96 files changed, 860 insertions, 595 deletions

diff --git a/README b/README
index 15696d9d7..03b934a3e 100644
--- a/README
+++ b/README
@@ -2,11 +2,11 @@ Firejail  is  a  SUID sandbox program that reduces the risk of security
 breaches by restricting the running environment of  untrusted  applications
 using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
 Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
-VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
+VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
 DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
-Pidgin, Quassel and XChat.
+Pidgin, Quassel, and XChat.
 
-Firejail also expands the restricted shell facility found  in  bash  by adding 
+Firejail also expands the restricted shell facility found  in  bash  by adding
 Linux  namespace support. It supports sandboxing specific users upon login.
 
 Download: http://sourceforge.net/projects/firejail/files/
@@ -15,7 +15,9 @@ Documentation and support: https://firejail.wordpress.com/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
 
-Compile and install
+
+
+Compile and install mainline version from GitHub:
 
 $ git clone https://github.com/netblue30/firejail.git
 $ cd firejail
@@ -26,19 +28,23 @@ On Debian/Ubuntu you will need to install git and a compiler:
 $ sudo apt-get install build-essential
 
 
-Firejail Authors:
 
-netblue30 (netblue30@yahoo.com)
-Reiner Herrmann (https://github.com/reinerh)
-        - a number of build patches
-        - man page fixes
-        - Debian and Ubuntu integration
-        - clang-analyzer fixes
-        - Debian reproducible build
-        - unit testing framework
-        - moved build to .xz
-        - detached signatures for source archive
-        - recursive mkdir
+Maintainer:
+- netblue30 (netblue30@yahoo.com)
+
+Committers
+- Fred-Barclay (https://github.com/Fred-Barclay)
+- Reiner Herrmann (https://github.com/reinerh)
+- netblue30 (netblue30@yahoo.com)
+
+
+
+Firejail Authors (alphabetical order)
+
+Akhil Hans Maulloo (https://github.com/kouul)
+        - xz profile
+Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
+        - src/lib/libnetlink.c extracted from iproute2 software package
 Aleksey Manevich (https://github.com/manevich)
         - several profile fixes
         - fix problem with relative path in storage_find function
@@ -57,6 +63,80 @@ Aleksey Manevich (https://github.com/manevich)
         - x11 xpra, xphyr, none profile commands
         - added --join-or-start command
         - CVE-2016-7545
+Alexander Stein (https://github.com/ajstein)
+        - added profile for qutebrowser
+Andrey Alekseenko (https://github.com/al42and)
+        - fixing lintian warnings
+        - fixed Skype profile
+andrew160 (https://github.com/andrew160)
+        - profile and man pages fixes
+Austin S. Hemmelgarn (https://github.com/Ferroin)
+        - unbound profile update
+avoidr (https://github.com/avoidr)
+        - whitelist fix
+        - recently-used.xbel fix
+        - added parole profile
+        - blacklist ncat
+        - hostname support in profile file
+        - Google Chrome profile rework
+        - added cmus profile
+        - man page fixes
+        - add net iface support in profile files
+        - paths fix
+        - lots of profile fixes
+        - added mcabber profile
+        - fixed mpv profile
+        - various other fixes
+Bader Zaidan (https://github.com/BaderSZ)
+        - Telegram profile
+Benjamin Kampmann (https://github.com/ligthyear)
+        - Forward exit code from child process
+BogDan Vatra (https://github.com/bog-dan-ro)
+        - zoom profile
+Bruno Nova (https://github.com/brunonova)
+        - whitelist fix
+        - bash arguments fix
+Cat (https://github.com/ecat3)
+        - prevent tmux connecting to an existing session
+creideiki (https://github.com/creideiki)
+        - make the sandbox process reap all children
+Christian Stadelmann (https://github.com/genodeftest)
+        - profile fixes
+        - evolution profile fix
+curiosity-seeker (https://github.com/curiosity-seeker)
+        - tightening unbound and dnscrypt-proxy profiles
+        - correct and tighten QuiteRss profile
+        - dnsmasq profile
+        - okular and gwenview profiles
+        - cherrytree profile fixes
+        - added quiterss profile
+        - added guayadeque profile
+        - added VirtualBox.profile
+        - various other profile fixes
+Daan Bakker (https://github.com/dbakker)
+        - protect shell startup files
+Dara Adib (https://github.com/daradib)
+        - ssh profile fix
+        - evince profile fix
+Deelvesh Bunjun (https://github.com/DeelveshBunjun)
+        - added xpdf profile
+dewbasaur (https://github.com/dewbasaur)
+        - block access to history files
+        - Firefox PDF.js exploit (CVE-2015-4495) fixes
+        - Steam profile
+dshmgh (https://github.com/dshmgh)
+        - overlayfs fix for systems with /home mounted on a separate partition
+Duncan Overbruck (https://github.com/Duncaen)
+        - musl libc fix
+        - utmp fix
+emacsomancer (https://github.com/emacsomancer)
+        - added profile for Conkeror browser
+eventyrer (https://github.com/eventyrer)
+        - update gnome-mplayer.profile
+Felipe Barriga Richards (https://github.com/fbarriga)
+        - --private-etc fix
+Franco (nextime) Lanza (https://github.com/nextime)
+        - added --private-template/--private-home
 Fred-Barclay (https://github.com/Fred-Barclay)
         - lots of profile fixes
         - added Vivaldi, Atril profiles
@@ -99,169 +179,57 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - compile/install scripts for --git-install/--git-uninstall commands
         - tighten keepassx
         - added Thunar profile
-SYN-cook (https://github.com/SYN-cook)
-        - keepass/keepassx browser fixes
-        - disable-common.inc fixes
-        - blacklist GNOME keyring and Konqueror
-        - fixed Keepass(x) profiles
-        - Engrampa profile
-        - Scribus profile
-valoq (https://github.com/valoq)
-        - lots of profile fixes
-        - added support for /srv in --whitelist feature
-        - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
-        - blacklist suid binaries in disable-common.inc
-        - fix man pages
-        - added keypass2, qemu profiles
-        - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
-        - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
-        - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
-        - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
-        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
-        - added wget profile
-        - disable gnupg and systemd directories under /run/user
-        - added iridium browser profile
-Zack Weinberg (https://github.com/zackw)
-        - removed libconnect
-        - fixed memory corruption in noblacklist processing
-        - rework DISPLAY environment parsing
-        - rework masking X11 sockets in /tmp/.X11-unix directory
-        - rework xpra and xephyr detection
-        - rework abstract X11 socket detection
-        - rework X11 display number assignment
-        - rework X11 xorg processing
-        - rework fcopy, --follow-link support in fcopy
-        - follow link support in --private-bin
-        - wait_for_other function rewrite
-        - xvfb X11 server support
-Austin S. Hemmelgarn (https://github.com/Ferroin)
-        - unbound profile update
-Igor Bukanov (https://github.com/ibukanov)
-        - found/fiixed privilege escalation in --hosts-file option
-Cat (https://github.com/ecat3)
-        - prevent tmux connecting to an existing session
-Zack Weinberg (https://github.com/zackw)
-        - sdded support for joining a persistent, named network namespace
-GSI (https://github.com/GSI)
-        - added Uzbl browser profile
-Mike Frysinger (vapier@gentoo.org)
-        - Gentoo compile patch
-Jericho (https://github.com/attritionorg)
-        - spelling
-Pixel Fairy (https://github.com/xahare)
-        - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
-pshpsh (https://github.com/pshpsh)
-        - added FossaMail profile
-eventyrer (https://github.com/eventyrer)
-        - update gnome-mplayer.profile
-thewisenerd (https://github.com/thewisenerd)
-        - allow multiple private-home commands
-        - use $SHELL variable if the shell is not specified
-thewisenerd (https://github.com/thewisenerd)
-        - appimage: pass commandline arguments
-KOLANICH (https://github.com/KOLANICH)
-        - added symlink fixer fix_private-bin.py in contrib section
-Jesse Smith (https://github.com/slicer69)
-        - added QupZilla profile
-Lari Rauno (https://github.com/tuutti)
-        - qutebrowser profile fixes
-SpotComms (https://github.com/SpotComms)
-        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
-        - added PDFSam, Pithos, and Xonotic profiles
-Vasya Novikov (https://github.com/vn971)
-        - Wesnoth profile
-        - Hedegewars profile
-        - manpage fixes
-        - fixed firecfg clean/clear issue
-        - found the ugliest bug so far
-        - seccomp debug description in man page
-curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
-        - correct and tighten QuiteRss profile
-        - dnsmasq profile
-        - okular and gwenview profiles
-        - cherrytree profile fixes
-        - added quiterss profile
-        - added guayadeque profile
-        - added VirtualBox.profile
-        - various other profile fixes
-Simon Peter (https://github.com/probonopd)
-        - set $APPIMAGE and $APPDIR environment variables
-        - AppImage version detection
-        - Leafppad type v1 and v2 appimage packages in test/appimage
-BogDan Vatra (https://github.com/bog-dan-ro)
-        - zoom profile
-Impyy (https://github.com/Impyy)
-        - added mumble profile
-Vadim A. Misbakh-Soloviov (https://github.com/msva)
+G4JC (http://sourceforge.net/u/gaming4jc/profile/)
+        - ARM support
         - profile fixes
-Rafael Cavalcanti (https://github.com/rccavalcanti)
-        - chromium profile fixes for Arch Linux
-Deelvesh Bunjun (https://github.com/DeelveshBunjun)
-        - added xpdf profile
-Dara Adib (https://github.com/daradib)
-        - ssh profile fix
-        - evince profile fix
-vismir2 (https://github.com/vismir2)
-        - feh, ranger, 7z, keepass, keepassx and zathura profiles
-        - claws-mail, mutt, git, emacs, vim profiles
-        - lots of profile fixes
-        -  support for truecrypt and zuluCrypt
+Gaman Gabriel (https://github.com/stelariusinfinitek)
+        - inox profile
+geg2048 (https://github.com/geg2048)
+        - kwallet profile fixes
 graywolf (https://github.com/graywolf)
         - spelling fix
-Tomasz Jan Góralczyk (https://github.com/tjg)
-        - fixed Steam profile
-pwnage-pineapple (https://github.com/pwnage-pineapple)
-        - update Okular profile
-Sergey Alirzaev (https://github.com/l29ah)
-        - firejail.h enum fix
 greigdp (https://github.com/greigdp)
         - Gajim IM client profile
-        - fix Slack profile
+        - fixed spotify profile
+        - added Slack profile
+        - add Spotify profile
+GSI (https://github.com/GSI)
+        - added Uzbl browser profile
+hamzadis (https://github.com/hamzadis)
+        - added --overlay-named=name and --overlay-path=path
+Holger Heinz (https://github.com/hheinz)
+        - manpage work
 Icaro Perseo (https://github.com/icaroperseo)
         - Icecat profile
         - several profile fixes
-hamzadis (https://github.com/hamzadis)
-        - added --overlay-named=name and --overlay-path=path    
-Gaman Gabriel (https://github.com/stelariusinfinitek)
-        - inox profile
-greigdp (https://github.com/greigdp)
-        - fixed spotify profile
-        - added Slack profile
-Laurent Declercq (https://github.com/nuxwin)
-        - fixed test for shell interpreter in chroots
-Franco (nextime) Lanza (https://github.com/nextime)
-        - added --private-template/--private-home
-xee5ch (https://github.com/xee5ch)
-        - skypeforlinux profile
-Peter Hogg (https://github.com/pigmonkey)
-        - WeeChat profile
-        - rtorrent profile
-        - bitlbee profile fixes
-        - mutt profile fixes
-Thomas Jarosch (https://github.com/thomasjfox)
-        - disable keepassx in disable-passwdmgr.inc
-        - added uudeview profile
-        - added tar (gtar), unzip and unrar profile
-        - added file profile
-        - improved profile list
-        - fixed small variable glitch in stat64() / lstat64() (libtracelog)
-        - added lstat() / lstat64() support to libtrace
-        - include mkuid.sh in make dist
-Niklas Haas (https://github.com/haasn)
-        - blacklisting for keybase.io's client
+Igor Bukanov (https://github.com/ibukanov)
+        - found/fiixed privilege escalation in --hosts-file option
+iiotx (https://github.com/iiotx)
+        - use generic.profile by default
+Impyy (https://github.com/Impyy)
+        - added mumble profile
+Ivan Kozik (https://github.com/ivan)
+        - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
         - cpio profile
-Paupiah Yash (https://github.com/CaffeinatedStud)
-        - gzip  profile
-Akhil Hans Maulloo (https://github.com/kouul)
-        - xz profile
-Rahul Golam (https://github.com/technoLord)
-        - strings profile
-geg2048 (https://github.com/geg2048)
-        - kwallet profile fixes
-maces (https://github.com/maces)
-        - Franz messenger profile
+Jericho (https://github.com/attritionorg)
+        - spelling
+Jesse Smith (https://github.com/slicer69)
+        - added QupZilla profile
+jgriffiths (https://github.com/jgriffiths)
+        - make rpm packages support
+Joan Figueras (https://github.com/figue)
+        - added abrowser profile
+        - added Google-Play-Music-Desktop-Player
+        - added cyberfox profile
+jrabe (https://github.com/jrabe)
+        - disallow access to kdbx files
+        - Epiphany profile
+        - Polari profile
+        - qTox profile
+        - X11 fixes
+Kaan Genç (https://github.com/SeriousBug)
+        - dynamic allocation of noblacklist buffer
 KellerFuchs (https://github.com/KellerFuchs)
         - nonewpriv support, extended profiles for this feature
         - make `restricted-network` prevent use of netfilter
@@ -270,116 +238,45 @@ KellerFuchs (https://github.com/KellerFuchs)
         - added support for .local profile files in /etc/firejail
         - fixed Cryptocat profile
         - make ~/.local read-only
-ValdikSS (https://github.com/ValdikSS)
-        - Psi+, Corebird, Konversation profiles
-        - various profile fixes
-avoidr (https://github.com/avoidr)
-        - whitelist fix
-        - recently-used.xbel fix
-        - added parole profile
-        - blacklist ncat
-        - hostname support in profile file
-        - Google Chrome profile rework
-        - added cmus profile
-        - man page fixes
-        - add net iface support in profile files
-        - paths fix
-        - lots of profile fixes
-        - added mcabber profile
-        - fixed mpv profile
-        - various other fixes
-Ruan (https://github.com/ruany)
-        - fixed hexchat profile
-Matthew Gyurgyik (https://github.com/pyther)
-        - rpm spec and several fixes
-Joan Figueras (https://github.com/figue)
-        - added abrowser profile
-        - added Google-Play-Music-Desktop-Player
-        - added cyberfox profile
-Petter Reinholdtsen (pere@hungry.com)
-        - Opera profile patch
-n1trux (https://github.com/n1trux)
-        - fix flashpeak-slimjet profile typos
-Felipe Barriga Richards (https://github.com/fbarriga)
-        - --private-etc fix
-Alexander Stein (https://github.com/ajstein)
-        - added profile for qutebrowser
-Benjamin Kampmann (https://github.com/ligthyear)
-        - Forward exit code from child process
-dshmgh (https://github.com/dshmgh)
-        - overlayfs fix for systems with /home mounted on a separate partition
-yumkam (https://github.com/yumkam)
-        - add compile-time option to restrict --net= to root only
-        - man page fixes
+KOLANICH (https://github.com/KOLANICH)
+        - added symlink fixer fix_private-bin.py in contrib section
+Lari Rauno (https://github.com/tuutti)
+        - qutebrowser profile fixes
+Laurent Declercq (https://github.com/nuxwin)
+        - fixed test for shell interpreter in chroots
+Loïc Damien (https://github.com/dzamlo)
+        - small fixes
+maces (https://github.com/maces)
+        - Franz messenger profile
 mahdi1234 (https://github.com/mahdi1234)
         - cherrytree profile
         - Seamonkey profiles
-jrabe (https://github.com/jrabe)
-        - disallow access to kdbx files
-        - Epiphany profile
-        - Polari profile
-        - qTox profile
-        - X11 fixes
-jgriffiths (https://github.com/jgriffiths)
-        - make rpm packages support
-Tom Mellor (https://github.com/kalegrill)
-        - mupen64plus profile
 Martin Carpenter (https://github.com/mcarpenter)
         - security audit and bug fixes
         - Centos 6.x support
-pszxzsd (https://github.com/pszxzsd)
-        -uGet profile
-Rahiel Kasim (https://github.com/rahiel)
-        - Mathematica profile
-        - whitelisted Dropbox profile
-        - whitelisted keysnail config for firefox
-creideiki (https://github.com/creideiki)
-        - make the sandbox process reap all children
-sinkuu (https://github.com/sinkuu)
-        - blacklisting kwalletd
-        - fix symlink invocation for programs placing symlinks in $PATH
-Bader Zaidan (https://github.com/BaderSZ)
-        - Telegram profile
-Holger Heinz (https://github.com/hheinz)
-        - manpage work
-Andrey Alekseenko (https://github.com/al42and)
-        - fixing lintian warnings
-        - fixed Skype profile
-Ivan Kozik (https://github.com/ivan)
-        - speed up sandbox exit
-Christian Stadelmann (https://github.com/genodeftest)
-        - profile fixes
-        - evolution profile fix
-pirate486743186 (https://github.com/pirate486743186)
-        - KMail profile
-Kaan Genç (https://github.com/SeriousBug)
-        - dynamic allocation of noblacklist buffer
-Veeti Paananen (https://github.com/veeti)
-        - fixed Spotify profile
-rogshdo (https://github.com/rogshdo)
-        - BitlBee profile
-Bruno Nova (https://github.com/brunonova)
-        - whitelist fix
-        - bash arguments fix
 Matt Parnell (https://github.com/ilikenwf)
         - whitelisting for core firefox related functionality
-Ondra Nekola (https://github.com/satai)
-        - allow firefox theming with non-global themes
-emacsomancer (https://github.com/emacsomancer)
-        - added profile for Conkeror browser
-Daan Bakker (https://github.com/dbakker)
-        - protect shell startup files
-Duncan Overbruck (https://github.com/Duncaen)
-        - musl libc fix
-        - utmp fix
-andrew160 (https://github.com/andrew160)
-        - profile and man pages fixes
-Loïc Damien (https://github.com/dzamlo)
-        - small fixes
-greigdp (https://github.com/greigdp)
-        - add Spotify profile
 Mattias Wadman (https://github.com/wader)
         - seccomp errno filter support
+Matthew Gyurgyik (https://github.com/pyther)
+        - rpm spec and several fixes
+Michael Haas (https://github.com/mhaas)
+        - bugfixes
+Mike Frysinger (vapier@gentoo.org)
+        - Gentoo compile patch
+mjudtmann (https://github.com/mjudtmann)
+        - lock firejail configuration in disable-mgmt.inc
+n1trux (https://github.com/n1trux)
+        - fix flashpeak-slimjet profile typos
+netblue30 (netblue30@yahoo.com)
+Niklas Haas (https://github.com/haasn)
+        - blacklisting for keybase.io's client
+Ondra Nekola (https://github.com/satai)
+        - allow firefox theming with non-global themes
+Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
+        - user namespace implementation
+Paupiah Yash (https://github.com/CaffeinatedStud)
+        - gzip  profile
 Peter Millerchip (https://github.com/pmillerchip)
         - memory allocation fix
         - --private.keep to --private-home transition
@@ -387,30 +284,146 @@ Peter Millerchip (https://github.com/pmillerchip)
         - support for files and directories with spaces in blacklist option
         - lots of other fixes
         - implement the --allow-private-blacklist option
+Peter Hogg (https://github.com/pigmonkey)
+        - WeeChat profile
+        - rtorrent profile
+        - bitlbee profile fixes
+        - mutt profile fixes
+Petter Reinholdtsen (pere@hungry.com)
+        - Opera profile patch
+pirate486743186 (https://github.com/pirate486743186)
+        - KMail profile
+Pixel Fairy (https://github.com/xahare)
+        - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
+pshpsh (https://github.com/pshpsh)
+        - added FossaMail profile
+pstn (https://github.com/pstn)
+        - added install-strip, make install without strip
+pszxzsd (https://github.com/pszxzsd)
+        -uGet profile
+pwnage-pineapple (https://github.com/pwnage-pineapple)
+        - update Okular profile
+Rafael Cavalcanti (https://github.com/rccavalcanti)
+        - chromium profile fixes for Arch Linux
+Rahiel Kasim (https://github.com/rahiel)
+        - Mathematica profile
+        - whitelisted Dropbox profile
+        - whitelisted keysnail config for firefox
+Rahul Golam (https://github.com/technoLord)
+        - strings profile
+Reiner Herrmann (https://github.com/reinerh)
+        - a number of build patches
+        - man page fixes
+        - Debian and Ubuntu integration
+        - clang-analyzer fixes
+        - Debian reproducible build
+        - unit testing framework
+        - moved build to .xz
+        - detached signatures for source archive
+        - recursive mkdir
+rogshdo (https://github.com/rogshdo)
+        - BitlBee profile
+Ruan (https://github.com/ruany)
+        - fixed hexchat profile
 sarneaud (https://github.com/sarneaud)
         - rewrite globbing code to fix various minor issues
         - added noblacklist command for profile files
         - various enhancements and bug fixes
-Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
-        - user namespace implementation
+Sergey Alirzaev (https://github.com/l29ah)
+        - firejail.h enum fix
+Simon Peter (https://github.com/probonopd)
+        - set $APPIMAGE and $APPDIR environment variables
+        - AppImage version detection
+        - Leafppad type v1 and v2 appimage packages in test/appimage
+sinkuu (https://github.com/sinkuu)
+        - blacklisting kwalletd
+        - fix symlink invocation for programs placing symlinks in $PATH
 sshirokov (http://sourceforge.net/u/yshirokov/profile/)
         - Patch to output "Reading profile" to stderr instead of stdout
-G4JC (http://sourceforge.net/u/gaming4jc/profile/)
-        - ARM support
+SpotComms (https://github.com/SpotComms)
+        - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
+        - added PDFSam, Pithos, and Xonotic profiles
+SYN-cook (https://github.com/SYN-cook)
+        - keepass/keepassx browser fixes
+        - disable-common.inc fixes
+        - blacklist GNOME keyring and Konqueror
+        - fixed Keepass(x) profiles
+        - Engrampa profile
+        - Scribus profile
+        - autostart blacklist for KDE
+        - blacklist startup scripts
+startx2017 (https://github.com/startx2017)
+        - syscall list update
+        - enable/disable join support in /etc/firejail/firejail.config
+thewisenerd (https://github.com/thewisenerd)
+        - allow multiple private-home commands
+        - use $SHELL variable if the shell is not specified
+        - appimage: pass commandline arguments
+Thomas Jarosch (https://github.com/thomasjfox)
+        - disable keepassx in disable-passwdmgr.inc
+        - added uudeview profile
+        - added tar (gtar), unzip and unrar profile
+        - added file profile
+        - improved profile list
+        - fixed small variable glitch in stat64() / lstat64() (libtracelog)
+        - added lstat() / lstat64() support to libtrace
+        - include mkuid.sh in make dist
+Tom Mellor (https://github.com/kalegrill)
+        - mupen64plus profile
+Tomasz Jan Góralczyk (https://github.com/tjg)
+        - fixed Steam profile
+valoq (https://github.com/valoq)
+        - lots of profile fixes
+        - added support for /srv in --whitelist feature
+        - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
+        - blacklist suid binaries in disable-common.inc
+        - fix man pages
+        - added keypass2, qemu profiles
+        - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
+        - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
+        - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
+        - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
+        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
+        - added wget profile
+        - disable gnupg and systemd directories under /run/user
+        - added iridium browser profile
+Vadim A. Misbakh-Soloviov (https://github.com/msva)
         - profile fixes
-dewbasaur (https://github.com/dewbasaur)
-        - block access to history files
-        - Firefox PDF.js exploit (CVE-2015-4495) fixes
-        - Steam profile
-Michael Haas (https://github.com/mhaas)
-        - bugfixes
-mjudtmann (https://github.com/mjudtmann)
-        - lock firejail configuration in disable-mgmt.inc
-iiotx (https://github.com/iiotx)
-        - use generic.profile by default
-pstn (https://github.com/pstn)
-        - added install-strip, make install without strip
-Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
-        - src/lib/libnetlink.c extracted from iproute2 software package
-        
+ValdikSS (https://github.com/ValdikSS)
+        - Psi+, Corebird, Konversation profiles
+        - various profile fixes
+Vasya Novikov (https://github.com/vn971)
+        - Wesnoth profile
+        - Hedegewars profile
+        - manpage fixes
+        - fixed firecfg clean/clear issue
+        - found the ugliest bug so far
+        - seccomp debug description in man page
+Veeti Paananen (https://github.com/veeti)
+        - fixed Spotify profile
+vismir2 (https://github.com/vismir2)
+        - feh, ranger, 7z, keepass, keepassx and zathura profiles
+        - claws-mail, mutt, git, emacs, vim profiles
+        - lots of profile fixes
+        -  support for truecrypt and zuluCrypt
+xee5ch (https://github.com/xee5ch)
+        - skypeforlinux profile
+yumkam (https://github.com/yumkam)
+        - add compile-time option to restrict --net= to root only
+        - man page fixes
+Zack Weinberg (https://github.com/zackw)
+        - added support for joining a persistent, named network namespace
+        - removed libconnect
+        - fixed memory corruption in noblacklist processing
+        - rework DISPLAY environment parsing
+        - rework masking X11 sockets in /tmp/.X11-unix directory
+        - rework xpra and xephyr detection
+        - rework abstract X11 socket detection
+        - rework X11 display number assignment
+        - rework X11 xorg processing
+        - rework fcopy, --follow-link support in fcopy
+        - follow link support in --private-bin
+        - wait_for_other function rewrite
+        - xvfb X11 server support
+
 Copyright (C) 2014-2017 Firejail Authors
diff --git a/README.md b/README.md
index 0c4b7173a..8987b1fd0 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ If you keep your Firejail profiles in a public repository, please give us a link
 
 * https://github.com/triceratops1/fe
 
-Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
+Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/1139
 `````
 
 `````
@@ -195,4 +195,4 @@ goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nau
 simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
 xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
 PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser,
-Kino, Thunar, Geeqie, Engrampa, Scribus
+Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad
diff --git a/RELNOTES b/RELNOTES
index ba8298a3b..4775cf0f6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -26,7 +26,7 @@ firejail (0.9.45) baseline; urgency=low
   * feature: AppImage type 2 support
   * feature: pass command line arguments to appimages
   * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
-  * feature: added a number o Python scripts for handling sandboxes
+  * feature: added a number of Python scripts for handling sandboxes
   * feature: allow local customization using .local files under /etc/firejail
   * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config
   * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config
@@ -34,16 +34,14 @@ firejail (0.9.45) baseline; urgency=low
   * feature: allow /tmp directory in mkdir and mkfile profile commands
   * feature: implemented --noblacklist command, profile support
   * feature: config support to disable access to /mnt and /media (disable-mnt)
-  * feature: allow tmpfs for regular users for files in home directory
-  * feature: mount a tmpfs on top of ~/.cache directory by default
-  * feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)
+  * feature: config support to disable join (join)
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
   * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
   * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
   * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa
-  * new profiles: Scribus
+  * new profiles: Scribus, mousepad
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
 
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 84addc229..d4f06f732 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -3,7 +3,6 @@
 include /etc/firejail/0ad.local
 
 # Firejail profile for 0ad.
-noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad
 noblacklist ~/.local/share/0ad
 include /etc/firejail/disable-common.inc
@@ -12,9 +11,6 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 # Whitelists
-mkdir ~/.cache/0ad
-whitelist ~/.cache/0ad
-
 mkdir ~/.config/0ad
 whitelist ~/.config/0ad
 
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index b9a30d6bf..3b60750d5 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -4,7 +4,6 @@ include /etc/firejail/abrowser.local
 
 # Firejail profile for Abrowser
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache/mozilla/abrowser
-whitelist ~/.cache/mozilla/abrowser
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
 
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 995c0001b..ce823e0db 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -4,7 +4,6 @@ include /etc/firejail/chromium.local
 
 # Chromium browser profile
 noblacklist ~/.config/chromium
-noblacklist ~/.cache/chromium
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/chromium
 whitelist ~/.config/chromium
-mkdir ~/.cache/chromium
-whitelist ~/.cache/chromium
 mkdir ~/.pki
 whitelist ~/.pki
 
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index a79303f77..d9896e4a7 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -4,7 +4,6 @@ include /etc/firejail/cyberfox.local
 
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
-noblacklist ~/.cache/8pecxstudios
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.8pecxstudios
 whitelist ~/.8pecxstudios
-mkdir ~/.cache/8pecxstudios
-whitelist ~/.cache/8pecxstudios
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
 
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ae15a3f63..78b41371a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,4 +1,4 @@
-# This file is overwritten during software install. 
+# This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
 
@@ -236,6 +236,7 @@ blacklist ${PATH}/pantheon-terminal
 blacklist ${PATH}/roxterm
 blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
+blacklist ${PATH}/tilix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 #konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c60333a00..39a8ed4f5 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,4 +1,4 @@
-# This file is overwritten during software install. 
+# This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-programs.local
 
@@ -17,44 +17,6 @@ blacklist ${HOME}/.arduino15
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.audacity-data
 blacklist ${HOME}/.bcast5
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/Atom
@@ -68,6 +30,7 @@ blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
+blacklist ${HOME}/.config/Mousepad
 blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
@@ -283,7 +246,7 @@ blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
-blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.warzone2100-3.*
 blacklist ${HOME}/.weechat
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 1bf259440..0b281c448 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -4,7 +4,6 @@ include /etc/firejail/epiphany.local
 
 # Epiphany browser profile
 noblacklist ${HOME}/.config/epiphany
-noblacklist ${HOME}/.cache/epiphany
 noblacklist ${HOME}/.local/share/epiphany
 
 include /etc/firejail/disable-common.inc
@@ -16,8 +15,6 @@ mkdir ${HOME}/.local/share/epiphany
 whitelist ${HOME}/.local/share/epiphany
 mkdir ${HOME}/.config/epiphany
 whitelist ${HOME}/.config/epiphany
-mkdir ${HOME}/.cache/epiphany
-whitelist ${HOME}/.cache/epiphany
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
diff --git a/etc/evolution.profile b/etc/evolution.profile
index cb6615716..637ac334a 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -5,7 +5,6 @@ include /etc/firejail/evolution.local
 # evolution profile
 noblacklist ~/.config/evolution
 noblacklist ~/.local/share/evolution
-noblacklist ~/.cache/evolution
 noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
diff --git a/etc/firefox.profile b/etc/firefox.profile
index e2cfb9138..20acde62a 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -4,7 +4,6 @@ include /etc/firejail/firefox.local
 
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.config/qpdfview
 noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde/share/apps/okular
@@ -25,8 +24,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache/mozilla/firefox
-whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -35,7 +32,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.lastpass
@@ -55,4 +51,4 @@ include /etc/firejail/whitelist-common.inc
 #private-bin firefox,which,sh,dbus-launch,dbus-send,env
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev 
-#private-tmp
+private-tmp
diff --git a/etc/firejail.config b/etc/firejail.config
index 0887e05b5..121f2dd74 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -43,6 +43,10 @@
 # that is partially under their control.  Default disabled.
 # force-nonewprivs no
 
+# Allow sandbox joining as a regular user, default enabled.
+# root user can always join sandboxes.
+# join yes
+
 # Enable or disable networking features, default enabled.
 # network yes
 
@@ -99,3 +103,13 @@
 # Xephyr command extra parameters. None by default; these are examples.
 # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
 # xephyr-extra-params -grayscale
+
+# Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
+# color depth; use 24 unless you know exactly what you're doing.
+# xvfb-screen 640x480x24
+# xvfb-screen 800x600x24
+# xvfb-screen 1024x768x24
+# xvfb-screen 1280x1024x24
+
+# Xvfb command extra parameters.  None by default; this is an example.
+# xvfb-extra-params -pixdepths 8 24 32
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 4dc5b5cfc..a35aa7a33 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -10,7 +10,6 @@ include /etc/firejail/flashpeak-slimjet.local
 #  firejail flashpeak-slimjet --no-sandbox
 #
 noblacklist ~/.config/slimjet
-noblacklist ~/.cache/slimjet
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -29,8 +28,6 @@ seccomp
 whitelist ${DOWNLOADS}
 mkdir ~/.config/slimjet
 whitelist ~/.config/slimjet
-mkdir ~/.cache/slimjet
-whitelist ~/.cache/slimjet
 mkdir ~/.pki
 whitelist ~/.pki
 
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
index 3caaad71c..a33514c88 100644
--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -12,8 +12,5 @@ noblacklist ~/.fossamail
 mkdir ~/.fossamail
 whitelist ~/.fossamail
 
-noblacklist ~/.cache/fossamail
-mkdir ~/.cache/fossamail
-whitelist ~/.cache/fossamail
 
 include /etc/firejail/firefox.profile
diff --git a/etc/franz.profile b/etc/franz.profile
index 05ff72a47..1692f4516 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -4,7 +4,6 @@ include /etc/firejail/franz.local
 
 # Franz profile
 noblacklist ~/.config/Franz
-noblacklist ~/.cache/Franz
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -21,8 +20,6 @@ seccomp
 whitelist ${DOWNLOADS}
 mkdir ~/.config/Franz
 whitelist ~/.config/Franz
-mkdir ~/.cache/Franz
-whitelist ~/.cache/Franz
 mkdir ~/.pki
 whitelist ~/.pki
 
diff --git a/etc/gajim.profile b/etc/gajim.profile
index bac6cc466..f64d9241a 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -3,11 +3,9 @@
 include /etc/firejail/gajim.local
 
 # Firejail profile for Gajim
-noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.local/share/gajim
 noblacklist ${HOME}/.config/gajim
 
-mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.local/share/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/Downloads
@@ -17,7 +15,6 @@ mkdir ${HOME}/.local/lib/python2.7/site-packages/
 whitelist ${HOME}/.local/lib/python2.7/site-packages/
 read-only ${HOME}/.local/lib/python2.7/site-packages/
 
-whitelist ${HOME}/.cache/gajim
 whitelist ${HOME}/.local/share/gajim
 whitelist ${HOME}/.config/gajim
 whitelist ${HOME}/Downloads
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index 57f942a50..9f79e15b8 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -3,7 +3,6 @@
 include /etc/firejail/geeqie.local
 
 # Firejail profile for Geeqie
-noblacklist ~/.cache/geeqie
 noblacklist ~/.config/geeqie
 noblacklist ~/.local/share/geeqie
 include /etc/firejail/disable-common.inc
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 24ec70e86..03dd7893c 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -6,10 +6,8 @@ include /etc/firejail/gjs.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ~/.cache/org.gnome.Books
 noblacklist ~/.config/libreoffice
 noblacklist ~/.local/share/gnome-photos
-noblacklist ~/.cache/libgweather
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 692e32896..bf2a9f36f 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -6,8 +6,6 @@ include /etc/firejail/gnome-books.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ~/.cache/org.gnome.Books
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 925420a5a..3b6bdd130 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -6,8 +6,6 @@ include /etc/firejail/gnome-weather.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ~/.cache/libgweather
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 3bd16de4a..65bc42648 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -4,7 +4,6 @@ include /etc/firejail/google-chrome-beta.local
 
 # Google Chrome beta browser profile
 noblacklist ~/.config/google-chrome-beta
-noblacklist ~/.cache/google-chrome-beta
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/google-chrome-beta
 whitelist ~/.config/google-chrome-beta
-mkdir ~/.cache/google-chrome-beta
-whitelist ~/.cache/google-chrome-beta
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index d2def4f96..6f6fa1bf2 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -4,7 +4,6 @@ include /etc/firejail/google-chrome-unstable.local
 
 # Google Chrome unstable browser profile
 noblacklist ~/.config/google-chrome-unstable
-noblacklist ~/.cache/google-chrome-unstable
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/google-chrome-unstable
 whitelist ~/.config/google-chrome-unstable
-mkdir ~/.cache/google-chrome-unstable
-whitelist ~/.cache/google-chrome-unstable
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 38feb12a5..131538dd9 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -4,7 +4,6 @@ include /etc/firejail/google-chrome.local
 
 # Google Chrome browser profile
 noblacklist ~/.config/google-chrome
-noblacklist ~/.cache/google-chrome
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -18,8 +17,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/google-chrome
 whitelist ~/.config/google-chrome
-mkdir ~/.cache/google-chrome
-whitelist ~/.cache/google-chrome
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 64401efe8..4bd3f3047 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -4,7 +4,6 @@ include /etc/firejail/icecat.local
 
 # Firejail profile for GNU Icecat
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla
 whitelist ~/.mozilla
-mkdir ~/.cache/mozilla/icecat
-whitelist ~/.cache/mozilla/icecat
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
 
diff --git a/etc/icedove.profile b/etc/icedove.profile
index b5265e992..aae0e3bf5 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -14,10 +14,6 @@ noblacklist ~/.icedove
 mkdir ~/.icedove
 whitelist ~/.icedove
 
-noblacklist ~/.cache/icedove
-mkdir ~/.cache/icedove
-whitelist ~/.cache/icedove
-
 # allow browsers
 ignore private-tmp
 include /etc/firejail/firefox.profile
diff --git a/etc/inox.profile b/etc/inox.profile
index 0b2e4ee5e..6043ded8a 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -4,7 +4,6 @@ include /etc/firejail/inox.local
 
 # Inox browser profile
 noblacklist ~/.config/inox
-noblacklist ~/.cache/inox
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -14,8 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/inox
 whitelist ~/.config/inox
-mkdir ~/.cache/inox
-whitelist ~/.cache/inox
 mkdir ~/.pki
 whitelist ~/.pki
 
diff --git a/etc/iridium.profile b/etc/iridium.profile
index 2d79a3935..dcbd0b84b 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -4,7 +4,6 @@ include /etc/firejail/iridium.local
 
 # Iridium browser profile
 noblacklist ~/.config/iridium
-noblacklist ~/.cache/iridium
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
@@ -17,8 +16,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/iridium
 whitelist ~/.config/iridium
-mkdir ~/.cache/iridium
-whitelist ~/.cache/iridium
 mkdir ~/.pki
 whitelist ~/.pki
 
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
new file mode 100644
index 000000000..3901c8a0e
--- /dev/null
+++ b/etc/mousepad.profile
@@ -0,0 +1,26 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mousepad.local
+
+# Firejail profile for mousepad
+noblacklist ~/.config/Mousepad
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mousepad
+private-dev
+private-tmp
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 2f0809f02..f9d537779 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -14,7 +14,6 @@ noblacklist ~/mail
 noblacklist ~/Mail
 noblacklist ~/sent
 noblacklist ~/postponed
-noblacklist ~/.cache/mutt
 noblacklist ~/.w3m
 noblacklist ~/.elinks
 noblacklist ~/.vim
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index c217346de..a3c360c1e 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -4,7 +4,6 @@ include /etc/firejail/netsurf.local
 
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.config/netsurf
-noblacklist ~/.cache/netsurf
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -20,7 +19,5 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.config/netsurf
 whitelist ~/.config/netsurf
-mkdir ~/.cache/netsurf
-whitelist ~/.cache/netsurf
 
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 92624f334..5a0d54744 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -4,7 +4,6 @@ include /etc/firejail/opera-beta.local
 
 # Opera-beta browser profile
 noblacklist ~/.config/opera-beta
-noblacklist ~/.cache/opera-beta
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -15,8 +14,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/opera-beta
 whitelist ~/.config/opera-beta
-mkdir ~/.cache/opera-beta
-whitelist ~/.cache/opera-beta
 mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/opera.profile b/etc/opera.profile
index 57835f2f2..4af502060 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -4,7 +4,6 @@ include /etc/firejail/opera.local
 
 # Opera browser profile
 noblacklist ~/.config/opera
-noblacklist ~/.cache/opera
 noblacklist ~/.opera
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
@@ -16,8 +15,6 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/opera
 whitelist ~/.config/opera
-mkdir ~/.cache/opera
-whitelist ~/.cache/opera
 mkdir ~/.opera
 whitelist ~/.opera
 mkdir ~/.pki
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 8cac00e03..472d58cee 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -4,7 +4,6 @@ include /etc/firejail/palemoon.local
 
 # Firejail profile for Pale Moon
 noblacklist ~/.moonchild productions/pale moon
-noblacklist ~/.cache/moonchild productions/pale moon
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -13,8 +12,6 @@ include /etc/firejail/whitelist-common.inc
 whitelist ${DOWNLOADS}
 mkdir ~/.moonchild productions
 whitelist ~/.moonchild productions
-mkdir ~/.cache/moonchild productions/pale moon
-whitelist ~/.cache/moonchild productions/pale moon
 
 caps.drop all
 netfilter
@@ -40,7 +37,6 @@ private-tmp
 #whitelist ~/.pentadactyl
 #whitelist ~/.keysnail.js
 #whitelist ~/.config/gnome-mplayer
-#whitelist ~/.cache/gnome-mplayer/plugin
 #whitelist ~/.pki
 #whitelist ~/.lastpass
 
diff --git a/etc/polari.profile b/etc/polari.profile
index 834a8b3d6..52a58322e 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -15,8 +15,6 @@ mkdir ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/TpLogger
 mkdir ${HOME}/.config/telepathy-account-widgets
 whitelist ${HOME}/.config/telepathy-account-widgets
-mkdir ${HOME}/.cache/telepathy
-whitelist ${HOME}/.cache/telepathy
 mkdir ${HOME}/.purple
 whitelist ${HOME}/.purple
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 45cb22ee4..5106fccb2 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -14,8 +14,6 @@ mkdir ~/.config/psi+
 whitelist ~/.config/psi+
 mkdir ~/.local/share/psi+
 whitelist ~/.local/share/psi+
-mkdir ~/.cache/psi+
-whitelist ~/.cache/psi+
 
 caps.drop all
 netfilter
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index f4e4f96d3..158425e18 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -2,7 +2,6 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/quiterss.local
 
-noblacklist ${HOME}/.cache/QuiteRss
 noblacklist ${HOME}/.config/QuiteRss
 noblacklist ${HOME}/.config/QuiteRssrc
 noblacklist ${HOME}/.local/share/QuiteRss
@@ -19,8 +18,6 @@ whitelist ${HOME}/.config/QuiteRssrc
 mkdir ~/.local/share/data
 mkdir ~/.local/share/data/QuiteRss
 whitelist ${HOME}/.local/share/data/QuiteRss
-mkdir ~/.cache/QuiteRss
-whitelist ${HOME}/.cache/QuiteRss
 
 caps.drop all
 netfilter
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 3f5cb60c0..783bc516d 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -4,7 +4,6 @@ include /etc/firejail/qupzilla.local
 
 # Firejail profile for Qupzilla web browser
 noblacklist ${HOME}/.config/qupzilla
-noblacklist ${HOME}/.cache/qupzilla
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
@@ -17,7 +16,6 @@ tracelog
 noroot
 whitelist ${DOWNLOADS}
 whitelist ~/.config/qupzilla
-whitelist ~/.cache/qupzilla
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index f43307ef9..53be1178c 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -4,7 +4,6 @@ include /etc/firejail/qutebrowser.local
 
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
 noblacklist ~/.config/qutebrowser
-noblacklist ~/.cache/qutebrowser
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -20,8 +19,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.config/qutebrowser
 whitelist ~/.config/qutebrowser
-mkdir ~/.cache/qutebrowser
-whitelist ~/.cache/qutebrowser
 mkdir ~/.local/share/qutebrowser
 whitelist ~/.local/share/qutebrowser
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index df1910469..756700c2f 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -4,7 +4,6 @@ include /etc/firejail/seamonkey.local
 
 # Firejail profile for Seamoneky based off Mozilla Firefox
 noblacklist ~/.mozilla
-noblacklist ~/.cache/mozilla
 noblacklist ~/.pki
 noblacklist ~/.lastpass
 include /etc/firejail/disable-common.inc
@@ -22,8 +21,6 @@ tracelog
 whitelist ${DOWNLOADS}
 mkdir ~/.mozilla/seamonkey
 whitelist ~/.mozilla/seamonkey
-mkdir ~/.cache/mozilla/seamonkey
-whitelist ~/.cache/mozilla/seamonkey
 whitelist ~/dwhelper
 whitelist ~/.zotero
 whitelist ~/.vimperatorrc
@@ -32,7 +29,6 @@ whitelist ~/.pentadactylrc
 whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
-whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 whitelist ~/.lastpass
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index ee7e50ba7..0f6d626a5 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -3,8 +3,6 @@
 include /etc/firejail/simple-scan.local
 
 # simple-scan profile
-noblacklist ~/.cache/simple-scan
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 843038a2b..23ef75b71 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -4,7 +4,6 @@ include /etc/firejail/spotify.local
 
 # Spotify media player profile
 noblacklist ${HOME}/.config/spotify
-noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.local/share/spotify
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -16,8 +15,6 @@ mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
-mkdir ${HOME}/.cache/spotify
-whitelist ${HOME}/.cache/spotify
 
 caps.drop all
 netfilter
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 88ab7501e..df1a4cdbb 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -14,9 +14,9 @@ noblacklist ~/.thunderbird
 mkdir ~/.thunderbird
 whitelist ~/.thunderbird
 
-noblacklist ~/.cache/thunderbird
-mkdir ~/.cache/thunderbird
-whitelist ~/.cache/thunderbird
+noblacklist ~/.icedove
+mkdir ~/.icedove
+whitelist ~/.icedove
 
 # allow browsers
 ignore private-tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index dbcc8d041..5b6bec4c1 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-cli.local
 
 # transmission-cli bittorrent profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index dcd3317ef..78ce5fba2 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-gtk.local
 
 # transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index ed63f7cff..2f7fe0714 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-qt.local
 
 # transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 0b88789b1..052843882 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -4,7 +4,6 @@ include /etc/firejail/transmission-show.local
 
 # transmission-show profile
 noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 2c2fbd9f0..bf6af3926 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -4,7 +4,6 @@ include /etc/firejail/vivaldi.local
 
 # Vivaldi browser profile
 noblacklist ~/.config/vivaldi
-noblacklist ~/.cache/vivaldi
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -14,6 +13,4 @@ netfilter
 whitelist ${DOWNLOADS}
 mkdir ~/.config/vivaldi
 whitelist ~/.config/vivaldi
-mkdir ~/.cache/vivaldi
-whitelist ~/.cache/vivaldi
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 702097d98..2f4055887 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -3,16 +3,17 @@
 include /etc/firejail/warzone2100.local
 
 # Firejail profile for warzone2100
-# Currently supports warzone2100-3.1
-noblacklist ~/.warzone2100-3.1
+noblacklist ~/.warzone2100-3.*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 # Whitelist
-mkdir ~/.warzone2100-3.1
+#mkdir ~/.warzone2100-3.1
 whitelist ~/.warzone2100-3.1
+#mkdir ~/.warzone2100-3.2
+whitelist ~/.warzone2100-3.2
 
 # Call these options
 caps.drop all
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 212466f5a..fbb381a86 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -4,7 +4,6 @@ include /etc/firejail/wesnoth.local
 
 # Whitelist-based profile for "Battle for Wesnoth" (game).
 noblacklist ${HOME}/.config/wesnoth
-noblacklist ${HOME}/.cache/wesnoth
 noblacklist ${HOME}/.local/share/wesnoth
 
 include /etc/firejail/disable-common.inc
@@ -23,8 +22,6 @@ private-tmp
 
 mkdir ${HOME}/.local/share/wesnoth
 mkdir ${HOME}/.config/wesnoth
-mkdir ${HOME}/.cache/wesnoth
 whitelist ${HOME}/.local/share/wesnoth
 whitelist ${HOME}/.config/wesnoth
-whitelist ${HOME}/.cache/wesnoth
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index cf7797100..516f47041 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -19,7 +19,6 @@ whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
 whitelist ~/.local/share/fonts
 whitelist ~/.config/fontconfig
-whitelist ~/.cache/fontconfig
 
 # gtk
 whitelist ~/.gtkrc
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 2e6015aef..51dbcad51 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -4,7 +4,6 @@ include /etc/firejail/xreader.local
 
 # Xreader profile
 noblacklist ~/.config/xreader
-noblacklist ~/.cache/xreader
 noblacklist ~/.local/share
 
 include /etc/firejail/disable-common.inc
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index c68852f26..253af3f01 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -132,6 +132,7 @@
 /etc/firejail/mcabber.profile
 /etc/firejail/mediainfo.profile
 /etc/firejail/midori.profile
+/etc/firejail/mousepad.profile
 /etc/firejail/mpv.profile
 /etc/firejail/mumble.profile
 /etc/firejail/mupdf.profile
diff --git a/platform/debian/control b/platform/debian/control
index 991abb656..4287d6561 100644
--- a/platform/debian/control
+++ b/platform/debian/control
@@ -4,6 +4,7 @@ Architecture: amd64
 Maintainer: netblue30 <netblue30@yahoo.com>
 Installed-Size: 272
 Depends: libc6
+Suggests: python, python3
 Section: admin
 Priority: extra
 Homepage: http://github.com/netblue30/firejail
@@ -17,4 +18,3 @@ Description: Linux namepaces sandbox program.
  Firejail also expands the restricted shell facility found in bash by
  adding Linux namespace support. It also supports sandboxing SSH users
  upon login.
-
diff --git a/platform/debian/copyright b/platform/debian/copyright
index 4fd3a15d1..83952080f 100644
--- a/platform/debian/copyright
+++ b/platform/debian/copyright
@@ -7,7 +7,7 @@ This is the Debian/Ubuntu prepackaged version of firejail.
     and networking stack isolation, and it runs on any recent Linux system. It
     includes a sandbox profile for Mozilla Firefox.
 
-    Copyright (C) 2014,2015 Firejail Authors (see README file for more details)
+    Copyright (C) 2014-2017 Firejail Authors (see README file for more details)
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -27,4 +27,3 @@ The complete text of the GNU General Public License can be found
 in /usr/share/common-licenses/GPL-2.
 
 Homepage: http://github.com/netblue30/firejail.
-
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 656e3b14a..1db8736e9 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -192,6 +192,7 @@ keepass
 keepass2
 keepassx
 keepassx2
+mousepad
 pluma
 Thunar
 thunar
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 4cc5cc180..980c80bd9 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -31,6 +31,11 @@
 static char *devloop = NULL;    // device file 
 static char *mntdir = NULL;     // mount point in /tmp directory
 
+static void err_loop(void) {
+        fprintf(stderr, "Error: cannot configure loopback device\n");
+        exit(1);
+}
+
 void appimage_set(const char *appimage) {
         assert(appimage);
         assert(devloop == NULL);        // don't call this twice!
@@ -61,35 +66,27 @@ void appimage_set(const char *appimage) {
         // find or allocate a free loop device to use
         EUID_ROOT();
         int cfd = open("/dev/loop-control", O_RDWR);
-        if (cfd == -1) {
-                fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
-                exit(1);
-        }
+        if (cfd == -1)
+                err_loop();
         int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
-        if (devnr == -1) {
-                fprintf(stderr, "Error: cannot allocate a new loopback device\n");
-                exit(1);
-        }
+        if (devnr == -1)
+                err_loop();
         close(cfd);
         if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
                 errExit("asprintf");
                 
         int lfd = open(devloop, O_RDONLY);
-        if (lfd == -1) {
-                fprintf(stderr, "Error: cannot open %s\n", devloop);
-                exit(1);
-        }
-        if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) {
-                fprintf(stderr, "Error: cannot configure the loopback device\n");
-                exit(1);
-        }
+        if (lfd == -1)
+                err_loop();
+        if (ioctl(lfd, LOOP_SET_FD, ffd) == -1)
+                err_loop();
         
         if (size) {
                 struct loop_info64 info;
                 memset(&info, 0, sizeof(struct loop_info64));
                 info.lo_offset = size;
                 if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
-                        errExit("configure appimage offset");
+                        err_loop();
         }
         
         close(lfd);
@@ -151,8 +148,12 @@ void appimage_clear(void) {
                 int rv = 0;
                 for (i = 0; i < 5; i++) {
                         rv = umount2(mntdir, MNT_FORCE);
-                        if (rv == 0)
+                        if (rv == 0) {
+                                if (!arg_quiet)
+                                        printf("AppImage unmounted\n");
+                                
                                 break;
+                        }
                         if (rv == -1 && errno == EBUSY) {
                                 if (!arg_quiet)
                                         printf("Warning: EBUSY error trying to unmount %s\n", mntdir);                  
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 476ecbe10..f76f83d85 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -92,6 +92,15 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        // join
+                        else if (strncmp(ptr, "join ", 5) == 0) {
+                                if (strcmp(ptr + 5, "yes") == 0)
+                                        cfg_val[CFG_JOIN] = 1;
+                                else if (strcmp(ptr + 5, "no") == 0)
+                                        cfg_val[CFG_JOIN] = 0;
+                                else
+                                        goto errout;
+                        }
                         // x11
                         else if (strncmp(ptr, "x11 ", 4) == 0) {
                                 if (strcmp(ptr + 4, "yes") == 0)
@@ -282,6 +291,10 @@ int checkcfg(int val) {
                         else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
                                 if (strcmp(ptr + 17, "yes") == 0)
                                         arg_quiet = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        arg_quiet = 0;
+                                else
+                                        goto errout;
                         }
                         // remount /proc and /sys
                         else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
@@ -404,16 +417,16 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- networking support is %s\n",
-#ifdef HAVE_NETWORK
+        printf("\t- git install support is %s\n",
+#ifdef HAVE_GIT_INSTALL
                 "enabled"
 #else
                 "disabled"
 #endif
                 );
 
-        printf("\t- git install support is %s\n",
-#ifdef HAVE_GIT_INSTALL
+        printf("\t- networking support is %s\n",
+#ifdef HAVE_NETWORK
                 "enabled"
 #else
                 "disabled"
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index 60301ed58..e62ed8d33 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -153,6 +153,9 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
                         errExit("malloc");
         
         quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        
+        if (arg_debug)
+                printf("Building quoted command line: %s\n", *command_line);
 
         assert(*command_line);
         assert(*window_title);
@@ -163,7 +166,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
         // the program should exit with an error before entering this function
         assert(index != -1);
 
-//      unsigned argcount = argc - index;
+        if (arg_debug)
+                printf("Building AppImage command line: %s\n", *command_line);
+
 
         int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
         int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
@@ -198,6 +203,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
         if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1)
                 errExit("asprintf");
 
+        if (arg_debug)
+                printf("AppImage quoted command line: %s\n", *command_line);
+
         // free strdup
         free(tmp1);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index fa6ba5c6a..75e5feaff 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -407,6 +407,7 @@ void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
+void fs_cache(void);
 
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -541,7 +542,7 @@ void fs_trace(void);
 // fs_hostname.c
 void fs_hostname(const char *hostname);
 void fs_resolvconf(void);
-char *fs_check_hosts_fiile(const char *fname);
+char *fs_check_hosts_file(const char *fname);
 void fs_store_hosts_file(void);
 void fs_mount_hosts_file(void);
 
@@ -685,6 +686,7 @@ enum {
         CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
         CFG_DISABLE_MNT,
         CFG_CACHE_TMPFS,
+        CFG_JOIN,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3413febcb..fc6bdc7d0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -486,7 +486,15 @@ void fs_cache(void) {
         char *cache;
         if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1)
                 errExit("asprintf");
+        if (is_link(cache)) {
+                fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n");
+                exit(1);
+        }
         disable_file(MOUNT_TMPFS, cache);
+        if (is_link(cache)) {
+                fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n");
+                exit(1);
+        }
         free(cache);
 }
 
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 19c2210b3..69c422f1d 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -34,7 +34,9 @@ void fs_machineid(void) {
         // if --machine-id flag is inactive, do nothing
         if (arg_machineid == 0)
                 return;
-
+        if (arg_debug)
+                printf("Generating a new machine-id\n");
+                
         // init random number generator
         srand(time(NULL));
         
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 535526409..32243c700 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -127,7 +127,7 @@ void fs_resolvconf(void) {
         }
 }
 
-char *fs_check_hosts_fiile(const char *fname) {
+char *fs_check_hosts_file(const char *fname) {
         assert(fname);
         invalid_filename(fname);
         char *rv = expand_home(fname, cfg.homedir);
@@ -151,6 +151,9 @@ void fs_store_hosts_file(void) {
 }
 
 void fs_mount_hosts_file(void) {
+        if (arg_debug)
+                printf("Loading user hosts file\n");
+
         // check /etc/hosts file
         struct stat s;
         if (stat("/etc/hosts", &s) == -1)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aead29957..843dc2f3a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
 #endif
         else if (strncmp(argv[i], "--join=", 7) == 0) {
-                logargs(argc, argv);
-
-                if (arg_shell_none) {
-                        if (argc <= (i+1)) {
-                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
-                                exit(1);
+                if (checkcfg(CFG_JOIN) || getuid() == 0) {
+                        logargs(argc, argv);
+        
+                        if (arg_shell_none) {
+                                if (argc <= (i+1)) {
+                                        fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                        exit(1);
+                                }
+                                cfg.original_program_index = i + 1;
                         }
-                        cfg.original_program_index = i + 1;
+        
+                        if (!cfg.shell && !arg_shell_none)
+                                cfg.shell = guess_shell();
+        
+                        // join sandbox by pid or by name
+                        pid_t pid = read_pid(argv[i] + 7);
+                        join(pid, argc, argv, i + 1);
+                        exit(0);
                 }
-
-                if (!cfg.shell && !arg_shell_none)
-                        cfg.shell = guess_shell();
-
-                // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 7);
-                join(pid, argc, argv, i + 1);
-                exit(0);
+                else
+                        exit_err_feature("join");
 
         }
         else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
@@ -1965,7 +1969,7 @@ int main(int argc, char **argv) {
                 }
                 
                 else if (strncmp(argv[i], "--hosts-file=", 13) == 0)
-                        cfg.hosts_file = fs_check_hosts_fiile(argv[i] + 13);
+                        cfg.hosts_file = fs_check_hosts_file(argv[i] + 13);
 
 #ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netfilter") == 0) {
@@ -2472,32 +2476,34 @@ int main(int argc, char **argv) {
                 sprintf(ptr, "%d %d 1\n", gid, gid);
                 ptr += strlen(ptr);
                 
-                //  add tty group
-                gid_t g = get_group_id("tty");
-                if (g) {
-                        sprintf(ptr, "%d %d 1\n", g, g);
-                        ptr += strlen(ptr);
-                }
-                
-                //  add audio group
-                g = get_group_id("audio");
-                if (g) {
-                        sprintf(ptr, "%d %d 1\n", g, g);
-                        ptr += strlen(ptr);
-                }
-                
-                //  add video group
-                g = get_group_id("video");
-                if (g) {
-                        sprintf(ptr, "%d %d 1\n", g, g);
-                        ptr += strlen(ptr);
-                }
-                
-                //  add games group
-                g = get_group_id("games");
-                if (g) {
-                        sprintf(ptr, "%d %d 1\n", g, g);
-                }
+                if (!arg_nogroups) {
+                        //  add tty group
+                        gid_t g = get_group_id("tty");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                        
+                        //  add audio group
+                        g = get_group_id("audio");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                        
+                        //  add video group
+                        g = get_group_id("video");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                        
+                        //  add games group
+                        g = get_group_id("games");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                        }
+                 }
                 
                 EUID_ROOT();
                 update_map(gidmap, map_path);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 00dd87dad..993acf2aa 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -608,7 +608,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         
         // hosts-file
         if (strncmp(ptr, "hosts-file ", 11) == 0) {
-                cfg.hosts_file = fs_check_hosts_fiile(ptr + 11);
+                cfg.hosts_file = fs_check_hosts_file(ptr + 11);
                 return 0;
         }
         
@@ -970,19 +970,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 ptr += 7;
         else if (strncmp(ptr, "tmpfs ", 6) == 0) {
                 if (getuid() != 0) {
-                        // allow a non-root user  to mount tmpfs in user home directory, links are not allowed
-                        invalid_filename(ptr + 6);
-                        char *newfname = expand_home(ptr + 6, cfg.homedir);
-                        assert(newfname);
-                        if (is_link(newfname)) {
-                                fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n");
-                                exit(1);        
-                        }
-                        if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
-                                exit(1);        
-                        }
-                        free(newfname);
+                        fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+                        exit(1);
                 }
                 ptr += 6;
         }
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 774e2908f..f759e7333 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -167,7 +167,7 @@ static void sanitize_passwd(void) {
                 int rv = sscanf(ptr, "%d:", &uid);
                 if (rv == 0 || uid < 0)
                         goto errout;
-                if (uid < UID_MIN) {
+                if (uid < UID_MIN || uid == 65534) { // on Debian platforms user nobody is 65534
                         fprintf(fpout, "%s", buf);
                         continue;
                 }
@@ -299,7 +299,7 @@ static void sanitize_group(void) {
                 int rv = sscanf(ptr, "%d:", &gid);
                 if (rv == 0 || gid < 0)
                         goto errout;
-                if (gid < GID_MIN) {
+                if (gid < GID_MIN || gid == 65534) { // on Debian platforms 65534 is group nogroup
                         if (copy_line(fpout, buf, ptr))
                                 goto errout;
                         continue;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f26f8b06a..f9e59f1ed 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
                 else {
                         // private-tmp is implemented as a whitelist
                         EUID_USER();
+                        // check XAUTHORITY file, KDE keeps it under /tmp
+                        char *xauth = getenv("XAUTHORITY");
+                        if (xauth) {
+                                char *rp = realpath(xauth, NULL);
+                                if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+                                        char *cmd;
+                                        if (asprintf(&cmd, "whitelist %s", rp) == -1)
+                                                errExit("asprintf");
+                                        profile_add(cmd); // profile_add does not duplicate the string
+                                }
+                                if (rp)
+                                        free(rp);
+                        }
+                        // whitelist x11 directory
                         profile_add("whitelist /tmp/.X11-unix");
                         EUID_ROOT();
                 }
@@ -851,6 +865,14 @@ int sandbox(void* sandbox_arg) {
                         }
                 }
         }
+        if (arg_debug) {
+                char *cpath = get_current_dir_name();
+                if (cpath) {
+                        printf("Current directory: %s\n", cpath);
+                        free(cpath);
+                }
+        }
+        
         
         // set nice
         if (arg_nice) {
diff --git a/src/include/syscall.h b/src/include/syscall.h
index c49760703..8852fcbd5 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1076,6 +1076,11 @@
         {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
         {"prlimit64", __NR_prlimit64},
@@ -1126,6 +1131,11 @@
         {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
         {"query_module", __NR_query_module},
@@ -1892,6 +1902,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __LP64__
 #ifdef SYS__sysctl
 #ifdef __NR__sysctl
@@ -2828,6 +2839,11 @@
         {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
         {"prlimit64", __NR_prlimit64},
@@ -2868,6 +2884,11 @@
         {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
         {"query_module", __NR_query_module},
@@ -3529,6 +3550,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __ILP32__
 #ifdef SYS_accept
 #ifdef __NR_accept
@@ -4430,6 +4452,11 @@
         {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+        {"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
         {"prlimit64", __NR_prlimit64},
@@ -4470,6 +4497,11 @@
         {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+        {"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_quotactl
 #ifdef __NR_quotactl
         {"quotactl", __NR_quotactl},
@@ -5111,3 +5143,5 @@
 #endif
 #endif
 #endif
+//#endif
+
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index f304f5b94..b93ad509d 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -7,6 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+set appimage_id $spawn_id
 send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -91,7 +92,14 @@ after 100
 
 spawn $env(SHELL)
 send -- "firejail --shutdown=appimage-test\r"
-sleep 3
+
+set spawn_id $appimage_id
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "AppImage unmounted"
+}
+
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index d9b64af1d..3364ff677 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -6,6 +6,7 @@
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
+set appimage_id $spawn_id
 
 send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r"
 expect {
@@ -79,7 +80,14 @@ after 100
 
 spawn $env(SHELL)
 send -- "firejail --shutdown=appimage-test\r"
-sleep 3
+
+set spawn_id $appimage_id
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "AppImage unmounted"
+}
+
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index 10443a1c7..ad741c559 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -6,8 +6,9 @@
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
+set appimage_id $spawn_id
 
-send -- "firejail --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+send -- "firejail --name=appimage-test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
@@ -79,7 +80,13 @@ after 100
 
 spawn $env(SHELL)
 send -- "firejail --shutdown=appimage-test\r"
-sleep 3
+set spawn_id $appimage_id
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "AppImage unmounted"
+}
+
+after 100
 
 puts "\nall done\n"
 
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
index d39d8390e..7d1d681ab 100755
--- a/test/apps-x11-xorg/apps-x11-xorg.sh
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -24,12 +24,12 @@ else
         echo "TESTING SKIP: transmission-gtk not found"
 fi
 
-which icedove
+which thunderbird
 if [ "$?" -eq 0 ];
 then
-        echo "TESTING: icedove x11 xorg"
-        ./icedove.exp
+        echo "TESTING: thunderbird x11 xorg"
+        ./thunderbird.exp
 else
-        echo "TESTING SKIP: icedove not found"
+        echo "TESTING SKIP: thunderbird not found"
 fi
 
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/thunderbird.exp
index 8f6722cd7..1626c732b 100755
--- a/test/apps-x11-xorg/icedove.exp
+++ b/test/apps-x11-xorg/thunderbird.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange icedove\r"
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange thunderbird\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -18,7 +18,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
-        "icedove"
+        "thunderbird"
 }
 sleep 1
 
@@ -46,7 +46,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 5.0\n";exit}
-        "icedove"
+        "thunderbird"
 }
 expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -64,7 +64,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6.0\n";exit}
-        "icedove"
+        "thunderbird"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
index 739a94f2e..965f1a56b 100755
--- a/test/apps-x11/apps-x11.sh
+++ b/test/apps-x11/apps-x11.sh
@@ -77,12 +77,12 @@ else
         echo "TESTING SKIP: transmission-gtk not found"
 fi
 
-which icedove
+which thunderbird
 if [ "$?" -eq 0 ];
 then
-        echo "TESTING: icedove x11"
-        ./icedove.exp
+        echo "TESTING: thunderbird x11"
+        ./thunderbird.exp
 else
-        echo "TESTING SKIP: icedove not found"
+        echo "TESTING SKIP: thunderbird not found"
 fi
 
diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/thunderbird.exp
index f81d814a7..060b5a760 100755
--- a/test/apps-x11/icedove.exp
+++ b/test/apps-x11/thunderbird.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11 icedove\r"
+send -- "firejail --name=test --x11 thunderbird\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -18,7 +18,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
-        "icedove"
+        "thunderbird"
 }
 sleep 1
 
@@ -46,7 +46,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 5.0\n";exit}
-        "icedove"
+        "thunderbird"
 }
 expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -64,7 +64,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6.0\n";exit}
-        "icedove"
+        "thunderbird"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index 4b7afe1a9..fc04f188b 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -106,13 +106,13 @@ else
         echo "TESTING SKIP: gthumb not found"
 fi
 
-which icedove
+which thunderbird
 if [ "$?" -eq 0 ];
 then
-        echo "TESTING: icedove"
-        ./icedove.exp
+        echo "TESTING: thunderbird"
+        ./thunderbird.exp
 else
-        echo "TESTING SKIP: icedove not found"
+        echo "TESTING SKIP: thunderbird not found"
 fi
 
 which vlc
diff --git a/test/apps/icedove.exp b/test/apps/thunderbird.exp
index 1acb59112..16b0dc60e 100755
--- a/test/apps/icedove.exp
+++ b/test/apps/thunderbird.exp
@@ -7,10 +7,10 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail icedove\r"
+send -- "firejail thunderbird\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Reading profile /etc/firejail/icedove.profile"
+        "Reading profile /etc/firejail/thunderbird.profile"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -26,7 +26,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
-        "icedove"
+        "thunderbird"
 }
 after 100
 
@@ -50,7 +50,7 @@ send -- "firemon --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-        ":firejail icedove"
+        ":firejail thunderbird"
 }
 expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -64,7 +64,7 @@ after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail icedove"
+        ":firejail thunderbird"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index e2b9cb9d4..60ba7f245 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -10,6 +10,12 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 echo "TESTING: DNS (test/environment/dns.exp)"
 ./dns.exp
 
+echo "TESTING: machine-id (test/environment/machineid.exp)"
+./machineid.exp
+
+echo "TESTING: hosts file (test/environment/hostfile.exp)"
+./hostfile.exp
+
 echo "TESTING: doubledash (test/environment/doubledash.exp"
 mkdir -- -testdir
 touch -- -testdir/ttt
diff --git a/test/environment/hostfile b/test/environment/hostfile
new file mode 100644
index 000000000..913f90c13
--- /dev/null
+++ b/test/environment/hostfile
@@ -0,0 +1 @@
+hostfile test
diff --git a/test/environment/hostfile.exp b/test/environment/hostfile.exp
new file mode 100755
index 000000000..06003f744
--- /dev/null
+++ b/test/environment/hostfile.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug --hosts-file=hostfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Loading user hosts file"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "cat /etc/hosts\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "hostfile test"
+}
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/environment/machineid.exp b/test/environment/machineid.exp
new file mode 100755
index 000000000..85510247b
--- /dev/null
+++ b/test/environment/machineid.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug --machine-id\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Generating a new machine-id"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
index 111db06db..81df7cd86 100755
--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -17,4 +17,11 @@ expect {
 send -- "rm -rf ~/.firejail_test\r"
 after 100
 
+send -- "firejail --profile=mkdir2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "only directories in user home or /tmp"
+}
+after 100
+
 puts "\nall done\n"
diff --git a/test/fs/mkdir2.profile b/test/fs/mkdir2.profile
new file mode 100644
index 000000000..28afb8d21
--- /dev/null
+++ b/test/fs/mkdir2.profile
@@ -0,0 +1 @@
+mkdir /etc/somefile
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
index e2e7d3ef0..28a5ae459 100755
--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -42,5 +42,14 @@ expect {
         "_firejail_test_dir/dir1/dir2/dir3/file1"
 }
 after 100
+send -- "exit\r"
+after 100
+
+send -- "firejail --profile=mkfile.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "only files in user home or /tmp"
+}
+after 100
 
 puts "all done\n"
diff --git a/test/fs/mkfile.profile b/test/fs/mkfile.profile
new file mode 100644
index 000000000..6b7fbb322
--- /dev/null
+++ b/test/fs/mkfile.profile
@@ -0,0 +1 @@
+mkfile /etc/somefile
diff --git a/test/network/configure b/test/network/configure
index 35d938340..d4511c705 100755
--- a/test/network/configure
+++ b/test/network/configure
@@ -25,3 +25,6 @@ ip link add link eth0 name eth0.6 type vlan id 6
 ip link add link eth0 name eth0.7 type vlan id 7
 /sbin/ifconfig eth0.7 10.10.207.10/24 up
 
+# network namespace
+ip netns add red
+
diff --git a/test/network/netns.exp b/test/network/netns.exp
new file mode 100755
index 000000000..9475cf958
--- /dev/null
+++ b/test/network/netns.exp
@@ -0,0 +1,34 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --netns=red --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "ip link show\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "LOOPBACK"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DOWN"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "link/loopback"
+}
+after 100
+send -- "exit\r"
+after 100
+
+puts "all done\n"
diff --git a/test/network/network.sh b/test/network/network.sh
index 2c60be0a5..c4c104042 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -11,6 +11,9 @@ sudo ./configure
 echo "TESTING: firemon interface (firemon-interfaces.exp)"
 sudo ./firemon-interfaces.exp
 
+echo "TESTING: netns (netns.exp)"
+./netns.exp
+
 echo "TESTING: print dns (dns-print.exp)"
 ./dns-print.exp
 
diff --git a/test/root/cgroup.exp b/test/root/cgroup.exp
new file mode 100755
index 000000000..4b07183a1
--- /dev/null
+++ b/test/root/cgroup.exp
@@ -0,0 +1,61 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "mkdir /sys/fs/cgroup/systemd/firejail\r"
+sleep 1
+send -- "ls /sys/fs/cgroup/systemd/firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "tasks"
+}
+
+send --  "firejail --name=\"join testing\" --cgroup=/sys/fs/cgroup/systemd/firejail/tasks\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "3"
+}
+
+spawn $env(SHELL)
+send --  "firejail --join=\"join testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "/bin/bash"
+}
+
+after 100
+
+spawn $env(SHELL)
+send -- "wc -l /sys/fs/cgroup/systemd/firejail/tasks\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "3"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/root/checkcfg.exp b/test/root/checkcfg.exp
index e1ec6cf79..205ef1e0c 100755
--- a/test/root/checkcfg.exp
+++ b/test/root/checkcfg.exp
@@ -8,13 +8,6 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --noprofile --overlay\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 2
-
 send -- "rm /etc/firejail/firejail.config\r"
 after 100
 
@@ -27,18 +20,16 @@ expect {
 # seccomp
 send --  "echo \"seccomp no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --seccomp --force\r"
+send --  "firejail --noprofile --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "seccomp feature is disabled in Firejail configuration file\r"
 }
-send --  "exit\r"
-after 100
 
 # whitelist
 send --  "echo \"whitelist no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --whitelist=~/.config --force\r"
+send --  "firejail --noprofile --whitelist=~/.config\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "whitelist feature is disabled in Firejail configuration file\r"
@@ -47,7 +38,7 @@ expect {
 # network
 send --  "echo \"network no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --net=eth0 --force\r"
+send --  "firejail --noprofile --net=eth0\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "networking feature is disabled in Firejail configuration file\r"
@@ -56,7 +47,7 @@ expect {
 # bind
 send --  "echo \"bind no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --bind=/tmp,/var/tmp --force\r"
+send --  "firejail --noprofile --bind=/tmp,/var/tmp\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "bind feature is disabled in Firejail configuration file\r"
@@ -65,7 +56,7 @@ expect {
 # overlay
 send --  "echo \"overlayfs no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --overlay --force\r"
+send --  "firejail --noprofile --overlay\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "overlayfs feature is disabled in Firejail configuration file\r"
@@ -74,7 +65,7 @@ expect {
 # private-home
 send --  "echo \"private-home no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --private-home=/tmp --force\r"
+send --  "firejail --noprofile --private-home=/tmp\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "private-home feature is disabled in Firejail configuration file\r"
@@ -83,7 +74,7 @@ expect {
 # chroot
 send --  "echo \"chroot no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --chroot=/tmp --force\r"
+send --  "firejail --noprofile --chroot=/tmp\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "chroot feature is disabled in Firejail configuration file\r"
@@ -92,15 +83,80 @@ expect {
 # userns
 send --  "echo \"userns no\" > /etc/firejail/firejail.config\r"
 after 100
-send --  "firejail --noprofile --noroot --force\r"
+send --  "firejail --noprofile --noroot\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "noroot feature is disabled in Firejail configuration file\r"
 }
 
-send --  "exit\r"
+# netfilter-default
+send --  "echo \"netfilter-default blablabla\" > /etc/firejail/firejail.config\r"
 after 100
+send --  "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "netfilter-default file blablabla not available\r"
+}
 
+# strings
+send --  "echo \"xephyr-screen 800x600\" > /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"xvfb-screen 800x600x24\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"xvfb-extra-params blablabla\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized\r"
+}
+after 100
+send -- "exit\r"
+after 100
 
+# error exit
+send --  "echo \"join no\" > /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"cache-tmpfs no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"file-transfer no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"x11 no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"firejail-prompt yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"follow-symlink-as-user yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"follow-symlink-private-bin yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"force-nonewprivs yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"seccomp no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"restricted-network yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"xephyr-window-title yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"quiet-by-default yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"chroot-desktop no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"private-bin-no-local yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"disable-mnt yes\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"xephyr-window-title no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"remount-proc-sys no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"disable-mnt no\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "echo \"blablabla\" >> /etc/firejail/firejail.config\r"
+after 100
+send --  "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        ""
+}
 after 100
 puts "\nall done\n"
diff --git a/test/root/firejail.config b/test/root/firejail.config
index 71ff2f4e9..4ad5edd4d 100644
--- a/test/root/firejail.config
+++ b/test/root/firejail.config
@@ -1,8 +1,14 @@
+
 bind yes
 chroot yes
 chroot-desktop yes
+cache-tmpfs yes
 file-transfer yes
+firejail-prompt no
+follow-symlink-as-user no
+follow-symlink-private-bin no
 force-nonewprivs no
+join yes
 network yes
 overlayfs yes
 private-bin-no-local no
diff --git a/test/root/root.sh b/test/root/root.sh
index e23499d2a..406e7dc4f 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # set a new firejail config file
-cp firejail.config /etc/firejail/firejail.config
+#cp firejail.config /etc/firejail/firejail.config
 
 #********************************
 # servers
@@ -82,6 +82,10 @@ echo "TESTING: seccomp chown (test/root/seccomp-chown.exp)"
 #********************************
 echo "TESTING: firejail configuration (test/root/checkcfg.exp)"
 ./checkcfg.exp
+cp ../../etc/firejail.config /etc/firejail/.
+
+echo "TESTING: cgroup (test/root/cgroup.exp)"
+./cgroup.exp
 
 echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
 ./option_tmpfs.exp
@@ -116,5 +120,5 @@ else
 fi
 
 # restore the default config file
-cp ../../etc/firejail.config /etc/firejail/firejail.config
+#cp ../../etc/firejail.config /etc/firejail/firejail.config
 
diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp
index a2078c2f6..716bd2947 100755
--- a/test/utils/join-profile.exp
+++ b/test/utils/join-profile.exp
@@ -29,7 +29,7 @@ expect {
         "/bin/bash"
 }
 
-send -- "exit"
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"
diff --git a/test/utils/join2.exp b/test/utils/join2.exp
index b7d1f345f..0c1fa6684 100755
--- a/test/utils/join2.exp
+++ b/test/utils/join2.exp
@@ -32,7 +32,7 @@ expect {
         "/bin/bash"
 }
 
-send -- "exit"
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"
diff --git a/test/utils/join3.exp b/test/utils/join3.exp
index c0cc7c2e4..968aa3008 100755
--- a/test/utils/join3.exp
+++ b/test/utils/join3.exp
@@ -32,7 +32,7 @@ expect {
         "/bin/bash"
 }
 
-send -- "exit"
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"
diff --git a/test/utils/join4.exp b/test/utils/join4.exp
index c953320e0..27f52fd56 100755
--- a/test/utils/join4.exp
+++ b/test/utils/join4.exp
@@ -32,7 +32,7 @@ expect {
         "/bin/bash"
 }
 
-send -- "exit"
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"