.inc profile as a result of Firefox PDF.js exploit;
-   disable-history.inc included in all default profiles
- - Firefox PDF.js exploit (CVE-2015-4495) fixes
- - added --private-etc option
- - added --env option
- - added --whitelist option
- - support ${HOME} token in include directive in profile files
- - --private.keep is transitioned to --private-home
- - support ~ and blanks in blacklist option
- - support "net none" command in profile files
- - using /etc/firejail/generic.profile by default for user sessions
- - using /etc/firejail/server.profile by default for root sessions
- - added build --enable-fatal-warnings configure option
- - added persistence to --overlay option
- - added --overlay-tmpfs option
- - make install-strip implemented, make install renamed
- - bugfixes
-
-* Sat Aug 1 2015 netblue30 <netblue30@yahoo.com> 0.9.28-1
- - network scanning, --scan option
- - interface MAC address support, --mac option
- - IP address range, --iprange option
- - traffic shaping, --bandwidth option
- - reworked printing of network status at startup
- - man pages rework
- - added firejail-login man page
- - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default
-   profiles
- - added an /etc/firejail/disable-common.inc file to hold common directory
-   blacklists
- - blacklist Opera and Chrome/Chromium config directories in profile files
- - support noroot option for profile files
- - enabled noroot in default profile files
- - bugfixes
-
-* Thu Apr 30 2015 netblue30 <netblue30@yahoo.com> 0.9.26-1
- - private dev directory
- - private.keep option for whitelisting home files in a new private directory
- - user namespaces support, noroot option
- - added Deluge and qBittorent profiles
- - bugfixes
-
-* Sun Apr 5 2015  netblue30 <netblue30@yahoo.com> 0.9.24-1
- - whitelist and blacklist seccomp filters
- - doubledash option
- - --shell=none support
- - netfilter file support in profile files
- - dns server support in profile files
- - added --dns.print option
- - added default profiles for Audoacious, Clementine, Rhythmbox and Totem.
- - added --caps.drop=all in default profiles
- - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp
- -        clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init
- - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids
- - two build patches from Reiner Herman (tickets 11, 12)
- - man page patch from Reiner Herman (ticket 13)
- - output patch (ticket 15) from sshirokov
-
-* Mon Mar 9 2015  netblue30 <netblue30@yahoo.com> 0.9.22-1
- - Replaced --noip option with --ip=none
- - Container stdout logging and log rotation
- - Added process_vm_readv, process_vm_writev and mknod to
-     default seccomp blacklist
- - Added CAP_MKNOD to default caps blacklist
- - Blacklist and whitelist custom Linux capabilities filters
- - macvlan device driver support for --net option
- - DNS server support, --dns option
- - Netfilter support
- - Monitor network statistics, --netstats option
- - Added profile for Mozilla Thunderbird/Icedove
- - --overlay support for Linux kernels 3.18+
- - Bugfix: preserve .Xauthority file in private mode (test with ssh -X)
- - Bugfix: check uid/gid for cgroup
-
-* Fri Feb 6 2015   netblue30 <netblue30@yahoo.com> 0.9.20-1
- - utmp, btmp and wtmp enhancements
- -    create empty /var/log/wtmp and /var/log/btmp files in sandbox
- -    generate a new /var/run/utmp file in sandbox
- - CPU affinity, --cpu option
- - Linux control groups support, --cgroup option
- - Opera web browser support
- - VLC support
- - Added "empty" attribute to seccomp command to remove the default
- -    syscall list form seccomp blacklist
- - Added --nogroups option to disable supplementary groups for regular
- -   users. root user always runs without supplementary groups.
- - firemon enhancements
- -   display the command that started the sandbox
- -   added --caps option to display capabilities for all sandboxes
- -   added --cgroup option to display the control groups for all sandboxes
- -   added --cpu option to display CPU affinity for all sandboxes
- -   added --seccomp option to display seccomp setting for all sandboxes
- - New compile time options: --disable-chroot, --disable-bind
- - bugfixes
-
-* Sat Dec 27 2014  netblue30 <netblue30@yahoo.com> 0.9.18-1
- - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls
- - Support for tracing setreuid, setregid, setresuid, setresguid syscalls
- - Added profiles for transmission-gtk and transmission-qt
- - bugfixes
-
-* Tue Nov 4 2014  netblue30 <netblue30@yahoo.com> 0.9.16-1
- - Configurable private home directory
- - Configurable default user shell
- - Software configuration support for --docdir and DESTDIR
- - Profile file support for include, caps, seccomp and private keywords
- - Dropbox profile file
- - Linux capabilities and seccomp filters enabled by default for Firefox,
-  Midori, Evince and Dropbox
- - bugfixes
-
-* Wed Oct 8 2014  netblue30 <netblue30@yahoo.com> 0.9.14-1
- - Linux capabilities and seccomp filters are automatically enabled in 
-   chroot mode (--chroot option) if the sandbox is started as regular
-   user
- - Added support for user defined seccomp blacklists
- - Added syscall trace support
- - Added --tmpfs option
- - Added --balcklist option
- - Added --read-only option
- - Added --bind option
- - Logging enhancements
- - --overlay option was reactivated
- - Added firemon support to print the ARP table for each sandbox
- - Added firemon support to print the route table for each sandbox
- - Added firemon support to print interface information for each sandbox
- - bugfixes
-
-* Tue Sep 16 2014 netblue30 <netblue30@yahoo.com> 0.9.12-1
- - Added capabilities support
- - Added support for CentOS 7
- - bugfixes
-
-EOF
-
-echo "building rpm"
-rpmbuild -ba SPECS/firejail.spec
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
-
diff --git a/seamonkey.profile b/seamonkey.profile
deleted file mode 100644
index d21efc7f5..000000000
--- a/seamonkey.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-noblacklist ${HOME}/.mozilla
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
-noroot
-whitelist ${DOWNLOADS}
-whitelist ~/.mozilla/seamonkey
-whitelist ~/.cache/mozilla/seamonkey
-whitelist ~/dwhelper
-whitelist ~/.zotero
-whitelist ~/.lastpass
-whitelist ~/.vimperatorrc
-whitelist ~/.vimperator
-whitelist ~/.pentadactylrc
-whitelist ~/.pentadactyl
-whitelist ~/.keysnail.js
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
-include /etc/firejail/whitelist-common.inc
-
-# experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 87cda9ab2..83a2b0592 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
 
 
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST)
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index b25c2692e..fb5e426b0 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -87,7 +87,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
         memcpy(hdr.sender_ip, (uint8_t *)&srcaddr, 4);
         memcpy(hdr.target_ip, (uint8_t *)&destaddr, 4);
 
-        // buiild ethernet frame
+        // build ethernet frame
         uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
         memset(frame, 0, sizeof(frame));
         frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
@@ -130,7 +130,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
                                 return -1;
                         }
                         
-                        // parse the incomming packet
+                        // parse the incoming packet
                         if ((unsigned int) len < 14 + sizeof(ArpHdr))
                                 continue;
                         if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256))
@@ -384,7 +384,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
                         uint32_t dst = htonl(dest);
                         memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
                 
-                        // buiild ethernet frame
+                        // build ethernet frame
                         uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
                         memset(frame, 0, sizeof(frame));
                         frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
@@ -409,7 +409,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
                                 perror("recvfrom");
                         }
 
-                        // parse the incomming packet
+                        // parse the incoming packet
                         if ((unsigned int) len < 14 + sizeof(ArpHdr))
                                 continue;
 
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index cb3631ab7..da894b321 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -118,7 +118,7 @@ void shm_create_firejail_dir(void) {
         struct stat s;
         if (stat("/dev/shm/firejail", &s) == -1) {
                 /* coverity[toctou] */
-                if (mkdir("/dev/shm/firejail", 0777) == -1)
+                if (mkdir("/dev/shm/firejail", 0644) == -1)
                         errExit("mkdir");
                 if (chown("/dev/shm/firejail", 0, 0) == -1)
                         errExit("chown");
@@ -271,7 +271,7 @@ void shm_write_bandwidth_file(pid_t pid) {
         return;
 
 errout:
-        fprintf(stderr, "Error: cannot write bandwidht file %s\n", fname);
+        fprintf(stderr, "Error: cannot write bandwidth file %s\n", fname);
         exit(1);
 }
 
@@ -413,7 +413,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                         errExit("asprintf");
                 FILE *fp = fopen(fname, "r");
                 if (!fp) {
-                        fprintf(stderr, "Error: cannot read netowk map filel %s\n", fname);
+                        fprintf(stderr, "Error: cannot read network map file %s\n", fname);
                         exit(1);
                 }
                 
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 93049ebf0..1c4ac8d37 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -289,10 +289,12 @@ int caps_default_filter(void) {
         else if (arg_debug)
                 printf("Drop CAP_SYS_TTY_CONFIG\n");
 
+#ifdef CAP_SYSLOG
         if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug)
                 fprintf(stderr, "Warning: cannot drop CAP_SYSLOG");
         else if (arg_debug)
                 printf("Drop CAP_SYSLOG\n");
+#endif
 
         if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug)
                 fprintf(stderr, "Warning: cannot drop CAP_MKNOD");
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 8b8f7e970..040a1f934 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -64,7 +64,7 @@ void load_cgroup(const char *fname) {
                 return;
         }
 errout:
-        fprintf(stderr, "Warrning: cannot load control group\n");
+        fprintf(stderr, "Warning: cannot load control group\n");
         if (fp)
                 fclose(fp);
 }
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 1cbc50af5..cccab966d 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -114,6 +114,13 @@ void env_defaults(void) {
         //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
         if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
                 errExit("setenv");
+
+        // build the window title and set it
+        char *title;
+        if (asprintf(&title, "\033]0;firejail %s\007\n", cfg.window_title) == -1)
+                errExit("asprintf");
+        printf("%s", title);
+        free(title);
 }
 
 // parse and store the environment setting 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 180454bda..a754711b1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 
 // filesystem
+#define RUN_FIREJAIL_BASEDIR    "/run"
 #define RUN_FIREJAIL_DIR        "/run/firejail"
 #define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail.lock"
 #define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
@@ -49,6 +50,7 @@
 #define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
 
 #define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
+#define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
 #define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
@@ -122,7 +124,6 @@ typedef struct config_t {
         char *profile_ignore[MAX_PROFILE_IGNORE];
         char *chrootdir;        // chroot directory
         char *home_private;     // private home directory
-        char *home_private_keep;        // keep list for private home directory
         char *etc_private_keep; // keep list for private etc directory
         char *bin_private_keep; // keep list for private bin directory
         char *cwd;              // current working directory
@@ -157,13 +158,15 @@ typedef struct config_t {
         unsigned rlimit_fsize;
         unsigned rlimit_sigpending;
         
-        // cpu affinity and control groups
+        // cpu affinity, nice and control groups
         uint32_t cpus;
+        int nice;
         char *cgroup;
         
 
         // command line
         char *command_line;
+        char *window_title;
         char *command_name;
         char *shell;
         char **original_argv;
@@ -223,12 +226,14 @@ extern int arg_shell_none;	// run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
 extern int arg_private_etc;     // private etc directory
 extern int arg_private_bin;     // private bin directory
+extern int arg_private_tmp;     // private tmp directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
 extern int arg_nosound; // disable sound
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
+extern int arg_nice;            // nice value configured
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -287,6 +292,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 int fs_check_chroot_dir(const char *rootdir);
+void fs_private_tmp(void);
 
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -375,16 +381,12 @@ void fs_private_dev(void);
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
-// private mode (--private-home=list)
-void fs_private_home_list(void);
-// check directory list specified by user (--private-home option) - exit if it fails
-void fs_check_home_list(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
 
 
 // seccomp.c
-int seccomp_filter_drop(void);
+int seccomp_filter_drop(int enforce_seccomp);
 int seccomp_filter_keep(void);
 void seccomp_set(void);
 void seccomp_print_filter_name(const char *name);
@@ -437,6 +439,7 @@ void check_output(int argc, char **argv);
 // netfilter.c
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
+void netfilter6(const char *fname);
 
 // bandwidth.c
 void shm_create_firejail_dir(void);
@@ -503,5 +506,11 @@ void fs_logger_print_log(pid_t pid);
 // run_symlink.c
 void run_symlink(int argc, char **argv);
 
+// user.c
+void check_user(int argc, char **argv);
+
+// paths.c
+char **build_paths(void);
+
 #endif
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index cef1cc68b..c3e9890b4 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -60,16 +60,30 @@ static void create_empty_file(void) {
 void fs_build_firejail_dir(void) {
         struct stat s;
 
+        // CentOS 6 doesn't have /run directory
+        if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
+                if (arg_debug)
+                        printf("Creating %s directory\n", RUN_FIREJAIL_BASEDIR);
+                /* coverity[toctou] */
+                int rv = mkdir(RUN_FIREJAIL_BASEDIR, 0755);
+                if (rv == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_BASEDIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_BASEDIR, 0755) < 0)
+                        errExit("chmod");
+        }
+
         if (stat(RUN_FIREJAIL_DIR, &s)) {
                 if (arg_debug)
                         printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
                 /* coverity[toctou] */
-                int rv = mkdir(RUN_FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_FIREJAIL_DIR, 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
                         errExit("chown");
-                if (chmod(RUN_FIREJAIL_DIR, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
                         errExit("chmod");
         }
         else { // check /tmp/firejail directory belongs to root end exit if doesn't!
@@ -102,12 +116,12 @@ void fs_build_mnt_dir(void) {
                 if (arg_debug)
                         printf("Creating %s directory\n", RUN_MNT_DIR);
                 /* coverity[toctou] */
-                int rv = mkdir(RUN_MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_MNT_DIR, 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_MNT_DIR, 0, 0) < 0)
                         errExit("chown");
-                if (chmod(RUN_MNT_DIR, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                if (chmod(RUN_MNT_DIR, 0755) < 0)
                         errExit("chmod");
         }
 
@@ -136,12 +150,18 @@ void fs_build_cp_command(void) {
                         fprintf(stderr, "Error: /bin/cp not found\n");
                         exit(1);
                 }
+                if (is_link(fname)) {
+                        fprintf(stderr, "Error: invalid /bin/cp file\n");
+                        exit(1);
+                }
                 int rv = copy_file(fname, RUN_CP_COMMAND);
                 if (rv) {
                         fprintf(stderr, "Error: cannot access /bin/cp\n");
                         exit(1);
                 }
                 /* coverity[toctou] */
+                if (chown(RUN_CP_COMMAND, 0, 0))
+                        errExit("chown");
                 if (chmod(RUN_CP_COMMAND, 0755))
                         errExit("chmod");
                         
@@ -181,11 +201,40 @@ static void disable_file(OPERATION op, const char *filename) {
         
         // Resolve all symlinks
         char* fname = realpath(filename, NULL);
-        if (fname == NULL) {
+        if (fname == NULL && errno != EACCES) {
                 if (arg_debug)
                         printf("Warning: %s is an invalid file, skipping...\n", filename);
                 return;
         }
+        if (fname == NULL && errno == EACCES) {
+                if (arg_debug)
+                        printf("Debug: no access to file %s, forcing mount\n", filename);
+                // realpath and stat funtions will fail on FUSE filesystems
+                // they don't seem to like a uid of 0
+                // force mounting
+                int rv = mount(RUN_RO_DIR, filename, "none", MS_BIND, "mode=400,gid=0");
+                if (rv == 0)
+                        last_disable = SUCCESSFUL;
+                else {
+                        rv = mount(RUN_RO_FILE, filename, "none", MS_BIND, "mode=400,gid=0");
+                        if (rv == 0)
+                                last_disable = SUCCESSFUL;
+                }
+                if (last_disable == SUCCESSFUL) {
+                        if (arg_debug)
+                                printf("Disable %s\n", filename);
+                        if (op == BLACKLIST_FILE)
+                                fs_logger2("blacklist", filename);
+                        else
+                                fs_logger2("blacklist-nolog", filename);
+                }
+                else {
+                        if (arg_debug)
+                                printf("Warning: %s is an invalid file, skipping...\n", filename);
+                }
+                                
+                return;
+        }
         
         // if the file is not present, do nothing
         struct stat s;
@@ -411,13 +460,14 @@ void fs_blacklist(void) {
                         if (strncmp(ptr, "${PATH}", 7) == 0) {
                                 char *fname = ptr + 7;
                                 size_t fname_len = strlen(fname);
-                                char **path, *paths[] = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL};
-                                for (path = &paths[0]; *path; path++) {
-                                        char newname[strlen(*path) + fname_len + 1];
-                                        sprintf(newname, "%s%s", *path, fname);
+                                char **paths = build_paths(); //{"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL};
+                                int i = 0;
+                                while (paths[i] != NULL) {
+                                        char *path = paths[i];
+                                        i++;
+                                        char newname[strlen(path) + fname_len + 1];
+                                        sprintf(newname, "%s%s", path, fname);
                                         globbing(op, newname, (const char**)noblacklist, noblacklist_c);
-                                        if  (last_disable == SUCCESSFUL)
-                                                break;
                                 }
                         }
                         else
@@ -575,6 +625,18 @@ void fs_proc_sys_dev_boot(void) {
         if (stat("/dev/port", &s) == 0) {
                 disable_file(BLACKLIST_FILE, "/dev/port");
         }
+        
+        if (getuid() != 0) {
+                // disable /dev/kmsg
+                if (stat("/dev/kmsg", &s) == 0) {
+                        disable_file(BLACKLIST_FILE, "/dev/kmsg");
+                }
+                
+                // disable /proc/kmsg
+                if (stat("/proc/kmsg", &s) == 0) {
+                        disable_file(BLACKLIST_FILE, "/proc/kmsg");
+                }
+        }
 }
 
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
@@ -693,18 +755,18 @@ void fs_overlayfs(void) {
         char *oroot;
         if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
                 errExit("asprintf");
-        if (mkdir(oroot, S_IRWXU | S_IRWXG | S_IRWXO))
+        if (mkdir(oroot, 0755))
                 errExit("mkdir");
         if (chown(oroot, 0, 0) < 0)
                 errExit("chown");
-        if (chmod(oroot, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+        if (chmod(oroot, 0755) < 0)
                 errExit("chmod");
 
         char *basedir = RUN_MNT_DIR;
         if (arg_overlay_keep) {
                 // set base for working and diff directories
                 basedir = cfg.overlay_dir;
-                if (mkdir(basedir, S_IRWXU | S_IRWXG | S_IRWXO) != 0) {
+                if (mkdir(basedir, 0755) != 0) {
                         fprintf(stderr, "Error: cannot create overlay directory\n");
                         exit(1);
                 }
@@ -713,21 +775,21 @@ void fs_overlayfs(void) {
         char *odiff;
         if(asprintf(&odiff, "%s/odiff", basedir) == -1)
                 errExit("asprintf");
-        if (mkdir(odiff, S_IRWXU | S_IRWXG | S_IRWXO))
+        if (mkdir(odiff, 0755))
                 errExit("mkdir");
         if (chown(odiff, 0, 0) < 0)
                 errExit("chown");
-        if (chmod(odiff, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+        if (chmod(odiff, 0755) < 0)
                 errExit("chmod");
         
         char *owork;
         if(asprintf(&owork, "%s/owork", basedir) == -1)
                 errExit("asprintf");
-        if (mkdir(owork, S_IRWXU | S_IRWXG | S_IRWXO))
+        if (mkdir(owork, 0755))
                 errExit("mkdir");
         if (chown(owork, 0, 0) < 0)
                 errExit("chown");
-        if (chmod(owork, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+        if (chmod(owork, 0755) < 0)
                 errExit("chmod");
         
         // mount overlayfs
@@ -866,7 +928,7 @@ void fs_chroot(const char *rootdir) {
         if (asprintf(&rundir, "%s/run", rootdir) == -1)
                 errExit("asprintf");
         if (!is_dir(rundir)) {
-                int rv = mkdir(rundir, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(rundir, 0755);
                 (void) rv;
                 rv = chown(rundir, 0, 0);
                 (void) rv;
@@ -880,6 +942,10 @@ void fs_chroot(const char *rootdir) {
                 errExit("asprintf");
         if (arg_debug)
                 printf("Updating /etc/resolv.conf in %s\n", fname);
+        if (is_link(fname)) {
+                fprintf(stderr, "Error: invalid %s file\n", fname);
+                exit(1);
+        }
         if (copy_file("/etc/resolv.conf", fname) == -1)
                 fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
                 
@@ -908,4 +974,11 @@ void fs_chroot(const char *rootdir) {
 }
 #endif
 
+void fs_private_tmp(void) {
+        // mount tmpfs on top of /run/firejail/mnt
+        if (arg_debug)
+                printf("Mounting tmpfs on /tmp directory\n");
+        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                errExit("mounting /tmp/firejail/mnt");
+}
 
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index e88d5c53b..af67ac290 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -169,7 +169,7 @@ void fs_private_bin_list(void) {
 
         // create /tmp/firejail/mnt/bin directory
         fs_build_mnt_dir();
-        int rv = mkdir(RUN_BIN_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+        int rv = mkdir(RUN_BIN_DIR, 0755);
         if (rv == -1)
                 errExit("mkdir");
         if (chown(RUN_BIN_DIR, 0, 0) < 0)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 0407b0626..97ee9de55 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -105,7 +105,7 @@ void fs_private_dev(void){
         }
 
         // mount tmpfs on top of /dev
-        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                 errExit("mounting /dev");
         fs_logger("mount tmpfs on /dev");
 
@@ -139,12 +139,12 @@ void fs_private_dev(void){
         // create /dev/shm
         if (arg_debug)
                 printf("Create /dev/shm directory\n");
-        rv = mkdir("/dev/shm", 0777);
+        rv = mkdir("/dev/shm", 01777);
         if (rv == -1)
                 errExit("mkdir");
         if (chown("/dev/shm", 0, 0) < 0)
                 errExit("chown");
-        if (chmod("/dev/shm", 0777) < 0)
+        if (chmod("/dev/shm", 01777) < 0)
                 errExit("chmod");
         fs_logger("mkdir /dev/shm");
 
@@ -201,7 +201,7 @@ void fs_dev_shm(void) {
         if (is_dir("/dev/shm")) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /dev/shm\n");
-                if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                         errExit("mounting /dev/shm");
                 fs_logger("mount tmpfs on /dev/shm");
         }
@@ -210,16 +210,16 @@ void fs_dev_shm(void) {
                 if (lnk) {
                         if (!is_dir(lnk)) {
                                 // create directory
-                                if (mkdir(lnk, 0777))
+                                if (mkdir(lnk, 01777))
                                         errExit("mkdir");
                                 if (chown(lnk, 0, 0))
                                         errExit("chown");
-                                if (chmod(lnk, 0777))
+                                if (chmod(lnk, 01777))
                                         errExit("chmod");
                         }
                         if (arg_debug)
                                 printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                 errExit("mounting /var/tmp");
                         fs_logger3("mount tmpfs on", lnk, "on behalf of /dev/shm");
                         free(lnk);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 3d9abaf72..c3a247331 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -113,7 +113,7 @@ void fs_private_etc_list(void) {
 
         // create /tmp/firejail/mnt/etc directory
         fs_build_mnt_dir();
-        int rv = mkdir(RUN_ETC_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+        int rv = mkdir(RUN_ETC_DIR, 0755);
         if (rv == -1)
                 errExit("mkdir");
         if (chown(RUN_ETC_DIR, 0, 0) < 0)
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index ba62b788a..2bfabbe89 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -41,6 +41,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (stat(fname, &s) == 0)
                         return;
                 if (stat("/etc/skel/.zshrc", &s) == 0) {
+                        if (is_link("/etc/skel/.zshrc")) {
+                                fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n");
+                                exit(1);
+                        }
                         if (copy_file("/etc/skel/.zshrc", fname) == 0) {
                                 if (chown(fname, u, g) == -1)
                                         errExit("chown");
@@ -71,6 +75,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (stat(fname, &s) == 0)
                         return;
                 if (stat("/etc/skel/.cshrc", &s) == 0) {
+                        if (is_link("/etc/skel/.cshrc")) {
+                                fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n");
+                                exit(1);
+                        }
                         if (copy_file("/etc/skel/.cshrc", fname) == 0) {
                                 if (chown(fname, u, g) == -1)
                                         errExit("chown");
@@ -102,6 +110,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                 if (stat(fname, &s) == 0)
                         return;
                 if (stat("/etc/skel/.bashrc", &s) == 0) {
+                        if (is_link("/etc/skel/.bashrc")) {
+                                fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n");
+                                exit(1);
+                        }
                         if (copy_file("/etc/skel/.bashrc", fname) == 0) {
                                 /* coverity[toctou] */
                                 if (chown(fname, u, g) == -1)
@@ -123,7 +135,12 @@ static int store_xauthority(void) {
                 errExit("asprintf");
         
         struct stat s;
-        if (stat(src, &s) == 0) {       
+        if (stat(src, &s) == 0) {
+                if (is_link(src)) {
+                        fprintf(stderr, "Error: invalid .Xauthority file\n");
+                        exit(1);
+                }
+                        
                 int rv = copy_file(src, dest);
                 if (rv) {
                         fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
@@ -135,6 +152,33 @@ static int store_xauthority(void) {
         return 0;
 }
 
+static int store_asoundrc(void) {
+        // put a copy of .Xauthority in XAUTHORITY_FILE
+        fs_build_mnt_dir();
+
+        char *src;
+        char *dest = RUN_ASOUNDRC_FILE;
+        if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
+                errExit("asprintf");
+        
+        struct stat s;
+        if (stat(src, &s) == 0) {       
+                if (is_link(src)) {
+                        fprintf(stderr, "Error: invalid .asoundrc file\n");
+                        exit(1);
+                }
+
+                int rv = copy_file(src, dest);
+                if (rv) {
+                        fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+                        return 0;
+                }
+                return 1; // file copied
+        }
+        
+        return 0;
+}
+
 static void copy_xauthority(void) {
         // copy XAUTHORITY_FILE in the new home directory
         char *src = RUN_XAUTHORITY_FILE ;
@@ -144,13 +188,38 @@ static void copy_xauthority(void) {
         int rv = copy_file(src, dest);
         if (rv)
                 fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-        fs_logger2("clone", dest);
+        else {
+                fs_logger2("clone", dest);
+        
+                // set permissions and ownership
+                if (chown(dest, getuid(), getgid()) < 0)
+                        errExit("chown");
+                if (chmod(dest, S_IRUSR | S_IWUSR) < 0)
+                        errExit("chmod");
+        }
+        
+        // delete the temporary file
+        unlink(src);
+}
 
-        // set permissions and ownership
-        if (chown(dest, getuid(), getgid()) < 0)
-                errExit("chown");
-        if (chmod(dest, S_IRUSR | S_IWUSR) < 0)
-                errExit("chmod");
+static void copy_asoundrc(void) {
+        // copy XAUTHORITY_FILE in the new home directory
+        char *src = RUN_ASOUNDRC_FILE ;
+        char *dest;
+        if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
+                errExit("asprintf");
+        int rv = copy_file(src, dest);
+        if (rv)
+                fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+        else {
+                fs_logger2("clone", dest);
+        
+                // set permissions and ownership
+                if (chown(dest, getuid(), getgid()) < 0)
+                        errExit("chown");
+                if (chmod(dest, S_IRUSR | S_IWUSR) < 0)
+                        errExit("chmod");
+        }
 
         // delete the temporary file
         unlink(src);
@@ -168,6 +237,7 @@ void fs_private_homedir(void) {
         assert(private_homedir);
         
         int xflag = store_xauthority();
+        int aflag = store_asoundrc();
         
         uid_t u = getuid();
         gid_t g = getgid();
@@ -211,6 +281,8 @@ void fs_private_homedir(void) {
         skel(homedir, u, g);
         if (xflag)
                 copy_xauthority();
+        if (aflag)
+                copy_asoundrc();
 }
 
 // private mode (--private):
@@ -225,6 +297,7 @@ void fs_private(void) {
         gid_t g = getgid();
 
         int xflag = store_xauthority();
+        int aflag = store_asoundrc();
 
         // mask /home
         if (arg_debug)
@@ -258,76 +331,10 @@ void fs_private(void) {
         skel(homedir, u, g);
         if (xflag)
                 copy_xauthority();
+        if (aflag)
+                copy_asoundrc();
 }
 
-static void check_dir_or_file(const char *name) {
-        assert(name);
-        struct stat s;
-        
-        invalid_filename(name);
-        
-        
-        char *fname = expand_home(name, cfg.homedir);
-        if (!fname) {
-                fprintf(stderr, "Error: file %s not found.\n", name);
-                exit(1);
-        }
-        if (fname[0] != '/') {
-                // If it doesn't start with '/', it must be relative to homedir
-                char* tmp;
-                if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1)
-                        errExit("asprintf");
-                free(fname);
-                fname = tmp;
-        }
-        if (arg_debug)
-                printf("Checking %s\n", fname);         
-        if (stat(fname, &s) == -1) {
-                fprintf(stderr, "Error: file %s not found.\n", fname);
-                exit(1);
-        }
-        
-        // check uid
-        uid_t uid = getuid();
-        gid_t gid = getgid();
-        if (s.st_uid != uid || s.st_gid != gid) {
-                fprintf(stderr, "Error: only files or directories created by the current user are allowed.\n");
-                exit(1);
-        }
-
-        // dir or regular file
-        if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) {
-                free(fname);
-                return;
-        }
-
-        if (!is_link(fname)) {
-                free(fname);
-                return;
-        }
-        
-        fprintf(stderr, "Error: invalid file type, %s.\n", fname);
-        exit(1);
-}
-
-// check directory list specified by user (--private-home option) - exit if it fails
-void fs_check_home_list(void) {
-        if (strstr(cfg.home_private_keep, "..")) {
-                fprintf(stderr, "Error: invalid private-home list\n");
-                exit(1);
-        }
-        
-        char *dlist = strdup(cfg.home_private_keep);
-        if (!dlist)
-                errExit("strdup");
-
-        char *ptr = strtok(dlist, ",");
-        check_dir_or_file(ptr);
-        while ((ptr = strtok(NULL, ",")) != NULL)
-                check_dir_or_file(ptr);
-        
-        free(dlist);
-}
 
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void) {
@@ -366,141 +373,3 @@ void fs_check_private_dir(void) {
         }
 }
 
-
-static void duplicate(char *name) {
-        char *cmd;
-        
-        char *fname = expand_home(name, cfg.homedir);
-        if (!fname) {
-                fprintf(stderr, "Error: file %s not found.\n", name);
-                exit(1);
-        }
-        if (fname[0] != '/') {
-                // If it doesn't start with '/', it must be relative to homedir
-                char* tmp;
-                if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1)
-                        errExit("asprintf");
-                free(fname);
-                fname = tmp;
-        }
-
-        // copy the file
-        if (asprintf(&cmd, "%s -a --parents \"%s\" %s", RUN_CP_COMMAND, fname, RUN_HOME_DIR) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("%s\n", cmd);
-        if (system(cmd))
-                errExit("system cp -a --parents");
-        fs_logger2("clone", fname);
-        free(cmd);
-        free(fname);
-}
-
-
-// private mode (--private-home=list):
-//      mount homedir on top of /home/user,
-//      tmpfs on top of  /root in nonroot mode,
-//      tmpfs on top of /tmp in root mode,
-//      set skel files,
-//      restore .Xauthority
-void fs_private_home_list(void) {
-        char *homedir = cfg.homedir;
-        char *private_list = cfg.home_private_keep;
-        assert(homedir);
-        assert(private_list);
-        
-        int xflag = store_xauthority();
-        
-        uid_t u = getuid();
-        gid_t g = getgid();
-        struct stat s;
-        if (stat(homedir, &s) == -1) {
-                fprintf(stderr, "Error: cannot find user home directory\n");
-                exit(1);
-        }
-
-        // create /tmp/firejail/mnt/home directory
-        fs_build_mnt_dir();
-        int rv = mkdir(RUN_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
-        if (rv == -1)
-                errExit("mkdir");
-        if (chown(RUN_HOME_DIR, u, g) < 0)
-                errExit("chown");
-        if (chmod(RUN_HOME_DIR, 0755) < 0)
-                errExit("chmod");
-
-        
-        // copy the list of files in the new home directory
-        // using a new child process without root privileges
-        fs_logger_print();      // save the current log
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                if (arg_debug)
-                        printf("Copying files in the new home:\n");
-                
-                // drop privileges
-                if (setgroups(0, NULL) < 0)
-                        errExit("setgroups");
-                if (setgid(getgid()) < 0)
-                        errExit("setgid/getgid");
-                if (setuid(getuid()) < 0)
-                        errExit("setuid/getuid");
-                
-                // copy the list of files in the new home directory
-                char *dlist = strdup(cfg.home_private_keep);
-                if (!dlist)
-                        errExit("strdup");
-                
-                char *ptr = strtok(dlist, ",");
-                duplicate(ptr);
-        
-                while ((ptr = strtok(NULL, ",")) != NULL)
-                        duplicate(ptr);
-                free(dlist);    
-                fs_logger_print();
-                exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-
-        // mount bind private_homedir on top of homedir
-        char *newhome;
-        if (asprintf(&newhome, "%s%s", RUN_HOME_DIR, cfg.homedir) == -1)
-                errExit("asprintf");
-
-        if (arg_debug)
-                printf("Mount-bind %s on top of %s\n", newhome, homedir);
-        if (mount(newhome, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        fs_logger2("mount", homedir);
-// preserve mode and ownership
-//      if (chown(homedir, s.st_uid, s.st_gid) == -1)
-//              errExit("mount-bind chown");
-//      if (chmod(homedir, s.st_mode) == -1)
-//              errExit("mount-bind chmod");
-
-        if (u != 0) {
-                // mask /root
-                if (arg_debug)
-                        printf("Mounting a new /root directory\n");
-                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
-                        errExit("mounting home directory");
-                fs_logger("mount tmpfs on /root");
-        }
-        else {
-                // mask /home
-                if (arg_debug)
-                        printf("Mounting a new /home directory\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting home directory");
-                fs_logger("mount tmpfs on /home");
-        }
-
-        skel(homedir, u, g);
-        if (xflag)
-                copy_xauthority();
-
-}
-
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index def718720..82d453308 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -110,7 +110,7 @@ static void build_dirs(void) {
 void fs_var_log(void) {
         build_list("/var/log");
         
-        // create /var/log if it does't exit
+        // create /var/log if it doesn't exit
         if (is_dir("/var/log")) {
                 // extract group id for /var/log/wtmp
                 struct stat s;
@@ -184,7 +184,7 @@ void fs_var_lib(void) {
                         printf("Mounting tmpfs on /var/lib/nginx\n");
                 if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/nginx");
-                fs_logger("mount tmpfs on /var/lib/nignx");
+                fs_logger("mount tmpfs on /var/lib/nginx");
         }                       
 
         // net-snmp multiserver
@@ -232,14 +232,14 @@ void fs_var_cache(void) {
                         gid = p->pw_gid;
                 }
                 
-                int rv = mkdir("/var/cache/lighttpd/compress", S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir("/var/cache/lighttpd/compress", 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
                         errExit("chown");
                 fs_logger("mkdir /var/cache/lighttpd/compress");
 
-                rv = mkdir("/var/cache/lighttpd/uploads", S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
+                rv = mkdir("/var/cache/lighttpd/uploads", 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
@@ -268,7 +268,7 @@ void fs_var_lock(void) {
         if (is_dir("/var/lock")) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lock\n");
-                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                         errExit("mounting /lock");
                 fs_logger("mount tmpfs on /var/lock");
         }
@@ -286,7 +286,7 @@ void fs_var_lock(void) {
                         }
                         if (arg_debug)
                                 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                 errExit("mounting /var/lock");
                         free(lnk);
                         fs_logger("mount tmpfs on /var/lock");
@@ -304,7 +304,7 @@ void fs_var_tmp(void) {
                 if (!is_link("/var/tmp")) {
                         if (arg_debug)
                                 printf("Mounting tmpfs on /var/tmp\n");
-                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                                 errExit("mounting /var/tmp");
                         fs_logger("mount tmpfs on /var/tmp");
                 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 22fbe2111..99c2e855c 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -262,9 +262,7 @@ static void whitelist_path(ProfileEntry *entry) {
         if (S_ISDIR(s.st_mode)) {       
                 // create directory
                 int rv = mkdir(path, 0755);
-                if (rv == -1)
-                        errExit("mkdir");
-                
+                (void) rv;
         }
         
         // process regular file
@@ -338,6 +336,14 @@ void fs_whitelist(void) {
                 if (arg_debug)
                         fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name);
 
+                // valid path referenced to filesystem root
+                if (*new_name != '/') {
+                        if (arg_debug)
+                                fprintf(stderr, "Debug %d: \n", __LINE__);
+                        goto errexit;
+                }
+
+
                 // extract the absolute path of the file
                 // realpath function will fail with ENOENT if the file is not found
                 char *fname = realpath(new_name, NULL);
@@ -351,19 +357,29 @@ void fs_whitelist(void) {
                                 perror("realpath");
                         }
                         *entry->data = '\0';
+
+                        // if 1 the file was not found; mount an empty directory
+                        if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
+                                if(!arg_private)
+                                        home_dir = 1;
+                        }
+                        else if (strncmp(new_name, "/tmp/", 5) == 0)
+                                tmp_dir = 1;
+                        else if (strncmp(new_name, "/media/", 7) == 0)
+                                media_dir = 1;
+                        else if (strncmp(new_name, "/var/", 5) == 0)
+                                var_dir = 1;
+                        else if (strncmp(new_name, "/dev/", 5) == 0)
+                                dev_dir = 1;
+                        else if (strncmp(new_name, "/opt/", 5) == 0)
+                                opt_dir = 1;
+
                         continue;
                 }
                 
-                // valid path referenced to filesystem root
-                if (*new_name != '/') {
-                        if (arg_debug)
-                                fprintf(stderr, "Debug %d: \n", __LINE__);
-                        goto errexit;
-                }
-
                 // check for supported directories
                 if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
-                        // whitelisting home directory is disabled if --private or --private-home option is present
+                        // whitelisting home directory is disabled if --private option is present
                         if (arg_private) {
                                 if (arg_debug || arg_debug_whitelists)
                                         printf("Removed whitelist path %s, --private option is present\n", entry->data);
@@ -466,7 +482,7 @@ void fs_whitelist(void) {
         // /home/user
         if (home_dir) {
                 // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
-                int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
@@ -484,12 +500,12 @@ void fs_whitelist(void) {
         // /tmp mountpoint
         if (tmp_dir) {
                 // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
-                int rv = mkdir(RUN_WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)
                         errExit("chown");
-                if (chmod(RUN_WHITELIST_TMP_DIR, 0777) < 0)
+                if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0)
                         errExit("chmod");
         
                 if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -498,7 +514,7 @@ void fs_whitelist(void) {
                 // mount tmpfs on /tmp
                 if (arg_debug || arg_debug_whitelists)
                         printf("Mounting tmpfs on /tmp directory\n");
-                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                         errExit("mounting tmpfs on /tmp");
                 fs_logger("mount tmpfs on /tmp");
         }
@@ -506,7 +522,7 @@ void fs_whitelist(void) {
         // /media mountpoint
         if (media_dir) {
                 // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-                int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
@@ -528,7 +544,7 @@ void fs_whitelist(void) {
         // /var mountpoint
         if (var_dir) {
                 // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
-                int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)
@@ -550,7 +566,7 @@ void fs_whitelist(void) {
         // /dev mountpoint
         if (dev_dir) {
                 // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
-                int rv = mkdir(RUN_WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)
@@ -558,7 +574,7 @@ void fs_whitelist(void) {
                 if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
                         errExit("chmod");
         
-                if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mount bind");
         
                 // mount tmpfs on /dev
@@ -571,8 +587,8 @@ void fs_whitelist(void) {
 
         // /opt mountpoint
         if (opt_dir) {
-                // keep a copy of real /opt directory in RUN_WHITELIST_DEV_DIR
-                int rv = mkdir(RUN_WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
+                int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755);
                 if (rv == -1)
                         errExit("mkdir");
                 if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2ae3213ee..6fd011868 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,13 +85,14 @@ int arg_shell_none = 0;			// run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
 int arg_private_etc = 0;                        // private etc directory
 int arg_private_bin = 0;                        // private bin directory
+int arg_private_tmp = 0;                        // private tmp directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
 int arg_nosound = 0;                            // disable sound
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
-
+int arg_nice = 0;                               // nice value configured
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -107,7 +108,7 @@ static void myexit(int rv) {
                 printf("\nparent is shutting down, bye...\n");
         
         // delete sandbox files in shared memory
-        bandwidth_shm_del_file(sandbox_pid);            // bandwidht file
+        bandwidth_shm_del_file(sandbox_pid);            // bandwidth file
         network_shm_del_file(sandbox_pid);              // network map file
         
         exit(rv); 
@@ -208,7 +209,7 @@ static void check_network(Bridge *br) {
         }
 }
 
-
+#ifdef HAVE_USERNS
 void check_user_namespace(void) {
         if (getuid() == 0) {
                 fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
@@ -228,6 +229,7 @@ void check_user_namespace(void) {
                 arg_noroot = 0;
         }
 }
+#endif
 
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
@@ -241,8 +243,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
         else if (strcmp(argv[i], "--version") == 0) {
                 printf("firejail version %s\n", VERSION);
+#ifndef HAVE_NETWORK
+                printf("Networking support is disabled.\n");
+#endif
+#ifndef HAVE_USERNS
+                printf("User namespace support is disabled.\n");
+#endif
+#ifndef HAVE_SECCOMP
+                printf("Seccomp-bpf support is disabled.\n");
+#endif
+#ifndef HAVE_BIND
+                printf("Bind support is disabled.\n");
+#endif
+#ifndef HAVE_CHROOT
+                printf("Chroot support is disabled.\n");
+#endif
                 exit(0);
         }
+#ifdef HAVE_NETWORK     
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 logargs(argc, argv);
                 
@@ -300,10 +318,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 if (read_pid(argv[i] + 12, &pid) == 0)
                         bandwidth_pid(pid, cmd, dev, down, up);
                 else
-                                bandwidth_name(argv[i] + 12, cmd, dev, down, up);
+                        bandwidth_name(argv[i] + 12, cmd, dev, down, up);
                 exit(0);
         }
-
+#endif
         //*************************************
         // independent commands - the program will exit!
         //*************************************
@@ -382,10 +400,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 top();
                 exit(0);
         }
+#ifdef HAVE_NETWORK     
         else if (strcmp(argv[i], "--netstats") == 0) {
                 netstats();
                 exit(0);
         }
+#endif  
         else if (strncmp(argv[i], "--join=", 7) == 0) {
                 logargs(argc, argv);
                 
@@ -397,6 +417,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
                 exit(0);
         }
+#ifdef HAVE_NETWORK     
         else if (strncmp(argv[i], "--join-network=", 15) == 0) {
                 logargs(argc, argv);
                 arg_join_network = 1;
@@ -413,6 +434,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
                 exit(0);
         }
+#endif
         else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {
                 logargs(argc, argv);
                 arg_join_filesystem = 1;
@@ -459,8 +481,9 @@ int main(int argc, char **argv) {
         int highest_errno = errno_highest_nr();
 #endif
 
-        // check argv[0] symlink wrapper
-        run_symlink(argc, argv);
+        // check argv[0] symlink wrapper if this is not a login shell
+        if (*argv[0] != '-')
+                run_symlink(argc, argv);
 
 
         // check if we already have a sandbox running
@@ -514,6 +537,7 @@ int main(int argc, char **argv) {
         else {
                 // check --output option and execute it;
                 check_output(argc, argv); // the function will not return if --output option was found
+                check_user(argc, argv); // the function will not return if --user option was found
         }
         
         // parse arguments
@@ -669,6 +693,10 @@ int main(int argc, char **argv) {
                         arg_ipc = 1;
                 else if (strncmp(argv[i], "--cpu=", 6) == 0)
                         read_cpu_list(argv[i] + 6);
+                else if (strncmp(argv[i], "--nice=", 7) == 0) {
+                        cfg.nice = atoi(argv[i] + 7);
+                        arg_nice = 1;
+                }
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
                         if (arg_cgroup) {
                                 fprintf(stderr, "Error: only a cgroup can be defined\n");
@@ -750,13 +778,18 @@ int main(int argc, char **argv) {
                         struct stat s;
                         if (stat(dirname, &s) == -1) {
                                 /* coverity[toctou] */
-                                if (mkdir(dirname, S_IRWXU | S_IRWXG | S_IRWXO))
+                                if (mkdir(dirname, 0700))
                                         errExit("mkdir");
                                 if (chown(dirname, getuid(), getgid()) < 0)
                                         errExit("chown");
-                                if (chmod(dirname, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                                if (chmod(dirname, 0700) < 0)
                                         errExit("chmod");
                         }
+                        else if (is_link(dirname)) {
+                                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                                exit(1);
+                        }
+                        
                         free(dirname);
                         
                         // check overlay directory
@@ -882,11 +915,6 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--private") == 0)
                         arg_private = 1;
                 else if (strncmp(argv[i], "--private=", 10) == 0) {
-                        if (cfg.home_private_keep) {
-                                fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n");
-                                exit(1);
-                        }
-                        
                         // extract private home dirname
                         cfg.home_private = argv[i] + 10;
                         if (*cfg.home_private == '\0') {
@@ -896,26 +924,11 @@ int main(int argc, char **argv) {
                         fs_check_private_dir();
                         arg_private = 1;
                 }
-                else if (strncmp(argv[i], "--private-home=", 15) == 0) {
-                        if (cfg.home_private) {
-                                fprintf(stderr, "Error: a private home directory was already defined with --private option.\n");
-                                exit(1);
-                        }
-                        
-                        // extract private home dirname
-                        cfg.home_private_keep = argv[i] + 15;
-                        if (*cfg.home_private_keep == '\0') {
-                                fprintf(stderr, "Error: invalid private-home option\n");
-                                exit(1);
-                        }
-                        fs_check_home_list();
-                        arg_private = 1;
-                }
                 else if (strcmp(argv[i], "--private-dev") == 0) {
                         arg_private_dev = 1;
                 }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-                        // extract private etc dirname
+                        // extract private etc list
                         cfg.etc_private_keep = argv[i] + 14;
                         if (*cfg.etc_private_keep == '\0') {
                                 fprintf(stderr, "Error: invalid private-etc option\n");
@@ -930,7 +943,7 @@ int main(int argc, char **argv) {
                         }
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-                        // extract private etc dirname
+                        // extract private bin list
                         cfg.bin_private_keep = argv[i] + 14;
                         if (*cfg.bin_private_keep == '\0') {
                                 fprintf(stderr, "Error: invalid private-bin option\n");
@@ -939,8 +952,9 @@ int main(int argc, char **argv) {
                         fs_check_bin_list();
                         arg_private_bin = 1;
                 }
-                        
-
+                else if (strcmp(argv[i], "--private-tmp") == 0) {
+                        arg_private_tmp = 1;
+                }
 
                 //*************************************
                 // hostname, etc
@@ -961,9 +975,11 @@ int main(int argc, char **argv) {
                 }
                 else if (strcmp(argv[i], "--nogroups") == 0)
                         arg_nogroups = 1;
+#ifdef HAVE_USERNS
                 else if (strcmp(argv[i], "--noroot") == 0) {
                         check_user_namespace();
                 }
+#endif
                 else if (strncmp(argv[i], "--env=", 6) == 0)
                         env_store(argv[i] + 6);
                 else if (strncmp(argv[i], "--nosound", 9) == 0) {
@@ -974,6 +990,7 @@ int main(int argc, char **argv) {
                 //*************************************
                 // network
                 //*************************************
+#ifdef HAVE_NETWORK     
                 else if (strncmp(argv[i], "--interface=", 12) == 0) {
                         // checks
                         if (arg_nonetwork) {
@@ -1163,6 +1180,7 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+#endif          
                 else if (strncmp(argv[i], "--dns=", 6) == 0) {
                         uint32_t dns;
                         if (atoip(argv[i] + 6, &dns)) {
@@ -1181,6 +1199,7 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+#ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netfilter") == 0)
                         arg_netfilter = 1;
                 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
@@ -1193,7 +1212,7 @@ int main(int argc, char **argv) {
                         arg_netfilter6_file = argv[i] + 13;
                         check_netfilter_file(arg_netfilter6_file);
                 }
-
+#endif
                 //*************************************
                 // command
                 //*************************************
@@ -1315,18 +1334,22 @@ int main(int argc, char **argv) {
         // build the sandbox command
         if (prog_index == -1 && arg_zsh) {
                 cfg.command_line = "/usr/bin/zsh";
+                cfg.window_title = "/usr/bin/zsh";
                 cfg.command_name = "zsh";
         }
         else if (prog_index == -1 && arg_csh) {
                 cfg.command_line = "/bin/csh";
+                cfg.window_title = "/bin/csh";
                 cfg.command_name = "csh";
         }
         else if (prog_index == -1 && cfg.shell) {
                 cfg.command_line = cfg.shell;
+                cfg.window_title = cfg.shell;
                 cfg.command_name = cfg.shell;
         }
         else if (prog_index == -1) {
                 cfg.command_line = "/bin/bash";
+                cfg.window_title = "/bin/bash";
                 cfg.command_name = "bash";
         }
         else {
@@ -1341,16 +1364,24 @@ int main(int argc, char **argv) {
                 cfg.command_line = malloc(len + 1); // + '\0'
                 if (!cfg.command_line)
                         errExit("malloc");
-                char *ptr = cfg.command_line;
+                cfg.window_title = malloc(len + 1); // + '\0'
+                if (!cfg.window_title)
+                        errExit("malloc");
+
+                char *ptr1 = cfg.command_line;
+                char *ptr2 = cfg.window_title;
                 for (i = 0; i < argcnt; i++) {
                         // detect bash commands
                         if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) {
-                                sprintf(ptr, "%s ", argv[i + prog_index]);
+                                sprintf(ptr1, "%s ", argv[i + prog_index]);
                         }
                         else {
-                                sprintf(ptr, "\"%s\" ", argv[i + prog_index]);
+                                sprintf(ptr1, "\"%s\" ", argv[i + prog_index]);
                         }
-                        ptr += strlen(ptr);
+                        sprintf(ptr2, "%s ", argv[i + prog_index]);
+
+                        ptr1 += strlen(ptr1);
+                        ptr2 += strlen(ptr2);
                 }
         }
         
@@ -1582,6 +1613,16 @@ int main(int argc, char **argv) {
                 free(cfg.seccomp_list_errno);
         }
 #endif
+        if (cfg.profile) {
+                ProfileEntry *prf = cfg.profile;
+                while (prf != NULL) {
+                        ProfileEntry *next = prf->next;
+                        free(prf->data);
+                        free(prf->link);
+                        free(prf);
+                        prf = next;
+                }
+        }
 
         myexit(0);
 
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 68a4207e5..2ed09434a 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -30,12 +30,17 @@ static char *client_filter =
 ":FORWARD DROP [0:0]\n"
 ":OUTPUT ACCEPT [0:0]\n"
 "-A INPUT -i lo -j ACCEPT\n"
-"# echo replay is handled by -m state RELEATED/ESTABLISHED below\n"
-"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
+"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
 "COMMIT\n";
 
 void check_netfilter_file(const char *fname) {
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 46eeb5c57..aac48e521 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -292,7 +292,7 @@ void net_if_ip6(const char *ifname, const char *addr6) {
         char *ptr;
         if ((ptr = strchr(addr6, '/'))) {
                 prefix = atol(ptr + 1);
-                if ((prefix < 0) || (prefix > 128)) {
+                if (prefix > 128) {
                         fprintf(stderr, "Error: invalid prefix for IPv6 address %s\n", addr6);
                         exit(1);
                 }
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
new file mode 100644
index 000000000..3d4b8cd8e
--- /dev/null
+++ b/src/firejail/paths.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+
+static char **paths = NULL;
+static int path_cnt = 0;
+static char initialized = 0;
+
+static void add_path(const char *path) {
+        assert(paths);
+        assert(path_cnt);
+        
+        // filter out duplicates
+        int i;
+        int empty = 0;
+        for (i = 0; i < path_cnt; i++) {
+                if (paths[i] && strcmp(path, paths[i]) == 0) {
+                        return;
+                }
+                if (!paths[i]) {
+                        empty = i;
+                        break;
+                }
+        }
+
+        paths[empty] = strdup(path);
+        if (!paths[empty])
+                errExit("strdup");
+}
+
+char **build_paths(void) {
+        if (initialized) {
+                assert(paths);
+                return paths;
+        }
+        initialized = 1;
+        
+        int cnt = 5;    // 4 default paths + 1 NULL to end the array
+        char *path1 = getenv("PATH");
+        if (path1) {
+                char *path2 = strdup(path1);
+                if (!path2)
+                        errExit("strdup");
+                
+                // use path2 to count the entries
+                char *ptr = strtok(path2, ":");
+                while (ptr) {
+                        cnt++;
+                        ptr = strtok(NULL, ":");
+                }
+                free(path2);
+                path_cnt = cnt;
+
+                // allocate paths array
+                paths = malloc(sizeof(char *) * cnt);
+                if (!paths)
+                        errExit("malloc");
+                memset(paths, 0, sizeof(char *) * cnt);
+
+                // add default paths
+                add_path("/bin");
+                add_path("/sbin");
+                add_path("/usr/bin");
+                add_path("/usr/sbin");
+
+                path2 = strdup(path1);
+                if (!path2)
+                        errExit("strdup");
+                
+                // use path2 to count the entries
+                ptr = strtok(path2, ":");
+                while (ptr) {
+                        cnt++;
+                        add_path(ptr);
+                        ptr = strtok(NULL, ":");
+                }
+                free(path2);
+        }
+        
+        return paths;
+}
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f6b062d2b..70ec360ce 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -110,7 +110,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         // seccomp, caps, private, user namespace
         else if (strcmp(ptr, "noroot") == 0) {
+#if HAVE_USERNS
                 check_user_namespace();
+#endif
                 return 0;
         }
         else if (strcmp(ptr, "seccomp") == 0) {
@@ -141,36 +143,48 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_private_dev = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "private-tmp") == 0) {
+                arg_private_tmp = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "nogroups") == 0) {
                 arg_nogroups = 1;
                 return 0;
         }
         else if (strcmp(ptr, "netfilter") == 0) {
+#ifdef HAVE_NETWORK
                 arg_netfilter = 1;
+#endif
                 return 0;
         }
         else if (strncmp(ptr, "netfilter ", 10) == 0) {
+#ifdef HAVE_NETWORK
                 arg_netfilter = 1;
                 arg_netfilter_file = strdup(ptr + 10);
                 if (!arg_netfilter_file)
                         errExit("strdup");
                 check_netfilter_file(arg_netfilter_file);
+#endif
                 return 0;
         }
         else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
+#ifdef HAVE_NETWORK
                 arg_netfilter6 = 1;
                 arg_netfilter6_file = strdup(ptr + 11);
                 if (!arg_netfilter6_file)
                         errExit("strdup");
                 check_netfilter_file(arg_netfilter6_file);
+#endif
                 return 0;
         }
         else if (strcmp(ptr, "net none") == 0) {
+#ifdef HAVE_NETWORK
                 arg_nonetwork  = 1;
                 cfg.bridge0.configured = 0;
                 cfg.bridge1.configured = 0;
                 cfg.bridge2.configured = 0;
                 cfg.bridge3.configured = 0;
+#endif
                 return 0;
         }
         
@@ -276,6 +290,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         
+        // nice value
+        if (strncmp(ptr, "nice ", 4) == 0) {
+                cfg.nice = atoi(ptr + 5);
+                arg_nice = 1;
+                return 0;
+        }
+
         // cgroup
         if (strncmp(ptr, "cgroup ", 7) == 0) {
                 set_cgroup(ptr + 7);
@@ -290,14 +311,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
-        // private home list of files and directories
-        if (strncmp(ptr, "private-home ", 13) == 0) {
-                cfg.home_private_keep = ptr + 13;
-                fs_check_home_list();
-                arg_private = 1;
-                return 0;
-        }
-        
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
                 cfg.etc_private_keep = ptr + 12;
@@ -331,7 +344,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 char *dname1 = ptr + 5;
                 char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
                 if (dname2 == NULL) {
-                        fprintf(stderr, "Error: mising second directory for bind\n");
+                        fprintf(stderr, "Error: missing second directory for bind\n");
                         exit(1);
                 }
                 
@@ -407,8 +420,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         else if (strncmp(ptr, "read-only ", 10) == 0)
                 ptr += 10;
-        else if (strncmp(ptr, "tmpfs ", 6) == 0)
+        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+                if (getuid() != 0) {
+                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+                        exit(1);
+                }
                 ptr += 6;
+        }
         else {
                 if (lineno == 0)
                         fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);
@@ -515,6 +533,10 @@ void profile_read(const char *fname) {
                 // verify syntax, exit in case of error
                 if (profile_check_line(ptr, lineno, fname))
                         profile_add(ptr);
+// we cannot free ptr here, data is extracted from ptr and linked as a pointer in cfg structure
+//              else {
+//                      free(ptr);
+//              }
         }
         fclose(fp);
 }
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index e6a8f61ab..407f8c62d 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -119,6 +119,11 @@ void protocol_list(void) {
 void protocol_store(const char *prlist) {
         assert(prlist);
         
+        if (cfg.protocol) {
+                fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist);
+                return;
+        }
+        
         // temporary list
         char *tmplist = strdup(prlist);
         if (!tmplist)
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 29f3bc4f0..8bf8d8303 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -93,8 +93,8 @@ void pulseaudio_init(void) {
          
         // create the new user pulseaudio directory
          fs_build_mnt_dir();
-        int rv = mkdir(RUN_PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
-        (void) rv; // in --chroot mode the directory canalready be there
+        int rv = mkdir(RUN_PULSE_DIR, 0700);
+        (void) rv; // in --chroot mode the directory can already be there
         if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0)
                 errExit("chown");
         if (chmod(RUN_PULSE_DIR, 0700) < 0)
@@ -104,6 +104,10 @@ void pulseaudio_init(void) {
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
+        if (is_link("/etc/pulse/client.conf")) {
+                fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
+                exit(1);
+        }
         if (copy_file("/etc/pulse/client.conf", pulsecfg))
                 errExit("copy_file");
         FILE *fp = fopen(pulsecfg, "a+");
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index aa6a5d268..88dd38021 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -115,6 +115,10 @@ static void sanitize_passwd(void) {
                 return;
         if (arg_debug)
                 printf("Sanitizing /etc/passwd\n");
+        if (is_link("/etc/passwd")) {
+                fprintf(stderr, "Error: invalid /etc/passwd\n");
+                exit(1);
+        }
 
         FILE *fpin = NULL;
         FILE *fpout = NULL;
@@ -248,6 +252,10 @@ static void sanitize_group(void) {
                 return;
         if (arg_debug)
                 printf("Sanitizing /etc/group\n");
+        if (is_link("/etc/group")) {
+                fprintf(stderr, "Error: invalid /etc/group\n");
+                exit(1);
+        }
 
         FILE *fpin = NULL;
         FILE *fpout = NULL;
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 5f8d131ae..bc1bb3011 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -42,7 +42,11 @@ void run_symlink(int argc, char **argv) {
         char *path = strdup(p);
         if (!path)
                 errExit("strdup");
-        
+
+        char *selfpath = realpath("/proc/self/exe", NULL);
+        if (!selfpath)
+                errExit("realpath");
+
         // look in path for our program
         char *tok = strtok(path, ":");
         int found = 0;
@@ -53,28 +57,37 @@ void run_symlink(int argc, char **argv) {
 
                 struct stat s;
                 if (stat(name, &s) == 0) {
-                        if (!is_link(name)) {
+                        char* rp = realpath(name, NULL);
+                        if (!rp)
+                                errExit("realpath");
+
+                        if (strcmp(selfpath, rp) != 0) {
                                 program = strdup(name);
                                 found = 1;
+                                free(rp);
                                 break;
                         }
+
+                        free(rp);
                 }
-                
+
                 free(name);
                 tok = strtok(NULL, ":");
-        }       
+        }
         if (!found) {
                 fprintf(stderr, "Error: cannot find the program in the path\n");
                 exit(1);
         }
-                
+
+        free(selfpath);
+
 
         // start the argv[0] program in a new sandbox
         char *firejail;
         if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
                 errExit("asprintf");
 
-        printf("Redirecting symlink to %s\n", firejail, program);
+        printf("Redirecting symlink to %s\n", program);
 
         // run command
         char *a[3 + argc];
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b49172f1f..1ba655301 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -27,6 +27,7 @@
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <errno.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -134,7 +135,13 @@ static void monitor_application(pid_t app_pid) {
                 usleep(20000);
 
                 int status;
-                unsigned rv = waitpid(app_pid, &status, 0);
+                pid_t rv;
+                do {
+                        rv = waitpid(-1, &status, 0);
+                        if (rv == -1)
+                                break;
+                }
+                while(rv != app_pid);
                 if (arg_debug)
                         printf("Sandbox monitor: waitpid %u retval %d status %d\n", app_pid, rv, status);
 
@@ -167,7 +174,7 @@ static void monitor_application(pid_t app_pid) {
 
 #if 0
 // todo: find a way to shut down interfaces before closing the namespace
-// the problem is we don't have enough privileges to shutdown interfaces in this momen
+// the problem is we don't have enough privileges to shutdown interfaces in this moment
         // shut down bridge/macvlan interfaces
         if (any_bridge_configured()) {
                 
@@ -343,6 +350,9 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // configure filesystem
         //****************************
+#ifdef HAVE_SECCOMP
+        int enforce_seccomp = 0;
+#endif
 #ifdef HAVE_CHROOT              
         if (cfg.chrootdir) {
                 fs_chroot(cfg.chrootdir);
@@ -354,6 +364,9 @@ int sandbox(void* sandbox_arg) {
                         // force default seccomp inside the chroot, no keep or drop list
                         // the list build on top of the default drop list is kept intact
                         arg_seccomp = 1;
+#ifdef HAVE_SECCOMP
+                        enforce_seccomp = 1;
+#endif
                         if (cfg.seccomp_list_drop) {
                                 free(cfg.seccomp_list_drop);
                                 cfg.seccomp_list_drop = NULL;
@@ -404,8 +417,6 @@ int sandbox(void* sandbox_arg) {
         if (arg_private) {
                 if (cfg.home_private)   // --private=
                         fs_private_homedir();
-                else if (cfg.home_private_keep) // --private-home=
-                        fs_private_home_list();
                 else // --private
                         fs_private();
         }
@@ -420,6 +431,8 @@ int sandbox(void* sandbox_arg) {
         }
         if (arg_private_bin)
                 fs_private_bin_list();
+        if (arg_private_tmp)
+                fs_private_tmp();
         
         //****************************
         // apply the profile file
@@ -570,6 +583,18 @@ int sandbox(void* sandbox_arg) {
         // set user-supplied environment variables
         env_apply();
 
+        // set nice
+        if (arg_nice) {
+                errno = 0;
+                int rv = nice(cfg.nice);
+                (void) rv;
+printf("nice rv %d\n", rv);             
+                if (errno) {
+                        fprintf(stderr, "Warning: cannot set nice value\n");
+                        errno = 0;
+                }
+        }
+        
         //****************************
         // set security filters
         //****************************
@@ -595,7 +620,7 @@ int sandbox(void* sandbox_arg) {
                 else if (cfg.seccomp_list_errno)
                         seccomp_filter_errno(); 
                 else
-                        seccomp_filter_drop();
+                        seccomp_filter_drop(enforce_seccomp);
         }
 #endif
 
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 396ab99db..57f483b1c 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -324,7 +324,7 @@ static void read_seccomp_file(const char *fname) {
                 filter_debug();
 }
 
-// i386t filter installed on amd64 architectures
+// i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
         // hardcoded syscall values
         struct sock_filter filter[] = {
@@ -373,6 +373,9 @@ void seccomp_filter_32(void) {
                 BLACKLIST(317), // move_pages
                 BLACKLIST(316), // vmsplice
                 BLACKLIST(61),  // chroot
+                BLACKLIST(88), // reboot
+                BLACKLIST(169), // nfsservctl
+                BLACKLIST(130), // get_kernel_syms
                 RETURN_ALLOW
         };
 
@@ -389,8 +392,78 @@ void seccomp_filter_32(void) {
         }
 }
 
+// amd64 filter installed on i386 architectures
+void seccomp_filter_64(void) {
+        // hardcoded syscall values
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE_64,
+                EXAMINE_SYSCALL,
+                BLACKLIST(165), // mount
+                BLACKLIST(166), // umount2
+                BLACKLIST(101), // ptrace
+                BLACKLIST(246), // kexec_load
+                BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(175), // init_module
+                BLACKLIST(313), // finit_module
+                BLACKLIST(176), // delete_module
+                BLACKLIST(172), // iopl
+                BLACKLIST(173), // ioperm
+                BLACKLIST(167), // swapon
+                BLACKLIST(168), // swapoff
+                BLACKLIST(103), // syslog
+                BLACKLIST(310), // process_vm_readv
+                BLACKLIST(311), // process_vm_writev
+                BLACKLIST(139), // sysfs
+                BLACKLIST(156), // _sysctl
+                BLACKLIST(159), // adjtimex
+                BLACKLIST(305), // clock_adjtime
+                BLACKLIST(212), // lookup_dcookie
+                BLACKLIST(298), // perf_event_open
+                BLACKLIST(300), // fanotify_init
+                BLACKLIST(312), // kcmp
+                BLACKLIST(248), // add_key
+                BLACKLIST(249), // request_key
+                BLACKLIST(250), // keyctl
+                BLACKLIST(134), // uselib
+                BLACKLIST(163), // acct
+                BLACKLIST(154), // modify_ldt
+                BLACKLIST(155), // pivot_root
+                BLACKLIST(206), // io_setup
+                BLACKLIST(207), // io_destroy
+                BLACKLIST(208), // io_getevents
+                BLACKLIST(209), // io_submit
+                BLACKLIST(210), // io_cancel
+                BLACKLIST(216), // remap_file_pages
+                BLACKLIST(237), // mbind
+                BLACKLIST(239), // get_mempolicy
+                BLACKLIST(238), // set_mempolicy
+                BLACKLIST(256), // migrate_pages
+                BLACKLIST(279), // move_pages
+                BLACKLIST(278), // vmsplice
+                BLACKLIST(161), // chroot
+                BLACKLIST(184), // tuxcall
+                BLACKLIST(169), // reboot
+                BLACKLIST(180), // nfsservctl
+                BLACKLIST(177), // get_kernel_syms
+                RETURN_ALLOW
+        };
+
+        struct sock_fprog prog = {
+                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                .filter = filter,
+        };
+
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                ;
+        }
+        else if (arg_debug) {
+                printf("Dual i386/amd64 seccomp filter configured\n");
+        }
+}
+
+
 // drop filter for seccomp option
-int seccomp_filter_drop(void) {
+int seccomp_filter_drop(int enforce_seccomp) {
         filter_init();
         
         // default seccomp
@@ -398,6 +471,9 @@ int seccomp_filter_drop(void) {
 #if defined(__x86_64__)
                 seccomp_filter_32();
 #endif
+#if defined(__i386__)
+                seccomp_filter_64();
+#endif
 
 #ifdef SYS_mount                
                 filter_add_blacklist(SYS_mount, 0);
@@ -432,7 +508,7 @@ int seccomp_filter_drop(void) {
 #ifdef  SYS_ioperm      
                 filter_add_blacklist(SYS_ioperm, 0);
 #endif
-#ifdef SYS_ni_syscall // new io permisions call on arm devices
+#ifdef SYS_ni_syscall // new io permissions call on arm devices
                 filter_add_blacklist(SYS_ni_syscall, 0);
 #endif
 #ifdef SYS_swapon               
@@ -559,9 +635,19 @@ int seccomp_filter_drop(void) {
  // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
  //     SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
 
-// 32bit
-//              filter_add_blacklist(SYS_personality, 0); // test wine
-//              filter_add_blacklist(SYS_set_thread_area, 0); // test wine
+// 0.9.39
+#ifdef SYS_tuxcall
+                filter_add_blacklist(SYS_tuxcall, 0);
+#endif
+#ifdef SYS_reboot
+                filter_add_blacklist(SYS_reboot, 0);
+#endif
+#ifdef SYS_nfsservctl
+                filter_add_blacklist(SYS_nfsservctl, 0);
+#endif
+#ifdef SYS_get_kernel_syms
+                filter_add_blacklist(SYS_get_kernel_syms, 0);
+#endif
         }
 
         // default seccomp filter with additional drop list
@@ -595,7 +681,13 @@ int seccomp_filter_drop(void) {
         };
 
         if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                if (enforce_seccomp) {
+                        fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+                        exit(1);
+                }
+                else
+                        fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+
                 return 1;
         }
         
diff --git a/src/firejail/seccomp.h b/src/firejail/seccomp.h
index 3c4f14469..7d646dd9e 100644
--- a/src/firejail/seccomp.h
+++ b/src/firejail/seccomp.h
@@ -31,9 +31,9 @@
                 BLACKLIST(SYS_init_module), // kernel module handling
                 BLACKLIST(SYS_finit_module),
                 BLACKLIST(SYS_delete_module),
-                BLACKLIST(SYS_iopl), // io permisions
+                BLACKLIST(SYS_iopl), // io permissions
                 BLACKLIST(SYS_ioperm),
-                BLACKLIST(SYS_iopl), // io permisions
+                BLACKLIST(SYS_iopl), // io permissions
                 BLACKLIST(SYS_ni_syscall),
                 BLACKLIST(SYS_swapon), // swap on/off
                 BLACKLIST(SYS_swapoff),
@@ -105,6 +105,11 @@ struct seccomp_data {
      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
      BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+#define VALIDATE_ARCHITECTURE_64 \
+     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
 #define VALIDATE_ARCHITECTURE_32 \
      BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
@@ -141,4 +146,4 @@ struct seccomp_data {
 #define KILL_PROCESS \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 131f663d4..edaac7eb9 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -54,8 +54,14 @@ void shut(pid_t pid) {
                                 printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
                         }
                 }
+                else {
+                        fprintf(stderr, "Error: this is not a firejail sandbox\n");
+                        exit(1);
+                }
                 free(comm);
         }
+        else
+                errExit("/proc/PID/comm");
 
         // check privileges for non-root users
         uid_t uid = getuid();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9197baae2..33724c80f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,10 +34,12 @@ void usage(void) {
         printf("\n");
         printf("Options:\n\n");
         printf("\t-- - signal the end of options and disables further option processing.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--bandwidth=name - set  bandwidth  limits  for  the sandbox identified\n");
         printf("\t\tby name, see Traffic Shaping section for more details.\n\n");
         printf("\t--bandwidth=pid - set  bandwidth  limits  for  the sandbox identified\n");
         printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
+#endif
 #ifdef HAVE_BIND                
         printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
         printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n");
@@ -46,7 +48,11 @@ void usage(void) {
         printf("\t-c - execute command and exit.\n\n");
         printf("\t--caps - enable default Linux capabilities filter. The filter disables\n");
         printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n");
+#ifdef CAP_SYSLOG
         printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n");
+#else
+        printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n");
+#endif
         printf("\t--caps.drop=all - drop all capabilities.\n\n");
         printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n");
         printf("\t\tcapabilities filter.\n\n");
@@ -71,7 +77,7 @@ void usage(void) {
         printf("\t--debug-caps - print all recognized capabilities in the current\n");
         printf("\t\tFirejail software build and exit.\n\n");
         printf("\t--debug-check-filename - debug filename checking.\n\n");
-        printf("\t--debug-errnos - print all recognized error numbres in the current\n");
+        printf("\t--debug-errnos - print all recognized error numbers in the current\n");
         printf("\t\tFirejail software build and exit.\n\n");
         printf("\t--debug-protocols - print all recognized protocols in the current\n");
         printf("\t\tFirejail software build and exit.\n\n");
@@ -81,8 +87,10 @@ void usage(void) {
 
 
 
+#ifdef HAVE_NETWORK     
         printf("\t--defaultgw=address - use this address as default gateway in the new\n");
         printf("\t\tnetwork namespace.\n\n");
+#endif
         printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");
         printf("\t\tservers can be defined.\n\n");
         printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n");
@@ -99,15 +107,16 @@ void usage(void) {
         printf("\t--help, -? - this help screen.\n\n");
         printf("\t--hostname=name - set sandbox hostname.\n\n");
         printf("\t--ignore=command - ignore command in profile files.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--interface=name - move interface in a new network namespace. Up to\n");
-        printf("\t\tfour --interface options can be sepcified.\n\n");
-        
+        printf("\t\tfour --interface options can be specified.\n\n");
         printf("\t--ip=address - set interface IP address.\n\n");
         printf("\t--ip=none - no IP address and no default gateway address are configured\n");
         printf("\t\tin the new network namespace. Use this option in case you intend\n");
         printf("\t\tto start an external DHCP client in the sandbox.\n\n");
         printf("\t--ip6=address - set interface IPv6 address.\n\n");
         printf("\t--iprange=address,address - configure an IP address in this range\n\n");
+#endif
         printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n");
         printf("\t\tas a regular user. IPC namespace is enabled by default only if\n");
         printf("\t\tthe sandbox is started as root.\n\n");
@@ -117,14 +126,19 @@ void usage(void) {
         printf("\t\tidentified by name.\n\n");
         printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
         printf("\t\tidentified by PID.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--join-network=name - join the network namespace of the sandbox\n");
         printf("\t\tidentified by name.\n\n");
         printf("\t--join-network=pid - join the network namespace of the sandbox\n");
         printf("\t\tidentified by PID.\n\n");
+#endif
         printf("\t--list - list all sandboxes.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
         printf("\t--mtu=number - set interface MTU.\n\n");
+#endif
         printf("\t--name=name - set sandbox name.\n\n");
+#ifdef HAVE_NETWORK     
         printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n");
         printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n");
         printf("\t\tIP address and a default gateway will be assigned automatically\n");
@@ -163,6 +177,8 @@ void usage(void) {
 
         printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
         printf("\t\tnetwork namespace.\n\n");
+#endif
+        printf("\t--nice=value - set nice value\n\n");
         printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
         printf("\t\tor file.\n\n");
         printf("\t--nogroups - disable supplementary groups. Without this option,\n");
@@ -175,11 +191,11 @@ void usage(void) {
         printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
         printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
         printf("\t\troot.\n\n");
-                        
+#ifdef HAVE_USERNS                      
         printf("\t--noroot - install a user namespace with a single user - the current\n");
         printf("\t\tuser. root user does not exist in the new namespace. This option\n");
         printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");
-
+#endif
         printf("\t--nosound - disable sound system\n\n");
                 
         printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n");
@@ -206,19 +222,16 @@ void usage(void) {
         printf("\t\tand copy the programs in the list. The same directory is\n");
         printf("\t\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n");
 
-        printf("\t--private-home=file,directory - build a new user home in a temporary\n");
-        printf("\t\tfilesystem, and copy the files and directories in the list in\n");
-        printf("\t\tthe new home. All modifications are discarded when the sandbox\n");
-        printf("\t\tis closed.\n\n");
-
         printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
-        printf("\t\ttty, pst, ptms, random, urandom, log and shm devices are\n");
+        printf("\t\tty, pst, ptms, random, urandom, log and shm devices are\n");
         printf("\t\tavailable.\n\n");
 
         printf("\t--private-etc=file,directory - build a new /etc in a temporary\n");
         printf("\t\tfilesystem, and copy the files and directories in the list.\n");
         printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n");
         
+        printf("\t--private-tmp - mount a tmpfs on top of /tmp directory\n\n");
+        
         printf("\t--profile=filename - use a custom profile.\n\n");
         printf("\t--profile-path=directory - use this directory to look for profile files.\n\n");
         
@@ -239,24 +252,13 @@ void usage(void) {
         printf("\t\tcreated for the real user ID of the calling process.\n\n");
         printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n");
         printf("\t\tfor a process.\n\n");
-
+#ifdef HAVE_NETWORK     
         printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n");
         printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n");
         printf("\t\trunning on the current host.\n\n");
-        
+#endif  
 #ifdef HAVE_SECCOMP
-        printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
-        printf("\t\tlist. The default list is as follows: mount, umount2,\n");
-        printf("\t\tptrace, kexec_load, open_by_handle_at, init_module,\n");
-        printf("\t\tfinit_module, delete_module, iopl, ioperm, swapon, swapoff,\n");
-        printf("\t\tsyslog, process_vm_readv and process_vm_writev\n");
-        printf("\t\tsysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie,\n");
-        printf("\t\tperf_event_open, fanotify_init, kcmp, add_key, request_key,\n");
-        printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n");
-        printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
-        printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
-        printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-        printf("\t\tkexec_file_load, chroot.\n\n");
+        printf("\t--seccomp - enable seccomp filter and apply the default blacklist.\n\n");
         
         printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
         printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");
@@ -280,12 +282,14 @@ void usage(void) {
         printf("\t--shell=program - set default user shell.\n\n");
         printf("\t--shutdown=name - shutdown the sandbox identified by name.\n\n");
         printf("\t--shutdown=pid - shutdown the sandbox identified by PID.\n\n");
-        printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n\n");
+        printf("\t--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
+        printf("\t\tThis option is available only when running the sandbox as root.\n\n");
         printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
         printf("\t--trace - trace open, access and connect system calls.\n\n");
         printf("\t--tracelog - add a syslog message for every access to files or\n");
         printf("\t\tdirectoires blacklisted by the security profile.\n\n");
         printf("\t--tree - print a tree of all sandboxed processes.\n\n");
+        printf("\t--user=new_user - switch the user before starting the sandbox.\n\n");
         printf("\t--version - print program version and exit.\n\n");
         printf("\t--whitelist=dirname_or_filename - whitelist directory or file.\n\n");
         printf("\t--zsh - use /usr/bin/zsh as default shell.\n\n");
@@ -293,6 +297,7 @@ void usage(void) {
         printf("\n");
 
 
+#ifdef HAVE_NETWORK     
         printf("Traffic Shaping\n\n");
         
         printf("Network bandwidth is an expensive resource shared among  all  sandboxes\n");
@@ -322,7 +327,7 @@ void usage(void) {
             printf("\t$ firejail --bandwidth=mybrowser clear eth0\n");
         printf("\n");
         printf("\n");
-
+#endif
 
 
         printf("Monitoring\n\n");
diff --git a/src/firejail/user.c b/src/firejail/user.c
new file mode 100644
index 000000000..e5f7848e8
--- /dev/null
+++ b/src/firejail/user.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <grp.h>
+#include <pwd.h>
+
+
+void check_user(int argc, char **argv) {
+        int i;
+        char *user = NULL;
+
+        int found = 0;
+        for (i = 1; i < argc; i++) {
+                // check options
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+                
+                // check user option            
+                if (strncmp(argv[i], "--user=", 7) == 0) {
+                        found = 1;
+                        user = argv[i] + 7;
+                        break;
+                }
+        }
+        if (!found)
+                return;
+
+        // check root
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to use --user command line option\n");
+                exit(1);
+        }
+        
+        // switch user
+        struct passwd *pw = getpwnam(user);
+        if (!pw) {
+                fprintf(stderr, "Error: cannot find user %s\n", user);
+                exit(1);
+        }
+
+        printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid);
+        int rv = initgroups(user, pw->pw_gid);
+        if (rv == -1) {
+                perror("initgroups");
+                fprintf(stderr, "Error: cannot switch to user %s\n", user);
+        }
+
+        rv = setgid(pw->pw_gid);
+        if (rv == -1) {
+                perror("setgid");
+                fprintf(stderr, "Error: cannot switch to user %s\n", user);
+        }
+
+        rv = setuid(pw->pw_uid);
+        if (rv == -1) {
+                perror("setuid");
+                fprintf(stderr, "Error: cannot switch to user %s\n", user);
+        }
+
+        // build the new command line
+        int len = 0;
+        for (i = 0; i < argc; i++) {
+                len += strlen(argv[i]) + 1; // + ' '
+        }
+        
+        char *cmd = malloc(len + 1); // + '\0'
+        if (!cmd)
+                errExit("malloc");
+        
+        char *ptr = cmd;
+        int first = 1;
+        for (i = 0; i < argc; i++) {
+                if (strncmp(argv[i], "--user=", 7) == 0 && first) {
+                        first = 0;
+                        continue;
+                }
+                
+                ptr += sprintf(ptr, "%s ", argv[i]);
+        }
+
+        // run command
+        char *a[4];
+        a[0] = "/bin/bash";
+        a[1] = "-c";
+        a[2] = cmd;
+        a[3] = NULL;
+
+        execvp(a[0], a); 
+
+        perror("execvp");
+        exit(1);
+}
diff --git a/src/firejail/util.c b/src/firejail/util.c
index d7964ccb8..d969f6439 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -439,9 +439,17 @@ void extract_command_name(int index, char **argv) {
                         exit(1);
                 }
 
+
                 char *tmp = strdup(ptr);
                 if (!tmp)
                         errExit("strdup");
+
+                // limit the command to the first '.'
+                char *ptr2 = tmp;
+                while (*ptr2 != '.' && *ptr2 != '\0')
+                        ptr2++;
+                *ptr2 = '\0';
+
                 free(cfg.command_name);
                 cfg.command_name = tmp;
         }
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index b31d9a467..06658f58c 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2015 6etblue30 (netblue30@yahoo.com)
+ * Copyright (C) 2014-2015 netblue30 (netblue30@yahoo.com)
  *
  * This file is part of firejail project
  *
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 83cce5c32..679c5a3e9 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -74,7 +74,7 @@ void firemon_drop_privs(void) {
 // sleep and wait for a key to be pressed
 void firemon_sleep(int st) {
         if (terminal_set == 0) {
-                tcgetattr(0, &twait);          // get current terminal attirbutes; 0 is the file descriptor for stdin
+                tcgetattr(0, &twait);          // get current terminal attributes; 0 is the file descriptor for stdin
                 memcpy(&tlocal, &twait, sizeof(tlocal));
                 twait.c_lflag &= ~ICANON;      // disable canonical mode
                 twait.c_lflag &= ~ECHO; // no echo
diff --git a/src/include/libnetlink.h b/src/include/libnetlink.h
index e9cd6b186..7ff5d01b6 100644
--- a/src/include/libnetlink.h
+++ b/src/include/libnetlink.h
@@ -24,6 +24,7 @@
 #include <stdint.h>
 #include <string.h>
 #include <asm/types.h>
+#include <sys/socket.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
 #include <linux/if_link.h>
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index edd409af5..a3d1571f7 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -229,26 +229,26 @@ static char *translate(XTable *table, int val) {
         return NULL;
 }
 
-static void print_sockaddr(const char *call, const struct sockaddr *addr, int rv) {
+static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
         if (addr->sa_family == AF_INET) {
                 struct sockaddr_in *a = (struct sockaddr_in *) addr;
-                printf("%u:%s:%s %s port %u:%d\n", pid(), name(), call, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
+                printf("%u:%s:%s %d %s port %u:%d\n", pid(), name(), call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
         }
         else if (addr->sa_family == AF_INET6) {
                 struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr;
                 char str[INET6_ADDRSTRLEN];
                 inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN);
-                printf("%u:%s:%s %s:%d\n", pid(), name(), call, str, rv);
+                printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, str, rv);
         }
         else if (addr->sa_family == AF_UNIX) {
                 struct sockaddr_un *a = (struct sockaddr_un *) addr;
                 if (a->sun_path[0])
-                        printf("%u:%s:%s %s:%d\n", pid(), name(), call, a->sun_path, rv);
+                        printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, a->sun_path, rv);
                 else
-                        printf("%u:%s:%s @%s:%d\n", pid(), name(), call, a->sun_path + 1, rv);
+                        printf("%u:%s:%s %d @%s:%d\n", pid(), name(), call, sockfd, a->sun_path + 1, rv);
         }
         else {
-                printf("%u:%s:%s family %d:%d\n", pid(), name(), call, addr->sa_family, rv);
+                printf("%u:%s:%s %d family %d:%d\n", pid(), name(), call, sockfd, addr->sa_family, rv);
         }
 }
 
@@ -465,7 +465,7 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
                 orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
                         
         int rv = orig_connect(sockfd, addr, addrlen);
-        print_sockaddr("connect", addr, rv);
+        print_sockaddr(sockfd, "connect", addr, rv);
 
         return rv;
 }
@@ -500,11 +500,15 @@ int socket(int domain, int type, int protocol) {
         else
                 ptr += sprintf(ptr, "%s ", str);
 
-        str = translate(socket_protocol, protocol);
-        if (str == NULL)
-                sprintf(ptr, "%d", protocol);
-        else
-                sprintf(ptr, "%s", str);
+        if (domain == AF_LOCAL)
+                sprintf(ptr, "0");
+        else {
+                str = translate(socket_protocol, protocol);
+                if (str == NULL)
+                        sprintf(ptr, "%d", protocol);
+                else
+                        sprintf(ptr, "%s", str);
+        }
 
         printf("%s:%d\n", buf, rv);
         return rv;
@@ -518,7 +522,7 @@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
                 orig_bind = (orig_bind_t)dlsym(RTLD_NEXT, "bind");
                         
         int rv = orig_bind(sockfd, addr, addrlen);
-        print_sockaddr("bind", addr, rv);
+        print_sockaddr(sockfd, "bind", addr, rv);
 
         return rv;
 }
@@ -531,7 +535,7 @@ int accept(int sockfd, struct sockaddr *addr, socklen_t addrlen) {
                 orig_accept = (orig_accept_t)dlsym(RTLD_NEXT, "accept");
                         
         int rv = orig_accept(sockfd, addr,  addrlen);
-        print_sockaddr("accept", addr, rv);
+        print_sockaddr(sockfd, "accept", addr, rv);
 
         return rv;
 }
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index f8601c892..c3fd40a67 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -91,6 +91,9 @@ static void storage_add(const char *str) {
         storage[h] = ptr;
 }
 
+char* cwd = NULL; // global variable for keeping current working directory
+typedef int (*orig_chdir_t)(const char *pathname);
+static orig_chdir_t orig_chdir = NULL;
 static char *storage_find(const char *str) {
 #ifdef DEBUG
         printf("storage find %s\n", str);
@@ -98,18 +101,27 @@ static char *storage_find(const char *str) {
         if (!str) {
 #ifdef DEBUG
                 printf("null pointer passed to storage_find\n");
-#endif                  
+#endif
                 return NULL;
         }
         const char *tofind = str;
         int allocated = 0;
 
-        if (strstr(str, "..") || strstr(str, "/./")) {
+        if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0]!='/') {
+                if (!orig_chdir)
+                        orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir");
+                if (!orig_chdir(cwd)) {
+#ifdef DEBUG
+                        printf("chdir failed\n");
+#endif
+                        return NULL;
+                }
+
                 tofind = realpath(str, NULL);
                 if (!tofind) {
 #ifdef DEBUG
                         printf("realpath failed\n");
-#endif                  
+#endif
                         return NULL;
                 }
                 allocated = 1;
@@ -139,7 +151,7 @@ static char *storage_find(const char *str) {
 
 
 //
-// load blacklistst form /run/firejail/mnt/fslogger
+// load blacklist form /run/firejail/mnt/fslogger
 //
 #define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
 #define MAXBUF 4096
@@ -296,9 +308,9 @@ int open(const char *pathname, int flags, mode_t mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_open(pathname, flags, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_open(pathname, flags, mode);
         return rv;
 }
 
@@ -317,9 +329,9 @@ int open64(const char *pathname, int flags, mode_t mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_open64(pathname, flags, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_open64(pathname, flags, mode);
         return rv;
 }
 //#endif
@@ -337,9 +349,9 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_openat(dirfd, pathname, flags, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_openat(dirfd, pathname, flags, mode);
         return rv;
 }
 
@@ -354,9 +366,9 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_openat64(dirfd, pathname, flags, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_openat64(dirfd, pathname, flags, mode);
         return rv;
 }
 
@@ -371,9 +383,9 @@ FILE *fopen(const char *pathname, const char *mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        FILE *rv = orig_fopen(pathname, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        FILE *rv = orig_fopen(pathname, mode);
         return rv;
 }
 
@@ -387,9 +399,9 @@ FILE *fopen64(const char *pathname, const char *mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        FILE *rv = orig_fopen64(pathname, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        FILE *rv = orig_fopen64(pathname, mode);
         return rv;
 }
 #endif /* __GLIBC__ */
@@ -407,9 +419,9 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        FILE *rv = orig_freopen(pathname, mode, stream);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        FILE *rv = orig_freopen(pathname, mode, stream);
         return rv;
 }
 
@@ -425,9 +437,9 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        FILE *rv = orig_freopen64(pathname, mode, stream);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        FILE *rv = orig_freopen64(pathname, mode, stream);
         return rv;
 }
 #endif /* __GLIBC__ */
@@ -444,9 +456,9 @@ int unlink(const char *pathname) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_unlink(pathname);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_unlink(pathname);
         return rv;
 }
 
@@ -461,9 +473,9 @@ int unlinkat(int dirfd, const char *pathname, int flags) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_unlinkat(dirfd, pathname, flags);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_unlinkat(dirfd, pathname, flags);
         return rv;
 }
 
@@ -479,9 +491,9 @@ int mkdir(const char *pathname, mode_t mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_mkdir(pathname, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_mkdir(pathname, mode);
         return rv;
 }
 
@@ -496,9 +508,9 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_mkdirat(dirfd, pathname, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_mkdirat(dirfd, pathname, mode);
         return rv;
 }
 
@@ -513,9 +525,9 @@ int rmdir(const char *pathname) {
         if (!blacklist_loaded)
                 load_blacklist();
                 
-        int rv = orig_rmdir(pathname);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_rmdir(pathname);
         return rv;
 }
 
@@ -531,9 +543,9 @@ int stat(const char *pathname, struct stat *buf) {
         if (!blacklist_loaded)
                 load_blacklist();
                         
-        int rv = orig_stat(pathname, buf);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_stat(pathname, buf);
         return rv;
 }
 
@@ -549,9 +561,9 @@ int stat64(const char *pathname, struct stat64 *buf) {
         if (!blacklist_loaded)
                 load_blacklist();
                         
-        int rv = orig_stat64(pathname, buf);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_stat64(pathname, buf);
         return rv;
 }
 #endif /* __GLIBC__ */
@@ -567,9 +579,9 @@ int lstat(const char *pathname, struct stat *buf) {
         if (!blacklist_loaded)
                 load_blacklist();
                         
-        int rv = orig_lstat(pathname, buf);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_lstat(pathname, buf);
         return rv;
 }
 
@@ -585,9 +597,9 @@ int lstat64(const char *pathname, struct stat64 *buf) {
         if (!blacklist_loaded)
                 load_blacklist();
                         
-        int rv = orig_lstat64(pathname, buf);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_lstat64(pathname, buf);
         return rv;
 }
 #endif /* __GLIBC__ */
@@ -604,9 +616,9 @@ int access(const char *pathname, int mode) {
         if (!blacklist_loaded)
                 load_blacklist();
                         
-        int rv = orig_access(pathname, mode);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        int rv = orig_access(pathname, mode);
         return rv;
 }
 
@@ -622,10 +634,31 @@ DIR *opendir(const char *pathname) {
         if (!blacklist_loaded)
                 load_blacklist();
                         
-        DIR *rv = orig_opendir(pathname);
         if (storage_find(pathname))
                 sendlog(name(), __FUNCTION__, pathname);
+        DIR *rv = orig_opendir(pathname);
         return rv;
 }
 
+// chdir
+// definition of orig_chdir placed before storage_find function
+//typedef int (*orig_chdir_t)(const char *pathname);
+//static orig_chdir_t orig_chdir = NULL;
+int chdir(const char *pathname) {
+#ifdef DEBUG
+        printf("%s %s\n", __FUNCTION__, pathname);
+#endif
+        if (!orig_chdir)
+                orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir");
+        if (!blacklist_loaded)
+                load_blacklist();
+
+        if (storage_find(pathname))
+                sendlog(name(), __FUNCTION__, pathname);
 
+        free(cwd);
+        cwd = strdup(pathname);
+
+        int rv = orig_chdir(pathname);
+        return rv;
+}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e91c5c089..3ebb11549 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -39,7 +39,7 @@ Reading profile /home/netblue/.config/firejail/icecat.profile
 \fB3.\fR Use a default.profile file if the sandbox
 is started by a regular user, or a server.profile file if the sandbox
 is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory.
-To disable default profile loading, use --noroot command option. Example:
+To disable default profile loading, use --noprofile command option. Example:
 .PP
 .RS
 $ firejail
@@ -126,7 +126,7 @@ blacklist ${HOME}/.ssh
 Make directory or file read-only.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory.
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
@@ -139,18 +139,12 @@ Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
 closed.
 .TP
-\fBprivate-bin file,file
-Build a new /bin in a temporary filesystem, and copy the programs in the list.
-The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
-.TP
 \fBprivate directory
 Use directory as user home.
 .TP
-\fBprivate-home file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
+\fBprivate-bin file,file
+Build a new /bin in a temporary filesystem, and copy the programs in the list.
+The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-dev
 Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
@@ -160,6 +154,9 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-tmp
+Mount an empty temporary filesystem on top of /tmp directory.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
@@ -231,6 +228,10 @@ Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples:
 cpu 1,2,3
 Use only CPU cores 0, 1 and 2.
 
+.TP
+nice -5
+Set a nice value of -5 to all processes running inside the sandbox.
+
 .SH Control Groups
 Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example:
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 66ec40ce9..c4f0dbd3e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -243,7 +243,7 @@ Example:
 $ firejail \-\-debug firefox
 
 .TP
-\fB\-\-debug-blackilsts\fR
+\fB\-\-debug-blacklists\fR
 Debug blacklisting.
 .br
 
@@ -430,7 +430,7 @@ $ firejail \-\-ignore=shell --ignore=seccomp firefox
 
 .TP
 \fB\-\-interface=interface
-Move interface in a new network namespace. Up to four --interface options can be sepcified.
+Move interface in a new network namespace. Up to four --interface options can be specified.
 .br
 
 .br
@@ -679,12 +679,24 @@ The default filter is as follows:
 .br
 \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
 .br
+# allow ping
+.br
 \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
 .br
+# drop STUN (WebRTC) requests
+.br
+-A OUTPUT -p udp --dport 3478 -j DROP
+.br
+-A OUTPUT -p udp --dport 3479 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3478 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3479 -j DROP
+.br
 COMMIT
 .br
 
@@ -749,6 +761,16 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
 
+.TP
+\fB\-\-nice=value
+Set nice value for all processes running inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail --nice=-5 firefox
+
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename
@@ -961,18 +983,6 @@ $ ls /bin
 bash  cat  ls  sed
 
 .TP
-\fB\-\-private-home=file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-private-home=.mozilla firefox
-.TP
 \fB\-\-private-dev
 Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
 .br
@@ -1004,6 +1014,17 @@ Example:
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
 nsswitch.conf,passwd,resolv.conf
+
+.TP
+\fB\-\-private-tmp
+Mount an empty temporary filesystem on top of /tmp directory.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private-tmp
+
 .TP
 \fB\-\-profile=filename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.
@@ -1032,7 +1053,7 @@ $ firejail \-\-profile-path=/home/netblue/myprofiles
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink and packet.
+Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture.
 .br
 
 .br
@@ -1113,7 +1134,14 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
+migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+tuxcall, reboot, mfsservctl and get_kernel_syms.
+.br
+
+.br
+System architecture is not strictly imposed. The filter is applied
+at run time only if the correct architecture was detected. For the case of I386 and AMD64
+both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -1185,7 +1213,7 @@ SECCOMP Filter:
 .br
   VALIDATE_ARCHITECTURE
 .br
-  EXAMINE_SYSCAL
+  EXAMINE_SYSCALL
 .br
   BLACKLIST 165 mount
 .br
@@ -1348,13 +1376,13 @@ $ firejail \-\-list
 $ firejail \-\-shutdown=3272
 .TP
 \fB\-\-tmpfs=dirname
-Mount a tmpfs filesystem on directory dirname.
+Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-tmpfs=/var
+# firejail \-\-tmpfs=/var
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
@@ -1441,6 +1469,15 @@ $ firejail \-\-tree
 .br
   11970:netblue:transmission-gtk 
 .TP
+\fB\-\-user=new-user
+Switch the user before starting the sandbox. This command should be run as root.
+.br
+
+.br
+Example:
+.br
+# firejail \-\-user=www-data
+.TP
 \fB\-\-version
 Print program version and exit.
 .br
@@ -1454,6 +1491,8 @@ firejail version 0.9.27
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
+When whitlisting symbolic links, both the link and the real file should be in the same top directory
+(home user, /media, /var etc.)
 .br
 
 .br
diff --git a/test/chroot-resolvconf.exp b/test/chroot-resolvconf.exp
new file mode 100755
index 000000000..2d0da2fb0
--- /dev/null
+++ b/test/chroot-resolvconf.exp
@@ -0,0 +1,14 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --chroot=/tmp/chroot /bin/bash\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "invalid /tmp/chroot/etc/resolv.conf file"
+}
+
+puts "\nall done\n"
+
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 43d27eac9..789ebbf28 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -4,6 +4,8 @@ arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile seccomp disabled"
 arr[3]="TEST 3: compile chroot disabled"
 arr[4]="TEST 4: compile bind disabled"
+arr[5]="TEST 5: compile user namespace disabled"
+arr[6]="TEST 6: compile network disabled"
 
 
 # remove previous reports and output file
@@ -28,7 +30,7 @@ while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
         exit
         ;;
     --help)
-        echo "./autotest.sh [--clean|--help]"
+        echo "./compile.sh [--clean|--help]"
         exit
         ;;
     esac
@@ -96,10 +98,10 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 4
 #*****************************************************************
-# - disable bindconfiguration
+# - disable bind configuration
 # - check compilation
 #*****************************************************************
-print_title "${arr[3]}"
+print_title "${arr[4]}"
 # seccomp
 cd firejail
 make distclean
@@ -110,6 +112,40 @@ grep Warning output-configure output-make > ./report-test4
 grep Error output-configure output-make >> ./report-test4
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 5
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[5]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-userns  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test5
+grep Error output-configure output-make >> ./report-test5
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 6
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[6]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-network  --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test6
+grep Error output-configure output-make >> ./report-test6
+rm output-configure output-make
+
 
 #*****************************************************************
 # PRINT REPORTS
@@ -129,3 +165,5 @@ echo ${arr[1]}
 echo ${arr[2]}
 echo ${arr[3]}
 echo ${arr[4]}
+echo ${arr[5]}
+echo ${arr[6]}
diff --git a/test/configure b/test/configure
index c7fd66cfb..bdf36fcad 100755
--- a/test/configure
+++ b/test/configure
@@ -32,6 +32,7 @@ DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/i
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+chmod 777 $ROOTDIR/tmp
 mkdir -p $ROOTDIR/etc/firejail
 mkdir -p $ROOTDIR/home/netblue/.config/firejail
 chown netblue:netblue $ROOTDIR/home/netblue
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index fe61bf482..65fcd54ae 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -69,10 +69,6 @@ if { $overlay == "overlay" } {
                 timeout {puts "TESTING ERROR 3.1\n";exit}
                 "proc /proc proc"
         }
-#       expect {
-#               timeout {puts "TESTING ERROR 3.2\n";exit}
-#               "proc /proc proc"
-#       }
         expect {
                 timeout {puts "TESTING ERROR 3.3\n";exit}
                 "proc /proc/sys proc"
@@ -115,10 +111,6 @@ if { $chroot == "chroot" } {
                 "proc /proc proc"
         }
         expect {
-                timeout {puts "TESTING ERROR 5.2\n";exit}
-                "proc /proc proc"
-        }
-        expect {
                 timeout {puts "TESTING ERROR 5.3\n";exit}
                 "proc /proc/sys proc"
         }
@@ -126,10 +118,10 @@ if { $chroot == "chroot" } {
                 timeout {puts "TESTING ERROR 5.4\n";exit}
                 "proc /proc/sysrq-trigger proc"
         }
-        expect {
-                timeout {puts "TESTING ERROR 5.5\n";exit}
-                "proc /proc/sys/kernel/hotplug"
-        }
+#       expect {
+#               timeout {puts "TESTING ERROR 5.5\n";exit}
+#               "proc /proc/sys/kernel/hotplug"
+#       }
         expect {
                 timeout {puts "TESTING ERROR 5.6\n";exit}
                 "proc /proc/irq proc"
diff --git a/test/features/3.1.exp b/test/features/3.1.exp
index bcac4bf04..a66fbdae1 100755
--- a/test/features/3.1.exp
+++ b/test/features/3.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 #
-# tmpfs
+# private
 #
 
 set timeout 10
@@ -12,20 +12,49 @@ set chroot [lindex $argv 1]
 #
 # N
 #
-send -- "touch ~/.config/firejail-test-file\r"
-sleep 1
-send -- "firejail --noprofile --tmpfs=/home/netblue/.config\r"
+send -- "firejail --noprofile --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "ls ~/.config | wc -l\r"
+send -- "ls -al | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "5"
+}
+
+send -- "ls -al .bashrc\r"
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4\n";exit}
+        ".bashrc"
+}
+
+send -- "ls -al .Xauthority\r"
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
+        "netblue"
+}
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "0"
+        timeout {puts "TESTING ERROR 1.6\n";exit}
+        "netblue"
 }
+expect {
+        timeout {puts "TESTING ERROR 1.7\n";exit}
+        ".Xauthority"
+}
+
+
+
 after 100
 send -- "exit\r"
 sleep 1
@@ -34,18 +63,47 @@ sleep 1
 # O
 #
 if { $overlay == "overlay" } {
-        send -- "firejail --noprofile --overlay --tmpfs=/home/netblue/.config\r"
+        send -- "firejail --noprofile --overlay --private\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "Child process initialized"
         }
         sleep 1
         
-        send -- "ls ~/.config | wc -l\r"
+        send -- "ls -al | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "5"
+        }
+        
+        send -- "ls -al .bashrc\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.2\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.3\n";exit}
+                "netblue"
+        }
         expect {
-                timeout {puts "TESTING ERROR 3\n";exit}
-                "0"
+                timeout {puts "TESTING ERROR 3.4\n";exit}
+                ".bashrc"
         }
+        
+        send -- "ls -al .Xauthority\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.5\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.6\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.7\n";exit}
+                ".Xauthority"
+        }
+
         after 100
         send -- "exit\r"
         sleep 1
@@ -55,20 +113,47 @@ if { $overlay == "overlay" } {
 # C
 #
 if { $chroot == "chroot" } {
-        send -- "touch /tmp/chroot/home/netblue/.config/firejail-test-file\r"
-        sleep 1
-        send -- "firejail --noprofile --chroot=/tmp/chroot --tmpfs=/home/netblue/.config\r"
+        send -- "firejail --noprofile --chroot=/tmp/chroot --private\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
                 "Child process initialized"
         }
         sleep 1
         
-        send -- "ls ~/.config | wc -l\r"
+        send -- "ls -al | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.1\n";exit}
+                "5"
+        }
+        
+        send -- "ls -al .bashrc\r"
         expect {
-                timeout {puts "TESTING ERROR 5\n";exit}
-                "0"
+                timeout {puts "TESTING ERROR 5.2\n";exit}
+                "netblue"
         }
+        expect {
+                timeout {puts "TESTING ERROR 5.3\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.4\n";exit}
+                ".bashrc"
+        }
+        
+        send -- "ls -al .Xauthority\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.5\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.6\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.7\n";exit}
+                ".Xauthority"
+        }
+        
         after 100
         send -- "exit\r"
         sleep 1
diff --git a/test/features/3.10.exp b/test/features/3.10.exp
new file mode 100755
index 000000000..47da7f1c2
--- /dev/null
+++ b/test/features/3.10.exp
@@ -0,0 +1,183 @@
+#!/usr/bin/expect -f
+#
+# whitelist tmp
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "mkdir /tmp/test1dir\r"
+sleep 1
+send -- "touch /tmp/test1dir/test1\r"
+sleep 1
+send -- "firejail --noprofile --whitelist=/tmp/test1dir\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /tmp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "2"
+}
+send -- "ls -l /tmp\r"
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4\n";exit}
+        "test1dir"
+}
+
+send -- "ls -l /tmp/test1dir | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
+        "2"
+}
+send -- "ls -l /tmp/test1dir\r"
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.7\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.8\n";exit}
+        "test1"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+        send -- "firejail --noprofile --overlay  --whitelist=/tmp/test1dir\r"
+        expect {
+                timeout {puts "TESTING ERROR 2\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l /tmp | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "2"
+        }
+        send -- "ls -l /tmp\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.2\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.3\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.4\n";exit}
+                "test1dir"
+        }
+        
+        send -- "ls -l /tmp/test1dir | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.5\n";exit}
+                "2"
+        }
+        send -- "ls -l /tmp/test1dir\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.6\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.7\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.8\n";exit}
+                "test1"
+        }
+
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+        send -- "mkdir /tmp/chroot/tmp/test1dir\r"
+        sleep 1
+        send -- "touch /tmp/chroot/tmp/test1dir/test1\r"
+        sleep 1
+        send -- "firejail --noprofile --chroot=/tmp/chroot  --whitelist=/tmp/test1dir\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l /tmp | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.1\n";exit}
+                "2"
+        }
+        send -- "ls -l /tmp\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.2\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.3\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.4\n";exit}
+                "test1dir"
+        }
+        
+        send -- "ls -l /tmp/test1dir | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.5\n";exit}
+                "2"
+        }
+        send -- "ls -l /tmp/test1dir\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.6\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.7\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.8\n";exit}
+                "test1"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+
+puts "\nall done\n"
diff --git a/test/features/3.4.exp b/test/features/3.4.exp
index f81dc6e0a..996312334 100755
--- a/test/features/3.4.exp
+++ b/test/features/3.4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 #
-# whitelist
+# whitelist home
 #
 
 set timeout 10
@@ -19,11 +19,54 @@ expect {
 }
 sleep 1
 
-send -- "ls -al ~/. | wc -l\r"
+send -- "ls -al | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 1.1\n";exit}
         "6"
 }
+
+send -- "ls -al .bashrc\r"
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4\n";exit}
+        ".bashrc"
+}
+
+send -- "ls -al .Xauthority\r"
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.7\n";exit}
+        ".Xauthority"
+}
+
+send -- "ls -al | grep config\r"
+expect {
+        timeout {puts "TESTING ERROR 1.8\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.9\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.10\n";exit}
+        ".config"
+}
+
 after 100
 send -- "exit\r"
 sleep 1
@@ -40,11 +83,54 @@ if { $overlay == "overlay" } {
         }
         sleep 1
         
-        send -- "ls -al ~/. | wc -l\r"
+        send -- "ls -al | wc -l\r"
         expect {
-                timeout {puts "TESTING ERROR 1\n";exit}
+                timeout {puts "TESTING ERROR 3.1\n";exit}
                 "6"
         }
+        
+        send -- "ls -al .bashrc\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.2\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.3\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.4\n";exit}
+                ".bashrc"
+        }
+
+        send -- "ls -al .Xauthority\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.5\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.6\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.7\n";exit}
+                ".Xauthority"
+        }
+        
+        send -- "ls -al | grep config\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.8\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.9\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 3.10\n";exit}
+                ".config"
+        }
+
         after 100
         send -- "exit\r"
         sleep 1
@@ -61,11 +147,54 @@ if { $chroot == "chroot" } {
         }
         sleep 1
         
-        send -- "ls -al ~/. | wc -l\r"
+        send -- "ls -al | wc -l\r"
         expect {
-                timeout {puts "TESTING ERROR 1\n";exit}
+                timeout {puts "TESTING ERROR 5.1\n";exit}
                 "6"
         }
+        
+        send -- "ls -al .bashrc\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.2\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.3\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.4\n";exit}
+                ".bashrc"
+        }
+
+        send -- "ls -al .Xauthority\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.5\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.6\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.7\n";exit}
+                ".Xauthority"
+        }
+        
+        send -- "ls -al | grep config\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.8\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.9\n";exit}
+                "netblue"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5.10\n";exit}
+                ".config"
+        }
+
         after 100
         send -- "exit\r"
         sleep 1
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
new file mode 100755
index 000000000..d190ef36f
--- /dev/null
+++ b/test/features/3.5.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+#
+# private-dev
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --private-dev\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "14"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+        send -- "firejail --noprofile --overlay --private-dev\r"
+        expect {
+                timeout {puts "TESTING ERROR 2\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -al /dev | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "13"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+        send -- "firejail --noprofile --chroot=/tmp/chroot --private-dev\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -al /dev | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.1\n";exit}
+                "13"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+
+puts "\nall done\n"
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
new file mode 100755
index 000000000..6117485da
--- /dev/null
+++ b/test/features/3.6.exp
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+#
+# private-etc
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "10"
+}
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+        send -- "firejail --noprofile --overlay --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
+        expect {
+                timeout {puts "TESTING ERROR 2\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -al /etc | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "10"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+        send -- "firejail --noprofile --chroot=/tmp/chroot --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -al /etc | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.1\n";exit}
+                "10"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+
+puts "\nall done\n"
diff --git a/test/features/3.7.exp b/test/features/3.7.exp
new file mode 100755
index 000000000..d8236b851
--- /dev/null
+++ b/test/features/3.7.exp
@@ -0,0 +1,91 @@
+#!/usr/bin/expect -f
+#
+# private-tmp
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "touch /tmp/test1\r"
+sleep 1
+send -- "touch /tmp/test2\r"
+sleep 1
+send -- "firejail --noprofile --private-tmp\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "3"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+        send -- "touch /tmp/test1\r"
+        sleep 1
+        send -- "touch /tmp/test2\r"
+        sleep 1
+        send -- "firejail --noprofile --overlay --private-tmp\r"
+        expect {
+                timeout {puts "TESTING ERROR 2\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -al /tmp | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "3"
+        }
+        
+
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+        send -- "touch /tmp/test1\r"
+        sleep 1
+        send -- "touch /tmp/test2\r"
+        sleep 1
+        send -- "firejail --noprofile --chroot=/tmp/chroot --private-tmp\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -al /tmp | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.1\n";exit}
+                "3"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+
+puts "\nall done\n"
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
new file mode 100755
index 000000000..2405e4fdb
--- /dev/null
+++ b/test/features/3.8.exp
@@ -0,0 +1,79 @@
+#!/usr/bin/expect -f
+#
+# private-bin
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --private-bin=bash,cat,cp,ls,wc\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /usr/bin | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "6"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+        send -- "firejail --noprofile --overlay --private-bin=bash,cat,cp,ls,wc\r"
+        expect {
+                timeout {puts "TESTING ERROR 2\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l /usr/bin | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "6"
+        }
+        
+
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+        send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l /usr/bin | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.1\n";exit}
+                "6"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+
+puts "\nall done\n"
diff --git a/test/features/3.9.exp b/test/features/3.9.exp
new file mode 100755
index 000000000..1dc556d78
--- /dev/null
+++ b/test/features/3.9.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+#
+# whitelist dev
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "firejail --noprofile --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "4"
+}
+
+
+after 100
+send -- "exit\r"
+sleep 1
+
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+        send -- "firejail --noprofile --overlay --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+        expect {
+                timeout {puts "TESTING ERROR 2\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l /dev | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "4"
+        }
+        
+
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+        send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l /dev | wc -l\r"
+        expect {
+                timeout {puts "TESTING ERROR 5.1\n";exit}
+                "4"
+        }
+        
+        after 100
+        send -- "exit\r"
+        sleep 1
+}
+
+
+puts "\nall done\n"
diff --git a/test/features/features.txt b/test/features/features.txt
index d372d2f7a..4d8821a92 100644
--- a/test/features/features.txt
+++ b/test/features/features.txt
@@ -9,11 +9,7 @@ C - chroot filesystem
 1. Default features (tesing with --noprofile)
 
 1.1 disable /boot
-        - N, O, C
-
 1.2 new /proc
-        - N, O, C
-
 1.3 new /sys
         - N, O fails remount, C fails remount
 
@@ -23,53 +19,44 @@ C - chroot filesystem
         - /etc/group: N, O, C to test
 
 1.5 PID namespace
-        - N, O, C
-
 1.6 new /var/log
-        - N, O, C
-
 1.7 new /var/tmp
-        -N, O, C
-
 1.8 disable /etc/firejail and ~/.config/firejail
-        -N, O, C
-
 1.9 mount namespace
-
 1.10 disable /selinux
-        - N, O, C
-
-
 
 2. Networking features
 
 2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname)
-        - N, O, C
         - ping disabled for C by default seccomp filter, use "getent hosts bingo"
 
 2.2 DNS (use --dns=4.2.2.1, use "dig google.com")
-        - N, O, C
-
 2.3 mac-vlan (use --net=eth0 and --noprofile; run ifconfig and dig google.com)
-        - N, O, C
-        - test --ip: N, O, C
-
 2.4 bridge (use --net=br0 and --noprofile; run ifconfig, netstat -rn, ping default gw)
-        - N, O, C
         - ping disabled for C by default seccomp filter - transfer test not implemented for C
-        - test --ip: N, O, C
-
 2.5 interface
-        - N, O, C
-
 2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn)
-        - N, O, C
-
-
 
 3. Filesystem features (use --noprofile)
 
-3.1 tmpfs
+3.1 private
 3.2 read-only
 3.3 blacklist
-3.4 whitelist
+3.4 whitelist home
+        - N braking on Fedora
+3.5 private-dev
+        - O, C - somehow /dev/log is missing
+        - N - problems on Debian wheezy 32-bit, Fedora
+3.6 private-etc
+        - O not working - todo
+3.7 private-tmp
+3.8 private-bin
+        - O, C not working - todo
+3.9 whitelist dev
+        - N not working on Debian wheezy (32-bit and 64-bit) - todo
+3.10 whitelist tmp
+        - O not working on Arch Linux - todo
+
+
+
+        
diff --git a/test/features/test.sh b/test/features/test.sh
index d4bcead0b..495996551 100755
--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -83,7 +83,7 @@ fi
 ####################
 # filesystem features
 ####################
-echo "TESTING: 3.1 tmpfs"
+echo "TESTING: 3.1 private"
 ./3.1.exp $OVERLAY $CHROOT
 
 echo "TESTING: 3.2 read-only"
@@ -92,6 +92,24 @@ echo "TESTING: 3.2 read-only"
 echo "TESTING: 3.3 blacklist"
 ./3.3.exp $OVERLAY $CHROOT
 
-echo "TESTING: 3.4 whitelist"
+echo "TESTING: 3.4 whitelist home"
 ./3.4.exp $OVERLAY $CHROOT
 
+echo "TESTING: 3.5 private-dev"
+./3.5.exp $OVERLAY $CHROOT
+
+echo "TESTING: 3.6 private-etc"
+./3.6.exp notworking $CHROOT
+
+echo "TESTING: 3.7 private-tmp"
+./3.7.exp $OVERLAY $CHROOT
+
+echo "TESTING: 3.8 private-bin"
+./3.8.exp notworking notworking
+
+echo "TESTING: 3.9 whitelist dev"
+./3.9.exp $OVERLAY $CHROOT
+
+echo "TESTING: 3.10 whitelist tmp"
+./3.10.exp $OVERLAY $CHROOT
+
diff --git a/test/fscheck-shell.exp b/test/fscheck-shell.exp
index 548955e60..6a3b5829c 100755
--- a/test/fscheck-shell.exp
+++ b/test/fscheck-shell.exp
@@ -37,12 +37,12 @@ expect {
 after 100
 
 # file link
-send -- "firejail --net=br0 --shell=fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Error"
-}
-after 100
+#send -- "firejail --net=br0 --shell=fscheck-file-link\r"
+#expect {
+#       timeout {puts "TESTING ERROR 4\n";exit}
+#       "Error"
+#}
+#after 100
 
 # ..
 send -- "firejail --net=br0 --shell=../test/fscheck-file-link\r"
diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp
index e496e4aaf..dd1fa4634 100755
--- a/test/invalid_filename.exp
+++ b/test/invalid_filename.exp
@@ -124,22 +124,6 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 8.1\n";exit}
-        "Checking filename bla&&bla"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.2\n";exit}
-        "Error:"
-}
-expect {
-        timeout {puts "TESTING ERROR 8.3\n";exit}
-        "is an invalid filename"
-}
-after 100
-
-
 send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 9.1\n";exit}
@@ -200,20 +184,6 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 13.1\n";exit}
-        "Checking filename bla&&bla"
-}
-expect {
-        timeout {puts "TESTING ERROR 13.2\n";exit}
-        "Error:"
-}
-expect {
-        timeout {puts "TESTING ERROR 13.3\n";exit}
-        "is an invalid filename"
-}
-after 100
 
 send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r"
 expect {
diff --git a/test/ip6.exp b/test/ip6.exp
index 4dc11d3dc..19a822ee2 100755
--- a/test/ip6.exp
+++ b/test/ip6.exp
@@ -14,30 +14,26 @@ expect {
         "DROP"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "DROP"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "2001:db8:1f0a:3ec::2/128"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "2001:db8:1f0a:3ec::2"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "Child process initialized"
 }
 sleep 2
 
 send -- "/sbin/ifconfig\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "inet6 addr"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "2001:db8:0:f101::1/64"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "Scope:Global"
 }
 
diff --git a/test/kmsg.exp b/test/kmsg.exp
new file mode 100755
index 000000000..096bdb708
--- /dev/null
+++ b/test/kmsg.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cat /dev/kmsg\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "cat /proc/kmsg\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/login_ssh.exp b/test/login_ssh.exp
index 163ee91b2..23c775763 100755
--- a/test/login_ssh.exp
+++ b/test/login_ssh.exp
@@ -56,4 +56,4 @@ expect {
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/name.profile b/test/name.profile
index 69e605600..1aa9f2d64 100644
--- a/test/name.profile
+++ b/test/name.profile
@@ -1 +1 @@
-name svntesting
+name jointesting
diff --git a/test/nice.exp b/test/nice.exp
new file mode 100755
index 000000000..f4afb547d
--- /dev/null
+++ b/test/nice.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --nice=15\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "netblu"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "top"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=nice.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "netblue"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "netblu"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "15"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "top"
+}
+
+
+
+puts "\nall done\n"
+
diff --git a/test/nice.profile b/test/nice.profile
new file mode 100644
index 000000000..d02c8f58b
--- /dev/null
+++ b/test/nice.profile
@@ -0,0 +1 @@
+nice 15
diff --git a/test/option-join-profile.exp b/test/option-join-profile.exp
index 8f9c10bf7..9200980a1 100755
--- a/test/option-join-profile.exp
+++ b/test/option-join-profile.exp
@@ -12,16 +12,16 @@ expect {
 sleep 3
 
 spawn $env(SHELL)
-send --  "firejail --join=svntesting;pwd\r"
+send --  "firejail --join=jointesting;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Switching to pid"
 }
-sleep 1
+sleep 3
 
 
 spawn $env(SHELL)
-send --  "firejail --shutdown=svntesting;pwd\r"
+send --  "firejail --shutdown=jointesting;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "home"
@@ -31,7 +31,7 @@ sleep 5
 send --  "firejail --list;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "svntesting" {puts "TESTING ERROR 5\n";exit}
+        "jointesting" {puts "TESTING ERROR 5\n";exit}
         "home"
 }
 sleep 1
diff --git a/test/option-shutdown.exp b/test/option-shutdown.exp
index 260a5b84f..e869f7611 100755
--- a/test/option-shutdown.exp
+++ b/test/option-shutdown.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --name=svntesting\r"
+send --  "firejail --name=shutdowntesting\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -12,7 +12,7 @@ expect {
 sleep 3
 
 spawn $env(SHELL)
-send --  "firejail --shutdown=svntesting;pwd\r"
+send --  "firejail --shutdown=shutdowntesting;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "home"
@@ -22,9 +22,9 @@ sleep 1
 send --  "firejail --list;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "svntesting" {puts "TESTING ERROR 6\n";exit}
+        "shutdowntesting" {puts "TESTING ERROR 6\n";exit}
         "home"
 }
 sleep 1
 
-puts "\n"
+puts "\nalldone\n"
diff --git a/test/option_tmpfs.exp b/test/option_tmpfs.exp
index 1ff47ab13..6522ef2d3 100755
--- a/test/option_tmpfs.exp
+++ b/test/option_tmpfs.exp
@@ -18,9 +18,27 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "/root"
 }
 sleep 1
+send -- "exit\r"
+sleep 2
 
-puts "\n"
+send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 13.1\n";exit}
+        "Checking filename bla&&bla"
+}
+expect {
+        timeout {puts "TESTING ERROR 13.2\n";exit}
+        "Error:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13.3\n";exit}
+        "is an invalid filename"
+}
+after 100
+
+
+puts "\nalldone\n"
 
diff --git a/test/private-keep.exp b/test/private-keep.exp
deleted file mode 100755
index 163aa2741..000000000
--- a/test/private-keep.exp
+++ /dev/null
@@ -1,192 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=.mozilla,.config/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.2\n";exit}
-        ".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-        timeout {puts "TESTING ERROR 0.3\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.4\n";exit}
-        ".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-#**************************************************************
-send -- "firejail --profile=private-keep.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 1.0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
-        ".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-        timeout {puts "TESTING ERROR 1.3\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4\n";exit}
-        ".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=~/.mozilla,~/.config/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        ".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-        timeout {puts "TESTING ERROR 2.3\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4\n";exit}
-        ".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=~/.mozilla,~/.config/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2\n";exit}
-        ".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-        timeout {puts "TESTING ERROR 3.3\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4\n";exit}
-        ".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=/home/netblue/.mozilla,/home/netblue/.config/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2\n";exit}
-        ".mozilla"
-}
-sleep 1
-
-send -- "find .config\r"
-expect {
-        timeout {puts "TESTING ERROR 4.3\n";exit}
-        ".config"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.4\n";exit}
-        ".config/firejail"
-}
-sleep 1
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=/home/netblue/../netblue/.mozilla,/home/netblue/.config/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Error: invalid private-home list"
-}
-sleep 1
-
-#**************************************************************
-send -- "firejail --noprofile --private-home=/root\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Error: only files or directories created by the current user are allowed"
-}
-sleep 1
-
-puts "all done\n"
-
diff --git a/test/servers3.exp b/test/servers3.exp
index 20a20a88d..eccdaa1d9 100755
--- a/test/servers3.exp
+++ b/test/servers3.exp
@@ -45,7 +45,7 @@ expect {
 send -- "cat index.html\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "This is the default web page for this server"
+        "DOCTYPE html PUBLIC"
 }
 
 sleep 1
@@ -63,6 +63,13 @@ expect {
         "ppp" {puts "TESTING ERROR 6\n";exit}
         "log"
 }
+sleep 1
+send -- "ls -al /tmp;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "X11-unix" {puts "TESTING ERROR 11\n";exit}
+        "/root"
+}
 sleep 2
 
 puts "\nall done\n"
diff --git a/test/servers6.exp b/test/servers6.exp
index 2179f6f98..9ef4ea514 100755
--- a/test/servers6.exp
+++ b/test/servers6.exp
@@ -45,7 +45,7 @@ expect {
 send -- "cat index.html\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Welcome to nginx"
+        "DOCTYPE html PUBLIC"
 }
 
 sleep 1
@@ -63,6 +63,13 @@ expect {
         "ppp" {puts "TESTING ERROR 6\n";exit}
         "log"
 }
+sleep 1
+send -- "ls -al /tmp;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "X11-unix" {puts "TESTING ERROR 11\n";exit}
+        "/root"
+}
 sleep 2
 
 puts "\nall done\n"
diff --git a/test/test-root.sh b/test/test-root.sh
index ac6b2ef00..1c3fc4c96 100755
--- a/test/test-root.sh
+++ b/test/test-root.sh
@@ -2,6 +2,12 @@
 
 ./chk_config.exp
 
+echo "TESTING: tmpfs"
+./option_tmpfs.exp
+
+echo "TESTING: profile tmpfs"
+./profile_tmpfs.exp
+
 echo "TESTING: network interfaces"
 ./net_interface.exp
 
@@ -16,7 +22,7 @@ fi
 
 if [ -f /etc/init.d/apache2 ]
 then
-        echo "TESTING: servers apache2, private-dev"
+        echo "TESTING: servers apache2, private-dev, private-tmp"
         ./servers3.exp
 fi
 
@@ -28,13 +34,13 @@ fi
 
 if [ -f /etc/init.d/unbound ]
 then
-        echo "TESTING: servers unbound, private-dev"
+        echo "TESTING: servers unbound, private-dev, private-tmp"
         ./servers5.exp
 fi
 
 if [ -f /etc/init.d/nginx ]
 then
-        echo "TESTING: servers nginx, private-dev"
+        echo "TESTING: servers nginx, private-dev, private-tmp"
         ./servers6.exp
 fi
 
@@ -66,3 +72,10 @@ then
         echo "TESTING: firemon --cgroup"
         ./firemon-cgroup.exp
 fi
+
+echo "TESTING: chroot resolv.conf"
+rm -f tmpfile
+touch tmpfile
+ln -s tmp /tmp/chroot/etc/resolv.conf
+./chroot-resolvconf.exp
+rm -f tmpfile
diff --git a/test/test.sh b/test/test.sh
index 44bb7ba99..923a9b390 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -6,6 +6,9 @@
 
 ./fscheck.sh
 
+echo "TESTING: nice"
+./nice.exp
+
 echo "TESTING: protocol"
 ./protocol.exp
 
@@ -15,6 +18,9 @@ echo "TESTING: invalid filename"
 echo "TESTING: environment variables"
 ./env.exp
 
+echo "TESTING: whitelist empty"
+./whitelist-empty.exp
+
 echo "TESTING: ignore command"
 ./ignore.exp
 
@@ -86,6 +92,9 @@ rm -f index.html*
 echo "TESTING: extract command"
 ./extract_command.exp
 
+echo "TESTING: kmsg access"
+./kmsg.exp
+
 echo "TESTING: rlimit"
 ./option_rlimit.exp
 
@@ -107,9 +116,6 @@ echo "TESTING: firejail in firejail - force new sandbox"
 echo "TESTING: chroot overlay"
 ./option_chroot_overlay.exp
 
-echo "TESTING: tmpfs"
-./option_tmpfs.exp
-
 echo "TESTING: blacklist directory"
 ./option_blacklist.exp
 
@@ -175,9 +181,6 @@ echo "TESTING: profile rlimit"
 echo "TESTING: profile read-only"
 ./profile_readonly.exp
 
-echo "TESTING: profile tmpfs"
-./profile_tmpfs.exp
-
 echo "TESTING: private"
 ./private.exp `whoami`
 
@@ -193,29 +196,8 @@ mkdir dirprivate
 ./private_dir_profile.exp
 rm -fr dirprivate
 
-echo "TESTING: private keep"
-./private-keep.exp
-
-uname -r | grep "3.18"
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: overlayfs on 3.18 kernel"
-        ./fs_overlay.exp
-fi
-
-grep "openSUSE" /etc/os-release
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: overlayfs"
-        ./fs_overlay.exp
-fi
-
-grep "Ubuntu" /etc/os-release
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: overlayfs"
-        ./fs_overlay.exp
-fi
+echo "TESTING: overlayfs"
+./fs_overlay.exp
 
 echo "TESTING: seccomp debug"
 ./seccomp-debug.exp
@@ -269,6 +251,7 @@ echo "TESTING: network IP"
 ./net_ip.exp
 
 echo "TESTING: network MAC"
+sleep 2
 ./net_mac.exp
 
 echo "TESTING: network MTU"
diff --git a/test/whitelist-empty.exp b/test/whitelist-empty.exp
new file mode 100755
index 000000000..226b019db
--- /dev/null
+++ b/test/whitelist-empty.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/ | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0"
+}
+
+send -- "ls -l /tmp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "0"
+}
+
+send -- "ls -l /media | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "0"
+}
+
+send -- "ls -l /var | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0"
+}
+
+send -- "ls -l /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "0"
+}
+send -- "ls -l /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "0"
+}
+
+
+puts "\nall done\n"
diff --git a/todo b/todo
index 25fda9e74..8e8ffc9f2 100644
--- a/todo
+++ b/todo
@@ -115,3 +115,9 @@ The POSIX standard defines what a “portable filename” is. This turns out to
 http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276
 
 22. --shutdown does not clear sandboxes started with --join on Debian jessie
+
+23. to document:
+
+http://lwn.net/Articles/414813/
+echo 1 > /proc/sys/kernel/dmesg_restrict
+