55 files changed, 354 insertions, 481 deletions
diff --git a/README b/README
index 15696d9d7..405eb5c4e 100644
--- a/README
+++ b/README
@@ -2,11 +2,11 @@ Firejail  is  a  SUID sandbox program that reduces the risk of security
 breaches by restricting the running environment of  untrusted  applications
 using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
 Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
-VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
+VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
 DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
-Pidgin, Quassel and XChat.
+Pidgin, Quassel, and XChat.
-Firejail also expands the restricted shell facility found  in  bash  by adding 
+Firejail also expands the restricted shell facility found  in  bash  by adding
 Linux  namespace support. It supports sandboxing specific users upon login.
 Download: http://sourceforge.net/projects/firejail/files/
@@ -15,7 +15,9 @@ Documentation and support: https://firejail.wordpress.com/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
-Compile and install
+Compile and install mainline version from GitHub:
 $ git clone https://github.com/netblue30/firejail.git
 $ cd firejail
@@ -26,19 +28,23 @@ On Debian/Ubuntu you will need to install git and a compiler:
 $ sudo apt-get install build-essential
-Firejail Authors:
-netblue30 (netblue30@yahoo.com)
+Maintainer:
-Reiner Herrmann (https://github.com/reinerh)
+- netblue30 (netblue30@yahoo.com)
-        - a number of build patches
-        - man page fixes
+Committers
-        - Debian and Ubuntu integration
+- Fred-Barclay (https://github.com/Fred-Barclay)
-        - clang-analyzer fixes
+- Reiner Herrmann (https://github.com/reinerh)
-        - Debian reproducible build
+- netblue30 (netblue30@yahoo.com)
-        - unit testing framework
-        - moved build to .xz
-        - detached signatures for source archive
-        - recursive mkdir
+Firejail Authors (alphabetical order)
+Akhil Hans Maulloo (https://github.com/kouul)
+        - xz profile
+Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
+        - src/lib/libnetlink.c extracted from iproute2 software package
 Aleksey Manevich (https://github.com/manevich)
        - several profile fixes
        - fix problem with relative path in storage_find function
@@ -57,6 +63,80 @@ Aleksey Manevich (https://github.com/manevich)
        - x11 xpra, xphyr, none profile commands
        - added --join-or-start command
        - CVE-2016-7545
+Alexander Stein (https://github.com/ajstein)
+        - added profile for qutebrowser
+Andrey Alekseenko (https://github.com/al42and)
+        - fixing lintian warnings
+        - fixed Skype profile
+andrew160 (https://github.com/andrew160)
+        - profile and man pages fixes
+Austin S. Hemmelgarn (https://github.com/Ferroin)
+        - unbound profile update
+avoidr (https://github.com/avoidr)
+        - whitelist fix
+        - recently-used.xbel fix
+        - added parole profile
+        - blacklist ncat
+        - hostname support in profile file
+        - Google Chrome profile rework
+        - added cmus profile
+        - man page fixes
+        - add net iface support in profile files
+        - paths fix
+        - lots of profile fixes
+        - added mcabber profile
+        - fixed mpv profile
+        - various other fixes
+Bader Zaidan (https://github.com/BaderSZ)
+        - Telegram profile
+Benjamin Kampmann (https://github.com/ligthyear)
+        - Forward exit code from child process
+BogDan Vatra (https://github.com/bog-dan-ro)
+        - zoom profile
+Bruno Nova (https://github.com/brunonova)
+        - whitelist fix
+        - bash arguments fix
+Cat (https://github.com/ecat3)
+        - prevent tmux connecting to an existing session
+creideiki (https://github.com/creideiki)
+        - make the sandbox process reap all children
+Christian Stadelmann (https://github.com/genodeftest)
+        - profile fixes
+        - evolution profile fix
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
+        - correct and tighten QuiteRss profile
+        - dnsmasq profile
+        - okular and gwenview profiles
+        - cherrytree profile fixes
+        - added quiterss profile
+        - added guayadeque profile
+        - added VirtualBox.profile
+        - various other profile fixes
+Daan Bakker (https://github.com/dbakker)
+        - protect shell startup files
+Dara Adib (https://github.com/daradib)
+        - ssh profile fix
+        - evince profile fix
+Deelvesh Bunjun (https://github.com/DeelveshBunjun)
+        - added xpdf profile
+dewbasaur (https://github.com/dewbasaur)
+        - block access to history files
+        - Firefox PDF.js exploit (CVE-2015-4495) fixes
+        - Steam profile
+dshmgh (https://github.com/dshmgh)
+        - overlayfs fix for systems with /home mounted on a separate partition
+Duncan Overbruck (https://github.com/Duncaen)
+        - musl libc fix
+        - utmp fix
+emacsomancer (https://github.com/emacsomancer)
+        - added profile for Conkeror browser
+eventyrer (https://github.com/eventyrer)
+        - update gnome-mplayer.profile
+Felipe Barriga Richards (https://github.com/fbarriga)
+        - --private-etc fix
+Franco (nextime) Lanza (https://github.com/nextime)
+        - added --private-template/--private-home
 Fred-Barclay (https://github.com/Fred-Barclay)
        - lots of profile fixes
        - added Vivaldi, Atril profiles
@@ -99,169 +179,57 @@ Fred-Barclay (https://github.com/Fred-Barclay)
        - compile/install scripts for --git-install/--git-uninstall commands
        - tighten keepassx
        - added Thunar profile
-SYN-cook (https://github.com/SYN-cook)
+G4JC (http://sourceforge.net/u/gaming4jc/profile/)
-        - keepass/keepassx browser fixes
+        - ARM support
-        - disable-common.inc fixes
-        - blacklist GNOME keyring and Konqueror
-        - fixed Keepass(x) profiles
-        - Engrampa profile
-        - Scribus profile
-valoq (https://github.com/valoq)
-        - lots of profile fixes
-        - added support for /srv in --whitelist feature
-        - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
-        - blacklist suid binaries in disable-common.inc
-        - fix man pages
-        - added keypass2, qemu profiles
-        - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
-        - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
-        - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
-        - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
-        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
-        - added wget profile
-        - disable gnupg and systemd directories under /run/user
-        - added iridium browser profile
-Zack Weinberg (https://github.com/zackw)
-        - removed libconnect
-        - fixed memory corruption in noblacklist processing
-        - rework DISPLAY environment parsing
-        - rework masking X11 sockets in /tmp/.X11-unix directory
-        - rework xpra and xephyr detection
-        - rework abstract X11 socket detection
-        - rework X11 display number assignment
-        - rework X11 xorg processing
-        - rework fcopy, --follow-link support in fcopy
-        - follow link support in --private-bin
-        - wait_for_other function rewrite
-        - xvfb X11 server support
-Austin S. Hemmelgarn (https://github.com/Ferroin)
-        - unbound profile update
-Igor Bukanov (https://github.com/ibukanov)
-        - found/fiixed privilege escalation in --hosts-file option
-Cat (https://github.com/ecat3)
-        - prevent tmux connecting to an existing session
-Zack Weinberg (https://github.com/zackw)
-        - sdded support for joining a persistent, named network namespace
-GSI (https://github.com/GSI)
-        - added Uzbl browser profile
-Mike Frysinger (vapier@gentoo.org)
-        - Gentoo compile patch
-Jericho (https://github.com/attritionorg)
-        - spelling
-Pixel Fairy (https://github.com/xahare)
-        - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
-pshpsh (https://github.com/pshpsh)
-        - added FossaMail profile
-eventyrer (https://github.com/eventyrer)
-        - update gnome-mplayer.profile
-thewisenerd (https://github.com/thewisenerd)
-        - allow multiple private-home commands
-        - use $SHELL variable if the shell is not specified
-thewisenerd (https://github.com/thewisenerd)
-        - appimage: pass commandline arguments
-KOLANICH (https://github.com/KOLANICH)
-        - added symlink fixer fix_private-bin.py in contrib section
-Jesse Smith (https://github.com/slicer69)
-        - added QupZilla profile
-Lari Rauno (https://github.com/tuutti)
-        - qutebrowser profile fixes
-SpotComms (https://github.com/SpotComms)
-        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
-        - added PDFSam, Pithos, and Xonotic profiles
-Vasya Novikov (https://github.com/vn971)
-        - Wesnoth profile
-        - Hedegewars profile
-        - manpage fixes
-        - fixed firecfg clean/clear issue
-        - found the ugliest bug so far
-        - seccomp debug description in man page
-curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
-        - correct and tighten QuiteRss profile
-        - dnsmasq profile
-        - okular and gwenview profiles
-        - cherrytree profile fixes
-        - added quiterss profile
-        - added guayadeque profile
-        - added VirtualBox.profile
-        - various other profile fixes
-Simon Peter (https://github.com/probonopd)
-        - set $APPIMAGE and $APPDIR environment variables
-        - AppImage version detection
-        - Leafppad type v1 and v2 appimage packages in test/appimage
-BogDan Vatra (https://github.com/bog-dan-ro)
-        - zoom profile
-Impyy (https://github.com/Impyy)
-        - added mumble profile
-Vadim A. Misbakh-Soloviov (https://github.com/msva)
        - profile fixes
-Rafael Cavalcanti (https://github.com/rccavalcanti)
+Gaman Gabriel (https://github.com/stelariusinfinitek)
-        - chromium profile fixes for Arch Linux
+        - inox profile
-Deelvesh Bunjun (https://github.com/DeelveshBunjun)
+geg2048 (https://github.com/geg2048)
-        - added xpdf profile
+        - kwallet profile fixes
-Dara Adib (https://github.com/daradib)
-        - ssh profile fix
-        - evince profile fix
-vismir2 (https://github.com/vismir2)
-        - feh, ranger, 7z, keepass, keepassx and zathura profiles
-        - claws-mail, mutt, git, emacs, vim profiles
-        - lots of profile fixes
-        -  support for truecrypt and zuluCrypt
 graywolf (https://github.com/graywolf)
        - spelling fix
-Tomasz Jan Góralczyk (https://github.com/tjg)
-        - fixed Steam profile
-pwnage-pineapple (https://github.com/pwnage-pineapple)
-        - update Okular profile
-Sergey Alirzaev (https://github.com/l29ah)
-        - firejail.h enum fix
 greigdp (https://github.com/greigdp)
        - Gajim IM client profile
-        - fix Slack profile
+        - fixed spotify profile
+        - added Slack profile
+        - add Spotify profile
+GSI (https://github.com/GSI)
+        - added Uzbl browser profile
+hamzadis (https://github.com/hamzadis)
+        - added --overlay-named=name and --overlay-path=path
+Holger Heinz (https://github.com/hheinz)
+        - manpage work
 Icaro Perseo (https://github.com/icaroperseo)
        - Icecat profile
        - several profile fixes
-hamzadis (https://github.com/hamzadis)
+Igor Bukanov (https://github.com/ibukanov)
-        - added --overlay-named=name and --overlay-path=path    
+        - found/fiixed privilege escalation in --hosts-file option
-Gaman Gabriel (https://github.com/stelariusinfinitek)
+iiotx (https://github.com/iiotx)
-        - inox profile
+        - use generic.profile by default
-greigdp (https://github.com/greigdp)
+Impyy (https://github.com/Impyy)
-        - fixed spotify profile
+        - added mumble profile
-        - added Slack profile
+Ivan Kozik (https://github.com/ivan)
-Laurent Declercq (https://github.com/nuxwin)
+        - speed up sandbox exit
-        - fixed test for shell interpreter in chroots
-Franco (nextime) Lanza (https://github.com/nextime)
-        - added --private-template/--private-home
-xee5ch (https://github.com/xee5ch)
-        - skypeforlinux profile
-Peter Hogg (https://github.com/pigmonkey)
-        - WeeChat profile
-        - rtorrent profile
-        - bitlbee profile fixes
-        - mutt profile fixes
-Thomas Jarosch (https://github.com/thomasjfox)
-        - disable keepassx in disable-passwdmgr.inc
-        - added uudeview profile
-        - added tar (gtar), unzip and unrar profile
-        - added file profile
-        - improved profile list
-        - fixed small variable glitch in stat64() / lstat64() (libtracelog)
-        - added lstat() / lstat64() support to libtrace
-        - include mkuid.sh in make dist
-Niklas Haas (https://github.com/haasn)
-        - blacklisting for keybase.io's client
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
        - cpio profile
-Paupiah Yash (https://github.com/CaffeinatedStud)
+Jericho (https://github.com/attritionorg)
-        - gzip  profile
+        - spelling
-Akhil Hans Maulloo (https://github.com/kouul)
+Jesse Smith (https://github.com/slicer69)
-        - xz profile
+        - added QupZilla profile
-Rahul Golam (https://github.com/technoLord)
+jgriffiths (https://github.com/jgriffiths)
-        - strings profile
+        - make rpm packages support
-geg2048 (https://github.com/geg2048)
+Joan Figueras (https://github.com/figue)
-        - kwallet profile fixes
+        - added abrowser profile
-maces (https://github.com/maces)
+        - added Google-Play-Music-Desktop-Player
-        - Franz messenger profile
+        - added cyberfox profile
+jrabe (https://github.com/jrabe)
+        - disallow access to kdbx files
+        - Epiphany profile
+        - Polari profile
+        - qTox profile
+        - X11 fixes
+Kaan Genç (https://github.com/SeriousBug)
+        - dynamic allocation of noblacklist buffer
 KellerFuchs (https://github.com/KellerFuchs)
        - nonewpriv support, extended profiles for this feature
        - make `restricted-network` prevent use of netfilter
@@ -270,116 +238,45 @@ KellerFuchs (https://github.com/KellerFuchs)
        - added support for .local profile files in /etc/firejail
        - fixed Cryptocat profile
        - make ~/.local read-only
-ValdikSS (https://github.com/ValdikSS)
+KOLANICH (https://github.com/KOLANICH)
-        - Psi+, Corebird, Konversation profiles
+        - added symlink fixer fix_private-bin.py in contrib section
-        - various profile fixes
+Lari Rauno (https://github.com/tuutti)
-avoidr (https://github.com/avoidr)
+        - qutebrowser profile fixes
-        - whitelist fix
+Laurent Declercq (https://github.com/nuxwin)
-        - recently-used.xbel fix
+        - fixed test for shell interpreter in chroots
-        - added parole profile
+Loïc Damien (https://github.com/dzamlo)
-        - blacklist ncat
+        - small fixes
-        - hostname support in profile file
+maces (https://github.com/maces)
-        - Google Chrome profile rework
+        - Franz messenger profile
-        - added cmus profile
-        - man page fixes
-        - add net iface support in profile files
-        - paths fix
-        - lots of profile fixes
-        - added mcabber profile
-        - fixed mpv profile
-        - various other fixes
-Ruan (https://github.com/ruany)
-        - fixed hexchat profile
-Matthew Gyurgyik (https://github.com/pyther)
-        - rpm spec and several fixes
-Joan Figueras (https://github.com/figue)
-        - added abrowser profile
-        - added Google-Play-Music-Desktop-Player
-        - added cyberfox profile
-Petter Reinholdtsen (pere@hungry.com)
-        - Opera profile patch
-n1trux (https://github.com/n1trux)
-        - fix flashpeak-slimjet profile typos
-Felipe Barriga Richards (https://github.com/fbarriga)
-        - --private-etc fix
-Alexander Stein (https://github.com/ajstein)
-        - added profile for qutebrowser
-Benjamin Kampmann (https://github.com/ligthyear)
-        - Forward exit code from child process
-dshmgh (https://github.com/dshmgh)
-        - overlayfs fix for systems with /home mounted on a separate partition
-yumkam (https://github.com/yumkam)
-        - add compile-time option to restrict --net= to root only
-        - man page fixes
 mahdi1234 (https://github.com/mahdi1234)
        - cherrytree profile
        - Seamonkey profiles
-jrabe (https://github.com/jrabe)
-        - disallow access to kdbx files
-        - Epiphany profile
-        - Polari profile
-        - qTox profile
-        - X11 fixes
-jgriffiths (https://github.com/jgriffiths)
-        - make rpm packages support
-Tom Mellor (https://github.com/kalegrill)
-        - mupen64plus profile
 Martin Carpenter (https://github.com/mcarpenter)
        - security audit and bug fixes
        - Centos 6.x support
-pszxzsd (https://github.com/pszxzsd)
-        -uGet profile
-Rahiel Kasim (https://github.com/rahiel)
-        - Mathematica profile
-        - whitelisted Dropbox profile
-        - whitelisted keysnail config for firefox
-creideiki (https://github.com/creideiki)
-        - make the sandbox process reap all children
-sinkuu (https://github.com/sinkuu)
-        - blacklisting kwalletd
-        - fix symlink invocation for programs placing symlinks in $PATH
-Bader Zaidan (https://github.com/BaderSZ)
-        - Telegram profile
-Holger Heinz (https://github.com/hheinz)
-        - manpage work
-Andrey Alekseenko (https://github.com/al42and)
-        - fixing lintian warnings
-        - fixed Skype profile
-Ivan Kozik (https://github.com/ivan)
-        - speed up sandbox exit
-Christian Stadelmann (https://github.com/genodeftest)
-        - profile fixes
-        - evolution profile fix
-pirate486743186 (https://github.com/pirate486743186)
-        - KMail profile
-Kaan Genç (https://github.com/SeriousBug)
-        - dynamic allocation of noblacklist buffer
-Veeti Paananen (https://github.com/veeti)
-        - fixed Spotify profile
-rogshdo (https://github.com/rogshdo)
-        - BitlBee profile
-Bruno Nova (https://github.com/brunonova)
-        - whitelist fix
-        - bash arguments fix
 Matt Parnell (https://github.com/ilikenwf)
        - whitelisting for core firefox related functionality
-Ondra Nekola (https://github.com/satai)
-        - allow firefox theming with non-global themes
-emacsomancer (https://github.com/emacsomancer)
-        - added profile for Conkeror browser
-Daan Bakker (https://github.com/dbakker)
-        - protect shell startup files
-Duncan Overbruck (https://github.com/Duncaen)
-        - musl libc fix
-        - utmp fix
-andrew160 (https://github.com/andrew160)
-        - profile and man pages fixes
-Loïc Damien (https://github.com/dzamlo)
-        - small fixes
-greigdp (https://github.com/greigdp)
-        - add Spotify profile
 Mattias Wadman (https://github.com/wader)
        - seccomp errno filter support
+Matthew Gyurgyik (https://github.com/pyther)
+        - rpm spec and several fixes
+Michael Haas (https://github.com/mhaas)
+        - bugfixes
+Mike Frysinger (vapier@gentoo.org)
+        - Gentoo compile patch
+mjudtmann (https://github.com/mjudtmann)
+        - lock firejail configuration in disable-mgmt.inc
+n1trux (https://github.com/n1trux)
+        - fix flashpeak-slimjet profile typos
+netblue30 (netblue30@yahoo.com)
+Niklas Haas (https://github.com/haasn)
+        - blacklisting for keybase.io's client
+Ondra Nekola (https://github.com/satai)
+        - allow firefox theming with non-global themes
+Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
+        - user namespace implementation
+Paupiah Yash (https://github.com/CaffeinatedStud)
+        - gzip  profile
 Peter Millerchip (https://github.com/pmillerchip)
        - memory allocation fix
        - --private.keep to --private-home transition
@@ -387,30 +284,142 @@ Peter Millerchip (https://github.com/pmillerchip)
        - support for files and directories with spaces in blacklist option
        - lots of other fixes
        - implement the --allow-private-blacklist option
+Peter Hogg (https://github.com/pigmonkey)
+        - WeeChat profile
+        - rtorrent profile
+        - bitlbee profile fixes
+        - mutt profile fixes
+Petter Reinholdtsen (pere@hungry.com)
+        - Opera profile patch
+pirate486743186 (https://github.com/pirate486743186)
+        - KMail profile
+Pixel Fairy (https://github.com/xahare)
+        - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
+pshpsh (https://github.com/pshpsh)
+        - added FossaMail profile
+pstn (https://github.com/pstn)
+        - added install-strip, make install without strip
+pszxzsd (https://github.com/pszxzsd)
+        -uGet profile
+pwnage-pineapple (https://github.com/pwnage-pineapple)
+        - update Okular profile
+Rafael Cavalcanti (https://github.com/rccavalcanti)
+        - chromium profile fixes for Arch Linux
+Rahiel Kasim (https://github.com/rahiel)
+        - Mathematica profile
+        - whitelisted Dropbox profile
+        - whitelisted keysnail config for firefox
+Rahul Golam (https://github.com/technoLord)
+        - strings profile
+Reiner Herrmann (https://github.com/reinerh)
+        - a number of build patches
+        - man page fixes
+        - Debian and Ubuntu integration
+        - clang-analyzer fixes
+        - Debian reproducible build
+        - unit testing framework
+        - moved build to .xz
+        - detached signatures for source archive
+        - recursive mkdir
+rogshdo (https://github.com/rogshdo)
+        - BitlBee profile
+Ruan (https://github.com/ruany)
+        - fixed hexchat profile
 sarneaud (https://github.com/sarneaud)
        - rewrite globbing code to fix various minor issues
        - added noblacklist command for profile files
        - various enhancements and bug fixes
-Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
+Sergey Alirzaev (https://github.com/l29ah)
-        - user namespace implementation
+        - firejail.h enum fix
+Simon Peter (https://github.com/probonopd)
+        - set $APPIMAGE and $APPDIR environment variables
+        - AppImage version detection
+        - Leafppad type v1 and v2 appimage packages in test/appimage
+sinkuu (https://github.com/sinkuu)
+        - blacklisting kwalletd
+        - fix symlink invocation for programs placing symlinks in $PATH
 sshirokov (http://sourceforge.net/u/yshirokov/profile/)
        - Patch to output "Reading profile" to stderr instead of stdout
-G4JC (http://sourceforge.net/u/gaming4jc/profile/)
+SpotComms (https://github.com/SpotComms)
-        - ARM support
+        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
+        - added PDFSam, Pithos, and Xonotic profiles
+SYN-cook (https://github.com/SYN-cook)
+        - keepass/keepassx browser fixes
+        - disable-common.inc fixes
+        - blacklist GNOME keyring and Konqueror
+        - fixed Keepass(x) profiles
+        - Engrampa profile
+        - Scribus profile
+        - autostart blacklist for KDE
+thewisenerd (https://github.com/thewisenerd)
+        - allow multiple private-home commands
+        - use $SHELL variable if the shell is not specified
+        - appimage: pass commandline arguments
+Thomas Jarosch (https://github.com/thomasjfox)
+        - disable keepassx in disable-passwdmgr.inc
+        - added uudeview profile
+        - added tar (gtar), unzip and unrar profile
+        - added file profile
+        - improved profile list
+        - fixed small variable glitch in stat64() / lstat64() (libtracelog)
+        - added lstat() / lstat64() support to libtrace
+        - include mkuid.sh in make dist
+Tom Mellor (https://github.com/kalegrill)
+        - mupen64plus profile
+Tomasz Jan Góralczyk (https://github.com/tjg)
+        - fixed Steam profile
+valoq (https://github.com/valoq)
+        - lots of profile fixes
+        - added support for /srv in --whitelist feature
+        - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
+        - blacklist suid binaries in disable-common.inc
+        - fix man pages
+        - added keypass2, qemu profiles
+        - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
+        - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
+        - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
+        - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
+        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
+        - added wget profile
+        - disable gnupg and systemd directories under /run/user
+        - added iridium browser profile
+Vadim A. Misbakh-Soloviov (https://github.com/msva)
        - profile fixes
-dewbasaur (https://github.com/dewbasaur)
+ValdikSS (https://github.com/ValdikSS)
-        - block access to history files
+        - Psi+, Corebird, Konversation profiles
-        - Firefox PDF.js exploit (CVE-2015-4495) fixes
+        - various profile fixes
-        - Steam profile
+Vasya Novikov (https://github.com/vn971)
-Michael Haas (https://github.com/mhaas)
+        - Wesnoth profile
-        - bugfixes
+        - Hedegewars profile
-mjudtmann (https://github.com/mjudtmann)
+        - manpage fixes
-        - lock firejail configuration in disable-mgmt.inc
+        - fixed firecfg clean/clear issue
-iiotx (https://github.com/iiotx)
+        - found the ugliest bug so far
-        - use generic.profile by default
+        - seccomp debug description in man page
-pstn (https://github.com/pstn)
+Veeti Paananen (https://github.com/veeti)
-        - added install-strip, make install without strip
+        - fixed Spotify profile
-Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
+vismir2 (https://github.com/vismir2)
-        - src/lib/libnetlink.c extracted from iproute2 software package
+        - feh, ranger, 7z, keepass, keepassx and zathura profiles
-        
+        - claws-mail, mutt, git, emacs, vim profiles
+        - lots of profile fixes
+        -  support for truecrypt and zuluCrypt
+xee5ch (https://github.com/xee5ch)
+        - skypeforlinux profile
+yumkam (https://github.com/yumkam)
+        - add compile-time option to restrict --net= to root only
+        - man page fixes
+Zack Weinberg (https://github.com/zackw)
+        - added support for joining a persistent, named network namespace
+        - removed libconnect
+        - fixed memory corruption in noblacklist processing
+        - rework DISPLAY environment parsing
+        - rework masking X11 sockets in /tmp/.X11-unix directory
+        - rework xpra and xephyr detection
+        - rework abstract X11 socket detection
+        - rework X11 display number assignment
+        - rework X11 xorg processing
+        - rework fcopy, --follow-link support in fcopy
+        - follow link support in --private-bin
+        - wait_for_other function rewrite
+        - xvfb X11 server support
 Copyright (C) 2014-2017 Firejail Authors
diff --git a/README.md b/README.md
index 0c4b7173a..bcdcc54ca 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
 * https://github.com/triceratops1/fe
-Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
+Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/1139
 `````
 `````
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 84addc229..d4f06f732 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -3,7 +3,6 @@
 include /etc/firejail/0ad.local
 # Firejail profile for 0ad.
-noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad
 noblacklist ~/.local/share/0ad
 include /etc/firejail/disable-common.inc
@@ -12,9 +11,6 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 # Whitelists
-mkdir ~/.cache/0ad
-whitelist ~/.cache/0ad
 mkdir ~/.config/0ad
 whitelist ~/.config/0ad
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index b9a30d6bf..3b60750d5 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -4,7 +4,6 @@ include /etc/firejail/abrowser.local
 # Firejail profile for Abrowser
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache/mozilla/abrowser
-whitelist ~/.cache/mozilla/abrowser
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 995c0001b..ce823e0db 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -4,7 +4,6 @@ include /etc/firejail/chromium.local
 # Chromium browser profile
 noblacklist ~/.config/chromium
-noblacklist ~/.cache/chromium
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/chromium
 whitelist ~/.config/chromium
-mkdir ~/.cache/chromium
-whitelist ~/.cache/chromium
 mkdir ~/.pki
 whitelist ~/.pki
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index a79303f77..d9896e4a7 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -4,7 +4,6 @@ include /etc/firejail/cyberfox.local
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
-noblacklist ~/.cache/8pecxstudios
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.8pecxstudios
 whitelist ~/.8pecxstudios
-mkdir ~/.cache/8pecxstudios
-whitelist ~/.cache/8pecxstudios
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 49ba7bc15..be3144133 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,4 +1,4 @@
-# This file is overwritten during software install. 
+# This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
@@ -235,6 +235,7 @@ blacklist ${PATH}/pantheon-terminal
 blacklist ${PATH}/roxterm
 blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
+blacklist ${PATH}/tilix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 #konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 12f40e062..e61715ea2 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,4 +1,4 @@
-# This file is overwritten during software install. 
+# This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-programs.local
@@ -17,44 +17,6 @@ blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.audacity-data
 blacklist ${HOME}/.bcast5
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/Atom
@@ -280,7 +242,7 @@ blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
-blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.warzone2100-3.*
 blacklist ${HOME}/.weechat
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 1bf259440..0b281c448 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -4,7 +4,6 @@ include /etc/firejail/epiphany.local
 # Epiphany browser profile
 noblacklist ${HOME}/.config/epiphany
-noblacklist ${HOME}/.cache/epiphany
 noblacklist ${HOME}/.local/share/epiphany
 include /etc/firejail/disable-common.inc
@@ -16,8 +15,6 @@ mkdir ${HOME}/.local/share/epiphany
 whitelist ${HOME}/.local/share/epiphany
 mkdir ${HOME}/.config/epiphany
 whitelist ${HOME}/.config/epiphany
-mkdir ${HOME}/.cache/epiphany
-whitelist ${HOME}/.cache/epiphany
 include /etc/firejail/whitelist-common.inc
 caps.drop all
diff --git a/etc/evolution.profile b/etc/evolution.profile
index cb6615716..637ac334a 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -5,7 +5,6 @@ include /etc/firejail/evolution.local
 # evolution profile
 noblacklist ~/.config/evolution
 noblacklist ~/.local/share/evolution
-noblacklist ~/.cache/evolution
 noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
diff --git a/etc/firefox.profile b/etc/firefox.profile
index e2cfb9138..20acde62a 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -4,7 +4,6 @@ include /etc/firejail/firefox.local
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.config/qpdfview
 noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde/share/apps/okular
@@ -25,8 +24,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache/mozilla/firefox
-whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -35,7 +32,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.lastpass
@@ -55,4 +51,4 @@ include /etc/firejail/whitelist-common.inc
 #private-bin firefox,which,sh,dbus-launch,dbus-send,env
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev 
-#private-tmp
+private-tmp
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 4dc5b5cfc..a35aa7a33 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -10,7 +10,6 @@ include /etc/firejail/flashpeak-slimjet.local
 #  firejail flashpeak-slimjet --no-sandbox
 #
 noblacklist ~/.config/slimjet
-noblacklist ~/.cache/slimjet
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -29,8 +28,6 @@ seccomp
 whitelist ${DOWNLOADS}
 mkdir ~/.config/slimjet
 whitelist ~/.config/slimjet
-mkdir ~/.cache/slimjet
-whitelist ~/.cache/slimjet
 mkdir ~/.pki
 whitelist ~/.pki
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
index 3caaad71c..a33514c88 100644
--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -12,8 +12,5 @@ noblacklist ~/.fossamail
 mkdir ~/.fossamail
 whitelist ~/.fossamail
-noblacklist ~/.cache/fossamail
-mkdir ~/.cache/fossamail
-whitelist ~/.cache/fossamail
 include /etc/firejail/firefox.profile
diff --git a/etc/franz.profile b/etc/franz.profile
index 05ff72a47..1692f4516 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -4,7 +4,6 @@ include /etc/firejail/franz.local
 # Franz profile
 noblacklist ~/.config/Franz
-noblacklist ~/.cache/Franz
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -21,8 +20,6 @@ seccomp
 whitelist ${DOWNLOADS}
 mkdir ~/.config/Franz
 whitelist ~/.config/Franz
-mkdir ~/.cache/Franz
-whitelist ~/.cache/Franz
 mkdir ~/.pki
 whitelist ~/.pki
diff --git a/etc/gajim.profile b/etc/gajim.profile
index bac6cc466..f64d9241a 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -3,11 +3,9 @@
 include /etc/firejail/gajim.local
 # Firejail profile for Gajim
-noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.local/share/gajim
 noblacklist ${HOME}/.config/gajim
-mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.local/share/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/Downloads
@@ -17,7 +15,6 @@ mkdir ${HOME}/.local/lib/python2.7/site-packages/
 whitelist ${HOME}/.local/lib/python2.7/site-packages/
 read-only ${HOME}/.local/lib/python2.7/site-packages/
-whitelist ${HOME}/.cache/gajim
 whitelist ${HOME}/.local/share/gajim
 whitelist ${HOME}/.config/gajim
 whitelist ${HOME}/Downloads
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index 57f942a50..9f79e15b8 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -3,7 +3,6 @@
 include /etc/firejail/geeqie.local
 # Firejail profile for Geeqie
-noblacklist ~/.cache/geeqie
 noblacklist ~/.config/geeqie
 noblacklist ~/.local/share/geeqie
 include /etc/firejail/disable-common.inc
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 24ec70e86..03dd7893c 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -6,10 +6,8 @@ include /etc/firejail/gjs.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-noblacklist ~/.cache/org.gnome.Books
 noblacklist ~/.config/libreoffice
 noblacklist ~/.local/share/gnome-photos
-noblacklist ~/.cache/libgweather
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 692e32896..bf2a9f36f 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -6,8 +6,6 @@ include /etc/firejail/gnome-books.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-noblacklist ~/.cache/org.gnome.Books
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 925420a5a..3b6bdd130 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -6,8 +6,6 @@ include /etc/firejail/gnome-weather.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-noblacklist ~/.cache/libgweather
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 3bd16de4a..65bc42648 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -4,7 +4,6 @@ include /etc/firejail/google-chrome-beta.local
 # Google Chrome beta browser profile
 noblacklist ~/.config/google-chrome-beta
-noblacklist ~/.cache/google-chrome-beta
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/google-chrome-beta
 whitelist ~/.config/google-chrome-beta
-mkdir ~/.cache/google-chrome-beta
-whitelist ~/.cache/google-chrome-beta
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index d2def4f96..6f6fa1bf2 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -4,7 +4,6 @@ include /etc/firejail/google-chrome-unstable.local
 # Google Chrome unstable browser profile
 noblacklist ~/.config/google-chrome-unstable
-noblacklist ~/.cache/google-chrome-unstable
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/google-chrome-unstable
 whitelist ~/.config/google-chrome-unstable
-mkdir ~/.cache/google-chrome-unstable
-whitelist ~/.cache/google-chrome-unstable
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 38feb12a5..131538dd9 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -4,7 +4,6 @@ include /etc/firejail/google-chrome.local
 # Google Chrome browser profile
 noblacklist ~/.config/google-chrome
-noblacklist ~/.cache/google-chrome
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/google-chrome
 whitelist ~/.config/google-chrome
-mkdir ~/.cache/google-chrome
-whitelist ~/.cache/google-chrome
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 64401efe8..4bd3f3047 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -4,7 +4,6 @@ include /etc/firejail/icecat.local
 # Firejail profile for GNU Icecat
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache/mozilla/icecat
-whitelist ~/.cache/mozilla/icecat
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
diff --git a/etc/icedove.profile b/etc/icedove.profile
index b5265e992..aae0e3bf5 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -14,10 +14,6 @@ noblacklist ~/.icedove
 mkdir ~/.icedove
 whitelist ~/.icedove
-noblacklist ~/.cache/icedove
-mkdir ~/.cache/icedove
-whitelist ~/.cache/icedove
 # allow browsers
 ignore private-tmp
 include /etc/firejail/firefox.profile
diff --git a/etc/inox.profile b/etc/inox.profile
index 0b2e4ee5e..6043ded8a 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -4,7 +4,6 @@ include /etc/firejail/inox.local
 # Inox browser profile
 noblacklist ~/.config/inox
-noblacklist ~/.cache/inox
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -14,8 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/inox
 whitelist ~/.config/inox
-mkdir ~/.cache/inox
-whitelist ~/.cache/inox
 mkdir ~/.pki
 whitelist ~/.pki
diff --git a/etc/iridium.profile b/etc/iridium.profile
index 2d79a3935..dcbd0b84b 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -4,7 +4,6 @@ include /etc/firejail/iridium.local
 # Iridium browser profile
 noblacklist ~/.config/iridium
-noblacklist ~/.cache/iridium
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -17,8 +16,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/iridium
 whitelist ~/.config/iridium
-mkdir ~/.cache/iridium
-whitelist ~/.cache/iridium
 mkdir ~/.pki
 whitelist ~/.pki
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 2f0809f02..f9d537779 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -14,7 +14,6 @@ noblacklist ~/mail
 noblacklist ~/Mail
 noblacklist ~/sent
 noblacklist ~/postponed
-noblacklist ~/.cache/mutt
 noblacklist ~/.w3m
 noblacklist ~/.elinks
 noblacklist ~/.vim
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index c217346de..a3c360c1e 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -4,7 +4,6 @@ include /etc/firejail/netsurf.local
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.config/netsurf
-noblacklist ~/.cache/netsurf
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -20,7 +19,5 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.config/netsurf
 whitelist ~/.config/netsurf
-mkdir ~/.cache/netsurf
-whitelist ~/.cache/netsurf
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 92624f334..5a0d54744 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -4,7 +4,6 @@ include /etc/firejail/opera-beta.local
 # Opera-beta browser profile
 noblacklist ~/.config/opera-beta
-noblacklist ~/.cache/opera-beta
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -15,8 +14,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/opera-beta
 whitelist ~/.config/opera-beta
-mkdir ~/.cache/opera-beta
-whitelist ~/.cache/opera-beta
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/opera.profile b/etc/opera.profile
index 57835f2f2..4af502060 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -4,7 +4,6 @@ include /etc/firejail/opera.local
 # Opera browser profile
 noblacklist ~/.config/opera
-noblacklist ~/.cache/opera
 noblacklist ~/.opera
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
@@ -16,8 +15,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/opera
 whitelist ~/.config/opera
-mkdir ~/.cache/opera
-whitelist ~/.cache/opera
 mkdir ~/.opera
 whitelist ~/.opera
 mkdir ~/.pki
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 8cac00e03..472d58cee 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -4,7 +4,6 @@ include /etc/firejail/palemoon.local
 # Firejail profile for Pale Moon
 noblacklist ~/.moonchild productions/pale moon
-noblacklist ~/.cache/moonchild productions/pale moon
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -13,8 +12,6 @@ include /etc/firejail/whitelist-common.inc
 whitelist ${DOWNLOADS}
 mkdir ~/.moonchild productions
 whitelist ~/.moonchild productions
-mkdir ~/.cache/moonchild productions/pale moon
-whitelist ~/.cache/moonchild productions/pale moon
 caps.drop all
 netfilter
@@ -40,7 +37,6 @@ private-tmp
 #whitelist ~/.pentadactyl
 #whitelist ~/.keysnail.js
 #whitelist ~/.config/gnome-mplayer
-#whitelist ~/.cache/gnome-mplayer/plugin
 #whitelist ~/.pki
 #whitelist ~/.lastpass
diff --git a/etc/polari.profile b/etc/polari.profile
index 834a8b3d6..52a58322e 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -15,8 +15,6 @@ mkdir ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/TpLogger
 mkdir ${HOME}/.config/telepathy-account-widgets
 whitelist ${HOME}/.config/telepathy-account-widgets
-mkdir ${HOME}/.cache/telepathy
-whitelist ${HOME}/.cache/telepathy
 mkdir ${HOME}/.purple
 whitelist ${HOME}/.purple
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 45cb22ee4..5106fccb2 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -14,8 +14,6 @@ mkdir ~/.config/psi+
 whitelist ~/.config/psi+
 mkdir ~/.local/share/psi+
 whitelist ~/.local/share/psi+
-mkdir ~/.cache/psi+
-whitelist ~/.cache/psi+
 caps.drop all
 netfilter
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index f4e4f96d3..158425e18 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -2,7 +2,6 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/quiterss.local
-noblacklist ${HOME}/.cache/QuiteRss
 noblacklist ${HOME}/.config/QuiteRss
 noblacklist ${HOME}/.config/QuiteRssrc
 noblacklist ${HOME}/.local/share/QuiteRss
@@ -19,8 +18,6 @@ whitelist ${HOME}/.config/QuiteRssrc
 mkdir ~/.local/share/data
 mkdir ~/.local/share/data/QuiteRss
 whitelist ${HOME}/.local/share/data/QuiteRss
-mkdir ~/.cache/QuiteRss
-whitelist ${HOME}/.cache/QuiteRss
 caps.drop all
 netfilter
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 3f5cb60c0..783bc516d 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -4,7 +4,6 @@ include /etc/firejail/qupzilla.local
 # Firejail profile for Qupzilla web browser
 noblacklist ${HOME}/.config/qupzilla
-noblacklist ${HOME}/.cache/qupzilla
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
@@ -17,7 +16,6 @@ tracelog
 noroot
 whitelist ${DOWNLOADS}
 whitelist ~/.config/qupzilla
-whitelist ~/.cache/qupzilla
 include /etc/firejail/whitelist-common.inc
 # experimental features
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index f43307ef9..53be1178c 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -4,7 +4,6 @@ include /etc/firejail/qutebrowser.local
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
 noblacklist ~/.config/qutebrowser
-noblacklist ~/.cache/qutebrowser
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -20,8 +19,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.config/qutebrowser
 whitelist ~/.config/qutebrowser
-mkdir ~/.cache/qutebrowser
-whitelist ~/.cache/qutebrowser
 mkdir ~/.local/share/qutebrowser
 whitelist ~/.local/share/qutebrowser
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index df1910469..756700c2f 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -4,7 +4,6 @@ include /etc/firejail/seamonkey.local
 # Firejail profile for Seamoneky based off Mozilla Firefox
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla/seamonkey
 whitelist ~/.mozilla/seamonkey
-mkdir ~/.cache/mozilla/seamonkey
-whitelist ~/.cache/mozilla/seamonkey
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index ee7e50ba7..0f6d626a5 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -3,8 +3,6 @@
 include /etc/firejail/simple-scan.local
 # simple-scan profile
-noblacklist ~/.cache/simple-scan
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 843038a2b..23ef75b71 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -4,7 +4,6 @@ include /etc/firejail/spotify.local
 # Spotify media player profile
 noblacklist ${HOME}/.config/spotify
-noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.local/share/spotify
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -16,8 +15,6 @@ mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
-mkdir ${HOME}/.cache/spotify
-whitelist ${HOME}/.cache/spotify
 caps.drop all
 netfilter
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 88ab7501e..1dc8b15c7 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -14,10 +14,6 @@ noblacklist ~/.thunderbird
 mkdir ~/.thunderbird
 whitelist ~/.thunderbird
-noblacklist ~/.cache/thunderbird
-mkdir ~/.cache/thunderbird
-whitelist ~/.cache/thunderbird
 # allow browsers
 ignore private-tmp
 include /etc/firejail/firefox.profile
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index dbcc8d041..5b6bec4c1 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-cli.local
 # transmission-cli bittorrent profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index dcd3317ef..78ce5fba2 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-gtk.local
 # transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index ed63f7cff..2f7fe0714 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-qt.local
 # transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 0b88789b1..052843882 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-show.local
 # transmission-show profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 2c2fbd9f0..bf6af3926 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -4,7 +4,6 @@ include /etc/firejail/vivaldi.local
 # Vivaldi browser profile
 noblacklist ~/.config/vivaldi
-noblacklist ~/.cache/vivaldi
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -14,6 +13,4 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/vivaldi
 whitelist ~/.config/vivaldi
-mkdir ~/.cache/vivaldi
-whitelist ~/.cache/vivaldi
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 702097d98..2f4055887 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -3,16 +3,17 @@
 include /etc/firejail/warzone2100.local
 # Firejail profile for warzone2100
-# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.*
-noblacklist ~/.warzone2100-3.1
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 # Whitelist
-mkdir ~/.warzone2100-3.1
+#mkdir ~/.warzone2100-3.1
 whitelist ~/.warzone2100-3.1
+#mkdir ~/.warzone2100-3.2
+whitelist ~/.warzone2100-3.2
 # Call these options
 caps.drop all
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 212466f5a..fbb381a86 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -4,7 +4,6 @@ include /etc/firejail/wesnoth.local
 # Whitelist-based profile for "Battle for Wesnoth" (game).
 noblacklist ${HOME}/.config/wesnoth
-noblacklist ${HOME}/.cache/wesnoth
 noblacklist ${HOME}/.local/share/wesnoth
 include /etc/firejail/disable-common.inc
@@ -23,8 +22,6 @@ private-tmp
 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth
-mkdir ${HOME}/.cache/wesnoth
 whitelist ${HOME}/.local/share/wesnoth
 whitelist ${HOME}/.config/wesnoth
-whitelist ${HOME}/.cache/wesnoth
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index cf7797100..516f47041 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -19,7 +19,6 @@ whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
 whitelist ~/.local/share/fonts
 whitelist ~/.config/fontconfig
-whitelist ~/.cache/fontconfig
 # gtk
 whitelist ~/.gtkrc
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 2e6015aef..51dbcad51 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -4,7 +4,6 @@ include /etc/firejail/xreader.local
 # Xreader profile
 noblacklist ~/.config/xreader
-noblacklist ~/.cache/xreader
 noblacklist ~/.local/share
 include /etc/firejail/disable-common.inc
diff --git a/platform/debian/control b/platform/debian/control
index 991abb656..4287d6561 100644
--- a/platform/debian/control
+++ b/platform/debian/control
@@ -4,6 +4,7 @@ Architecture: amd64
 Maintainer: netblue30 <netblue30@yahoo.com>
 Installed-Size: 272
 Depends: libc6
+Suggests: python, python3
 Section: admin
 Priority: extra
 Homepage: http://github.com/netblue30/firejail
@@ -17,4 +18,3 @@ Description: Linux namepaces sandbox program.
 Firejail also expands the restricted shell facility found in bash by
 adding Linux namespace support. It also supports sandboxing SSH users
 upon login.
diff --git a/platform/debian/copyright b/platform/debian/copyright
index 4fd3a15d1..83952080f 100644
--- a/platform/debian/copyright
+++ b/platform/debian/copyright
@@ -7,7 +7,7 @@ This is the Debian/Ubuntu prepackaged version of firejail.
    and networking stack isolation, and it runs on any recent Linux system. It
    includes a sandbox profile for Mozilla Firefox.
-    Copyright (C) 2014,2015 Firejail Authors (see README file for more details)
+    Copyright (C) 2014-2017 Firejail Authors (see README file for more details)
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -27,4 +27,3 @@ The complete text of the GNU General Public License can be found
 in /usr/share/common-licenses/GPL-2.
 Homepage: http://github.com/netblue30/firejail.
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index fa6ba5c6a..f85560588 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -407,6 +407,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
+void fs_cache(void);
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aead29957..db9a9c8cb 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2472,32 +2472,34 @@ int main(int argc, char **argv) {
                sprintf(ptr, "%d %d 1\n", gid, gid);
                ptr += strlen(ptr);
                
-                //  add tty group
+                if (!arg_nogroups) {
-                gid_t g = get_group_id("tty");
+                        //  add tty group
-                if (g) {
+                        gid_t g = get_group_id("tty");
-                        sprintf(ptr, "%d %d 1\n", g, g);
+                        if (g) {
-                        ptr += strlen(ptr);
+                                sprintf(ptr, "%d %d 1\n", g, g);
-                }
+                                ptr += strlen(ptr);
-                
+                        }
-                //  add audio group
+                        
-                g = get_group_id("audio");
+                        //  add audio group
-                if (g) {
+                        g = get_group_id("audio");
-                        sprintf(ptr, "%d %d 1\n", g, g);
+                        if (g) {
-                        ptr += strlen(ptr);
+                                sprintf(ptr, "%d %d 1\n", g, g);
-                }
+                                ptr += strlen(ptr);
-                
+                        }
-                //  add video group
+                        
-                g = get_group_id("video");
+                        //  add video group
-                if (g) {
+                        g = get_group_id("video");
-                        sprintf(ptr, "%d %d 1\n", g, g);
+                        if (g) {
-                        ptr += strlen(ptr);
+                                sprintf(ptr, "%d %d 1\n", g, g);
-                }
+                                ptr += strlen(ptr);
-                
+                        }
-                //  add games group
+                        
-                g = get_group_id("games");
+                        //  add games group
-                if (g) {
+                        g = get_group_id("games");
-                        sprintf(ptr, "%d %d 1\n", g, g);
+                        if (g) {
-                }
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                        }
+                 }
                
                EUID_ROOT();
                update_map(gidmap, map_path);
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 774e2908f..f759e7333 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -167,7 +167,7 @@ static void sanitize_passwd(void) {
                int rv = sscanf(ptr, "%d:", &uid);
                if (rv == 0 || uid < 0)
                        goto errout;
-                if (uid < UID_MIN) {
+                if (uid < UID_MIN || uid == 65534) { // on Debian platforms user nobody is 65534
                        fprintf(fpout, "%s", buf);
                        continue;
                }
@@ -299,7 +299,7 @@ static void sanitize_group(void) {
                int rv = sscanf(ptr, "%d:", &gid);
                if (rv == 0 || gid < 0)
                        goto errout;
-                if (gid < GID_MIN) {
+                if (gid < GID_MIN || gid == 65534) { // on Debian platforms 65534 is group nogroup
                        if (copy_line(fpout, buf, ptr))
                                goto errout;
                        continue;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f26f8b06a..d1557e8b2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
                else {
                        // private-tmp is implemented as a whitelist
                        EUID_USER();
+                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        char *xauth = getenv("XAUTHORITY");
+                        if (xauth) {
+                                char *rp = realpath(xauth, NULL);
+                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                                        char *cmd;
+                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                                errExit("asprintf");
+                                        profile_add(cmd); // profile_add does not duplicate the string
+                                }
+                                if (rp)
+                                        free(rp);
+                        }
+                        // whitelist x11 directory
                        profile_add("whitelist /tmp/.X11-unix");
                        EUID_ROOT();
                }