32 files changed, 314 insertions, 193 deletions
diff --git a/Makefile.in b/Makefile.in
index db326d2db..c6147cee7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -223,6 +223,7 @@ realinstall:
        install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
        install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.
        rm -fr .etc
diff --git a/README b/README
index f2547ad90..1c9d85d65 100644
--- a/README
+++ b/README
@@ -58,6 +58,8 @@ Fred-Barclay (https://github.com/Fred-Barclay)
        - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles.
        - several private-bin conversions
        - added jitsi profile
+        - pidgin private-bin conversion
+        - added eom profile
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
        - cpio profile
 Paupiah Yash (https://github.com/CaffeinatedStud)
diff --git a/README.md b/README.md
index 8f4a66c0f..5e9c2e3f2 100644
--- a/README.md
+++ b/README.md
@@ -34,12 +34,31 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 `````
 `````
-# Current development version: 0.9.41
+# Current development version: 0.9.42~rc2
+Version 0.9.41~rc1 was released.
 ## Deprecated --user
 --user option was deprecated, please use "sudo -u username firejail application" instead.
+## --whitelist rework
+Symlinks outside user home directories are allowed:
+`````
+      --whitelist=dirname_or_filename
+              Whitelist directory or file. This feature  is  implemented  only
+              for  user  home, /dev, /media, /opt, /var, and /tmp directories.
+              With the exeception of user home, both the  link  and  the  real
+              file should be in the same top directory.
+              Example:
+              $ firejail --noprofile --whitelist=~/.mozilla
+              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
+              $ firejail "--whitelist=/home/username/My Virtual Machines"
+`````
 ## AppImage
 AppImage (http://appimage.org/) is a distribution-agnostic packaging format.
@@ -119,11 +138,11 @@ BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, ug
 File transfer: filezilla
-Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer
+Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom
-Office: evince, gthumb, fbreader, pix, atril, xreader
+Office: evince, gthumb, fbreader, pix, atril, xreader,
-Chat/messaging: qtox, gitter
+Chat/messaging: qtox, gitter, pidgin
 Games: warzone2100
@@ -135,5 +154,5 @@ Browsers: Palemoon
 ## New security profiles
-Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi
+Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom
diff --git a/RELNOTES b/RELNOTES
index 3ff1bf1ad..be65b9fca 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,20 +1,21 @@
-firejail (0.9.41) baseline; urgency=low
+firejail (0.9.42~rc1) baseline; urgency=low
-  * work in progress...
  * deprecated --user option, please use "sudo -u username firejail" instead
+  * --read-write option rework
+  * allow symlinks in home directory for --whitelist option
  * AppImage support (--appimage)
  * Sandbox auditing support (--audit)
  * remove environment variable (--rmenv)
  * noexec support (--noexec)
+  * Ubuntu snap support
  * include /dev/snd in --private-dev
  * added mkfile profile command
  * seccomp filter updated
  * compile time and run time support to disable whitelists
  * compile time support to disable global configuration file
-  * some profiles have been converted to private-bin
  * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less
-  * new profiles: Atom Beta, Atom, jitsi
+  * new profiles: Atom Beta, Atom, jitsi, eom
- -- netblue30 <netblue30@yahoo.com>  Tue, 31 May 2016 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Thu, 21 Jul 2016 08:00:00 -0500
 firejail (0.9.40) baseline; urgency=low
  * added --nice option
diff --git a/configure b/configure
index d7017e6d7..cd4be9296 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.41.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.41'
+PACKAGE_VERSION='0.9.42~rc2'
-PACKAGE_STRING='firejail 0.9.41'
+PACKAGE_STRING='firejail 0.9.42~rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
@@ -1250,7 +1250,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.41 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.42~rc2 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1311,7 +1311,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.41:";;
+     short | recursive ) echo "Configuration of firejail 0.9.42~rc2:";;
   esac
  cat <<\_ACEOF
@@ -1410,7 +1410,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.41
+firejail configure 0.9.42~rc2
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1712,7 +1712,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.41, which was
+It was created by firejail $as_me 0.9.42~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -4217,7 +4217,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.41, which was
+This file was extended by firejail $as_me 0.9.42~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4271,7 +4271,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.41
+firejail config.status 0.9.42~rc2
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 470c55d37..c22228d0f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.41, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.42~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 17f37c5cc..d18ee0287 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -20,6 +20,8 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 837ac1e4c..0f155351d 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -20,6 +20,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
diff --git a/etc/eom.profile b/etc/eom.profile
new file mode 100644
index 000000000..81d993e96
--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin eom
+private-dev
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 091456d76..3df2cafa6 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -2,11 +2,19 @@
 noblacklist ${HOME}/.purple
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
 nonewprivs
+nogroups
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+private-bin pidgin
+private-dev
diff --git a/etc/snap.profile b/etc/snap.profile
index b7e6d9b19..270fdf1a5 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 whitelist ~/snap
+whitelist ${DOWNLOADS}
 include /etc/firejail/whitelist-common.inc
 caps.keep chown,sys_admin
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 3bbd93d3c..24884228e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -129,3 +129,4 @@
 /etc/firejail/atom-beta.profile
 /etc/firejail/atom.profile
 /etc/firejail/jitsi.profile
+/etc/firejail/eom.profile
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 78bd622fc..d3dcd57d0 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
            _filedir
            return 0
            ;;
+       --read-write)
+            _filedir
+            return 0
+            ;;
        --bind)
            _filedir
            return 0
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 1ead2aa38..1edce5802 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
                printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
        }
        else {
-                printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+                printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
        }       
        close(sock);
@@ -65,8 +65,8 @@ void dbus_test(void) {
                        check_session_bus(sockfile);
                        
                        sockfile -= 13;
-                        free(sockfile);
                }
+                free(bus);
        }
 }
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
new file mode 100644
index 000000000..92f615958
--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+void dev_test(void) {
+        DIR *dir;
+        if (!(dir = opendir("/dev"))) {
+                fprintf(stderr, "Error: cannot open /dev directory\n");
+                return;
+        }
+        
+        struct dirent *entry;
+        printf("INFO: files visible in /dev directory: ");
+        int cnt = 0;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                
+                printf("%s, ", entry->d_name);
+                cnt++;
+        }
+        printf("\n");
+        
+        if (cnt > 20)
+                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+        else
+                printf("GOOD: Access to /dev directory is restricted.\n");
+        closedir(dir);
+}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
index 3c08a3eab..93fb4b709 100644
--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -58,4 +58,7 @@ void network_test(void);
 // dbus.c
 void dbus_test(void);
+// dev.c
+void dev_test(void);
 #endif
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 14794719d..6ff938d98 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -38,8 +38,9 @@ int main(int argc, char **argv) {
        // extract program name
        prog = realpath(argv[0], NULL);
        if (prog == NULL) {
-                fprintf(stderr, "Error: cannot extract the path of the audit program\n");
+                prog = strdup("faudit");
-                return 1;
+                if (!prog)
+                        errExit("strdup");
        }
        printf("INFO: starting %s.\n", prog);
        
@@ -67,7 +68,11 @@ int main(int argc, char **argv) {
        // dbus
        dbus_test();
        printf("\n");
-        
+        // /dev test
+        dev_test();
+        printf("\n");
        free(prog);
        printf("--------------------------------------------------------------------------------\n");
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index ba975c4b4..48e205a58 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -40,6 +40,7 @@ midori
 netsurf
 opera-beta
 opera
+palemoon
 qutebrowser
 seamonkey
 seamonkey-bin
@@ -98,6 +99,7 @@ totem
 vlc
 xplayer
 xviewer
+eom
 # news readers
 quiterss
@@ -110,10 +112,11 @@ fbreader
 gwenview
 gthumb
 libreoffice
+localc
 lodraw
 loffice
 lofromtemplate
-loimpres
+loimpress
 lomath
 loweb
 lowriter
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8856986e6..29bb6c494 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -584,10 +584,6 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 int checkcfg(int val);
-// fs_rdwr.c
-void fs_rdwr_add(const char *path);
-void fs_rdwr(void);
 // appimage.c
 void appimage_set(const char *appimage_path);
 void appimage_clear(void);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 4b2b91b17..630458549 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,6 +27,8 @@
 #include <fcntl.h>
 #include <errno.h>
+static void fs_rdwr(const char *dir);
 static void create_empty_dir(void) {
        struct stat s;
        
@@ -229,6 +231,7 @@ typedef enum {
        MOUNT_READONLY,
        MOUNT_TMPFS,
        MOUNT_NOEXEC,
+        MOUNT_RDWR,
        OPERATION_MAX
 } OPERATION;
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) {
                fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
        }
+        else if (op == MOUNT_RDWR) {
+                if (arg_debug)
+                        printf("Mounting read-only %s\n", fname);
+                fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+        }
        else if (op == MOUNT_NOEXEC) {
                if (arg_debug)
                        printf("Mounting noexec %s\n", fname);
@@ -492,6 +501,10 @@ void fs_blacklist(void) {
                        ptr = entry->data + 10;
                        op = MOUNT_READONLY;
                }                       
+                else if (strncmp(entry->data, "read-write ", 11) == 0) {
+                        ptr = entry->data + 11;
+                        op = MOUNT_RDWR;
+                }                       
                else if (strncmp(entry->data, "noexec ", 7) == 0) {
                        ptr = entry->data + 7;
                        op = MOUNT_NOEXEC;
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) {
        }
 }
+static void fs_rdwr(const char *dir) {
+        assert(dir);
+        // check directory exists
+        struct stat s;
+        int rv = stat(dir, &s);
+        if (rv == 0) {
+                // if the file is outside /home directory, allow only root user
+                uid_t u = getuid();
+                if (u != 0 && s.st_uid != u) {
+                        fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+                        return;
+                }
+                
+                // mount --bind /bin /bin
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                // mount --bind -o remount,rw /bin
+                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                        errExit("mount read-write");
+                fs_logger2("read-write", dir);
+        }
+}
 void fs_noexec(const char *dir) {
        assert(dir);
        // check directory exists
@@ -757,9 +793,6 @@ void fs_basic_fs(void) {
        // firejail sandboxes (firejail --force)
        if (getuid() != 0)
                disable_firejail_config();
-                
-        if (getuid() == 0)
-                fs_rdwr();
 }
@@ -1093,7 +1126,7 @@ void fs_chroot(const char *rootdir) {
                if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
                        errExit("asprintf");
                if (arg_debug)
-                        printf("Mounting /tmp/.X11-unix on %s\n", newdev);
+                        printf("Mounting /tmp/.X11-unix on %s\n", newx11);
                if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mounting /tmp/.X11-unix");
                free(newx11);
diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c
deleted file mode 100644
index 68df6465f..000000000
--- a/src/firejail/fs_rdwr.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2014-2016 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <sys/mount.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-typedef struct rdwr_t {
-        struct rdwr_t *next;
-        const char *path;
-} RDWR;
-RDWR *rdwr = NULL;
-void fs_rdwr_add(const char *path) {
-        // verify path
-        if (*path != '/') {
-                fprintf(stderr, "Error: invalid path for read-write command\n");
-                exit(1);
-        }
-        invalid_filename(path);
-        if (is_link(path)) {
-                fprintf(stderr, "Error: invalid symbolic link for read-write command\n");
-                exit(1);
-        }
-        if (strstr(path, "..")) {
-                fprintf(stderr, "Error: invalid path for read-write command\n");
-                exit(1);
-        }
-        
-        // print warning if the file doesn't exist
-        struct stat s;
-        if (stat(path, &s) == -1) {
-                fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path);
-                return;
-        }
-        
-        // build list entry
-        RDWR *r = malloc(sizeof(RDWR));
-        if (!r)
-                errExit("malloc");
-        memset(r, 0, sizeof(RDWR));
-        r->path = path;
-        
-        // add
-        r->next = rdwr;
-        rdwr = r;
-}
-static void mount_rdwr(const char *path) {
-        assert(path);
-        // check directory exists
-        struct stat s;
-        int rv = stat(path, &s);
-        if (rv == 0) {
-                // mount --bind /bin /bin
-                if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
-                // mount --bind -o remount,rw /bin
-                if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
-                fs_logger2("read-write", path);
-        }
-}
-void fs_rdwr(void) {
-        RDWR *ptr = rdwr;
-        
-        while (ptr) {
-                mount_rdwr(ptr->path);
-                ptr = ptr->next;
-        }
-}
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index ba6c8cd74..926e5415c 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) {
        char *wfile = NULL;
        if (entry->home_dir) {
-                fname = path + strlen(cfg.homedir);
+                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {             
-                if (*fname == '\0') {
+                        fname = path + strlen(cfg.homedir);
-                        fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                        if (*fname == '\0') {
-                        exit(1);
+                                fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path);
+                                exit(1);
+                        }
                }
+                else
+                        fname = path;
        
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
                        errExit("asprintf");
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) {
                        printf("Whitelisting %s\n", path);
        }
        else {
-                if (arg_debug || arg_debug_whitelists) {
-                        fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path);
-                }
                return;
        }
        
@@ -390,13 +391,14 @@ void fs_whitelist(void) {
                        entry->home_dir = 1;
                        home_dir = 1;
+                        if (arg_debug)
+                                fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+                                        __LINE__, fname, cfg.homedir);
                        // both path and absolute path are under /home
-                        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
+//                      if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                if (arg_debug)
+//                              goto errexit;
-                                        fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
+//                      }
-                                                __LINE__, fname, cfg.homedir);
-                                goto errexit;
-                        }
                }
                else if (strncmp(new_name, "/tmp/", 5) == 0) {
                        entry->tmp_dir = 1;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4f1c81e2b..cbc3d57cf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1206,7 +1206,7 @@ int main(int argc, char **argv) {
                                errExit("asprintf");
                        
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
-                        // profile_add(line); is not necessary
+                        profile_add(line);
                }
                else if (strcmp(argv[i], "--overlay") == 0) {
                        if (cfg.chrootdir) {
@@ -2142,8 +2142,6 @@ int main(int argc, char **argv) {
                        fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
                else if (arg_overlay)
                        fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-//              else if (cfg.home_private_keep)
-//                      fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
                else {
                        // try to load a default profile
                        char *profile_name = DEFAULT_USER_PROFILE;
@@ -2166,6 +2164,10 @@ int main(int argc, char **argv) {
                                else
                                        custom_profile = profile_find(profile_name, SYSCONFDIR);
                        }
+                        if (!custom_profile) {
+                                fprintf(stderr, "Error: no default.profile installed\n");
+                                exit(1);
+                        }
                        
                        if (custom_profile && !arg_quiet)
                                printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 40e2e4330..46ef0921d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -716,16 +716,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;               
        }
-        // read-write
-        if (strncmp(ptr, "read-write ", 11) == 0) {
-                if (getuid() != 0) {
-                        fprintf(stderr, "Error: read-write command is available only for root user\n");
-                        exit(1);
-                }
-                fs_rdwr_add(ptr + 11);
-                return 0;
-        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
@@ -747,6 +737,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        else if (strncmp(ptr, "read-only ", 10) == 0)
                ptr += 10;
+        else if (strncmp(ptr, "read-write ", 11) == 0)
+                ptr += 11;
        else if (strncmp(ptr, "noexec ", 7) == 0)
                ptr += 7;
        else if (strncmp(ptr, "tmpfs ", 6) == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd9ea6a8a..fed573e6c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1184,16 +1184,23 @@ A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted d
 should be made read-only independently. Making a parent directory read-only, will not
 make the whitelist read-only. Example:
 .br
+.br
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 .TP
 \fB\-\-read-write=dirname_or_filename
-By default, the sandbox mounts system directories read-only.
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. 
+this operation. Example:
-Use this option to mount read-write files or directories inside the system directories.
+.br
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
-cases the system directories are mounted read-write.
 .TP
 \fB\-\-rlimit-fsize=number
@@ -1515,14 +1522,14 @@ firejail version 0.9.27
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
-When whitlisting symbolic links, both the link and the real file should be in the same top directory
+With the exeception of user home, both the link and the real file should be in 
-(home user, /media, /var etc.)
+the same top directory.
 .br
 .br
 Example:
 .br
-$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index 6f7cae888..685acf737 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -34,7 +34,7 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 1.4\n";exit}
-        "proc /proc/sysrq-trigger proc"
+        "/proc/sysrq-trigger"
 }
 #expect {
 #       timeout {puts "TESTING ERROR 1.5\n";exit}
@@ -42,11 +42,11 @@ expect {
 #}
 expect {
        timeout {puts "TESTING ERROR 1.6\n";exit}
-        "proc /proc/irq proc"
+        "/proc/irq"
 }
 expect {
        timeout {puts "TESTING ERROR 1.7\n";exit}
-        "proc /proc/bus proc"
+        "/proc/bus"
 }
 after 100
 send -- "exit\r"
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index 493a87328..4c6d3f3dc 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -20,12 +20,6 @@ expect {
 }
 sleep 1
-send -- "ls /etc/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Permission denied"
-}
-after 100
 send -- "ls ~/.config/firejail\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
@@ -77,12 +71,6 @@ if { $overlay == "overlay" } {
                "Child process initialized" {puts "normal system\n"}
        }
        sleep 1
-        send -- "ls /etc/firejail\r"
-        expect {
-                timeout {puts "TESTING ERROR 3\n";exit}
-                "Permission denied"
-        }
-        after 100
        send -- "ls ~/.config/firejail\r"
        expect {
                timeout {puts "TESTING ERROR 3.1\n";exit}
@@ -134,12 +122,6 @@ if { $chroot == "chroot" } {
                "Child process initialized"
        }
        sleep 1
-        send -- "ls /etc/firejail\r"
-        expect {
-                timeout {puts "TESTING ERROR 5\n";exit}
-                "Permission denied"
-        }
-        after 100
        send -- "ls ~/.config/firejail\r"
        expect {
                timeout {puts "TESTING ERROR 5.1\n";exit}
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
index aed5fe836..f4b544b3d 100755
--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -22,8 +22,8 @@ sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "12" { puts "Debian\n"}
+        "13" { puts "Debian\n"}
-        "11" { puts "Centos\n"}
+        "12" { puts "Centos\n"}
 }
 after 100
@@ -45,8 +45,8 @@ if { $overlay == "overlay" } {
        send -- "ls -l /dev | wc -l\r"
        expect {
                timeout {puts "TESTING ERROR 3.1\n";exit}
-                "12" { puts "Debian\n"}
+                "13" { puts "Debian\n"}
-                "11" { puts "Centos\n"}
+                "12" { puts "Centos\n"}
        }
        
        after 100
@@ -68,7 +68,7 @@ if { $chroot == "chroot" } {
        send -- "ls -l /dev | wc -l\r"
        expect {
                timeout {puts "TESTING ERROR 5.1\n";exit}
-                "11"
+                "12"
        }
        
        after 100
diff --git a/test/private_dir.exp b/test/private_dir.exp
index 9dfb2ea9f..a4beeba27 100755
--- a/test/private_dir.exp
+++ b/test/private_dir.exp
@@ -42,7 +42,7 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "7" {puts "normal system\n";}
+        "6" {puts "normal system\n";}
        "5" {puts "OpenSUSE\n";}
 }
 expect {
diff --git a/test/private_dir_profile.exp b/test/private_dir_profile.exp
index 5b38ad0bb..8d1c74444 100755
--- a/test/private_dir_profile.exp
+++ b/test/private_dir_profile.exp
@@ -42,7 +42,7 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
-        "7" {puts "normal system\n";}
+        "6" {puts "normal system\n";}
        "5" {puts "OpenSUSE\n";}
 }
 expect {
diff --git a/test/test.sh b/test/test.sh
index 71e2c6720..4b7d5bb6d 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -62,9 +62,6 @@ echo "TESTING: overlayfs (fs_overlay.exp)"
 echo "TESTING: login SSH (login_ssh.exp)"
 ./login_ssh.exp
-echo "TESTING: DNS (dns.exp)"
-./dns.exp
 echo "TESTING: firemon --arp (firemon-arp.exp)"
 ./firemon-arp.exp
diff --git a/todo b/todo
index 88baff216..30e8f3949 100644
--- a/todo
+++ b/todo
@@ -161,3 +161,88 @@ To disable Vsync
 $ vblank_mode=0 glxgears
+18. Bring in nvidia drives in private-dev
+/dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm
+19. testing snaps
+Install firejail from official repository
+sudo apt-get install firejail
+Check firejail version
+firejail --version
+Above command outputs: firejail version 0.9.38
+Search the snap 'ubuntu clock' application
+sudo snap find ubuntu-clock-app
+Install 'ubuntu clock' application using snap
+sudo snap install ubuntu-clock-app
+Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
+cd /snap/bin/
+ls -l
+Note: We see application name is: ubuntu-clock-app.clock
+Run application
+/snap/bin/ubuntu-clock-app.clock
+Note: Application starts-up without a problem and clock is displayed.
+Close application using mouse.
+Now try to firejail the application.
+firejail /snap/bin/ubuntu-clock-app.clock
+-------- Error message --------
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+** Note: you can use --noprofile to disable generic.profile **
+Parent pid 3770, child pid 3771
+Child process initialized
+need to run as root or suid
+parent is shutting down, bye...
+-------- End of Error message --------
+Try running as root as message instructs.
+sudo firejail /snap/bin/ubuntu-clock-app.clock
+extract env for process
+ps e -p <pid> | sed 's/ /\n/g' 
+20. check default disable - from grsecurity
+GRKERNSEC_HIDESYM
+/proc/kallsyms and other files
+GRKERNSEC_PROC_USER
+If you say Y here, non-root users will only be able to view their own
+processes, and restricts them from viewing network-related information,
+and viewing kernel symbol and module information.
+GRKERNSEC_PROC_ADD
+If you say Y here, additional restrictions will be placed on
+/proc that keep normal users from viewing device information and 
+slabinfo information that could be useful for exploits.
+21. Core Infrastructure Initiative (CII) Best Practices
+Proposal
+Someone closely involved with the project could go thought the criteria and keep them up-to-date.
+References
+    https://bestpractices.coreinfrastructure.org
+    https://twit.tv/shows/floss-weekly/episodes/389
+22. add support for read-write and noexec to Firetools