9 files changed, 355 insertions, 309 deletions

diff --git a/gcov.sh b/gcov.sh
index ff910cbe0..3df9bbd47 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -34,7 +34,7 @@ generate() {
 gcov_init
 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file-old
 
-#make test-environment
+#make test-utils
 #generate
 #sleep 2
 #exit
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 0a6a0bbf0..49e58528c 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -136,15 +136,9 @@ void fix_desktop_files(char *homedir) {
 
         // source
         DIR *dir = opendir("/usr/share/applications");
-        if (!dir) {
+        if (!dir || chdir("/usr/share/applications")) {
                 perror("opendir");
-                fprintf(stderr, "Warning: cannot open /usr/share/applications directory, desktop files fixing skipped...\n");
-                free(user_apps_dir);
-                return;
-        }
-        if (chdir("/usr/share/applications")) {
-                perror("chdir");
-                fprintf(stderr, "Warning: cannot chdir to /usr/share/applications, desktop files fixing skipped...\n");
+                fprintf(stderr, "Warning: cannot access /usr/share/applications directory, desktop files fixing skipped...\n");
                 free(user_apps_dir);
                 return;
         }
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index ab0fd53e3..e636dc385 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -21,38 +21,41 @@
 #include "firecfg.h"
 int arg_debug = 0;
 
+static char *usage_str =
+        "Firecfg is the desktop configuration utility for Firejail software. The utility\n"
+        "creates several symbolic links to firejail executable. This allows the user to\n"
+        "sandbox applications automatically, just by clicking on a regular desktop\n"
+        "menus and icons.\n\n"
+        "The symbolic links are placed in /usr/local/bin. For more information, see\n"
+        "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
+        "Usage: firecfg [OPTIONS]\n\n"
+        "   --clean - remove all firejail symbolic links.\n\n"
+        "   --debug - print debug messages.\n\n"
+        "   --fix - fix .desktop files.\n\n"
+        "   --fix-sound - create ~/.config/pulse/client.conf file.\n\n"
+        "   --help, -? - this help screen.\n\n"
+        "   --list - list all firejail symbolic links.\n\n"
+        "   --version - print program version and exit.\n\n"
+        "Example:\n\n"
+        "   $ sudo firecfg\n"
+        "   /usr/local/bin/firefox created\n"
+        "   /usr/local/bin/vlc created\n"
+        "   [...]\n"
+        "   $ firecfg --list\n"
+        "   /usr/local/bin/firefox\n"
+        "   /usr/local/bin/vlc\n"
+        "   [...]\n"
+        "   $ sudo firecfg --clean\n"
+        "   /usr/local/bin/firefox removed\n"
+        "   /usr/local/bin/vlc removed\n"
+        "   [...]\n"
+        "\n"
+        "License GPL version 2 or later\n"
+        "Homepage: http://firejail.wordpress.com\n\n";
+
 static void usage(void) {
         printf("firecfg - version %s\n\n", VERSION);
-        printf("Firecfg is the desktop configuration utility for Firejail software. The utility\n");
-        printf("creates several symbolic links to firejail executable. This allows the user to\n");
-        printf("sandbox applications automatically, just by clicking on a regular desktop\n");
-        printf("menus and icons.\n\n");
-        printf("The symbolic links are placed in /usr/local/bin. For more information, see\n");
-        printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n");
-        printf("Usage: firecfg [OPTIONS]\n\n");
-        printf("   --clean - remove all firejail symbolic links.\n\n");
-        printf("   --debug - print debug messages.\n\n");
-        printf("   --fix - fix .desktop files.\n\n");
-        printf("   --fix-sound - create ~/.config/pulse/client.conf file.\n\n");
-        printf("   --help, -? - this help screen.\n\n");
-        printf("   --list - list all firejail symbolic links.\n\n");
-        printf("   --version - print program version and exit.\n\n");
-        printf("Example:\n\n");
-        printf("   $ sudo firecfg\n");
-        printf("   /usr/local/bin/firefox created\n");
-        printf("   /usr/local/bin/vlc created\n");
-        printf("   [...]\n");
-        printf("   $ firecfg --list\n");
-        printf("   /usr/local/bin/firefox\n");
-        printf("   /usr/local/bin/vlc\n");
-        printf("   [...]\n");
-        printf("   $ sudo firecfg --clean\n");
-        printf("   /usr/local/bin/firefox removed\n");
-        printf("   /usr/local/bin/vlc removed\n");
-        printf("   [...]\n");
-        printf("\n");
-        printf("License GPL version 2 or later\n");
-        printf("Homepage: http://firejail.wordpress.com\n\n");
+        puts(usage_str);
 }
 
 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d0292f524..e35549398 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -19,242 +19,245 @@
 */
 #include "firejail.h"
 
-void usage(void) {
-        printf("firejail - version %s\n\n", VERSION);
-        printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n");
-        printf("restricting the running environment of untrusted applications using Linux\n");
-        printf("namespaces.\n");
-        printf("\n");
-        printf("Usage: firejail [options] [program and arguments]\n");
-        printf("\n");
-        printf("Options:\n");
-        printf("    -- - signal the end of options and disables further option processing.\n");
-        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-        printf("    --allow-private-blacklist - allow blacklisting files in private\n");
-        printf("\thome directories.\n");
-        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
-        printf("    --apparmor - enable AppArmor confinement.\n");
-        printf("    --apparmor.print=name|pid - print apparmor status.\n");
-        printf("    --appimage - sandbox an AppImage application.\n");
-        printf("    --audit[=test-program] - audit the sandbox.\n");
+static char *usage_str =
+        "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"
+        "restricting the running environment of untrusted applications using Linux\n"
+        "namespaces.\n"
+        "\n"
+        "Usage: firejail [options] [program and arguments]\n"
+        "\n"
+        "Options:\n"
+        "    -- - signal the end of options and disables further option processing.\n"
+        "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
+        "    --allow-private-blacklist - allow blacklisting files in private\n"
+        "\thome directories.\n"
+        "    --allusers - all user home directories are visible inside the sandbox.\n"
+        "    --apparmor - enable AppArmor confinement.\n"
+        "    --apparmor.print=name|pid - print apparmor status.\n"
+        "    --appimage - sandbox an AppImage application.\n"
+        "    --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
-        printf("    --bandwidth=name|pid - set bandwidth limits.\n");
+        "    --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
 #ifdef HAVE_BIND
-        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
-        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
+        "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
+        "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
 #endif
-        printf("    --blacklist=filename - blacklist directory or file.\n");
-        printf("    --build - build a whitelisted profile for the application.\n");
-        printf("    --build=filename - build a whitelisted profile for the application.\n");
-        printf("    -c - execute command and exit.\n");
-        printf("    --caps - enable default Linux capabilities filter.\n");
-        printf("    --caps.drop=all - drop all capabilities.\n");
-        printf("    --caps.drop=capability,capability - blacklist capabilities filter.\n");
-        printf("    --caps.keep=capability,capability - whitelist capabilities filter.\n");
-        printf("    --caps.print=name|pid - print the caps filter.\n");
-        printf("    --cgroup=tasks-file - place the sandbox in the specified control group.\n");
+        "    --blacklist=filename - blacklist directory or file.\n"
+        "    --build - build a whitelisted profile for the application.\n"
+        "    --build=filename - build a whitelisted profile for the application.\n"
+        "    -c - execute command and exit.\n"
+        "    --caps - enable default Linux capabilities filter.\n"
+        "    --caps.drop=all - drop all capabilities.\n"
+        "    --caps.drop=capability,capability - blacklist capabilities filter.\n"
+        "    --caps.keep=capability,capability - whitelist capabilities filter.\n"
+        "    --caps.print=name|pid - print the caps filter.\n"
+        "    --cgroup=tasks-file - place the sandbox in the specified control group.\n"
 #ifdef HAVE_CHROOT
-        printf("    --chroot=dirname - chroot into directory.\n");
+        "    --chroot=dirname - chroot into directory.\n"
 #endif
-        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n");
-        printf("    --cpu.print=name|pid - print the cpus in use.\n");
-        printf("    --csh - use /bin/csh as default shell.\n");
-        printf("    --debug - print sandbox debug messages.\n");
-        printf("    --debug-blacklists - debug blacklisting.\n");
-        printf("    --debug-caps - print all recognized capabilities.\n");
-        printf("    --debug-check-filename - debug filename checking.\n");
-        printf("    --debug-errnos - print all recognized error numbers.\n");
-        printf("    --debug-private-lib - debug for --private-lib option.\n");
-        printf("    --debug-protocols - print all recognized protocols.\n");
-        printf("    --debug-syscalls - print all recognized system calls.\n");
+        "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
+        "    --cpu.print=name|pid - print the cpus in use.\n"
+        "    --csh - use /bin/csh as default shell.\n"
+        "    --debug - print sandbox debug messages.\n"
+        "    --debug-blacklists - debug blacklisting.\n"
+        "    --debug-caps - print all recognized capabilities.\n"
+        "    --debug-check-filename - debug filename checking.\n"
+        "    --debug-errnos - print all recognized error numbers.\n"
+        "    --debug-private-lib - debug for --private-lib option.\n"
+        "    --debug-protocols - print all recognized protocols.\n"
+        "    --debug-syscalls - print all recognized system calls.\n"
 #ifdef HAVE_WHITELIST
-        printf("    --debug-whitelists - debug whitelisting.\n");
+        "    --debug-whitelists - debug whitelisting.\n"
 #endif
 #ifdef HAVE_NETWORK
-        printf("    --defaultgw=address - configure default gateway.\n");
+        "    --defaultgw=address - configure default gateway.\n"
 #endif
-        printf("    --dns=address - set DNS server.\n");
-        printf("    --dns.print=name|pid - print DNS configuration.\n");
-
-        printf("    --env=name=value - set environment variable.\n");
-        printf("    --force - attempt to start a new sandbox inside the existing sandbox.\n");
-        printf("    --fs.print=name|pid - print the filesystem log.\n");
-        printf("    --get=name|pid filename - get a file from sandbox container.\n");
+        "    --dns=address - set DNS server.\n"
+        "    --dns.print=name|pid - print DNS configuration.\n"
+        "    --env=name=value - set environment variable.\n"
+        "    --force - attempt to start a new sandbox inside the existing sandbox.\n"
+        "    --fs.print=name|pid - print the filesystem log.\n"
+        "    --get=name|pid filename - get a file from sandbox container.\n"
 #ifdef HAVE_GIT_INSTALL
-        printf("    --git-install - download, compile and install mainline git version\n");
-        printf("\tof Firejail.\n");
-        printf("    --git-uninstall - uninstall mainline git version of Firejail\n");
+        "    --git-install - download, compile and install mainline git version\n"
+        "\tof Firejail.\n"
+        "    --git-uninstall - uninstall mainline git version of Firejail\n"
 #endif
-        printf("    --help, -? - this help screen.\n");
-        printf("    --hostname=name - set sandbox hostname.\n");
-        printf("    --hosts-file=file - use file as /etc/hosts.\n");
-        printf("    --ignore=command - ignore command in profile files.\n");
+        "    --help, -? - this help screen.\n"
+        "    --hostname=name - set sandbox hostname.\n"
+        "    --hosts-file=file - use file as /etc/hosts.\n"
+        "    --ignore=command - ignore command in profile files.\n"
 #ifdef HAVE_NETWORK
-        printf("    --interface=name - move interface in sandbox.\n");
-        printf("    --ip=address - set interface IP address.\n");
-        printf("    --ip=none - no IP address and no default gateway are configured.\n");
-        printf("    --ip6=address - set interface IPv6 address.\n");
-        printf("    --iprange=address,address - configure an IP address in this range.\n");
+        "    --interface=name - move interface in sandbox.\n"
+        "    --ip=address - set interface IP address.\n"
+        "    --ip=none - no IP address and no default gateway are configured.\n"
+        "    --ip6=address - set interface IPv6 address.\n"
+        "    --iprange=address,address - configure an IP address in this range.\n"
 #endif
-        printf("    --ipc-namespace - enable a new IPC namespace.\n");
-        printf("    --join=name|pid - join the sandbox.\n");
-        printf("    --join-filesystem=name|pid - join the mount namespace.\n");
+        "    --ipc-namespace - enable a new IPC namespace.\n"
+        "    --join=name|pid - join the sandbox.\n"
+        "    --join-filesystem=name|pid - join the mount namespace.\n"
 #ifdef HAVE_NETWORK
-        printf("    --join-network=name|pid - join the network namespace.\n");
+        "    --join-network=name|pid - join the network namespace.\n"
 #endif
-        printf("    --join-or-start=name|pid - join the sandbox or start a new one.\n");
-        printf("    --list - list all sandboxes.\n");
-        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n");
+        "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
+        "    --list - list all sandboxes.\n"
+        "    --ls=name|pid dir_or_filename - list files in sandbox container.\n"
 #ifdef HAVE_NETWORK
-        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+        "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
-        printf("    --machine-id - preserve /etc/machine-id\n");
+        "    --machine-id - preserve /etc/machine-id\n"
 #ifdef HAVE_SECCOMP
-        printf("    --memory-deny-write-execute - seccomp filter to block attempts to create\n");
-        printf("\tmemory mappings  that are both writable and executable.\n");
+        "    --memory-deny-write-execute - seccomp filter to block attempts to create\n"
+        "\tmemory mappings  that are both writable and executable.\n"
 #endif
 #ifdef HAVE_NETWORK
-        printf("    --mtu=number - set interface MTU.\n");
+        "    --mtu=number - set interface MTU.\n"
 #endif
-        printf("    --name=name - set sandbox name.\n");
+        "    --name=name - set sandbox name.\n"
 #ifdef HAVE_NETWORK
-        printf("    --net=bridgename - enable network namespaces and connect to this bridge.\n");
-        printf("    --net=ethernet_interface - enable network namespaces and connect to this\n");
-        printf("\tEthernet interface.\n");
-        printf("    --net=none - enable a new, unconnected network namespace.\n");
-        printf("    --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n");
-        printf("    --netfilter.print=name|pid - print the firewall.\n");
-        printf("    --netfilter6=filename - enable IPv6 firewall.\n");
-        printf("    --netfilter6.print=name|pid - print the IPv6 firewall.\n");
-        printf("    --netns=name - Run the program in a named, persistent network namespace.\n");
-        printf("    --netstats - monitor network statistics.\n");
+        "    --net=bridgename - enable network namespaces and connect to this bridge.\n"
+        "    --net=ethernet_interface - enable network namespaces and connect to this\n"
+        "\tEthernet interface.\n"
+        "    --net=none - enable a new, unconnected network namespace.\n"
+        "    --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"
+        "    --netfilter.print=name|pid - print the firewall.\n"
+        "    --netfilter6=filename - enable IPv6 firewall.\n"
+        "    --netfilter6.print=name|pid - print the IPv6 firewall.\n"
+        "    --netns=name - Run the program in a named, persistent network namespace.\n"
+        "    --netstats - monitor network statistics.\n"
 #endif
-        printf("    --nice=value - set nice value.\n");
-        printf("    --no3d - disable 3D hardware acceleration.\n");
-        printf("    --noblacklist=filename - disable blacklist for file or directory.\n");
-        printf("    --nodbus - disable D-Bus access.\n");
-        printf("    --nodvd - disable DVD and audio CD devices.\n");
-        printf("    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
-        printf("    --nogroups - disable supplementary groups.\n");
-        printf("    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
-        printf("    --noprofile - do not use a security profile.\n");
+        "    --nice=value - set nice value.\n"
+        "    --no3d - disable 3D hardware acceleration.\n"
+        "    --noblacklist=filename - disable blacklist for file or directory.\n"
+        "    --nodbus - disable D-Bus access.\n"
+        "    --nodvd - disable DVD and audio CD devices.\n"
+        "    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
+        "    --nogroups - disable supplementary groups.\n"
+        "    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+        "    --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
-        printf("    --noroot - install a user namespace with only the current user.\n");
+        "    --noroot - install a user namespace with only the current user.\n"
 #endif
-        printf("    --nosound - disable sound system.\n");
-        printf("    --novideo - disable video devices.\n");
-        printf("    --nowhitelist=filename - disable whitelist for file or directory .\n");
-        printf("    --output=logfile - stdout logging and log rotation.\n");
-        printf("    --output-stderr=logfile - stdout and stderr logging and log rotation.\n");
-        printf("    --overlay - mount a filesystem overlay on top of the current filesystem.\n");
-        printf("    --overlay-named=name - mount a filesystem overlay on top of the current\n");
-        printf("\tfilesystem, and store it in name directory.\n");
-        printf("    --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n");
-        printf("\tcurrent filesystem.\n");
-        printf("    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n");
-        printf("    --private - temporary home directory.\n");
-        printf("    --private=directory - use directory as user home.\n");
-        printf("    --private-home=file,directory - build a new user home in a temporary\n");
-        printf("\tfilesystem, and copy the files and directories in the list in\n");
-        printf("\tthe new home.\n");
-        printf("    --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
-        printf("\tand copy the programs in the list.\n");
-        printf("    --private-dev - create a new /dev directory with a small number of\n");
-        printf("\tcommon device files.\n");
-        printf("    --private-etc=file,directory - build a new /etc in a temporary\n");
-        printf("\tfilesystem, and copy the files and directories in the list.\n");
-        printf("    --private-tmp - mount a tmpfs on top of /tmp directory.\n");
-        printf("    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n");
-        printf("    --profile=filename - use a custom profile.\n");
-        printf("    --profile.print=name|pid - print the name of profile file.\n");
-        printf("    --profile-path=directory - use this directory to look for profile files.\n");
-        printf("    --protocol=protocol,protocol,protocol - enable protocol filter.\n");
-        printf("    --protocol.print=name|pid - print the protocol filter.\n");
-        printf("    --put=name|pid src-filename dest-filename - put a file in sandbox\n");
-        printf("\tcontainer.\n");
-        printf("    --quiet - turn off Firejail's output.\n");
-        printf("    --read-only=filename - set directory or file read-only..\n");
-        printf("    --read-write=filename - set directory or file read-write.\n");
-        printf("    --rlimit-as=number - set the maximum size of the process's virtual memory\n");
-        printf("\t(address space) in bytes.\n");
-        printf("    --rlimit-cpu=number - set the maximum CPU time in seconds.\n");
-        printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
-        printf("\tby a process.\n");
-        printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
-        printf("\topened by a process.\n");
-        printf("    --rlimit-nproc=number - set the maximum number of processes that can be\n");
-        printf("\tcreated for the real user ID of the calling process.\n");
-        printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
-        printf("\tfor a process.\n");
-        printf("    --rmenv=name - remove environment variable in the new sandbox.\n");
+        "    --nosound - disable sound system.\n"
+        "    --novideo - disable video devices.\n"
+        "    --nowhitelist=filename - disable whitelist for file or directory .\n"
+        "    --output=logfile - stdout logging and log rotation.\n"
+        "    --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
+        "    --overlay - mount a filesystem overlay on top of the current filesystem.\n"
+        "    --overlay-named=name - mount a filesystem overlay on top of the current\n"
+        "\tfilesystem, and store it in name directory.\n"
+        "    --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"
+        "\tcurrent filesystem.\n"
+        "    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
+        "    --private - temporary home directory.\n"
+        "    --private=directory - use directory as user home.\n"
+        "    --private-home=file,directory - build a new user home in a temporary\n"
+        "\tfilesystem, and copy the files and directories in the list in\n"
+        "\tthe new home.\n"
+        "    --private-bin=file,file - build a new /bin in a temporary filesystem,\n"
+        "\tand copy the programs in the list.\n"
+        "    --private-dev - create a new /dev directory with a small number of\n"
+        "\tcommon device files.\n"
+        "    --private-etc=file,directory - build a new /etc in a temporary\n"
+        "\tfilesystem, and copy the files and directories in the list.\n"
+        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
+        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+        "    --profile=filename - use a custom profile.\n"
+        "    --profile.print=name|pid - print the name of profile file.\n"
+        "    --profile-path=directory - use this directory to look for profile files.\n"
+        "    --protocol=protocol,protocol,protocol - enable protocol filter.\n"
+        "    --protocol.print=name|pid - print the protocol filter.\n"
+        "    --put=name|pid src-filename dest-filename - put a file in sandbox\n"
+        "\tcontainer.\n"
+        "    --quiet - turn off Firejail's output.\n"
+        "    --read-only=filename - set directory or file read-only..\n"
+        "    --read-write=filename - set directory or file read-write.\n"
+        "    --rlimit-as=number - set the maximum size of the process's virtual memory\n"
+        "\t(address space) in bytes.\n"
+        "    --rlimit-cpu=number - set the maximum CPU time in seconds.\n"
+        "    --rlimit-fsize=number - set the maximum file size that can be created\n"
+        "\tby a process.\n"
+        "    --rlimit-nofile=number - set the maximum number of files that can be\n"
+        "\topened by a process.\n"
+        "    --rlimit-nproc=number - set the maximum number of processes that can be\n"
+        "\tcreated for the real user ID of the calling process.\n"
+        "    --rlimit-sigpending=number - set the maximum number of pending signals\n"
+        "\tfor a process.\n"
+        "    --rmenv=name - remove environment variable in the new sandbox.\n"
 #ifdef HAVE_NETWORK
-        printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
+        "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
 #ifdef HAVE_SECCOMP
-        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n");
-        printf("    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
-        printf("\tdefault syscall list and the syscalls specified by the command.\n");
-        printf("    --seccomp.block-secondary - build only the native architecture filters.\n");
-        printf("    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\tblacklist the syscalls specified by the command.\n");
-        printf("    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\twhitelist the syscalls specified by the command.\n");
-        printf("    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
-        printf("\tidentified by name or PID.\n");
+        "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
+        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
+        "\tdefault syscall list and the syscalls specified by the command.\n"
+        "    --seccomp.block-secondary - build only the native architecture filters.\n"
+        "    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
+        "\tblacklist the syscalls specified by the command.\n"
+        "    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
+        "\twhitelist the syscalls specified by the command.\n"
+        "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
+        "\tidentified by name or PID.\n"
 #endif
-        printf("    --shell=none - run the program directly without a user shell.\n");
-        printf("    --shell=program - set default user shell.\n");
-        printf("    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n");
-        printf("    --timeout=hh:mm:ss - kill the sandbox automatically after the time\n");
-        printf("\thas elapsed.\n");
-        printf("    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
-        printf("    --top - monitor the most CPU-intensive sandboxes.\n");
-        printf("    --trace - trace open, access and connect system calls.\n");
-        printf("    --tracelog - add a syslog message for every access to files or\n");
-        printf("\tdirectoires blacklisted by the security profile.\n");
-        printf("    --tree - print a tree of all sandboxed processes.\n");
-        printf("    --version - print program version and exit.\n");
+        "    --shell=none - run the program directly without a user shell.\n"
+        "    --shell=program - set default user shell.\n"
+        "    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+        "    --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
+        "\thas elapsed.\n"
+        "    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
+        "    --top - monitor the most CPU-intensive sandboxes.\n"
+        "    --trace - trace open, access and connect system calls.\n"
+        "    --tracelog - add a syslog message for every access to files or\n"
+        "\tdirectoires blacklisted by the security profile.\n"
+        "    --tree - print a tree of all sandboxed processes.\n"
+        "    --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
-        printf("    --veth-name=name - use this name for the interface connected to the bridge.\n");
+        "    --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
 #ifdef HAVE_WHITELIST
-        printf("    --whitelist=filename - whitelist directory or file.\n");
+        "    --whitelist=filename - whitelist directory or file.\n"
 #endif
-        printf("    --writable-etc - /etc directory is mounted read-write.\n");
-        printf("    --writable-run-user - allow access to /run/user/$UID/systemd and\n");
-        printf("\t/run/user/$UID/gnupg.\n");
-        printf("    --writable-var - /var directory is mounted read-write.\n");
-        printf("    --writable-var-log - use the real /var/log directory, not a clone.\n");
+        "    --writable-etc - /etc directory is mounted read-write.\n"
+        "    --writable-run-user - allow access to /run/user/$UID/systemd and\n"
+        "\t/run/user/$UID/gnupg.\n"
+        "    --writable-var - /var directory is mounted read-write.\n"
+        "    --writable-var-log - use the real /var/log directory, not a clone.\n"
 #ifdef HAVE_X11
-        printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
-        printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
-        printf("\tattempt to use X11 security extension.\n");
-        printf("    --x11=none - disable access to X11 sockets.\n");
-        printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n");
-        printf("    --x11=xorg - enable X11 security extension.\n");
-        printf("    --x11=xpra - enable Xpra X11 server.\n");
-        printf("    --x11=xvfb - enable Xvfb X11 server.\n");
-        printf("    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n");
+        "    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"
+        "\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"
+        "\tattempt to use X11 security extension.\n"
+        "    --x11=none - disable access to X11 sockets.\n"
+        "    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"
+        "    --x11=xorg - enable X11 security extension.\n"
+        "    --x11=xpra - enable Xpra X11 server.\n"
+        "    --x11=xvfb - enable Xvfb X11 server.\n"
+        "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-        printf("    --zsh - use /usr/bin/zsh as default shell.\n");
-        printf("\n");
-        printf("Examples:\n");
-        printf("    $ firejail firefox\n");
-        printf("\tstart Mozilla Firefox\n");
-        printf("    $ firejail --debug firefox\n");
-        printf("\tdebug Firefox sandbox\n");
-        printf("    $ firejail --private --dns=8.8.8.8 firefox\n");
-        printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
-        printf("\tserver setting.\n");
-        printf("    $ firejail --net=eth0 firefox\n");
-        printf("\tstart Firefox in a new network namespace\n");
-        printf("    $ firejail --x11=xorg firefox\n");
-        printf("\tstart Firefox and sandbox X11\n");
-        printf("    $ firejail --list\n");
-        printf("\tlist all running sandboxes\n");
-        printf("\n");
-        printf("License GPL version 2 or later\n");
-        printf("Homepage: http://firejail.wordpress.com\n");
-        printf("\n");
+        "    --zsh - use /usr/bin/zsh as default shell.\n"
+        "\n"
+        "Examples:\n"
+        "    $ firejail firefox\n"
+        "\tstart Mozilla Firefox\n"
+        "    $ firejail --debug firefox\n"
+        "\tdebug Firefox sandbox\n"
+        "    $ firejail --private --dns=8.8.8.8 firefox\n"
+        "\tstart Firefox with a new, empty home directory, and a well-known DNS\n"
+        "\tserver setting.\n"
+        "    $ firejail --net=eth0 firefox\n"
+        "\tstart Firefox in a new network namespace\n"
+        "    $ firejail --x11=xorg firefox\n"
+        "\tstart Firefox and sandbox X11\n"
+        "    $ firejail --list\n"
+        "\tlist all running sandboxes\n"
+        "\n"
+        "License GPL version 2 or later\n"
+        "Homepage: http://firejail.wordpress.com\n"
+        "\n";
+
+
+void usage(void) {
+        printf("firejail - version %s\n\n", VERSION);
+        puts(usage_str);
 }
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 617f4dacd..37bd4e874 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -19,62 +19,65 @@
 */
 #include "firemon.h"
 
-void usage(void) {
-        printf("firemon - version %s\n", VERSION);
-        printf("Usage: firemon [OPTIONS] [PID]\n\n");
-        printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n");
-        printf("all processes started by Firejail are monitored. Descendants of these processes\n");
-        printf("are also being monitored. On Grsecurity systems only root user\n");
-        printf("can run this program.\n\n");
-        printf("Options:\n");
-        printf("\t--apparmor - print AppArmor confinement status for each sandbox.\n\n");
-        printf("\t--arp - print ARP table for each sandbox.\n\n");
-        printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
-        printf("\t--cgroup - print control group information for each sandbox.\n\n");
-        printf("\t--cpu - print CPU affinity for each sandbox.\n\n");
-        printf("\t--help, -? - this help screen.\n\n");
-        printf("\t--interface - print network interface information for each sandbox.\n\n");
-        printf("\t--list - list all sandboxes.\n\n");
-        printf("\t--name=name - print information only about named sandbox.\n\n");
-        printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
-        printf("\t\tnetwork namespace.\n\n");
-        printf("\t--nowrap - enable line wrapping in terminals.\n\n");
-        printf("\t--route - print route table for each sandbox.\n\n");
-        printf("\t--seccomp - print seccomp configuration for each sandbox.\n\n");
-        printf("\t--tree - print a tree of all sandboxed processes.\n\n");
-        printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
-        printf("\t--version - print program version and exit.\n\n");
+static char *help_str =
+        "Usage: firemon [OPTIONS] [PID]\n\n"
+        "Monitor processes started in a Firejail sandbox. Without any PID specified,\n"
+        "all processes started by Firejail are monitored. Descendants of these processes\n"
+        "are also being monitored. On Grsecurity systems only root user\n"
+        "can run this program.\n\n"
+        "Options:\n"
+        "\t--apparmor - print AppArmor confinement status for each sandbox.\n\n"
+        "\t--arp - print ARP table for each sandbox.\n\n"
+        "\t--caps - print capabilities configuration for each sandbox.\n\n"
+        "\t--cgroup - print control group information for each sandbox.\n\n"
+        "\t--cpu - print CPU affinity for each sandbox.\n\n"
+        "\t--help, -? - this help screen.\n\n"
+        "\t--interface - print network interface information for each sandbox.\n\n"
+        "\t--list - list all sandboxes.\n\n"
+        "\t--name=name - print information only about named sandbox.\n\n"
+        "\t--netstats - monitor network statistics for sandboxes creating a new\n"
+        "\t\tnetwork namespace.\n\n"
+        "\t--nowrap - enable line wrapping in terminals.\n\n"
+        "\t--route - print route table for each sandbox.\n\n"
+        "\t--seccomp - print seccomp configuration for each sandbox.\n\n"
+        "\t--tree - print a tree of all sandboxed processes.\n\n"
+        "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
+        "\t--version - print program version and exit.\n\n"
+
+        "Without any options, firemon monitors all fork, exec, id change, and exit\n"
+        "events in the sandbox. Monitoring a specific PID is also supported.\n\n"
 
-        printf("Without any options, firemon monitors all fork, exec, id change, and exit events\n");
-        printf("in the sandbox. Monitoring a specific PID is also supported.\n\n");
+        "Option --list prints a list of all sandboxes. The format for each entry is as\n"
+        "follows:\n\n"
+        "\tPID:USER:Command\n\n"
 
-        printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
-        printf("follows:\n\n");
-        printf("\tPID:USER:Command\n\n");
+        "Option --tree prints the tree of processes running in the sandbox. The format\n"
+        "for each process entry is as follows:\n\n"
+        "\tPID:USER:Command\n\n"
 
-        printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
-        printf("for each process entry is as follows:\n\n");
-        printf("\tPID:USER:Command\n\n");
+        "Option --top is similar to the UNIX top command, however it applies only to\n"
+        "sandboxes. Listed below are the available fields (columns) in alphabetical\n"
+        "order:\n\n"
+        "\tCommand - command used to start the sandbox.\n"
+        "\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"
+        "\t       last screen update\n"
+        "\tPID - Unique process ID for the task controlling the sandbox.\n"
+        "\tPrcs - number of processes running in sandbox, including the\n"
+        "\t       controlling process.\n"
+        "\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"
+        "\t      It is a sum of the RES values for all processes running in the\n"
+        "\t      sandbox.\n"
+        "\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"
+        "\t      processes. It is a sum of the SHR values for all processes\n"
+        "\t      running in the sandbox, including the controlling process.\n"
+        "\tUptime - sandbox running time in hours:minutes:seconds format.\n"
+        "\tUser - The owner of the sandbox.\n"
+        "\n"
+        "License GPL version 2 or later\n"
+        "Homepage: http://firejail.wordpress.com\n"
+        "\n";
 
-        printf("Option --top is similar to the UNIX top command, however it applies only to\n");
-        printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
-        printf("order:\n\n");
-        printf("\tCommand - command used to start the sandbox.\n");
-        printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
-        printf("\t       last screen update\n");
-        printf("\tPID - Unique process ID for the task controlling the sandbox.\n");
-        printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
-        printf("\t       process.\n");
-        printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
-        printf("\t      It is a sum of the RES values for all processes running in the\n");
-        printf("\t      sandbox.\n");
-        printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
-        printf("\t      processes. It is a sum of the SHR values for all processes running\n");
-        printf("\t      in the sandbox, including the controlling process.\n");
-        printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n");
-        printf("\tUser - The owner of the sandbox.\n");
-        printf("\n");
-        printf("License GPL version 2 or later\n");
-        printf("Homepage: http://firejail.wordpress.com\n");
-        printf("\n");
+void usage(void) {
+        printf("firemon - version %s\n", VERSION);
+        puts(help_str);
 }
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
index 656b8e215..b73167bd1 100755
--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -7,10 +7,10 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firecfg\r"
+send -- "firecfg --debug\r"
 sleep 1
 
-send --  "firecfg --clean\r"
+send --  "firecfg --debug --clean\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "less removed"
@@ -27,7 +27,7 @@ expect {
 }
 sleep 1
 
-send --  "firecfg\r"
+send --  "firecfg --debug\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "less created"
diff --git a/test/root/root.sh b/test/root/root.sh
index 22b12cf86..d77982993 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -3,6 +3,23 @@
 # set a new firejail config file
 #cp firejail.config /etc/firejail/firejail.config
 
+
+#********************************
+# firecfg
+#********************************
+which less
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firecfg (test/root/firecfg.exp)"
+        rm -fr /home/netblue/.local/share/applications-store
+        mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store
+        ./firecfg.exp
+        rm -fr /home/netblue/.local/share/applications
+        mv /home/netblue/.local/share/applications-store /home/netblue/.local/share/applications
+else
+        echo "TESTING SKIP: firecfg, less not found"
+fi
+
 #********************************
 # servers
 #********************************
@@ -107,17 +124,6 @@ rm -f tmpfile
 echo "TESTING: firemon events (test/root/firemon-events.exp)"
 ./firemon-events.exp
 
-#********************************
-# firecfg
-#********************************
-which less
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: firecfg (test/root/firecfg.exp)"
-        ./firecfg.exp
-else
-        echo "TESTING SKIP: firecfg, less not found"
-fi
 
 # restore the default config file
 #cp ../../etc/firejail.config /etc/firejail/firejail.config
diff --git a/test/utils/build.exp b/test/utils/build.exp
index de2a9b6ae..5e883e4ba 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -54,5 +54,38 @@ expect {
 }
 after 100
 
+send -- "firejail --build cat /etc/passwd\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "private-etc passwd,"
+}
+after 100
+
+send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "whitelist /var/tmp/firejail-test-file-7699"
+}
+after 100
+
+send -- "firejail --build man firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "whitelist /usr/share/man"
+}
+after 100
+
+send -- "firejail --build wget blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "protocol inet"
+}
+after 100
+
+
+send -- "firejail --build cat /tmp/firejail-test-file-7699\r"
+#todo - bug: it comes back with private-tmp
+sleep 1
+
 
 puts "all done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 9259ee33a..5438e11a8 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -13,9 +13,13 @@ fi
 export PATH="$PATH:/usr/lib/firejail"
 
 echo "testing" > ~/firejail-test-file-7699
+echo "testing" > /tmp/firejail-test-file-7699
+echo "testing" > /var/tmp/firejail-test-file-7699
 echo "TESTING: build (test/utils/build.exp)"
 ./build.exp
 rm -f ~/firejail-test-file-7699
+rm -f /tmp/firejail-test-file-7699
+rm -f /var/tmp/firejail-test-file-7699
 
 echo "TESTING: audit (test/utils/audit.exp)"
 ./audit.exp