29 files changed, 405 insertions, 34 deletions

diff --git a/README b/README
index e3169e161..074b98510 100644
--- a/README
+++ b/README
@@ -35,6 +35,8 @@ Maintainer:
 Committers
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Reiner Herrmann (https://github.com/reinerh)
+- smithsohu (https://github.com/smitsohu)
+- SpotComms (https://github.com/SpotComms)
 - startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer
 - Topi Miettinen (https://github.com/topimiettinen)
 - netblue30 (netblue30@yahoo.com)
@@ -112,6 +114,10 @@ creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
 chiraag-nataraj (https://github.com/chiraag-nataraj)
         - support for newer Xpra versions (2.1+)
+        - added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
+        - added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles
+        - added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles
+        - added tor, x-terminal-emulator, zart profiles
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
         - evolution profile fix
@@ -241,6 +247,8 @@ Impyy (https://github.com/Impyy)
         - added mumble profile
 irregulator (https://github.com/irregulator)
         - thunderbird profile fixes for debian stretch
+Irvine (https://github.com/Irvinehimself)
+        - added conky profile
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
@@ -307,6 +315,8 @@ Mattias Wadman (https://github.com/wader)
         - seccomp errno filter support
 Matthew Gyurgyik (https://github.com/pyther)
         - rpm spec and several fixes
+melvinvermeeren (https://github.com/melvinvermeeren)
+        - added teamspeak3 profile
 Michael Haas (https://github.com/mhaas)
         - bugfixes
 Mike Frysinger (vapier@gentoo.org)
@@ -320,6 +330,8 @@ n1trux (https://github.com/n1trux)
 netblue30 (netblue30@yahoo.com)
 Niklas Haas (https://github.com/haasn)
         - blacklisting for keybase.io's client
+nyancat18 (https://github.com/nyancat18)
+        - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
         - allow firefox theming with non-global themes
 Panzerfather (https://github.com/Panzerfather)
@@ -343,6 +355,8 @@ Peter Hogg (https://github.com/pigmonkey)
         - fixes for youtube-dl in mpv profile
 Petter Reinholdtsen (pere@hungry.com)
         - Opera profile patch
+PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
+        - fix quiterss profile
 pirate486743186 (https://github.com/pirate486743186)
         - KMail profile
 Pixel Fairy (https://github.com/xahare)
diff --git a/README.md b/README.md
index 91bba52d2..26f3dc3c5 100644
--- a/README.md
+++ b/README.md
@@ -114,12 +114,12 @@ in order to allow strace to run. Chromium and Chromium-based browsers will not w
 
 Example:
 `````
-$ firejail --build vlc ~/Videos/test.mp4
+$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
 
 [...]
 
 ############################################
-# vlc profile
+# /usr/bin/vlc profile
 ############################################
 # Persistent global definitions
 # include /etc/firejail/globals.local
@@ -141,13 +141,14 @@ private-tmp
 private-dev
 private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
 whitelist /var/lib/menu-xdg
+# private-bin vlc,
 
 ### security filters
 caps.drop all
 nonewprivs
 seccomp
-# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
-# 82 syscalls total
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
+# 76 syscalls total
 # Probably you will need to add more syscalls to seccomp.keep. Look for
 # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
 # running your sandbox.
@@ -178,4 +179,5 @@ amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
 calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
 calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
 imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
-ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart
+ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
+conky, arch-audit, ffmpeg
diff --git a/RELNOTES b/RELNOTES
index d4302c134..5bc07f000 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.51) baseline; urgency=low
   * work in progress!
+  * enhancement: support Firejail user config directory in firecfg
   * feature: --writable-run-user
   * feature: profile build tool (--build)
  -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
new file mode 100644
index 000000000..d8ed64811
--- /dev/null
+++ b/etc/arch-audit.profile
@@ -0,0 +1,40 @@
+# Firejail profile for arch-audit
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/arch-audit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist /var/lib/pacman
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index bd2367fe0..52e701821 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/conky.profile b/etc/conky.profile
new file mode 100644
index 000000000..4ee25f099
--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/corebird.profile b/etc/corebird.profile
index 87f7a970b..99a3335ef 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -5,16 +5,30 @@ include /etc/firejail/corebird.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ~/.config/corebird
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
+nogroups
+nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin corebird
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ca6ba9710..abce0fe57 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -2,15 +2,14 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
 
-# History files and clipboard managers in $HOME
+# History files in $HOME and clipboard managers
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
-blacklist-nolog ${HOME}/.bash_history
+blacklist-nolog ${HOME}/.cache/greenclip*
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.macromedia
-blacklist-nolog /tmp/clipmenu*   
-blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog /tmp/clipmenu*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
@@ -229,7 +228,6 @@ blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.pki
-blacklist ${HOME}/.password-store
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist /etc/group+
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 88b7e7d32..615e28172 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -82,6 +82,7 @@ blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
new file mode 100644
index 000000000..e098c95e3
--- /dev/null
+++ b/etc/ffmpeg.profile
@@ -0,0 +1,33 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/ffmpeg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nosound
+notv
+novideo
+nonewprivs
+noroot
+# protocol none - needs to be implemented!
+seccomp
+# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
+# memory-deny-write-execute - it breaks old versions of ffmpeg
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-bin ffmpeg
+include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/firefox.profile b/etc/firefox.profile
index f65b020a9..1f4a8e3f6 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -73,7 +73,8 @@ seccomp
 shell none
 tracelog
 
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+# firefox requires a shell to launch on Arch. We can possibly remove sh though.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash
 private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp
diff --git a/etc/geary.profile b/etc/geary.profile
index 7878154a6..3ab4a21d8 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -14,7 +14,6 @@ noblacklist ~/.local/share/geary
 mkdir ~/.gnupg
 mkdir ~/.local/share/geary
 whitelist ~/.gnupg
-whitelist ~/.local/share/applications
 whitelist ~/.local/share/geary
 include /etc/firejail/whitelist-common.inc
 
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 3b5a0b13c..b039d07b2 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 96fe04e83..f820b590e 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
 whitelist ${HOME}/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/QuiteRss
 whitelist ${HOME}/quiterssfeeds.opml
 include /etc/firejail/whitelist-common.inc
 
diff --git a/smtube.profile b/etc/smtube.profile
index 2694dd5b0..2694dd5b0 100644
--- a/smtube.profile
+++ b/etc/smtube.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 17bf51873..8e878eb1c 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -20,7 +20,6 @@ mkdir ~/.thunderbird
 whitelist ~/.cache/thunderbird
 whitelist ~/.gnupg
 whitelist ~/.icedove
-whitelist ~/.local/share/applications
 whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
 
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 5b6a257f6..fbc198cc3 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index ef95a7e5e..310149ecd 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -35,10 +35,14 @@ whitelist ~/.gtkrc-2.0
 whitelist ~/.gtk-2.0
 whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
+whitelist ~/.config/gtkrc
+whitelist ~/.config/gtkrc-2.0
 whitelist ~/.themes
 whitelist ~/.local/share/themes
 whitelist ~/.kde/share/config/gtkrc
 whitelist ~/.kde/share/config/gtkrc-2.0
+whitelist ~/.kde4/share/config/gtkrc
+whitelist ~/.kde4/share/config/gtkrc-2.0
 whitelist ~/.gnome2
 whitelist ~/.gnome2-private
 
@@ -51,3 +55,6 @@ whitelist ~/.config/kdeglobals
 whitelist ~/.kde/share/config/oxygenrc
 whitelist ~/.kde/share/config/kdeglobals
 whitelist ~/.kde/share/icons
+whitelist ~/.kde4/share/config/oxygenrc
+whitelist ~/.kde4/share/config/kdeglobals
+whitelist ~/.kde4/share/icons
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc
index bd3473acc..024995f20 100644
--- a/etc/whitelist-var-common.inc
+++ b/etc/whitelist-var-common.inc
@@ -8,3 +8,4 @@ whitelist /var/lib/menu-xdg
 whitelist /var/cache/fontconfig
 whitelist /var/tmp
 whitelist /var/run
+whitelist /var/lock
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index af6547f7f..27623aee3 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -358,3 +358,4 @@
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
 /etc/firejail/whitelist-var-common.inc
+/etc/firejail/ffmpeg
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
new file mode 100644
index 000000000..7d0e2cb7c
--- /dev/null
+++ b/src/fbuilder/build_bin.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fbuilder.h"
+
+static FileDB *bin_out = NULL;
+
+static void process_bin(const char *fname) {
+        assert(fname);
+        
+        // process trace file
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+        
+                // parse line: 4:galculator:access /etc/fonts/conf.d:0
+                // number followed by :
+                ptr = buf;
+                if (!isdigit(*ptr))
+                        continue;
+                while (isdigit(*ptr))
+                        ptr++;
+                if (*ptr != ':')
+                        continue;
+                ptr++;
+
+                // next :
+                ptr = strchr(ptr, ':');
+                if (!ptr)
+                        continue;
+                ptr++;
+                if (strncmp(ptr, "exec ", 5) == 0)
+                        ptr +=  5;
+                else
+                        continue;
+                if (strncmp(ptr, "/bin/", 5) == 0)
+                        ptr += 5;
+                else if (strncmp(ptr, "/sbin/", 6) == 0)
+                        ptr += 6;
+                else if (strncmp(ptr, "/usr/bin/", 9) == 0)
+                        ptr += 9;
+                else if (strncmp(ptr, "/usr/sbin/", 10) == 0)
+                        ptr += 10;
+                else if (strncmp(ptr, "/usr/local/bin/", 15) == 0)
+                        ptr += 15;
+                else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
+                        ptr += 16;
+                else if (strncmp(ptr, "/usr/games/", 11) == 0)
+                        ptr += 12;
+                else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
+                        ptr += 17;
+                else
+                        continue;
+
+                // end of filename
+                char *ptr2 = strchr(ptr, ':');
+                if (!ptr2)
+                        continue;
+                *ptr2 = '\0';
+                
+                bin_out = filedb_add(bin_out, ptr);
+        }
+        
+        fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_bin(const char *fname) {
+        assert(fname);
+        
+        // run fname
+        process_bin(fname);
+        
+        // run all the rest
+        struct stat s;
+        int i;
+        for (i = 1; i <= 5; i++) {
+                char *newname;
+                if (asprintf(&newname, "%s.%d", fname, i) == -1)
+                        errExit("asprintf");
+                if (stat(newname, &s) == 0)
+                        process_bin(newname);
+                free(newname);
+        }
+
+        if (bin_out) {
+                printf("# private-bin ");
+                FileDB *ptr = bin_out;
+                while (ptr) {
+                        printf("%s,", ptr->fname);
+                        ptr = ptr->next;
+                }
+                printf("\n");
+        }
+}
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 5fca22648..3f5fe48ca 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -33,6 +33,7 @@ static char *cmdlist[] = {
         "--caps.drop=all",
         "--nonewprivs",
         "--trace",
+        "--shell=none",
         "/usr/bin/strace", // also used as a marker in build_profile()
         "-c",
         "-f",
@@ -56,8 +57,6 @@ static void clear_tmp_files(void) {
 }
 
 void build_profile(int argc, char **argv, int index) {
-        unlink("/tmp/strace-output");
-
         // next index is the application name
         if (index >= argc) {
                 fprintf(stderr, "Error: application name missing\n");
@@ -136,6 +135,7 @@ void build_profile(int argc, char **argv, int index) {
                 build_dev(TRACE_OUTPUT);
                 build_etc(TRACE_OUTPUT);
                 build_var(TRACE_OUTPUT);
+                build_bin(TRACE_OUTPUT);
                 printf("\n");
 
                 printf("### security filters\n");
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index a9049ea2d..c448f3e06 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -44,6 +44,9 @@ void build_var(const char *fname);
 void build_tmp(const char *fname);
 void build_dev(const char *fname);
 
+// build_bin.c
+void build_bin(const char *fname);
+
 // build_home.c
 void build_home(const char *fname);
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 5d6afe68b..5a36f5e3e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -20,6 +20,7 @@ amarok
 amule
 android-studio
 apktool
+arch-audit
 ardour4
 ardour5
 arduino
@@ -65,6 +66,7 @@ clementine
 clipit
 cmus
 conkeror
+conky
 corebird
 cvlc
 cyberfox
@@ -97,6 +99,7 @@ evolution
 exiftool
 fbreader
 feh
+ffmpeg
 file-roller
 filezilla
 firefox
@@ -290,7 +293,7 @@ soundconverter
 spotify
 sqlitebrowser
 ssh
-ssh-agent
+# ssh-agent - problems on Arch with Fish shell (#1568)
 start-tor-browser
 steam
 stellarium
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 1ecfbf524..5928b9ae5 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -31,6 +31,7 @@
 #include <errno.h>
 #include <sys/mman.h>
 #include <pwd.h>
+#include <dirent.h>
 
 #include "../include/common.h"
 static int arg_debug = 0;
@@ -277,7 +278,8 @@ static void set_file(const char *name, const char *firejail_exec) {
         free(fname);
 }
 
-static void set_links(void) {
+// parse /usr/lib/firejail/firecfg.cfg file
+static void set_links_firecfg(void) {
         char *cfgfile;
         if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
                 errExit("asprintf");
@@ -286,12 +288,13 @@ static void set_links(void) {
         if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
                 errExit("asprintf");
 
+        // parse /usr/lib/firejail/firecfg.cfg file
         FILE *fp = fopen(cfgfile, "r");
         if (!fp) {
                 fprintf(stderr, "Error: cannot open %s\n", cfgfile);
                 exit(1);
         }
-        printf("Configuring symlinks in /usr/local/bin\n");
+        printf("Configuring symlinks in /usr/local/bin based on firecfg.config\n");
 
         char buf[MAX_BUF];
         int lineno = 0;
@@ -330,7 +333,69 @@ static void set_links(void) {
         free(firejail_exec);
 }
 
-int have_profile(const char *filename) {
+// parse ~/.config/firejail/ directory
+static void set_links_homedir(const char *homedir) {
+        assert(homedir);
+
+        // check firejail config directory
+        char *dirname;
+        if (asprintf(&dirname, "%s/.config/firejail", homedir) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(dirname, &s) != 0) {
+                free(dirname);
+                return;
+        }
+
+        char *firejail_exec;
+        if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1)
+                errExit("asprintf");
+
+        // parse ~/.config/firejail/ directory
+        printf("\nConfiguring symlinks in /usr/local/bin based on local firejail config directory\n");
+
+        DIR *dir = opendir(dirname);
+        if (!dir) {
+                fprintf(stderr, "Error: cannot open ~/.config/firejail directory\n");
+                free(dirname);
+                return;
+        }
+
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                char *exec = strdup(entry->d_name);
+                if (!exec)
+                        errExit("strdup");
+                char *ptr = strrchr(exec, '.');
+                if (!ptr) {
+                        free(exec);
+                        continue;
+                }
+                if (strcmp(ptr, ".profile") != 0) {
+                        free(exec);
+                        continue;
+                }
+
+                *ptr = '\0';
+                set_file(exec, firejail_exec);
+                free(exec);
+        }
+        closedir(dir);
+
+        free(firejail_exec);
+}
+
+// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
+static int have_profile(const char *filename, const char *homedir) {
+        assert(filename);
+        assert(homedir);
+
+        if (arg_debug)
+                printf("checking profile for %s\n", filename);
+
         // remove .desktop extension
         char *f1 = strdup(filename);
         if (!f1)
@@ -338,15 +403,29 @@ int have_profile(const char *filename) {
         f1[strlen(filename) - 8] = '\0';
 
         // build profile name
-        char *profname;
-        if (asprintf(&profname, "%s/%s.profile", SYSCONFDIR, f1) == -1)
+        char *profname1;
+        char *profname2;
+        if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1)
+                errExit("asprintf");
+        if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, f1) == -1)
                 errExit("asprintf");
 
-        struct stat s;
-        int rv = stat(profname, &s);
+        int rv = 0;
+        if (access(profname1, R_OK) == 0) {
+                if (arg_debug)
+                        printf("found %s\n", profname1);
+                rv = 1;
+        }
+        else if (access(profname2, R_OK) == 0) {
+                if (arg_debug)
+                        printf("found %s\n", profname2);
+                rv = 1;
+        }
+                
         free(f1);
-        free(profname);
-        return (rv == 0)? 1: 0;
+        free(profname1);
+        free(profname2);
+        return rv;
 }
 
 static void fix_desktop_files(char *homedir) {
@@ -411,7 +490,7 @@ static void fix_desktop_files(char *homedir) {
                         errExit("stat");
 
                 // no profile in /etc/firejail, no desktop file fixing
-                if (!have_profile(filename))
+                if (!have_profile(filename, homedir))
                         continue;
 
                 /* coverity[toctou] */
@@ -599,7 +678,7 @@ int main(int argc, char **argv) {
                         }
                 }
         }
-        set_links();
+        set_links_firecfg();
 
 
 
@@ -623,6 +702,9 @@ int main(int argc, char **argv) {
                         goto errexit;
                 }
 
+                // running as root
+                set_links_homedir(home);
+
                 // drop permissions
                 if (setgroups(0, NULL) < 0)
                         errExit("setgroups");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3e0729620..4d1c94c25 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -196,7 +196,7 @@ static int copy_file_by_fd(int src, int dst) {
                         done += rv;
                 }
         }
-        fflush(0);
+//      fflush(0);
         return 0;
 }
 
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 5cdb254a3..04cf64997 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -673,3 +673,15 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
 
         return rv;
 }
+
+// every time a new process is started, this gets called
+// it can be used to build things like private-bin
+__attribute__((constructor))
+static void log_exec(int argc, char** argv) {
+        static char buf[PATH_MAX + 1];
+        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
+        if (rv != -1) {
+                buf[rv] = '\0'; // readlink does not add a '\0' at the end
+                printf("%u:%s:exec %s:0\n", pid(), name(), buf);
+        }
+}
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f205bfa30..9bbb224e1 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1338,13 +1338,13 @@ $ ps
 .br
    48 pts/0    00:00:00 ps
 .br
-$ 
+$
 .br
 
 
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
 .br
 
 .br
@@ -1358,7 +1358,7 @@ Child process initialized
 .br
 $ ls /dev
 .br
-dri  full  log  null  ptmx  pts  random  shm  snd  tty  urandom  zero
+cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random  shm  snd  sr0  tty  urandom  zero
 .br
 $
 .TP
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 5ff11174d..29781c21a 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -7,14 +7,14 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail less ../../Makefile.in\r"
+send -- "firejail less sysutils.sh\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "MYLIBS"
+        "MALLOC_CHECK"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "APPS"
+        "./cpio.exp"
 }
 
 puts "\nall done\n"