21 files changed, 399 insertions, 23 deletions
diff --git a/Makefile.in b/Makefile.in
index 0b2455292..dabd9aa15 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -45,6 +45,7 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
        src/fseccomp/fseccomp default seccomp.debug allow-debuggers
        src/fseccomp/fseccomp secondary 32 seccomp.i386
        src/fseccomp/fseccomp secondary 64 seccomp.amd64
+        src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
 endif
 clean:
@@ -52,7 +53,7 @@ clean:
                $(MAKE) -C $$dir clean; \
        done
        rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
-        rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
+        rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.mdwx
        rm -f test/utils/index.html*
        rm -f test/utils/wget-log
        rm -f test/utils/lstesting
@@ -101,6 +102,7 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
        install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
 endif
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
        install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
diff --git a/README b/README
index 33ccd9ef9..8fec5c83f 100644
--- a/README
+++ b/README
@@ -345,6 +345,7 @@ Rahiel Kasim (https://github.com/rahiel)
        - Mathematica profile
        - whitelisted Dropbox profile
        - whitelisted keysnail config for firefox
+        - added telegram-desktop profile
 Rahul Golam (https://github.com/technoLord)
        - strings profile
 Raphaël Droz (https://github.com/drzraf)
@@ -397,8 +398,9 @@ SpotComms (https://github.com/SpotComms)
        - fixed wget profile
        - fixed firecfg.config file
        - added novideo and disable-mnt support in all profile files
-        - added Peek and silent profiles
+        - added Peek and silent profiles
        - added IntelliJ IDEA and Android Studio profiles
+    - added arm profile
 SYN-cook (https://github.com/SYN-cook)
        - keepass/keepassx browser fixes
        - disable-common.inc fixes
diff --git a/README.md b/README.md
index 765c746ed..61279e14a 100644
--- a/README.md
+++ b/README.md
@@ -128,5 +128,6 @@ ulimit, vhangup, vserver. This brings us to a total of 91 syscalls blacklisted b
 curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy,
 IntelliJ IDEA, Android Studio, electron, riot-web,
-Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
+Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
+telegram-desktop, arm
diff --git a/RELNOTES b/RELNOTES
index 9cdd71e8d..d1f28ac17 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,9 +7,9 @@ firejail (0.9.49) baseline; urgency=low
  * enhancement: rework IP address assingment for --net options
  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
-  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, 
+  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
  * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
-  
+  * new profiles: telegram-desktop, arm
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
diff --git a/etc/Telegram.profile b/etc/Telegram.profile
index a8841eb8c..7b44a62f1 100644
--- a/etc/Telegram.profile
+++ b/etc/Telegram.profile
@@ -5,5 +5,5 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/Telegram.local
-# Telegram IRC profile
+# Telegram profile
 include /etc/firejail/telegram.profile
diff --git a/etc/telegram-desktop.profile b/etc/telegram-desktop.profile
new file mode 100644
index 000000000..db5c2bdbb
--- /dev/null
+++ b/etc/telegram-desktop.profile
@@ -0,0 +1,9 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/telegram-desktop.local
+# Telegram profile
+include /etc/firejail/telegram.profile
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 5282789ce..db00e8082 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -5,7 +5,7 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/telegram.local
-# Telegram IRC profile
+# Telegram profile
 noblacklist ${HOME}/.TelegramDesktop
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index a60bf92c3..54bd2f697 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -16,6 +16,7 @@
 /etc/firejail/amarok.profile
 /etc/firejail/android-studio.profile
 /etc/firejail/arduino.profile
+/etc/firejail/arm.profile
 /etc/firejail/ark.profile
 /etc/firejail/atom-beta.profile
 /etc/firejail/atom.profile
@@ -330,3 +331,4 @@
 /etc/firejail/pingus.profile
 /etc/firejail/simutrans.profile
 /etc/firejail/supertux2.profile
+/etc/firejail/telegram-desktop.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index eb611034f..a6472a604 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -239,6 +239,7 @@ supertux2
 synfigstudio
 telegram
 Telegram
+telegram-desktop
 thunderbird
 totem
 tracker
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b90c8d8ed..1a26396a7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -48,15 +48,18 @@
 #define RUN_SRV_DIR     "/run/firejail/mnt/srv"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
+#define RUN_LIB_DIR     "/run/firejail/mnt/lib"
 #define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
 #define RUN_SECCOMP_AMD64       "/run/firejail/mnt/seccomp.amd64"       // amd64 filter installed on i386 architectures
 #define RUN_SECCOMP_I386        "/run/firejail/mnt/seccomp.i386"                // i386 filter installed on amd64 architectures
+#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp.mdwx"                // filter for memory-deny-write-execute
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
 #define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64")           // amd64 filter built during make
 #define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386")                     // i386 filter built during make
+#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx")             // filter for memory-deny-write-execute built during make
 #define RUN_DEV_DIR             "/run/firejail/mnt/dev"
@@ -207,6 +210,7 @@ typedef struct config_t {
        char *opt_private_keep; // keep list for private opt directory
        char *srv_private_keep; // keep list for private srv directory
        char *bin_private_keep; // keep list for private bin directory
+        char *lib_private_keep; // keep list for private bin directory
        char *cwd;              // current working directory
        char *overlay_dir;
        char *private_template; // template dir for tmpfs home
@@ -328,6 +332,7 @@ extern int arg_private_opt;	// private opt directory
 extern int arg_private_srv;     // private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
+extern int arg_private_lib;     // private lib directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
 extern int arg_nosound; // disable sound
@@ -352,6 +357,7 @@ extern int arg_allusers;	// all user home directories visible
 extern int arg_machineid;       // preserve /etc/machine-id
 extern int arg_disable_mnt;     // disable /mnt and /media
 extern int arg_noprofile;       // use default.profile if none other found/specified
+extern int arg_memory_deny_write_execute;       // block writable and executable memory
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -625,6 +631,9 @@ void pulseaudio_disable(void);
 // fs_bin.c
 void fs_private_bin_list(void);
+// fs_lib.c
+void fs_private_lib(void);
 // protocol.c
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
new file mode 100644
index 000000000..cc60a330f
--- /dev/null
+++ b/src/firejail/fs_lib.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <elf.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#ifdef __LP64__
+#define Elf_Ehdr Elf64_Ehdr
+#define Elf_Phdr Elf64_Phdr
+#define Elf_Shdr Elf64_Shdr
+#define Elf_Dyn Elf64_Dyn
+#else
+#define Elf_Ehdr Elf32_Ehdr
+#define Elf_Phdr Elf32_Phdr
+#define Elf_Shdr Elf32_Shdr
+#define Elf_Dyn Elf32_Dyn
+#endif
+static const char * const lib_paths[] = {
+        "/lib",
+        "/lib/x86_64-linux-gnu",
+        "/lib64",
+        "/usr/lib",
+        "/usr/lib/x86_64-linux-gnu",
+        LIBDIR,
+        "/usr/local/lib",
+        NULL
+};
+static void copy_libs_for_lib(const char *lib, const char *private_run_dir);
+static void duplicate(const char *fname, const char *private_run_dir) {
+        if (arg_debug)
+                printf("copying %s to private %s\n", fname, private_run_dir);
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", fname, private_run_dir);
+}
+static void copy_libs_for_exe(const char *exe, const char *private_run_dir) {
+        if (arg_debug)
+                printf("copy libs for %s\n", exe);
+        int f;
+        f = open(exe, O_RDONLY);
+        if (f < 0)
+                return;
+        struct stat s;
+        char *base = NULL;
+        if (fstat(f, &s) == -1)
+                goto error_close;
+        base = mmap(0, s.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, f, 0);
+        if (base == MAP_FAILED)
+                goto error_close;
+        Elf_Ehdr *ebuf = (Elf_Ehdr *)base;
+        if (strncmp((const char *)ebuf->e_ident, ELFMAG, SELFMAG) != 0)
+                goto close;
+        Elf_Phdr *pbuf = (Elf_Phdr *)(base + sizeof(*ebuf));
+        while (ebuf->e_phnum-- > 0) {
+                switch (pbuf->p_type) {
+                case PT_INTERP:
+                        // dynamic loader ld-linux.so
+                        duplicate(base + pbuf->p_offset, private_run_dir);
+                        break;
+                }
+                pbuf++;
+        }
+        Elf_Shdr *sbuf = (Elf_Shdr *)(base + ebuf->e_shoff);
+        // Find strings section
+        char *strbase = NULL;
+        int sections = ebuf->e_shnum;
+        while (sections-- > 0) {
+                if (sbuf->sh_type == SHT_STRTAB) {
+                        strbase = base + sbuf->sh_offset;
+                        break;
+                }
+                sbuf++;
+        }
+        if (strbase == NULL)
+                goto error_close;
+        // Find dynamic section
+        sections = ebuf->e_shnum;
+        while (sections-- > 0) {
+                if (sbuf->sh_type == SHT_DYNAMIC) {
+                        // Find DT_NEEDED tags
+                        Elf_Dyn *dbuf = (Elf_Dyn *)(base + sbuf->sh_offset);
+                        while (sbuf->sh_size >= sizeof(*dbuf)) {
+                                if (dbuf->d_tag == DT_NEEDED) {
+                                        const char *lib = strbase + dbuf->d_un.d_ptr;
+                                        copy_libs_for_lib(lib, private_run_dir);
+                                }
+                                sbuf->sh_size -= sizeof(*dbuf);
+                                dbuf++;
+                        }
+                }
+                sbuf++;
+        }
+        goto close;
+ error_close:
+        perror("copy libs");
+ close:
+        if (base)
+                munmap(base, s.st_size);
+        close(f);
+}
+static void copy_libs_for_lib(const char *lib, const char *private_run_dir) {
+        for (int i = 0; lib_paths[i]; i++) {
+                char *fname;
+                if (asprintf(&fname, "%s/%s", lib_paths[i], lib) == -1)
+                        errExit("asprintf");
+                if (access(fname, R_OK) == 0) {
+                        char *dst;
+                        if (asprintf(&dst, "%s/%s", private_run_dir, lib) == -1)
+                                errExit("asprintf");
+                        if (access(dst, R_OK) != 0) {
+                                duplicate(fname, private_run_dir);
+                                // libs may need other libs
+                                copy_libs_for_exe(fname, private_run_dir);
+                        }
+                        free(dst);
+                        free(fname);
+                        return;
+                }
+                free(fname);
+        }
+        errExit("library not found");
+}
+void fs_private_lib(void) {
+        char *private_list = cfg.lib_private_keep;
+        // create /run/firejail/mnt/lib directory
+        mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
+        // copy the libs in the new lib directory for the main exe
+        if (cfg.original_program_index > 0)
+                copy_libs_for_exe(cfg.original_argv[cfg.original_program_index], RUN_LIB_DIR);
+        // for the shell
+        if (!arg_shell_none)
+                copy_libs_for_exe(cfg.shell, RUN_LIB_DIR);
+        // for the listed libs
+        if (private_list && *private_list != '\0') {
+                if (arg_debug)
+                        printf("Copying extra files (%s) in the new lib directory:\n", private_list);
+                char *dlist = strdup(private_list);
+                if (!dlist)
+                        errExit("strdup");
+                char *ptr = strtok(dlist, ",");
+                copy_libs_for_lib(ptr, RUN_LIB_DIR);
+                while ((ptr = strtok(NULL, ",")) != NULL)
+                        copy_libs_for_lib(ptr, RUN_LIB_DIR);
+                free(dlist);
+                fs_logger_print();
+        }
+        if (arg_debug)
+                printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
+        if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        fs_logger("mount /lib");
+        if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        fs_logger("mount /lib64");
+        if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        fs_logger("mount /usr/lib");
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c055a1537..ff57a5693 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_private_opt = 0;			// private opt directory
 int arg_private_srv = 0;                        // private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
+int arg_private_lib = 0;                        // private lib directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
 int arg_nosound = 0;                            // disable sound
@@ -110,6 +111,7 @@ int arg_allow_private_blacklist = 0; 		// blacklist things in private directorie
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_disable_mnt = 0;                        // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
+int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int login_shell = 0;
@@ -1144,6 +1146,12 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("seccomp");
                }
+                else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
+                        if (checkcfg(CFG_SECCOMP))
+                                arg_memory_deny_write_execute = 1;
+                        else
+                                exit_err_feature("seccomp");
+                }
 #endif
                else if (strcmp(argv[i], "--caps") == 0)
                        arg_caps_default_filter = 1;
@@ -1622,6 +1630,17 @@ int main(int argc, char **argv) {
                                cfg.bin_private_keep = argv[i] + 14;
                        arg_private_bin = 1;
                }
+                else if (strncmp(argv[i], "--private-lib", 13) == 0) {
+                        // extract private lib list (if any)
+                        if (argv[i][13] == '=') {
+                                if (cfg.lib_private_keep) {
+                                        if (argv[i][14] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0)
+                                                errExit("asprintf");
+                                } else
+                                        cfg.lib_private_keep = argv[i] + 14;
+                        }
+                        arg_private_lib = 1;
+                }
                else if (strcmp(argv[i], "--private-tmp") == 0) {
                        arg_private_tmp = 1;
                }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index ef93368bf..9c474415d 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -83,6 +83,8 @@ void preproc_mount_mnt_dir(void) {
                else
                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
+                if (arg_memory_deny_write_execute)
+                        copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
                // as root, create an empty RUN_SECCOMP_PROTOCOL file
                create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
                if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 18891ac58..972f5932d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -595,6 +595,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        // memory deny write&execute
+        if (strcmp(ptr, "memory-deny-write-execute") == 0) {
+#ifdef HAVE_SECCOMP
+                if (checkcfg(CFG_SECCOMP))
+                        arg_memory_deny_write_execute = 1;
+                else
+                        warning_feature_disabled("seccomp");
+#endif
+                return 0;
+        }
        // caps drop list
        if (strncmp(ptr, "caps.drop ", 10) == 0) {
                arg_caps_drop = 1;
@@ -849,6 +860,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        // private /lib list of files
+        if (strncmp(ptr, "private-lib", 11) == 0) {
+                if (ptr[11] == ' ') {
+                        if (cfg.lib_private_keep) {
+                                if (ptr[12] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, ptr + 12) < 0)
+                                        errExit("asprintf");
+                        } else {
+                                cfg.lib_private_keep = ptr + 12;
+                        }
+                }
+                arg_private_lib = 1;
+                return 0;
+        }
 #ifdef HAVE_OVERLAYFS
        if (strncmp(ptr, "overlay-named ", 14) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 55733d5d7..6c0fdebe3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -811,6 +811,16 @@ int sandbox(void* sandbox_arg) {
                }
        }
+        if (arg_private_lib) {
+                if (cfg.chrootdir)
+                        fwarning("private-lib feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fwarning("private-lib feature is disabled in overlay\n");
+                else {
+                        fs_private_lib();
+                }
+        }
        if (arg_private_tmp) {
                if (cfg.chrootdir)
                        fwarning("private-tmp feature is disabled in chroot\n");
@@ -991,6 +1001,11 @@ int sandbox(void* sandbox_arg) {
                else
                        seccomp_filter_drop(enforce_seccomp);
        }
+        if (arg_memory_deny_write_execute) {
+                if (arg_debug)
+                        printf("Install memory write&execute filter\n");
+                seccomp_load(RUN_SECCOMP_MDWX); // install filter
+        }
 #endif
        //****************************************
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 29f928ee7..6e0fc0919 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -19,6 +19,7 @@
 */
 #ifdef HAVE_SECCOMP
+#include <sys/mman.h>
 #include "firejail.h"
 #include "../include/seccomp.h"
@@ -64,24 +65,14 @@ int seccomp_load(const char *fname) {
        int size = lseek(fd, 0, SEEK_END);
        if (size == -1)
                goto errexit;
-        if (lseek(fd, 0 , SEEK_SET) == -1)
-                goto errexit;
        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
        if (arg_debug)
                printf("configuring %d seccomp entries from %s\n", entries, fname);
        // read filter
-        struct sock_filter *filter = malloc(size);
+        struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-        if (filter == NULL)
+        if (filter == MAP_FAILED)
                goto errexit;
-        memset(filter, 0, size);
-        int rd = 0;
-        while (rd < size) {
-                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-                if (rv == -1)
-                        goto errexit;
-                rd += rv;
-        }
        // close file
        close(fd);
@@ -91,14 +82,16 @@ int seccomp_load(const char *fname) {
                .len = entries,
                .filter = filter,
        };
+        int r = 0;
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
                if (!err_printed)
                        fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
                err_printed = 1;
-                return 1;
+                r = 1;
        }
-        return 0;
+        munmap(filter, size);
+        return r;
 errexit:
        fprintf(stderr, "Error: cannot read %s\n", fname);
@@ -194,7 +187,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
                        PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
-        return seccomp_load(RUN_SECCOMP_CFG);
+        return 0;
 }
 // keep filter for seccomp option
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 1e4881e9c..157b71011 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -48,6 +48,7 @@ void seccomp_secondary_64(const char *fname);
 void seccomp_secondary_32(const char *fname);
 // seccomp_file.c
+void write_to_file(int fd, const void *data, int size);
 void filter_init(int fd);
 void filter_add_whitelist(int fd, int syscall, int arg);
 void filter_add_blacklist(int fd, int syscall, int arg);
@@ -64,6 +65,8 @@ void seccomp_drop(const char *fname, char *list, int allow_debuggers);
 void seccomp_default_drop(const char *fname, char *list, int allow_debuggers);
 // whitelisted filter
 void seccomp_keep(const char *fname, char *list);
+// block writable and executable memory
+void memory_deny_write_execute(const char *fname);
 // seccomp_print
 void filter_print(const char *fname);
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index e322b5bbb..3d95d5bb2 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -35,6 +35,7 @@ static void usage(void) {
        printf("\tfseccomp default drop file list\n");
        printf("\tfseccomp default drop file list allow-debuggers\n");
        printf("\tfseccomp keep file list\n");
+        printf("\tfseccomp memory-deny-write-execute file\n");
        printf("\tfseccomp print file\n");
 }
@@ -87,6 +88,8 @@ printf("\n");
                seccomp_default_drop(argv[3], argv[4], 1);
        else if (argc == 4 && strcmp(argv[1], "keep") == 0)
                seccomp_keep(argv[2], argv[3]);
+        else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
+                memory_deny_write_execute(argv[2]);
        else if (argc == 3 && strcmp(argv[1], "print") == 0)
                filter_print(argv[2]);
        else {
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 4f8de8c5e..7d2ccbbce 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -19,7 +19,10 @@
 */
 #include "fseccomp.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
+#include <sys/shm.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
 static void add_default_list(int fd, int allow_debuggers) {
 #ifdef SYS_mount
@@ -428,3 +431,54 @@ void seccomp_keep(const char *fname, char *list) {
        // close file
        close(fd);
 }
+void memory_deny_write_execute(const char *fname) {
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+        filter_init(fd);
+        // build filter
+        static const struct sock_filter filter[] = {
+#ifndef __x86_64__
+                // block old multiplexing mmap syscall for i386
+                BLACKLIST(SYS_mmap),
+#endif
+                // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
+#ifndef __x86_64__
+                // mmap2 is used for mmap on i386 these days
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
+#else
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
+#endif
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW,
+                // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW,
+                // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
+                KILL_PROCESS,
+                RETURN_ALLOW
+        };
+        write_to_file(fd, filter, sizeof(filter));
+        filter_end_blacklist(fd);
+        // close file
+        close(fd);
+}
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index c74de9faf..16ffd5302 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -21,7 +21,7 @@
 #include "../include/seccomp.h"
 #include <sys/syscall.h>
-static void write_to_file(int fd, void *data, int size) {
+void write_to_file(int fd, const void *data, int size) {
        assert(data);
        assert(size);
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd47800c5..3a5e8560c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -740,6 +740,12 @@ Example:
 $ firejail \-\-machine-id
 .TP
+\fB\-\-memory-deny-write-execute
+Install a seccomp filter to block attempts to create memory mappings
+that are both writable and executable, to change mappings to be
+executable or to create executable shared memory.
+.TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
 .br
@@ -1232,6 +1238,34 @@ $ ls /bin
 bash  cat  ls  sed
 .TP
+\fB\-\-private-lib=file,file
+Build a new /lib in a temporary filesystem. For command to be executed,
+the shell (if \-\-shell=none is not used), and the listed libraries
+find out dynamic libraries and copy them to the /lib directory.
+If no listed file is found, /lib directory will be empty and no programs will be able to execute.
+The same directory is also bind-mounted over /lib64 and /usr/lib.
+All modifications are discarded when the sandbox is closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-shell=none \-\-private-lib= \-\-private-bin=ls /bin/ls /lib /bin
+.br
+Parent pid 15733, child pid 15734
+.br
+Child process initialized in 69.61 ms
+.br
+/bin:
+.br
+ls
+.br
+.br
+/lib:
+.br
+ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpcre.so.3  libpthread.so.0  libselinux.so.1
+.TP
 \fB\-\-private-dev
 Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 .br